Re: [WEB SECURITY] Bypassing WAF via HTTP Pollution

[Robin Wood <robin () digininja org>]

On 4 October 2012 10:40, Ivan Ristic <ivan.ristic () gmail com> wrote:
> I guess this would be a good opportunity for me to mention my research
> on the topic:
>
> Protocol-level evasion of web application firewalls
> http://blog.ivanristic.com/2012/07/protocol-level-evasion-of-web-application-firewalls.html

I like the table Danux has showing what order the various
languages/technologies parse the parameters and was wondering if
anyone had a table like this for WAFs, that way it would be a lot
easier to match the language and the WAF and know what ordering to use
to bypass it.

Robin


> On Wed, Oct 3, 2012 at 10:55 AM, Danux <danuxx () gmail com> wrote:
> > By playing CSAW CTF you always learn something new (at least myself).
> >
> > Hope you enjoy it:
> >
> > http://danuxx.blogspot.com/2012/10/bypassing-waf-via-http-parameter.html
> >
> > --
> > DanUx
> >
> > _______________________________________________
> > The Web Security Mailing List
> >
> > WebSecurity RSS Feed
> > http://www.webappsec.org/rss/websecurity.rss
> >
> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> > WASC on Twitter
> > http://twitter.com/wascupdates
> >
> > websecurity () lists webappsec org
> > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>
>
> --
> Ivan Ristić
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------