Web Application Security
Re: [WEB SECURITY] Bypassing WAF via HTTP Pollution Oct 04 2012 09:40AM
Ivan Ristic (ivan ristic gmail com) (1 replies)
Re: [WEB SECURITY] Bypassing WAF via HTTP Pollution Oct 08 2012 09:51AM
Robin Wood (robin digininja org) (1 replies)
Re: [WEB SECURITY] Bypassing WAF via HTTP Pollution Oct 08 2012 07:55PM
Ivan Ristic (ivan ristic gmail com) (1 replies)
On Mon, Oct 8, 2012 at 10:51 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
> On 4 October 2012 10:40, Ivan Ristic <ivan.ristic (at) gmail (dot) com [email concealed]> wrote:
>> I guess this would be a good opportunity for me to mention my research
>> on the topic:
>>
>> Protocol-level evasion of web application firewalls
>> http://blog.ivanristic.com/2012/07/protocol-level-evasion-of-web-applica
tion-firewalls.html
>
> I like the table Danux has showing what order the various
> languages/technologies parse the parameters and was wondering if
> anyone had a table like this for WAFs, that way it would be a lot
> easier to match the language and the WAF and know what ordering to use
> to bypass it.

According to my reading of the blog post, the "WAF" in question was a
simulation. In reality, I wouldn't expect that you'd be able to bypass
a WAF by providing multiple instances of the same parameter. The
expected behaviour is that all such values are inspected.

Where it gets tricky is when you are able to split the payload across
two or more parameter instances, and you're attacking an application
that will combine the values into a single string. That could be handy
for bypassing WAFs, but it depends entirely on being able to craft a
payload that will not be detected in "pieces".

> Robin
>
>
>>
>> On Wed, Oct 3, 2012 at 10:55 AM, Danux <danuxx (at) gmail (dot) com [email concealed]> wrote:
>>> By playing CSAW CTF you always learn something new (at least myself).
>>>
>>> Hope you enjoy it:
>>>
>>> http://danuxx.blogspot.com/2012/10/bypassing-waf-via-http-parameter.html

>>>
>>> --
>>> DanUx
>>>
>>> _______________________________________________
>>> The Web Security Mailing List
>>>
>>> WebSecurity RSS Feed
>>> http://www.webappsec.org/rss/websecurity.rss
>>>
>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>
>>> WASC on Twitter
>>> http://twitter.com/wascupdates
>>>
>>> websecurity (at) lists.webappsec (dot) org [email concealed]
>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.
org
>>
>>
>>
>> --
>> Ivan RistiÄ?
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>

--
Ivan RistiÄ?

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]
RE: [WEB SECURITY] Bypassing WAF via HTTP Pollution Oct 08 2012 09:09PM
Dave Wichers (dave wichers aspectsecurity com) (1 replies)
Re: [WEB SECURITY] Bypassing WAF via HTTP Pollution Oct 08 2012 10:40PM
Rcbarnett (rcbarnett gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus