The use of Web Application Firewalls is controversial in the field of application security. Some consider them useless because they are imperfect; others consider them a useful ally for virtual patching and defense in depth. Beyond this debate, such firewalls are a reality in many organizations, where they are deployed to defend edge services.
Testers may find the presence of such protection to be a drag on their security assessment. As these firewalls cannot always be disabled for testing, it is important to be able to quickly assess whether a circumvention method is possible. We have designed a workshop featuring different scenarios where a firewall is used to block certain attacks or features.
The workshop will consist of 4 main bypass categories:
- Encoding (URL, Unicode, case mapping)
- SQLi bypass (for mod_security and libinjection)
- Switching protocol (WebSocket, H2C)
- Syntax alternatives for table names, keywords and URLs

For each exercise, the technique will first be explained in depth. A demonstration application will then be made available to participants so they can apply their new knowledge.
Participants should prepare by installing the following software ahead of time to save some time during the workshop:
- Docker
- Burp Suite Pro / OWASP ZAP
- Python
Philippe Arteau
Philippe is a security engineer for ServiceNow. He has an interest in software development, penetration testing and security code review. He maintains Find Security Bugs, the static analysis tool. He has presented at various conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, 44CON and JavaOne.