A pair of researchers at the OWASP Europe 2009 conference on Wednesday showed how some Web application firewalls (WAFs) are prone to attack.
Wendel Henrique, a member of SpiderLabs (Trustwave's advanced security team), and Sandro Gauci, founder and CSO for EnableSecurity, also found some WAFs vulnerable to the same types of exploits they are supposed to protect Web apps from, such as cross-site scripting (XSS) attacks.
Hacking WAFs is an old art form, which I'm glad to see is picking up again. WAFs are extremely delicate pieces of software, which require thorough and precise configuration in order to provide the security they promise. Since the WAF market is finally picking up, I expect to see more security advisories related to vulnerabilities in such products in the near future.
I wish the WASC WHID project had a listing of web sites that were hacked even though they had a WAF installed, just so we'd have insight into the real techniques used to bypass them, although I'm not optimistic about such information being released to the public.
Disclaimer - I am a WAF supporter.
* Until OWASP releases the full presentation online, I think you can get a glimpse of it here.