WebApp Sec
mailing list archives
Re: [WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls?
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 22 Jun 2005 09:28:07 +0200
On 22 Jun 2005 at 0:40, Daniel wrote:
> Amit,
> Maybe I've missed a point here, but why would you deploy a WAF behind
> a web server and proxy server? In fact, why would you even deploy the
> WAF in this scenario?
I discussed 3 scenarios:
1. Internet-WAF-device#1-device#2 (where device#1 can be a proxy server, and device#2 can
be a web server, and all WAF, device#1 and device#2 are on the site premises).
2. (Internet)-device#1-(Internet)-WAF-device#2 (where device#1 may be off premises - e.g. a
forward proxy server).
3. (Internet)-device#1-(Internet)-device#2-(Internet)-WAF-... (both device#1 and device#2
are not protected by the WAF - they can be chained proxies, or a proxy and a perimeter
firewall).
Obviously, there's no point in deploying a WAF behind the web server, but as you can see in
#3, it's possible to mount an attack against two non-webserver devices (the request still
has to go through the web server, but the real action takes place before that).
> Have you tested the 2nd scenario with a NC and two devices?
Which scenario would that be?