Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism

Presented at Global AppSec - DC 2019, Sept. 13, 2019, 11:30 a.m. (45 minutes).

In this talk, we'll not only go through the core ideas and concepts of the Web application firewall (WAF) and also some background information about mutation testing against web applications, but introduce a promising direction of automatically generating SQL Injection attacks with Polymorphism. We'll be giving out some case studies and bypasses for the ModSecurity's latest version alongside our demonstrations and explain why common detections cannot help in this place as well. The audience will then realize the power of this concept and the beauty of the SQL language after the talk.

Presenters:

• Boik Su
  Boik Su has five-year experience in Web development, and actively using Open Source Software to create and manage applications or tools for his research in Web Security. He has received some awards from CTFs, been the speaker at AVTokyo 2017 and 2018, Taiwan Modern Web 2017, OSCON 2018, and the lecturer at Taiwan HITCON Training and National Center for Cyber Security Technology.

Links:

• https://globalappsecdc2019.sched.com/event/TgPM/farewell-waf-exploiting-sql-injection-from-mutation-to-polymorphism

Similar Presentations:

• DEF CON 20 (2012) / SQL ReInjector - Automated Exfiltrated Data Identification
• DEF CON 10 (2002) / SQL Injection
• DerbyCon 2.0 Reunion (2012) / SQL Injection 101