Monday, December 5, 2022

Hackfest 2022: Web Application Firewall (Bypasses) Workshop

Last month, I presented a workshop on Web Application Firewall (WAF) bypasses at Québec's Hackfest security conference.

The workshop gather examples I came accross in various assesments of the last few years. Testers (including myself) tend to go for the more complex techniques. I am hoping it will help put the spotlight on ideas that are not encoding related.

Workshop Material

If want to review its content, here are the slides and material to reproduce the exercises.

Slides : The slides I use to present the theory and exercises.

Workshop mini site : A more detailed version of the exercises.

Github Repository: All docker instances can be rebuild from the source

This was the first workshop that I built with MkDocs. I really liked its simplicity to get started and the features available to create rich content. It was easier and more reliable than Google Code Labs (which I used for workshops on XXE, Template Injection and Request Smuggling).


Remember that there are no silver bullets. Even with the most complete checklist, it is likely that you will encounter a case where you can't find a bypass. Hopefully, with that information, you will be more methodical and more efficient the next time you encounter a WAF.

No comments:

Post a Comment