Exploiting Web Applications Protected By $WAFs

Presented at DeepSec 2013 „Secrets, Failures, and Visions“.

Web application firewalls are now used as mitigation devices to prevent exploitation of web-based assets. During this workshop the audience will learn how to exploit web applications that are deployed without any protection from web application firewalls. Typical attack vectors based on OWASP's Top Ten 2013 are explained and experienced during several hands-on sessions. The second day will introduce possible mitigation scenarios using standard mod_security WAF rule sets. The workshop participants shall learn how to configure mod_security on their own and why the default configuration or the out-of-the-box $WAF is an illusion. The attacks experienced on the first day shall be repeated and prevented by the participants themselves. During hands-on sessions the workshop trainer will advise and outline certain rules and evasion techniques. At the end of the second workshop day the audience is confronted with a highly customized mod_security ruleset to demonstrate the capabilities of, and the effort required to build, secure web applications with a $WAF, and why secure coding and security requirements engineering are still required for web applications with or without $WAFs.

Presenters:

  • Florian Brunner - Holistic Security Consulting GmbH / Board Member OWASP Austria
    My name is Florian Brunner and I work as a security consultant at HolisticSec, a company I founded. Before the foundation of my own company back in 2011, I was working as a software engineer for an international MES vendor. I have a bachelor's degree in Secure Information Systems from the University of Applied Sciences Upper Austria, Campus Hagenberg, and I will complete my master's degree in the winter of 2013. Alongside my studies at university I was chairman of "Hagenberger Kreis zur Förderung der digitalen Sicherheit", a students' association founded back in 2002 with the aim of enhancing security awareness within Austria. The yearly ICT security conference "Security Forum" is organized by this association. The main activities within my own company focus on penetration testing, social engineering and secure software development. Since 2008 I have been part of the CTF team h4ck!nb3rg.
