DeepSec 2013 Workshop: Exploiting Web Applications Protected By $WAFs

René Pfeiffer/ October 11, 2013/ Conference, Security, Training

We all use web applications on a daily basis. Search engines, portals, web sites, blogs, information pages and various other content accessible by web browsers accompany us every day. This means that web servers are among the first exposed systems you will have to protect when deploying web applications. Usually you would add filters to your network that inspect access to the software and block any malicious requests. Packet filters were the tool of choice. Now we have application level firewalls to deal with the content and the protocols used. In the case of web applications the market has introduced a new kind of device: the web application firewall (WAF).

In theory WAFs understand HTTP and know how a web browser talks to a web server. In practice no two web applications are alike, because they may be developed in-house, modified by additional modules, adapted to special requirements, or deployed in different versions. Furthermore, you or your WAF need to know which requests are normal, which are anomalous and which are malicious. So in case you have some web-based assets Out There™ you might want to investigate what your web apps and the measures to protect them really do. This is where the training Exploiting Web Applications Protected By $WAFs by Florian Brunner comes into play.

The workshop will enable you to see how unprotected web applications can be attacked and exploited. Mr Brunner will show you typical methods attackers employ. First, participants will get the opportunity to try out, in a lab environment, what attackers will do to your exposed applications. The second part illustrates how to protect against these attacks by the use of rule-based WAF software. Exercises will be configured for the mod_security module of the Apache web server. You can apply the concepts of the example configuration to any rule-based WAF. The session will demonstrate how filters can be used, what they protect against, and how web applications as a whole can be hardened to work in an untrusted environment such as the Internet.
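
As an added illustration that is not part of the workshop materials or of this post, this is the shape of a rule-based ModSecurity 2.x configuration for Apache: rules score a request as anomalous instead of blocking on a single match, and only a total above a threshold is treated as malicious. The rule ids, the regular expressions and the threshold are placeholders chosen for this example and would need tuning against the real application.

```apache
# Start in logging-only mode; switch to "On" once the rules have been tuned
# against the application's normal traffic so that legitimate requests pass.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On

# Reset the per-request anomaly score at the start of every request.
SecAction "id:10000,phase:1,nolog,pass,setvar:tx.anomaly_score=0"

# Anomalous: SQL keywords in a query string or body parameter (+5).
SecRule ARGS "@rx (?i)\b(union\s+select|or\s+1\s*=\s*1)\b" \
    "id:10001,phase:2,pass,log,msg:'SQL keywords in parameter',setvar:tx.anomaly_score=+5"

# Anomalous: a script tag in any parameter (+5).
SecRule ARGS "@rx (?i)<script" \
    "id:10002,phase:2,pass,log,msg:'Script tag in parameter',setvar:tx.anomaly_score=+5"

# Malicious: the accumulated score reaches the threshold (placeholder value 5),
# so the request is denied with HTTP 403 and the score is written to the log.
SecRule TX:ANOMALY_SCORE "@ge 5" \
    "id:10003,phase:2,deny,status:403,log,msg:'Anomaly score %{tx.anomaly_score} at or above threshold'"
```

While SecRuleEngine is DetectionOnly the deny action only logs, which is what lets you test the rules against live traffic before they block anything.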

The workshop is targeted at anyone who deploys, maintains or develops web applications. Even if you already have protection mechanisms in place, you will gain in-depth knowledge on how to deploy them correctly, adapt the rules to your needs, or even test the rules you are currently using. A defender’s job is never done, that’s why you have to keep up with the bad guys and girls.


About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.