A presentation and demonstration of issues that apply to Web application firewalls. Talks about how easy it is to fingerprint some web application firewalls, how bypassing them is possible. Finally it talks about how they can be used against your organization if they get compromised.
This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
Presentation slides of Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch. Ask all your question's related to the webcast here http://goo.gl/Vv10hJ. Don't forget to leave you feedback here https://goo.gl/YrBeic.
This document contains the results of a comparative penetration test conducted by a team of security specialists at Zero Science Lab against three ‘leading’ web application firewall solutions. Our goal was to bypass security controls in place, in any way we can, circumventing whatever filters they have. This report also outlines the setup and configuration process, as well as a detailed security assessment.
Ведущий: Халил Бидджу
На мастер-классе вы узнаете, как провести атаку на приложение, защищенное файрволом. Ведущий расскажет о техниках обхода WAF и представит систематизированный и практический подход к их применению. Мастер-класс будет интересен даже начинающим специалистам. Вниманию слушателей будет представлен новый инструмент для поиска уязвимостей межсетевых экранов — WAFNinja.
This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
Presentation slides of Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch. Ask all your question's related to the webcast here http://goo.gl/Vv10hJ. Don't forget to leave you feedback here https://goo.gl/YrBeic.
This document contains the results of a comparative penetration test conducted by a team of security specialists at Zero Science Lab against three ‘leading’ web application firewall solutions. Our goal was to bypass security controls in place, in any way we can, circumventing whatever filters they have. This report also outlines the setup and configuration process, as well as a detailed security assessment.
Ведущий: Халил Бидджу
На мастер-классе вы узнаете, как провести атаку на приложение, защищенное файрволом. Ведущий расскажет о техниках обхода WAF и представит систематизированный и практический подход к их применению. Мастер-класс будет интересен даже начинающим специалистам. Вниманию слушателей будет представлен новый инструмент для поиска уязвимостей межсетевых экранов — WAFNinja.
Wireless Pentesting: It's more than cracking WEPJoe McCray
This presentation walks you through the fundamentals of attacking and defending wireless networks.
Attacking WEP, WPA, WPA2, WPA Enterprise and captive portals is covered, and this presentation will be updated periodically. So keep checking back for updates.
OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x module which helps web developer/ system administrator to mitigate CSRF vulnerability in their web application with ease.
Presentation of my talk at FOSSASIA 2015
OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x module which helps web developer/ system administrator to mitigate CSRF vulnerability in their web application with ease.
OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.
Wireless Pentesting: It's more than cracking WEPJoe McCray
This presentation walks you through the fundamentals of attacking and defending wireless networks.
Attacking WEP, WPA, WPA2, WPA Enterprise and captive portals is covered, and this presentation will be updated periodically. So keep checking back for updates.
OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x module which helps web developer/ system administrator to mitigate CSRF vulnerability in their web application with ease.
Presentation of my talk at FOSSASIA 2015
OWASP CSRF Protector has been implemented as a php library and an Apache 2.2.x module which helps web developer/ system administrator to mitigate CSRF vulnerability in their web application with ease.
OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.
SSRF vs. Business-critical applications. XXE tunneling in SAPERPScan
Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the history of SSRF attack, or Server Side Request Forgery, its types and different kinds of attacks on SAP.
Sql injection bypassing hand book blackroseNoaman Aziz
In this book I am not gonna teach you Basics of SQL injection, I will assume that you already know them, because cmon every one talks about it, you will find tons and tons of posts on forums related to basics of SQL Injection, In this post I will talk about common methods of used by hackers and pentesters for evading IDS, IPS, WAF's such as Modsecurity, dotdefender etc .
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
Secure Code Review is the best approach to uncover the most security flaws, in addition to being the only approach to find certain types of flaws like design flaws. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application. You will get an introduction to Static Code Analysis tools and how you can automate some parts of the process using tools like FxCop.
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
Sergey Kochergan is QA Engineer at Luxoft with extensive experience in software engineering and security field. As an independent consultant, he has provided strategic expertise to business clients with frameworks for SCADA security policy, organazied hackatons and ctf events. Sergey was involved into R&D projects of System Design for SDR communication hardware, network forensics with IDS.
In this lecture Sergey will tell the audience about Security in general, will make overview of nowadays Web Testing Environment and also will present his vision of Risk Rating Methodology and Vulnerability Patterns.
For our next events join us:
http://www.meetup.com/Kyiv-Dev-Meetup-SmartMonday/
https://www.facebook.com/braindevkyiv
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182
A look at computer network defense techniques and strategies that actually work in a world of blinky light sales. Strait up defense served with a side of sarcasm.
Should I buy product $x from $vendor_y or product $y from $vendor_x? Probably neither. Come hear how you can get back to security basics to keep your organization from getting owned and discover when you are owned with a lot of tools you already have. No sales, no magic, just real world security for people that want to defend their organization.
A presentation delivered at WordCamp Miami 2016 about security best practices in web development by SiteLock Director of Products & Technology Binod Purushothaman and Lead Security Analyst Logan Kipp.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.
In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services and a open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leads to a huge potential vulnerability, the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate vulnerabilities and also present Minded Security’s latest countermeasure DOMinatorPro.
Similar to Web Application Firewalls Detection, Bypassing And Exploitation (20)
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...Sandro Gauci
WebRTC is often considered to be secure by default - with most security concerns being around IP address leakage which is more of a privacy issue than anything. Well, I have news for you - the applications and infrastructure that handles WebRTC can be attacked. It may indeed have various types of security vulnerabilities which are often overlooked. This presentation is based on experiences gained through security testing of WebRTC applications with anecdotal stories to illustrate the dangers. We will also take a peek at Video Delivery mechanisms such as RIST and SRT and discuss what could possibly go wrong there too!
TADSummit 2022 - How to bring your own RTC platform downSandro Gauci
Running DDoS simulations on your own.
Why would you want to do such a thing?
Preparing for destruction
Running the tests – best practices
What happens after the fact
Moving forward towards more robust RTC
If you have been following news from the OpenSIPS community, you probably heard of the OpenSIPS security audit. Why is this a useful exercise and how will it be done? In this talk, Sandro will try to answer these questions, give some background and details on what will be tested and his team's penetration testing methodology as it applies to the OpenSIPS project.
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo serverSandro Gauci
In his previous talk for TADSummit, Sandro spoke about why it is critical to take an offensive approach when dealing with SIP security. In this one, he shows how tools can help in testing RTC security as well as in learning more about offensive security for RTC. After a general overview of the landscape, he will focus on the work that his team has done on SIPVicious PRO and the target demo server that helps learn and show vulnerabilities in a lab environment.
The various ways your RTC may be crushedSandro Gauci
A presentation about Denial of Service on Real-time Communications systems. This presentation covers the following:
The presentation, in parts:
- DoS on Signalling, including SIP Flood, TCP and TLS Flooding, TLS certificate flooding and a WebRTC proprietary signalling protocol attacked via malformed message
- DoS on the Media, including RTP Bleed and Invalid DTLS certificate
- DoS on RTC monitoring tools including DoS on Recording systems, on PCAP monitoring and Flooding the firewall
- DoS on callbacks including random input and Slowloris attack
- DoS on security protection including IP spoofing to block trusted peers and flooding the intrusion prevention system
- Tips on evasion of security protection, on rate limiting, distributing attacks and slowing down attacks
- Discussion on solutions and mitigation, on rate limiting again, increasing resources, and various other techniques
If you'd rather watch this presentation: https://www.youtube.com/playlist?list=PLfoovPTqAipVGa__xPSatN9qKC22nTKl7
A presentation describing two different approaches that we took when making use of fuzzing to discover vulnerabilities in VoIP or Real-time communications software and libraries.
We describe our failures and also our successful findings when using AFL and also our custom fuzzer, gasoline against Asterisk, Kamailio, PJSIP, RTP proxy and other solutions.
Presentation can be found at https://www.youtube.com/watch?v=CuxKD5zljVI
Most research and publications talk about layer 2 issues when it comes to VoIP. Over here we talk about VoIP security flaws that can be exploited without having physical access to the target network, i.e. attacks that can be, and are being launched through the Internet.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
2. $ whois WendelGH
PT Consultant at Trustwave's SpiderLabs
Over 7 years in the security industry
Vulnerability discovery Webmails, AP, Citrix, etc
Spoke in YSTS 2.0, Defcon 16, H2HC and others
Affiliated to Hackaholic team
OWASP 2
Friday, 4 December 2009
3. $ whois SandroGauci
Founder and CSO EnableSecurity
From .mt
Security software
VOIPPACK (CANVAS addon)
Surfjack - insecure cookies
SIPVicious
Security research papers
Been around for > 9 years
OWASP 3
Friday, 4 December 2009
4. Introduction
WAF - Web Application Firewall
next generation protection
what can we do?
can be identified, detected
bypassing the rules
exploit WAFs
OWASP 4
Friday, 4 December 2009
5. What is WAF?
Attack signatures or abnormal behavior based
WAFs products: software or hardware appliance.
Flavors:
a reverse proxy
embedded
connected in a switch (SPAN or RAP)
WAF products detect both inbound
Some also detect outbound attacks
OWASP 5
Friday, 4 December 2009
6. Who uses WAFs?
Many banks around the world
Companies which need high protection
Many companies in compliance with PCI DSS
(Payment Card Industry - Data Security
Standard)
OWASP 6
Friday, 4 December 2009
7. Operation Modes
Negative model (blacklist based)
Positive model (whitelist based)
Mixed / Hybrid
OWASP 7
Friday, 4 December 2009
8. The negative model
Relies on a database of known attacks
Eg. XSS strings like <script>, </script>,
String.fromCharCode, etc.
Often regular expressions
OWASP 8
Friday, 4 December 2009
9. Whitelist model
Whitelist based
Learning mode to create a security policy of
known “good” HTTP traffic
Known as dynamic profiling technology by some
Example:
Page news.jsp, the field "id" only accept
numbers [0-9] and starting at 0 until 65535
news.jsp?id=-1 would not be allowed
OWASP 9
Friday, 4 December 2009
10. Common Weaknesses
Design issues
WAFs have to be similar to the web apps and http
servers that they need to protect
Blacklists are by design “flawed”
Bad implementation
Parsing issues
Again - a WAF needs to do a lot of things that
the web app and http server does
ergo they can have similar security flaws!
OWASP 10
Friday, 4 December 2009
11. Detection
A number of products can be detected
sometimes by design
Detection is not a big deal but
... sometimes we’re told that WAFs are ‘invisible’
the better you know your enemy (or client), the
better
helps in a penetration test or targeted attack
shows that stealth attacks are possible
OWASP 11
Friday, 4 December 2009
12. Detection
Cookies
Reason: some WAFs are also load balancers
Headers
Header rewriting
Most obvious would be "Server"
Sometimes is a feature called “server cloaking”
“Connection” header might be changed to Cneonction
or nnCoection
Response codes
404 error codes for existent scripts
and 403 for non existent ones
OWASP 12
Friday, 4 December 2009
13. Detection via response codes
404 error codes for existent scripts
Different error codes (404, 400, 401, 403, 501,
etc) for hostile parameters (even non existent
ones) in valid pages.
OWASP 13
Friday, 4 December 2009
16. Automating WAF detection
WAFW00F
Detect 20 different WAF products
the number keeps changing thanks to contributions :-)
Options to detect multiple WAFs in place
Generic detection methods included!
Get your copy
waffit.googlecode.com
Please contribute
OWASP 16
Friday, 4 December 2009
18. Bypassing a WAF
Fingerprint the rules
Detect allowed / denied strings
Combinations of allowed or denied strings
Modify your attack to not match the blacklist
OWASP 18
Friday, 4 December 2009
19. More on bypassing WAFs
Encoding and language support, character sets
Spaces, comments, case sensitive mutation,
Unicode (%uc0af and %c0%af), etc
The web server may parse, decode and interpret
and HTTP request differently from the WAF
HTML and JS is very flexible
Various methods to split and encode your strings
OWASP 19
Friday, 4 December 2009
20. Bypassing rules
“Our Favorite XSS Filters and how to Attack
Them” by Eduardo Vela & David Lindsay
Bypass the rules by splitting the attack
(eval('al'%2b'lert(0)')
“Shocking News in PHP Exploitation” by Stefan
Esser
Using “malformed” multipart/form-data to bypass
most Modsecurity rules
F5 BIG-IP ASM could be bypassed by sending it
multipart/form-data that was interpreted differently
by PHP than ASM
OWASP 20
Friday, 4 December 2009
22. The positive model
It’s well known that the negative model is
broken
What about positive model?
They are really secure?
If we find a positive model should we give up?
OWASP 22
Friday, 4 December 2009
24. Testing WAFs for bypasses is a tedious job
Which is why we automate it :-)
WAFFUN - works in progress
Checks if the script echos back (esp in the case of
xss)
Can check if error suppression is supported
Finds out how the WAF responds when a it reacts to
an attack
Goes through a list of well known blacklisted strings
If any were blocked, it tries different encoding
methods, null characters, unicode
OWASP 24
Friday, 4 December 2009
26. WAFFUN: XSS constructor
Tries a number of tags to find out which are
allowed through
Tries a number of DHTML event handlers
Tries a number of Javascript methods
OWASP 26
Friday, 4 December 2009
28. WAFs may be vulnerable too!
Security software is not necessarily secure
Web Application specific issues: XSS, SQLi
Overflows
DoS
OWASP 28
Friday, 4 December 2009
29. Known issues
ModSecurity 2.5.9
addresses 2 vulnerabilities
"Fixed PDF XSS issue where a non-GET request for a PDF file
would crash the Apache httpd process."
"Fixed parsing multipart content with a missing part header
name which would crash Apache."
Profense 2.6.3
Profense Web Application Firewall Cross-Site Scripting
and Cross-Site Request Forgery
DotDefender 3.8-5 (this week)
Command Execution in dotDefender Site Management
(requires authentication)
seems like it is vulnerable to XSRF OWASP 29
Friday, 4 December 2009
31. Thank you
Do you have ideas / resources to improve our
tools?
wsguglielmetti [em] gmail [ponto] com
sandro [em] enablesecurity [ponto] com
Questions?
OWASP 31
Friday, 4 December 2009