Comment by gav
1 day ago
It's more so that Cloudflare has a WAF product that checks a box for security and makes people who's job it is to care about boxes being checked happy.
For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error, including /etc/hosts and other ones such as:
../../apache/logs/error.log
AND%20(SELECT%208203%20FROM%20(SELECT(SLEEP(5)))xGId)
/../..//../..//../..//../winnt/system32/netstat.exe?-a
We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.
We ended up deploying a WAF to block all these requests, even though it didn't improve security in any meaningful way.
> For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error
> We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.
this causes me pain
Why in the world should those be 500 even? Those all are "40x client fuckup".
I guess someone was told, when compiling those strings, that they should observe this known-good implementation (that actually crashed upon receiving such things) and record whatever it returns, and then mandate it of everyone else from now on.