HF 2022 - Call for Papers

Web Application Firewall Workshop
2022-10-30, 10:00–12:00, Track Workshop
Language: English

Web Application Firewalls usage is controversial in the field of application security. Some consider them useless since they are imperfect. Others consider them an interesting ally for virtual patching and for defense in depth. Beyond this debate, firewalls are a reality in several organizations to defend edge services.

Testers may find the presence of such protection to be a drag on their security assessment. As these firewalls cannot always be disabled for testing, it is important to be able to quickly assess whether a circumvention method is possible. We have designed a workshop featuring different scenarios where a firewall is used to block certain attacks or features.


The workshop will consist of 4 main bypass categories:
- Syntax alternatives for table names, keywords and URLs.
- Encoding (URL, Unicode, case mapping)
- SQLi bypass (for mod_security and libinjection)
- Switching protocol (WebSocket, H2C)

For each of the exercises, an in-depth explanation of the technique will be discussed. Then a demonstration application will be available to participants to apply their new knowledge.

In order to do the exercises, you will need Docker, Burp Suite Pro / OWASP ZAP and Python installed.

Was this talk already given? – yes Are you releasing a tool? – no

Philippe is a security engineer working for ServiceNow. His work and research are focusing on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.