Bypassing Web App Firewalls

Published on February 2017

Methods to Bypass a Web Application Firewall

Dmitri Evteev, Positive Technologies

Subjects in Question

• Unsafe world of web-applications
• What can save us from the threats
• Web Application Firewall: what is that and what's it for?
• Methods to bypass a Web Application Firewall
• Practice of bypassing a Web Application Firewall
• Real-world example, or why the CC’09 was not cracked
• Conclusions

Unsafe World of Web-Applications

OWASP Top-10 SANS Top-20

Web-application security statistics 2008 by Positive Technologies (Whitebox Sites %) - http://www.ptsecurity.ru/analytics.asp


Web-application security statistics 2008 by WASC (Whitebox Sites %) - http://www.webappsec.org/projects/statistics/

Methods to Reduce the Threats

Directive approach
• Software Development Life Cycle (SDLC); «paper security»; organization of high-level processes

Detective approach
• Black/white-box testing of functions; fuzzing; static/dynamic/manual analysis of program code

Preventive approach
• Intrusion Detection/Prevention Systems (IDS/IPS), Web Application Firewall (WAF)
