Breaking Security Defenses - SQL Injections that Aren't Detected by Filters
File Size: 2.03 MB
Rubén V. Piña
Date: 29 November 2024
Nowadays Web Application Firewalls are used by the government sector, law enforcement agencies, banks, financial institutions, telecommunication companies and countless industries and entities in the private sector. Many of the most popular WAFs on the market were engineered by some of the world's leading IT companies. A sample study of the websites listed on HackerOne and Bugcrowd found that between 40% and 50% of them use a WAF to protect their infrastructure against intrusions and attacks.
The SQL injection rules of 20 of the most popular WAFs were thoroughly tested; the result was that all of them were broken, except for a single brand. The cross-site scripting rules proved to be much more challenging than in previous years, but in the end most of them were bypassed (sometimes only partially, i.e. requiring user interaction) and only a small fraction appear to be secure.
Bypassing WAFs is no longer only a matter of obfuscating and encoding attack vectors. WAFs now implement code parsers that attempt to distinguish dangerous code from statements that are safe to execute. I think it is fun to find ways to fool these parsers: to craft attack vectors that appear to be safe but actually aren't.
Given that WAFs are widely regarded as a trustworthy security solution, the goal of this talk is to evaluate and measure the security level provided by different WAF products by showing various attack vectors (SQLi and XSS) that bypass almost all of them. Attendees will acquire the knowledge needed to evaluate these security products and make better decisions regarding investment and implementation, and will learn how to deal with these defenses when performing security audits.
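As an added illustration of the difference between a plain keyword filter and the parser-style rules the abstract describes (example code written for this page, not from the talk or from any WAF product): a blocklist flags keywords wherever they occur, while a structural check tokenizes the statement and asks whether the user-supplied value changed its shape. The query template, sample inputs and the tiny token grammar are all constructed for the demo.

```python
import re

# Token classes for a toy SQL tokenizer; the structure check compares
# token kinds, never token text. Constructed for this example only.
TOKEN_RE = re.compile(r"""
    (?P<space>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|[=<>(),;*+\-/])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return the sequence of token kinds in sql; whitespace is dropped.
    An unpaired quote cannot form a string literal and lands in 'other'."""
    return [m.lastgroup for m in TOKEN_RE.finditer(sql) if m.lastgroup != "space"]


def keyword_filter(user_input):
    """Blocklist-style rule: flag any input containing a SQL keyword.
    Cheap, but context-blind: it cannot tell data from code, so the
    legitimate value "select your seat" is rejected."""
    return re.search(r"\b(select|union|or|and|drop|insert)\b", user_input, re.I) is not None


def structure_filter(template, user_input, benign="x"):
    """Parser-style rule: the statement built from the real input must have
    the same token structure as one built from a harmless value. Input that
    stays inside its literal keeps the shape; input that closes the literal
    and appends clauses (or leaves a dangling quote) changes it."""
    expected = tokenize(template.format(benign))
    actual = tokenize(template.format(user_input))
    return expected != actual


if __name__ == "__main__":
    T = "SELECT id FROM users WHERE name = '{}'"   # constructed template
    for value in ["alice", "alice' OR '1'='1", "select your seat", "O'Brien", "O''Brien"]:
        print(f"{value!r:22} keyword={keyword_filter(value)!s:5} "
              f"structure={structure_filter(T, value)}")
```

A deployed WAF sees only the HTTP request, not the application's query template, so it must infer the context a value lands in; that inference is what the abstract says can be fooled, which is why the application's own input handling remains the primary control.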
Copyright © 2024 CISSE™. All rights reserved.