[Owasp-slovakia] Presentation - Bypassing Web Application Firewalls (WAF)

Pavol Luptak pavol.luptak at nethemba.com
Tue Feb 8 09:56:13 EST 2011


Hi all,
I would like to invite you to my presentation
"Bypassing Web Application Firewalls (WAF)" at Progressbar on Thursday 3.3.2011
at 19:00.

If you want to understand advanced obfuscation techniques like creating this
nonalphanumeric JavaScript code:

_=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;$$=({}+"")[_____]+({}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];$$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];$_$=({}+"")[_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+({}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___]; ($)[$$][$$]($$$+"('"+$_$+"')")() 

just come to Progressbar!

More info
http://www.progressbar.sk/blog/-/blogs/bypassing-web-application-firewalls-wafs

Abstract:

The goal of the presentation is to describe typical obfuscation attacks that
allow an attacker to bypass standard security measures such as various input
filters, output encoding mechanisms used in web-based intrusion detection
systems (IDS), intrusion prevention systems (IPS) and web application
firewalls (WAFs). These attacks include different networking tricks,
polymorphic shellcode and various code techniques.
At the beginning we analyze and compare different HTML parsing and
interpretation approaches used by the most common browsers that can lead to
unique attack vectors.
JavaScript with its full range of features represents another effective way
that can be used to obfuscate or de-obfuscate code – some existing obfuscation
tools are mentioned.
We describe how it is possible to construct a "nonalphanumeric JavaScript
code" which does not contain alphabetic or numeric characters, but can still
contain malicious executable code. CSS (Cascading Style Sheets) also have many
features that can be abused in very interesting ways (for example the CSS
history hack used against weak CSRF tokens).
Although most current applications are immune to SQL injection attacks,
it is still possible to find many vulnerable applications. We focus on
different fuzzy techniques (and useful open source SQL injection tools that
implement them) which can still be used to bypass weak input validation
controls.
We conclude our presentation with a demonstration of the most basic
obfuscation techniques that can be successfully used to bypass traditional web
application firewalls (WAFs).
Finally we briefly describe current mitigation techniques that are recommended
for an efficient malicious JavaScript code analysis and for sanitizing user
input containing untrusted code.
-- 
Pavol Luptak, CISSP, CEH
OWASP Slovakia chapter leader
http://www.owasp.org/index.php/Slovakia