Security

Modern WAF Bypass Scripting Techniques for Autonomous Attacks

Is this a workshop? A code walkthrough?

I do teach it as a workshop, but we don't have time for the full four to eight hours as it requires. This is a workshop distilled into a run through of all of the most effective techniques out there for bypassing not only the WAFs that exists but also automation detection is becoming a huge thing these days because WAFs for the most part operate on really archaic 1990s methodology of IP reputation and HTTP header inspection, all of which is easy to spoof, bypass, generate fake stuff. That's generated a need for new technologies to come forth to defend against these attacks that are coming in. That's become this automation detection field, automation that has become very large because when you're dealing with economies of scale of attacking you're never going to be able to stop an intelligent human attacker who's really dedicated, who really wants to get it. For the most part they're eventually going to find their way.

Is this talk solely be on the offensive or will you also talk and once you go through the offensive how to actually catch all?

This talk will solely be on the offensive. However, by the nature of how I'm presenting it, anybody who develops in-house defensive systems for what we're doing here, for the offensive attacks, is going to be able to see how the attacks work and go, oh, I should also be looking for this, I should also be looking for that. I should have a HTTP header rotation and my inspections should care about the case of the HTTP headers, and I should stop caring about IP reputation because new IP are easy to get. Things like that. So it's going to be very easily translatable to the defensive side.