Presentation: Modern WAF Bypass Scripting Techniques for Autonomous Attacks

Track: Trust, Safety, & Security

Location: Empire Complex, 7th fl.

Duration: 2:55pm - 3:45pm

Day of week: Tuesday

Share this on:


#Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, whether you're scraping data from a competitors website, or arbitraging March Madness bets. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This presentation will be a mini-tutorial on how the various forms of “bot detection” out there work, and the philosophies behind how to modify/spoof the necessary client environments to bypass nearly all of them using anything from Python and Javascript to Selenium, Puppeteer and beyond.

Speaker: Johnny Xmas

Blade Runner & Director of Field Engineering (NA / EU) @kasada_io

#Johnny Xmas is a predominant personality in the Information Security community, most well-known for his work on the TSA Master Key leaks between 2014 and 2018. Currently working with the Australian firm ‘Kasada’ to defend against the automated abuse of web infrastructure, he was previously the lead consultant on Uptake’s Industrial Cybersecurity Platform. Prior to this, he spent many years in the field as a penetration tester, focusing heavily on both IT and physical security of financial and medical facilities, Security Engineer for a global Fortune 500 retail corporation, and Mainframe auditor and Systems Engineer for several IT asset recovery firms.

Find Johnny Xmas at


Monday, 24 June

Tuesday, 25 June

Wednesday, 26 June