Profile

Ken Chau

1 to 20 of 39 total
Posted By Ken Chau 08-02-2023 01:59
Found In Egroup: Imperva Cyber Community
Hi all, Do you know if the Imperva WAF could detect & block such vulnerabilities of Node.js CVE-2023-30586/30589, CVE-2022-32222? Thanks #On-PremisesWAF(formerlySecuresphere) ------------------------------ Ken Chau IT Manager ------------------------------
Posted By Ken Chau 07-14-2023 04:23
Found In Egroup: Imperva Cyber Community
Hi Cezmi, Thanks for your reply. It seems this long block is still effective on the specific server group only. It does not apply to blocking the access to other server groups. ------------------------------ Ken Chau IT Manager ------------------------------
Posted By Ken Chau 07-14-2023 04:19
Found In Egroup: Imperva Cyber Community
Hi Syed, MX version is 14.7.0.20. Thanks. ------------------------------ Ken Chau IT Manager ------------------------------
Posted By Ken Chau 07-14-2023 04:17
Found In Egroup: Imperva Cyber Community
Hi Cezmi, Thanks for your reply. It actually comes from the ADC HTTP Protocol Signatures policy of Recommended Signatures Policy for Web Applications, and seems not able to be cloned. Best Regards ------------------------------ Ken Chau IT Manager ------------------------------
Posted By Ken Chau 07-13-2023 03:57
Found In Egroup: Imperva Cyber Community
Dear all, When a source IP triggers the security policy in WAF for blocking in one Server Group, is it possible to automatically apply/extend the blocking to other/all Server Groups in the same box? Thank you. #On-PremisesWAF(formerlySecuresphere) ------------------------------ ...
Posted By Ken Chau 07-13-2023 03:51
Found In Egroup: Imperva Cyber Community
Dear all, The alert "Fullwidth/Halfwidth Unicode Decoding On URL/Parameter" happens on one of the request parameters rather frequently. Is there a way to disable this checking on that specific parameter? Thank you. #On-PremisesWAF(formerlySecuresphere) ------------------------------ Ken Chau ...
Posted By Ken Chau 07-13-2023 03:49
Found In Egroup: Imperva Cyber Community
Hi all, Recently we find some strange requests of POST /wsman HTTP/1.1 And, I search from Internet and find this article https://www.pwndefend.com/2021/09/17/cve-2021-38647-open-management-infrastructure-omi-rce-azure-linux-hosts/ So, possibly some hackers are looking for this vulnerability ...
Posted By Ken Chau 07-06-2023 03:55
Found In Egroup: Imperva Cyber Community
Hi Syed, I sometimes get this Session Attribute Change alert from our on-premise WAF. The details are about User Agent Mismatch as below. It seems that the user just changes the browser from one to another. Just wonder how the WAF determines that these connections are in the same session. Thank you. ...
Posted By Ken Chau 05-31-2023 23:50
Found In Egroup: Imperva Cyber Community
Hi all, From time to time, we could observe that web servers are receiving below suspicious http requests. GET /?actionErrors=1111 HTTP/1.1 GET /?id=%(((11))*((11))) HTTP/1.1 What is their purpose? Anyone has encountered this and could share your insight? Thank you. #On-Premises ...
Posted By Ken Chau 05-23-2023 06:02
Found In Egroup: Imperva Cyber Community
Hi Sarah, Thanks a lot! ------------------------------ Ken Chau IT Manager ------------------------------
Posted By Ken Chau 05-18-2023 05:54
Found In Egroup: Imperva Cyber Community
Dear all, Recently I see someone is trying to exploit this from the Internet, do we have a signature/policy to block it? Thank you. Unauthenticated Blind SSRF in Oracle EBS | by John M | Medium #On-PremisesWAF(formerlySecuresphere) ------------------------------ Ken Chau IT Manager - ...
Posted By Ken Chau 05-15-2023 20:07
Found In Egroup: Imperva Cyber Community
Hi Sarah, You may check this Spring Boot Actuators - cheat-sheets (gitbook.io), the first part discussed how to exploit it. Thanks. ------------------------------ Ken Chau IT Manager ------------------------------
Posted By Ken Chau 05-15-2023 09:34
Found In Egroup: Imperva Cyber Community
Hi all, Is there any signature in WAF to block the Spring Boot Eureka Xstream Deserialization RCE vulnerability where attacker will send GET/POST request to the following URLs /actuator/env /actuator/refresh Thank you! #On-PremisesWAF(formerlySecuresphere) ------------------------------ ...
Posted By Ken Chau 03-21-2023 22:43
Found In Egroup: Imperva Cyber Community
Hi folks, I would like to boot my WAF gateway (single box) from USB and re-install a new version image in it. During this process, would the WAF gateway be Fail-Open and allowing web traffic to go through the data plane? Anyone has such experience to share, thanks a lot. #On-PremisesWAF ...
Posted By Ken Chau 12-12-2022 21:31
Found In Egroup: Imperva Cyber Community
Hi Syed, I don't want the mx to completely not generating alert on this policy. I just want it to be able to identify a customized request content type defined by us, and then it won't need to fire the alert. Under Policy > Security > HTTP/1.x Protocol Policy, I tried to expand the "Unauthorized ...
Posted By Ken Chau 11-15-2022 21:10
Found In Egroup: Imperva Cyber Community
Hi Syed, We are using version 13.3 and seems it does not have the feature of Content-type Discovery. By the way, we just want to stop generating the alert when the content-type matches our defined value, and there is no need to block any traffic. Thanks. ------------------------------ Ken ...
Posted By Ken Chau 11-11-2022 06:56
Found In Egroup: Imperva Cyber Community
Dear all, If our web application is using a customized value for the Content-type header field in different HTTP POST requests, is there any way to fine tune the application profile such that the Imperva WAF would recognize such customized value is valid and not to trigger alert? Thank you! ...
Posted By Ken Chau 10-24-2022 21:37
Found In Egroup: Imperva Cyber Community
Hello Sarvesh, Both conditions mentioned are met and traffic is going through the WAF to web server and not taking another route. By the way, may I know what is the signature to block the / and then 3 dots? Thank you. ------------------------------ Ken Chau IT Manager ------------------- ...
Posted By Ken Chau 10-18-2022 06:07
Found In Egroup: Imperva Cyber Community
Hi Syed, Thanks for your reply. Our server group is in active mode and it is blocking other malicious traffic. We find out the attack string in the URI from the web server access log, so they should not be altered by the browser. Specifically for the previously attached request traffic, the attacker ...
Posted By Ken Chau 10-18-2022 03:00
Found In Egroup: Imperva Cyber Community
Dear all, Recently we find from our web server access log indicating that the attached directory traversal attempts had not been blocked by the WAF. Our WAF gateway is deployed in bridge mode and we see "Connections using unsupported ciphers" error in the Setup > Gateways screen. However, we are ...