![Filter Evasion Houdini on the Wire Rob Ragan ( [email_address] ) HP Application Security Center](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-1-2048.jpg?cb=1667937510)
![Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-2-2048.jpg?cb=1667937510)
![Some Reasons to Elude a Filter ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-3-2048.jpg?cb=1667937510)
![Security Filters ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-4-2048.jpg?cb=1667937510)
![Why is it important to understand evasion tactics? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-5-2048.jpg?cb=1667937510)
![New Filters ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-7-2048.jpg?cb=1667937510)
![Who is responsible for each layer? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-9-2048.jpg?cb=1667937510)
![[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-10-2048.jpg?cb=1667937510)
![Whisker's anti-IDS tactics · 1999 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Details @ http://www.wiretrip.net/rfp/txt/whiskerids.html](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-11-2048.jpg?cb=1667937510)
![Playbook – Let the games begin! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-12-2048.jpg?cb=1667937510)
![Canocalization ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-13-2048.jpg?cb=1667937510)
![Canocalization ,[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-14-2048.jpg?cb=1667937510)
![Poison NULL Byte ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-15-2048.jpg?cb=1667937510)
![Bypass WAF ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-16-2048.jpg?cb=1667937510)
![Full-Width/Half-Width Unicode ,[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-17-2048.jpg?cb=1667937510)
![Full-Width/Half-Width Unicode Attacks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-18-2048.jpg?cb=1667937510)
![HTTP Method Tampering ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-19-2048.jpg?cb=1667937510)
![HTTP Method Tampering ,[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-20-2048.jpg?cb=1667937510)
![ASP.NET Framework XSS Filter ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-22-2048.jpg?cb=1667937510)
![Encoding Attack ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-23-2048.jpg?cb=1667937510)
![Evasions in RSnake’s XSS Cheat Sheet ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-24-2048.jpg?cb=1667937510)
![Encoding ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-25-2048.jpg?cb=1667937510)
![70 Unique Ways to Encode < ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-26-2048.jpg?cb=1667937510)
![Still Partying Like It’s 1999 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-27-2048.jpg?cb=1667937510)
![ASPROX (SQL Injection) Worm ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-28-2048.jpg?cb=1667937510)
![Regular Expressions Are Hard ,[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-29-2048.jpg?cb=1667937510)
![Catastrophic Backtracking ,[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-30-2048.jpg?cb=1667937510)
![Backtracking Example ,[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-31-2048.jpg?cb=1667937510)
![White lists are good, but… ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-34-2048.jpg?cb=1667937510)
![Regex Libs Can Have Vulnerabilities ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-35-2048.jpg?cb=1667937510)
![Biggest Target: Application Layer ,[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-36-2048.jpg?cb=1667937510)
![Session Splicing ,[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-37-2048.jpg?cb=1667937510)
![IP Fragmentation vs Session Splicing ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-38-2048.jpg?cb=1667937510)
![State of the Evasion ,[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-39-2048.jpg?cb=1667937510)
![Session Splicing 1999 vs 2009 ,[object Object],1999 2009](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-40-2048.jpg?cb=1667937510)
![Bypass Snort ,[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-41-2048.jpg?cb=1667937510)
![Time Splicer ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-42-2048.jpg?cb=1667937510)
![Snort Preprocessors ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-43-2048.jpg?cb=1667937510)
![[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-44-2048.jpg?cb=1667937510)
![Default Session Timeouts ,[object Object],[object Object],[object Object],Server Type Timeout Apache/PHP 10 minutes IIS 5.0/ASP 15 minutes IIS 6.0/ASP.NET 20 minutes IIS 7.0/ASP.NET 20 minutes](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-46-2048.jpg?cb=1667937510)
![DEMO ,[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-47-2048.jpg?cb=1667937510)
![Rob Ragan ( [email_address] ) ,[object Object],[object Object]](https://image.slidesharecdn.com/filterevasion-090310145239-phpapp02/75/filter-evasion-houdini-on-the-wire-49-2048.jpg?cb=1667937510)
Filter Evasion: Houdini on the Wire
Today security filters can be found on our network perimeter, on our servers, in our frameworks and applications. As our network perimeter becomes more secure, applications become more of a target. Security filters such as IDS and WAF are relied upon to protect applications. Intrusion detection evasion techniques were pioneered over a decade ago. How are today's filters withstanding ever evolving evasion tactics? The presentation will examine how evasion techniques worked in the past and provide insight into how these techniques can still work today; with a focus on HTTP attacks. A practical new way to bypass Snort will be demonstrated. A tool to test other IDS for the vulnerability in Snort will be demonstrated. (Outerz0ne 2009) Video of this presentation at Outerz0ne 5: http://www.irongeek.com/i.php?page=videos/rob-ragan-filter-evasion-houdini-on-the-wire
More Related Content
What's hot
What's hot(20)
Similar to Filter Evasion: Houdini on the Wire
Similar to Filter Evasion: Houdini on the Wire(20)
More from Rob Ragan
More from Rob Ragan(10)
Recently uploaded
Recently uploaded(20)
Filter Evasion: Houdini on the Wire
- 1. Filter Evasion Houdini on the Wire Rob Ragan ( [email_address] ) HP Application Security Center
- 6. HTTP Filters Are Everywhere Filter Example Intrusion Detection Systems (IDS) Snort Web Application Firewall (WAF) ModSecurity Server Add-on IIS UrlScan Framework ASP.NET Request Validation Browser IE8 XSS Filter Application custom sanitizer See your code
- 8. Filter Responsibility in the OSI Model
- 48. Questions?