2022-10-30, 10:00–12:00, Track Workshop
Web Application Firewalls usage is controversial in the field of application security. Some consider them useless since they are imperfect. Others consider them an interesting ally for virtual patching and for defense in depth. Beyond this debate, firewalls are a reality in several organizations to defend edge services.
Testers may find the presence of such protection to be a drag on their security assessment. As these firewalls cannot always be disabled for testing, it is important to be able to quickly assess whether a circumvention method is possible. We have designed a workshop featuring different scenarios where a firewall is used to block certain attacks or features.
The workshop will consist of 4 main bypass categories:
- Syntax alternatives for table names, keywords and URLs.
- Encoding (URL, Unicode, case mapping)
- SQLi bypass (for mod_security and libinjection)
- Switching protocol (WebSocket, H2C)
For each of the exercises, an in-depth explanation of the technique will be discussed. Then a demonstration application will be available to participants to apply their new knowledge.
In order to do the exercises, you will need Docker, Burp Suite Pro / OWASP ZAP and Python installed.