Most discussions of WAF evasion focus on bypassing detection via attack payload obfuscation. These techniques target how WAFs detect specific attack classes, and that's fine. Protocol-level evasion techniques target a lower processing layer, which is designed to parse HTTP streams into meaningful data. A successful evasion at this layer makes the WAF see a request that is different from that seen by the victim application. Through evasion, attacks become virtually invisible. The technique can be used with any class of attack.
Especially vulnerable to this type of attack are virtual patches, which are, somewhat ironically, the most successful use case for WAFs today. I will show how, through the combination of WAF design and implementation issues, inadequate documentation and inadequate user interfaces, many virtual patches can be trivially bypassed.
In this talk I will share the lessons learned from 10 years of web application firewall development. The focus will be on demonstrating the problems that exist today, including a previously unknown flaw in ModSecurity that remained undetected for many years. In addition, I will discuss many evasion techniques that are countered in ModSecurity, but which may be effective against other tools.
As part of this talk, I will release a catalogue of protocol-level evasion techniques and a complete testing suite.