WebApp Sec mailing list archives

Re: [WEB SECURITY] Bypassing WAF via HTTP Pollution


From: Ivan Ristic <ivan.ristic () gmail com>
Date: Mon, 8 Oct 2012 20:55:29 +0100

On Mon, Oct 8, 2012 at 10:51 AM, Robin Wood <robin () digininja org> wrote:
On 4 October 2012 10:40, Ivan Ristic <ivan.ristic () gmail com> wrote:
I guess this would be a good opportunity for me to mention my research
on the topic:

Protocol-level evasion of web application firewalls
http://blog.ivanristic.com/2012/07/protocol-level-evasion-of-web-application-firewalls.html

I like the table Danux has showing what order the various
languages/technologies parse the parameters and was wondering if
anyone had a table like this for WAFs, that way it would be a lot
easier to match the language and the WAF and know what ordering to use
to bypass it.

According to my reading of the blog post, the "WAF" in question was a
simulation. In reality, I wouldn't expect that you'd be able to bypass
a WAF by providing multiple instances of the same parameter. The
expected behaviour is that all such values are inspected.

Where it gets tricky is when you are able to split the payload across
two or more parameter instances, and you're attacking an application
that will combine the values into a single string. That could be handy
for bypassing WAFs, but it depends entirely on being able to craft a
payload that will not be detected in "pieces".


Robin



On Wed, Oct 3, 2012 at 10:55 AM, Danux <danuxx () gmail com> wrote:
By playing CSAW CTF you always learn something new (at least myself).

Hope you enjoy it:

http://danuxx.blogspot.com/2012/10/bypassing-waf-via-http-parameter.html

--
DanUx

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity () lists webappsec org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



--
Ivan Ristić



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




-- 
Ivan Ristić
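The tricky case Ivan describes above, where an application joins several instances of the same parameter into one string while an inspection layer only ever looks at each instance on its own, can be made concrete with a small Python model. This is an added example, not code from the original thread or from any product mentioned in it. The parsing policies ("first", "last", "join with a comma") and the single detection rule are constructed for illustration; the query strings are constructed sample input.

```python
import re
from urllib.parse import parse_qsl

# Constructed detection rule for the demonstration (hypothetical; not taken
# from any real WAF rule set). \W+ lets it match across the separator that a
# "join" policy inserts between duplicate values.
RULE = re.compile(r"union\W+select", re.IGNORECASE)

# Duplicate-parameter policies modelled here (assumption: these three cover
# the common behaviours described in the thread's linked posts).
POLICIES = ("first", "last", "join")


def parse_params(query: str) -> dict[str, list[str]]:
    """Group every occurrence of each parameter name, preserving order."""
    params: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params


def app_view(values: list[str], policy: str) -> str:
    """Return the string an application would see for one parameter name
    under the given duplicate-parameter policy."""
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "join":
        return ",".join(values)          # comma join, as some platforms do
    raise ValueError(f"unknown policy: {policy}")


def inspect_per_value(params: dict[str, list[str]]) -> bool:
    """Inspection that checks each parameter instance in isolation.
    This is the behaviour Ivan says is expected of a WAF: every instance is
    looked at, but only one at a time."""
    return any(RULE.search(v) for values in params.values() for v in values)


def findings(params: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Inspection that also checks every application-side view of a repeated
    parameter. Returns (name, view, matched text) for each hit so an analyst
    can see which view fired; 'instance' marks a hit on a single value."""
    hits: list[tuple[str, str, str]] = []
    for name, values in params.items():
        for v in values:
            m = RULE.search(v)
            if m:
                hits.append((name, "instance", m.group(0)))
        if len(values) > 1:              # only repeated names need joined views
            for policy in POLICIES:
                m = RULE.search(app_view(values, policy))
                if m:
                    hits.append((name, policy, m.group(0)))
    return hits


def inspect_all_views(params: dict[str, list[str]]) -> bool:
    return bool(findings(params))


if __name__ == "__main__":
    # Constructed sample requests: benign duplicates, a single-instance
    # match, and the same pattern split across two instances.
    for q in ("id=1&id=2", "q=1+union+select+2", "q=1+union+&q=+select+2"):
        p = parse_params(q)
        print(f"{q!r}: per-value={inspect_per_value(p)} "
              f"all-views={inspect_all_views(p)} {findings(p)}")
```

Run as a script it prints one line per sample query; the split case is the one where the per-instance check stays quiet while the joined view fires. The design point for a defender is in `findings`: when a parameter name repeats, generate the views the application can actually form and inspect those too, rather than assuming that inspecting each instance is sufficient.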


