thePCI Portal

WAFs and ASV scans

If by WAF you mean “an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic”, then we are on the same page!

Ryan Barnett wrote about it in 2008 in his Tactical Web Application Security blog .
Didier Godart has a Rapid7 blog post from 2013.

The ASV Program Guide (v3.1 July 2018) has a section (5.6) titled ASV Scan Interference that reads as follows:

If an ASV detects that an active protection system has actively blocked or filtered a scan, then the ASV is required to handle it in accordance with Section 7.6, “Resolving Inconclusive Scans.”
In order to ensure that reliable scans can be conducted, the ASV scan solution must be allowed to perform scanning without interference from active protection systems, where “active” denotes security systems that dynamically modify their behavior based on information gathered from non-attack network traffic patterns. Non-attack traffic refers to potentially legitimate network traffic patterns that do not indicate malformed or malicious traffic, whereas attack traffic includes, for example, malicious network traffic patterns or patterns that match known attack signatures, malware, or packets exceeding the maximum permitted IP packet size.
Such systems may react differently to an automated scanning solution than they would react to a targeted hacker attack, which could cause inaccuracies in the scan report.

Systems that consistently block attack traffic, while consistently allowing non-attack traffic to pass (even if the non-attack traffic follows directly after attack traffic) typically do not cause ASV scan interference.

There you go.

Ad below this line:

Leave a Reply