Hi,

A message from assessors and further tests below.
[image: image.png]

I have configured relayd to serve a single url that accepts no parameters. This url is blocked by relayd with error 403 Forbidden if anything is appended to its end.

I would expect WAF detection in such a test case but this has not happened. What other means are malicious payloads being delivered in this case?

Thanks and regards,
Kihaguru

----------------------------------------------------------------------------
# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
#
# Relay and protocol
#
http protocol httpp {
    return error
    match response header remove "Server"
    pass
    block quick path "/cgi-bin/index.cgi" value "*command=*"
    pass quick path "/net/index.html" value ""
    block
}

relay httpr {
    # Listen on localhost, accept diverted connections from pf(4)
    listen on 127.0.0.1 port 8080
    protocol httpp

    # Forward to the original target host
    forward to destination
}

http protocol httpsp {
    return error
    match response header remove "Server"
    pass
    block quick path "/cgi-bin/index.cgi" value "*command=*"
    pass quick path "/net/index.html" value ""
    block
    tls keypair example.net
}

relay httpsr {
    # Listen on localhost, accept diverted connections from pf(4)
    listen on 127.0.0.1 port 8443 tls
    protocol httpsp

    # Forward to the original target host
    forward with tls to destination
}
----------------------------------------------------------------------------

On Thu, Dec 5, 2019 at 2:11 PM Stuart Henderson <s...@spacehopper.org> wrote:

> On 2019/12/05 00:17, Kihaguru Gathura wrote:
> > On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura <pqscr...@gmail.com> wrote:
> >
> > > >> Which is a better way to implement a WAF on OpenBSD using the base utilities?
> > >
> > > relayd configured in certain ways might be considered as a WAF.
> >
> > All methods and all other security headers and path filters are coded in the web
> > application which had always been detected as a custom WAF until two weeks ago.
> >
> > I have now included relayd and a re-test passes all other requirements but does not detect
> > a WAF (please find sample configurations and test report below).
> >
> > Any hint highly appreciated
>
> I think you will need to talk to your assessors and ask what they're
> looking for.