三个皮匠报告
最新
报告分类 研报
热门标签
BETA
政策库
new
入驻
搜索
Qi Wang & Jianjun Chen & Run Guo & Chao Zhang & Haixin Duan_Break the Wall from Bottom Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls.pdf 报告预览

Qi Wang & Jianjun Chen & Run Guo & Chao Zhang & Haixin Duan_Break the Wall from Bottom Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls.pdf

编号:175501 PDF 50页 4.39MB 下载积分:VIP专享
下载报告请您先登录!

Qi Wang & Jianjun Chen & Run Guo & Chao Zhang & Haixin Duan_Break the Wall from Bottom Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls.pdf

1、#BHUSA BlackHatEventsBreak the Wall from Bottom:Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application FirewallsSpeaker:Qi Wang(Eki)Contributors:Jianjun Chen,Run Guo,Chao Zhang,Haixin Duan#BHUSA BlackHatEvents2Talk RoadmapvWhat are WAFs and how do they work?vHow do we disco

2、ver new evasion cases automatically?vHow to bypass WAF at the protocol-level like a Pro?vBonus:Three useful tactics to bypass WAFs at the protocol-level#BHUSA BlackHatEvents3WebApps Security RiskvWebApp uses parameters in HTTP request messages as user inputsvMalicious user inputs can hijack the cont

3、rol flow of the WebAppA code snippet from a PHP WebApp with SQL injection vulnerability?id=0 union select*from secret#BHUSA BlackHatEvents4How WAF Protect WebApp from Security Risk?vWAFs monitor WebApp traffic to block malicious HTTP requestsVirtual Patch:protect the WebApp before the developers rel

4、ease the patch.?id=0 union select*from secret UserAttackerWebAppWAF#BHUSA BlackHatEvents5The never-ending battle between hackers and WAFsvCloudflare research*shows lots of activity since Log4jShellHackers have been looking for ways to bypass WAFAfter$jdni got blocked,the hackers applied encoding met

5、hods&log4j features*https:/ BlackHatEvents6The Working Principle of WAFsvParse-Match-ApplyAttackerWebAppGET/HTTP/1.1Content-Type:application/json”id”:”1or(1=1)#”Deny requestARGS:Key:id Value:1or(1=1)#WAF ParsingARGS contains or(1=1)#denyVariableOperatorActionWont send to server Matching#BHUSA BlackH

6、atEvents7Wait a minute?Looks like a weak rule!vJust change the case of keywords and use instead of=vNow you find payload-level evasion tacticsAttackerWebAppGET/HTTP/1.1Content-Type:application/json“id”:“1Or(10)#”Response with leaked dataARGS:Key:id Value:1Or(10)#WAFParsingARGS contains or(1=1)#denyF

友情提示

1、下载报告失败解决办法
2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
4、本站报告下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。

本文(Qi Wang & Jianjun Chen & Run Guo & Chao Zhang & Haixin Duan_Break the Wall from Bottom Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls.pdf)为本站 (张5G) 主动上传,三个皮匠报告文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知三个皮匠报告文库(点击联系客服),我们立即给予删除!

温馨提示:如果因为网速或其他原因下载失败请重新下载,重复下载不扣分。
全行业研究报告分享下载平台
  • 0731-84720580
  • 商务合作:really158d
  • 友链申请 (QQ):1737380874
关于我们
更多
关于我们
三个皮匠报告微信公众号
三个皮匠报告微信小程序
扫码咨询网站充值下载问题
友情链接:
营销自动化 亿欧智库 微播易 阿里妈妈
copyright@2008-2013 长沙景略智创信息技术有限公司版权所有        网站备案/许可证号:湘B2-20190120 | 工信部备案号:湘ICP备17000430号-2 | 公安备案号:湘公网安备43010402001071号
客服
商务合作
小程序
服务号
折叠