Web Application Firewall Workshop

Back to the list of Speakers and Sessions
Watch the stream
Web Application Firewalls (WAF) are a reality in several organizations to defend edge services. In this workshop, you will learn to bypass such appliance in hand-on exercises.

Web Application Firewalls usage is controversial in the field of application security. Some consider them useless since they are imperfect. Others consider them an interesting ally for virtual patching and for defense in depth. Beyond this debate, firewalls are a reality in several organizations to defend edge services.

Testers may find the presence of such protection to be a drag on their security assessment. As these firewalls cannot always be disabled for testing, it is important to be able to quickly assess whether a circumvention method is possible. We have designed a workshop featuring different scenarios where a firewall is used to block certain attacks or features.

The workshop will consist of 4 main bypass categories: - Encoding (URL, Unicode, case mapping) - SQLi bypass (for mod_security and libinjection) - Switching protocol (WebSocket, H2C) - Syntax alternatives for table names, keywords and URLs.

For each of the exercises, an in-depth explanation of the technique will be discussed. Then a demonstration application will be available to participants to apply their new knowledge.

Participants should prepare by:

The participants should have the following software to save some time. - Docker - Burp Suite Pro / OWASP ZAP - Python

Participants must have the following equipment:

The participants should have the following software to save some time. - Docker - Burp Suite Pro / OWASP ZAP - Python


Philippe Arteau Security Researcher, GoSecure

Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.