The workshop gather examples I came accross in various assesments of the last few years. Testers (including myself) tend to go for the more complex techniques. I am hoping it will help put the spotlight on ideas that are not encoding related.
Workshop Material
If want to review its content, here are the slides and material to reproduce the exercises.
Slides : The slides I use to present the theory and exercises.
Workshop mini site : A more detailed version of the exercises.
Github Repository: All docker instances can be rebuild from the source
This was the first workshop that I built with MkDocs. I really liked its simplicity to get started and the features available to create rich content. It was easier and more reliable than Google Code Labs (which I used for workshops on XXE, Template Injection and Request Smuggling).
Conclusion
Remember that there are no silver bullets. Even with the most complete checklist, it is likely that you will encounter a case where you can't find a bypass. Hopefully, with that information, you will be more methodical and more efficient the next time you encounter a WAF.
No comments:
Post a Comment