Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products.
- Artofdefence Hyperguard Web Application Firewall (Remote Denial of Service)
- phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution)
- radware AppWall Web Application Firewall (Source code disclosure on management interface)
They have also published a whitepaper, "An evaluation of current web application firewall capabilities and techniques", describing the effectiveness of WAFs.
From the paper:
"To protect an organisation from attacks on their IT infrastructure, perimeter firewalls are nowadays means of standard protective measures. Attacks on the application layer (e.g. web applications) cannot be effectively prevented by those systems as HTTP and HTTPS requests usually pass the firewalling mechanisms unfiltered and are forwarded directly to the web server. Web application firewalls therefore operate on a higher network layer seeking to prevent application level attacks by analysing the user data transmitted via HTTP or

By filtering requests and responses of the web server, the exploitation of vulnerabilities in web applications and the leakage of sensitive data should be prevented. However, the usage of web application firewalls cannot provide effective protection for all typically encountered vulnerability classes or bogus web server configuration issues.

The project at hand evaluated current web application firewall capabilities and techniques to state in which scenarios and for which vulnerability classes the usage of these products can be recommended. On the other side the drawbacks of the current products and techniques have been found and demonstrated."