Web Application Firewalls (WAFs) are quickly taking their place within the network in order to protect web applications against common security holes such as Cross Site Scripting and SQL injection. They are also known by other names, such as 'Deep Packet Inspection Firewalls', because they inspect every request and response at the TLS, HTTP, SOAP, XML-RPC and Web Service layers. Web Application Firewalls can be either software or hardware-appliance based, and are typically installed in front of a webserver to shield it from incoming attacks. Today WAF systems are considered the next-generation product for protecting websites against web hacking attacks.
During this presentation we will show in practice how the big-name Web Application Firewalls can be identified and detected, and we will introduce new attacks that evade specific products. Additionally, we will show how Web Application Firewalls can themselves be vulnerable to the same classes of vulnerability that they are meant to protect Web Applications from.
Bonus: we will be releasing a new tool and a new exploit.
Learn more about Sandro Gauci.
Learn more about Wendel Guglielmetti Henrique.