Sometimes your endpoint is a server (or a couple thereof). Very often your server is a web server. A lot of interesting, dangerous, and odd code resides on web servers these days. In case you have ever security-tested web applications, you know that these beasts are full of surprises. Plus the servers get lots of requests, some trying to figure out where the weaknesses are. This is how web application firewalls (WAF) come into play. Firewalls have come a long way from inspecting layer 3/4 traffic up to all the peculiarities of layer 7 protocols. Once your firewall turns ALG and more, things get complicated. Since security researchers love complexity Ashar Javed has taken a look at WAF systems. Here is his presentation held at DeepSec 2015.
He found 50 ways to bypass the default signatures dealing with the detection of cross-site scripting (XSS). He concentrated on appliances / cloud-based solutions from two vendors. The bypasses can be used for other WAF products as well, so don’t relax.
Make sure you know your web applications inside out when exposing them to untrusted networks. Be thorough and don’t deploy code you don’t fully understand.