Most discussions of WAF evasion focus on bypassing detection via attack payload obfuscation. These techniques target how WAFs detect specific attack classes, and that's fine. Protocol-level evasion techniques target a lower processing layer, which is designed to parse HTTP streams into meaningful data. A successful evasion at this layer makes the WAF see a request that is different from that seen by the victim application. Through evasion, attacks become virtually invisible. The technique can be used with any class of attack.
Especially vulnerable to this type of attack are virtual patches, which are, somewhat ironically, the most successful use case for WAFs today. I will show how, through the combination of WAF design and implementation issues, inadequate documentation and inadequate user interfaces, many virtual patches can be trivially bypassed.
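The parser mismatch described above, and its effect on a virtual patch, can be made concrete with a small strict parser. The following is an added example written for this page; it is not code from the talk or from ModSecurity. It assumes a toy virtual patch (a rule that blocks any non-numeric `id` parameter) and compares a lenient, first-value-wins evaluation against a strict policy that treats any ambiguity in the request (conflicting framing headers, duplicate parameter names, a body the WAF would not inspect) as a reason to block rather than something to guess about. All request samples are constructed.

```python
"""Added example: strict vs lenient evaluation of a virtual patch.

The defensive point: if the WAF and the backend can interpret the same bytes
differently, the rule must not be evaluated on a guess. Ambiguity is itself a
finding. Hypothetical helper names; constructed request samples.
"""
from urllib.parse import parse_qsl


def parse_request(raw: bytes) -> dict:
    """Parse a raw HTTP/1.1 request and collect ambiguity flags instead of guessing."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts

    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))

    flags = []
    # 1. Message framing must be unambiguous: at most one Content-Length value,
    #    never combined with Transfer-Encoding, and matching the body actually sent.
    cls = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if len(set(cls)) > 1:
        flags.append("conflicting-content-length")
    if cls and te:
        flags.append("content-length-with-transfer-encoding")
    if cls:
        try:
            declared = int(cls[0])
        except ValueError:
            declared = -1
            flags.append("non-numeric-content-length")
        if declared >= 0 and declared != len(body):
            flags.append("content-length-mismatch")

    # 2. Parameters: only parse bodies we know how to parse; anything else is a
    #    body the backend may read but the WAF would not, so flag it.
    path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    ctype = next((v for n, v in headers if n == "content-type"), "")
    if body:
        if ctype.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
            params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
        else:
            flags.append("uninspected-body:" + (ctype or "<none>"))

    # 3. Duplicate names: first-wins and last-wins parsers disagree on the value.
    names = [n for n, _ in params]
    dups = sorted({n for n in names if names.count(n) > 1})
    if dups:
        flags.append("duplicate-parameters:" + ",".join(dups))

    return {"method": method, "path": path, "params": params,
            "headers": headers, "flags": flags}


def block_non_numeric_id(params) -> bool:
    """Toy virtual patch: block when any 'id' value is not purely numeric."""
    return any(n == "id" and not v.isdigit() for n, v in params)


def lenient_first_wins(raw: bytes, rule) -> str:
    """A lenient evaluation: ignore ambiguity flags, keep the first value per name."""
    first = {}
    for n, v in parse_request(raw)["params"]:
        first.setdefault(n, v)
    return "block:rule" if rule(list(first.items())) else "allow"


def strict_decision(raw: bytes, rule) -> str:
    """Strict policy: an ambiguous request is blocked before the rule is consulted."""
    req = parse_request(raw)
    if req["flags"]:
        return "block:ambiguous"
    return "block:rule" if rule(req["params"]) else "allow"


# Constructed samples.
CLEAN = b"GET /item?id=42 HTTP/1.1\r\nHost: example.test\r\n\r\n"
RULE_HIT = b"GET /item?id=abc HTTP/1.1\r\nHost: example.test\r\n\r\n"
DUPLICATE = b"GET /item?id=42&id=abc HTTP/1.1\r\nHost: example.test\r\n\r\n"
UNINSPECTED = (b"POST /item HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: text/plain\r\nContent-Length: 6\r\n\r\nid=abc")

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("rule_hit", RULE_HIT),
                      ("duplicate", DUPLICATE), ("uninspected", UNINSPECTED)]:
        print(name, "lenient:", lenient_first_wins(raw, block_non_numeric_id),
              "strict:", strict_decision(raw, block_non_numeric_id),
              "flags:", parse_request(raw)["flags"])
```

The duplicate-parameter sample is the instructive one: the lenient evaluation passes it because the first `id` value is numeric, while a backend that keeps the last value would read `abc`, so the virtual patch protects only the parser that evaluated it. The strict policy does not try to predict which interpretation the backend will choose; it blocks because the two can differ at all, which is the check a WAF needs in order to keep a virtual patch meaningful.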
In this talk I will share the lessons learned from 10 years of web application firewall development. The focus will be on demonstrating the problems that exist today, including a previously unknown flaw in ModSecurity that remained undetected for many years. In addition, I will discuss many evasion techniques that are countered in ModSecurity, but which may be effective against other tools.
As part of this talk, I will release a catalogue of protocol-level evasion techniques and a complete testing suite.
Ivan Ristic is a respected security expert and author, known especially for his contribution to the web application firewall field and the development of ModSecurity, an open source web application firewall. He is also the author of Apache Security, a comprehensive security guide for the Apache web server, and ModSecurity Handbook. He founded SSL Labs, a research effort focused on the analysis of the real-life usage of SSL and the related technologies. A frequent speaker at computer security conferences, Ivan is a member of the Open Web Application Security Project (OWASP), and an officer of the Web Application Security Consortium (WASC).