Novogodisno boziken aranzman 2012 (sv.naum, makedonija)
(New Year's Christmas arrangement 2012, St. Naum, Macedonia)
Ana Bobinkova
Spiritual
7 slides
Recommended
MyEdu, by PR, Marketing
ANOTHER BRICK OFF THE WALL: DECONSTRUCTING WEB APPLICATION FIREWALLS USING AU..., by Ioannis Stais
Web Application Firewalls (WAFs) are fundamental building blocks of modern application security. For example, the PCI standard for organizations handling credit card transactions dictates that any application facing the internet should be either protected by a WAF or successfully pass a code review process. Nevertheless, despite their popularity and importance, auditing web application firewalls remains a challenging and complex task. Finding attacks that bypass the firewall usually requires expert domain knowledge for a specific vulnerability class. Thus, penetration testers not armed with this knowledge are left with publicly available lists of attack strings, like the XSS Cheat Sheet, which are usually insufficient for thoroughly evaluating the security of a WAF product. In this presentation we introduce a novel, efficient approach for bypassing WAFs using automata learning algorithms. We show that automata learning algorithms can be used to obtain useful models of WAFs. Given such a model, we show how to construct, either manually or automatically, a grammar describing the set of possible attacks, which are then tested against the obtained model of the firewall. Moreover, if our system fails to find an attack, a regular expression model of the firewall is generated for further analysis. Using this technique we found over 10 previously unknown vulnerabilities in popular WAFs such as ModSecurity, PHPIDS and Expose, allowing us to mount SQL injection and XSS attacks bypassing the firewalls. Finally, we present LightBulb, an open-source Python framework for auditing web application firewalls using the techniques described above. In the release we include the set of grammars used to find the vulnerabilities presented.
Scratch, by Ioannis Stais
Scratch, by Ioannis Stais
Learning sorting using the Scratch software (Εκμάθηση ταξινόμησης με χρήση λογισμικού Scratch).
CV2015_Abdulloh Azzam, by Abdullah Azzam
Andrew Ford at Social Star Webinar on how to get more referrals from Linkedin..., by Andrew Ford
Marketing expert Andrew Ford reveals his 8-step process to get more business referrals using your personal brand and LinkedIn, which he has developed over his years at Social Star.
article presentation, by Ioannis Stais
Identifying Evaluative Sentences in Online Discussions. Zhongwu Zhai, Bing Liu, Lei Zhang, Hua Xu, Peifa Jia (Tsinghua National Lab for Info. Sci. and Tech; University of Illinois at Chicago).
Scratch 2003, by Ioannis Stais
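The WAF abstract above describes the step where a grammar of candidate attacks is tested against the learned model of the firewall. The Python below is an added example written for this page; it is not LightBulb's code and not one of its released grammars. It stands a hand-built Aho-Corasick blocklist DFA in for the model that automata learning would infer from a live WAF, encodes a small XSS payload family as a right-linear grammar, and searches the product of the two for a payload the model lets through. The function names (blocklist_dfa, alphabet_of, find_bypass, audit), the signatures in BLOCKED and the grammar XSS_GRAMMAR are all constructed for this illustration.

```python
# Added example, not LightBulb's code: the stand-in model and the grammar below
# are constructed toy data.
from collections import deque


def blocklist_dfa(patterns, alphabet):
    """DFA accepting every string that contains one of `patterns` (Aho-Corasick
    trie + failure links, completed over `alphabet`); accepting states are made
    absorbing since a matched signature blocks the request whatever follows.
    Returns (delta, accept): delta[q][ch] -> next state, accept[q] -> blocked."""
    trie, accept = [{}], [False]
    for pat in patterns:
        q = 0
        for ch in pat:
            if ch not in trie[q]:
                trie.append({}); accept.append(False)
                trie[q][ch] = len(trie) - 1
            q = trie[q][ch]
        accept[q] = True
    fail, delta, queue = [0] * len(trie), [{} for _ in trie], deque()
    for ch in alphabet:                       # depth-1 states fail to the root
        delta[0][ch] = trie[0].get(ch, 0)
        if ch in trie[0]:
            queue.append(trie[0][ch])
    while queue:                              # breadth first, so fail[q] is done
        q = queue.popleft()
        accept[q] = accept[q] or accept[fail[q]]   # a shorter pattern ends here too
        for ch in alphabet:
            nxt = trie[q].get(ch)
            if nxt is None:
                delta[q][ch] = delta[fail[q]][ch]
            else:
                fail[nxt] = delta[fail[q]][ch]
                delta[q][ch] = nxt
                queue.append(nxt)
    for q, blocked in enumerate(accept):
        if blocked:
            delta[q] = {ch: q for ch in alphabet}
    return delta, accept


def alphabet_of(grammar, patterns, normalize=lambda s: s):
    """Every char the DFA may be fed: pattern chars, raw and normalized terminals."""
    chars = set("".join(patterns))
    for prod in (p for prods in grammar.values() for p in prods):
        for sym in prod:
            if sym not in grammar:
                chars.update(sym, normalize(sym))
    return sorted(chars)


def find_bypass(grammar, start, delta, accept, normalize=lambda s: s):
    """Shortest derivation (fewest productions) whose string the model does not
    block, or None if every string of the grammar is blocked.  `grammar` is
    right-linear (terminal strings, optionally one trailing nonterminal), i.e. a
    finite automaton, so this is a BFS over its product with the complement of
    the blocking DFA.  `normalize` models WAF preprocessing, applied per terminal."""
    parent = {(start, 0): None}               # (nonterminal, dfa state) -> (prev, text)
    queue = deque([(start, 0)])
    while queue:
        node = queue.popleft()
        nt, q = node
        for prod in grammar[nt]:
            q2, text, tail = q, "", None
            for i, sym in enumerate(prod):
                if sym in grammar:
                    if i != len(prod) - 1:
                        raise ValueError("not right-linear: %r" % (prod,))
                    tail = sym
                else:
                    text += sym
                    for ch in normalize(sym):
                        q2 = delta[q2][ch]
            if accept[q2]:                    # blocked, and blocking is absorbing
                continue
            if tail is None:                  # complete string that got through
                parts = [text]
                while parent[node] is not None:
                    node, prev_text = parent[node]
                    parts.append(prev_text)
                return "".join(reversed(parts))
            if (tail, q2) not in parent:
                parent[(tail, q2)] = (node, text)
                queue.append((tail, q2))
    return None


# Constructed toy data: signatures the stand-in model blocks, and a right-linear
# grammar of reflected-XSS payloads (nonterminals are the dict keys).
BLOCKED = ["<script", "onerror", "onload"]
XSS_GRAMMAR = {
    "S":       [["<", "Tag"]],
    "Tag":     [["script", "Body"], ["ScRiPt", "Body"], ["img src=x ", "Handler"]],
    "Body":    [[">alert(1)</script>"]],
    "Handler": [["onerror=alert(1)>"], ["onload=alert(1)>"], ["onmouseover=alert(1)>"]],
}


def audit(normalize=lambda s: s):
    """Run the grammar against the stand-in model; returns a bypass string or None."""
    delta, accept = blocklist_dfa(BLOCKED, alphabet_of(XSS_GRAMMAR, BLOCKED, normalize))
    return find_bypass(XSS_GRAMMAR, "S", delta, accept, normalize)
```

Against the case-sensitive model, `audit()` returns `<ScRiPt>alert(1)</script>`; with `audit(str.lower)`, which models a WAF that lowercases before matching, the case trick is blocked and the search moves on to the `onmouseover` handler the blocklist never mentions. A None result means the grammar's language lies entirely inside what the model blocks, which is the point at which the abstract has the tool fall back to emitting the model itself as a regular expression for manual analysis. Keeping the grammar right-linear keeps the intersection check a plain BFS; a context-free attack grammar would need the product construction with a pushdown automaton instead.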
Viewers also liked
Social star, by Andrew Ford
How to be a Social Star for your business gain. Learn the secrets of personal branding from the team at Social Star.
1107110030 Abdulloh Azzam, by Abdullah Azzam
Tablas de repaso de las declinaciones griegas (Review tables of the Greek declensions), by Rafael Ayuso
Nominal inflection paradigms.
Jokes, by Anfield Chukaa
Side Channel Leaks in Mobile Applications, by Ioannis Stais
The issues touched on in this presentation were common side-channel information-leakage issues that arise when apps use standard APIs and features.
Social Star e-ttraction Presentation - Social Media for Sales, by Andrew Ford
How to create e-ttraction, digital attraction, to gain more referrals by building a powerful personal brand.
Pakistan trade policy, by RaXi Abid