upvote

points

by schnable2 days ago |
comments
upvoteby kiitos2 days ago|
[-]
And a rule that denies everything blocks all vulnerabilities entirely.

A false positive from a conservative evaluation of a query parameter or header value is one thing, conceivably understandable. A false positive due to the content of a blog post is something else altogether.

reply
upvoteby afiori2 days ago|
parent|
[-]
This is a strawman, especially if like the parent claims this was improving security for one of the most popular website backends ever.

Rules like this might very well have had incredible positive impact on ten of thousands of websites at the cost of some weird debugging sessions for dozens of programmers (made up numbers obviously).

reply
upvoteby kiitos1 days ago|
parent|
[-]
Look, any WAF that blocks a document like

    <!DOCTYPE html>
    <html lang="en">
    <body>
    <p>/etc/hosts is a file on Unix hosts</p>
is pretty clearly broken. And you can't meaningfully measure product metrics like impact for fundamentally broken products.
reply
upvoteby afiori1 days ago|
parent|
[-]
> is pretty clearly broken

agree

> And you can't meaningfully measure product metrics like impact for fundamentally broken products

disagree

reply