DeepSec 2017 Talk: Bypassing Web Application Firewalls – Khalil Bijjou

Everyone has firewalls or filters. They are now called application-level gateways (ALG) and come with lots of features included: algorithms, signatures, heuristics, protocol checks, verification; you name it. It’s all in there. But does it work? Obfuscation and evasion techniques have been around since the first filter was created. Anticipating what data might look like is hard, and some protocols were designed to be as ambiguous as possible, one might think. At DeepSec 2017 Khalil Bijjou will show you what can be done by being evasive on the web.

Security experts perform security assessments of web applications in order to identify vulnerabilities that could be exploited by malicious users. Web Application Firewalls add a second layer of protection to web applications in order to mitigate these vulnerabilities.

The attempt to bypass Web Application Firewalls is an important aspect of a security assessment and is necessary to ensure accurate results. This talk describes bypass techniques and offers a systematic approach for security experts on how to bypass Web Application Firewalls based on these techniques.

In order to facilitate this approach, the tool WAFNinja will be introduced. The output of this tool has contributed significantly to finding multiple bypasses, which have been reported to the respective Web Application Firewall vendors and have since been fixed.

We recommend this presentation for anyone dealing with HTTP/HTTPS. Or the web. Or web applications.

Khalil Bijjou is an enthusiastic ethical hacker, bug hunter and penetration tester for the German IT security consulting firm EUROSEC. He performs security assessments for major companies, especially in the fields of web, mobile and SAP security. Khalil took second place in the German Post IT Security Cup 2015 and has spoken at PHDays in Moscow and DefCamp in Bucharest.
