The Wide World of WAFs

Presented at DEF CON 16 (2008), Aug. 8, 2008, 10 a.m. (50 minutes)

With webapp protection now mandated by the PCI standard, web-application firewalls (WAFs) have received newfound interest from both consumers of security technologies, as well as from security researchers and potential attackers. Now that WAFs are a PCI-approved substitute for code reviews, expect many vendors to opt for this potentially less costly route to compliance. Of course, security researchers and potential attacks will increasingly train their sights on this lucrative and expanding target. This talk will explore the ModSecurity Apache module and how it is being used as a WAF to meet the PCI 6.6 webapp protection requirement. The relative strengths and weaknesses of WAFs in general and ModSecurity in particular will be highlighted. Common deployment scenarios will be discussed, including both in-the-cloud, stand-alone and Apache server embedded deployments. The ModSecurity rules language will be covered and several ModSecurity Core Rules that are representative of its capabilities will be dissected in depth. Finally, some interesting uses of ModSecurity's content injection capabilities will be discussed. Anyone up for hacking the hacker via scripting injected into your webapp's response to an attempted attack? This talk will show you how!

Presenters:

• Ben Feinstein - Security Researcher, SecureWorks Counter Threat Unit
  Ben Feinstein is a researcher on the Counter Threat Unit (CTU) at SecureWorks, working behind the scenes to support Agent Jack Bauer and the GWOT. He first became involved with information security in 2000 while working on a DARPA / USAF contract instead of going to his college classes. Since then, Ben has worked designing and implementing security-related software and appliances at a series of since acquired or failed start-ups. In his spare time Ben authored RFC 4765 and RFC 4767. His experience is in the areas of IDS/IPS, digital forensics, next-gen firewall systems, log analysis and viz, secure messaging, security appliances, small caliber arms and right-wing rhetoric. Ben has presented at Black Hat USA, DEFCON, ACSAC and others.

Links:

• https://defcon.org/html/defcon-16/dc-16-speakers.html#Feinstein2
• https://infocon.org/cons/DEF CON/DEF CON 16/DEF CON 16 video/DEF CON 16 - Ben Feinstein - Wide World of WAFs - Video.mp4
• https://www.youtube.com/watch?v=pUlBjliv0KE

Similar Presentations:

• Black Hat USA 2012 / Confessions of a WAF Developer: Protocol-Level Evasion of Web Application Firewalls
• AppSec USA 2017 / WAFs FTW! A modern devops approach to security testing your WAF
• Black Hat USA 2012 / ModSecurity as Universal Cross-platform Web Protection Tool