This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "2018 BASC Presentations"
Tom Conner (talk | contribs) (fix link) |
m (Starting to add Presentation Descriptions) |
||
| Line 3: | Line 3: | ||
| − | |||
| − | |||
__FORCETOC__ | __FORCETOC__ | ||
We would like to thank our speakers for donating their time and effort to help make this conference successful. | We would like to thank our speakers for donating their time and effort to help make this conference successful. | ||
| − | {{2018_BASC:Presentaton_Info_Template| | + | {{2018_BASC:Presentaton_Info_Template|MSeVader: Outsmarting the WAF|Brent Dukes| | | }} |
| + | |||
| + | ModSecurity Evader (MSeVader) is a tool that assists offensive security testers in crafting payloads that evade ModSecurity WAF rules. A Burp Suite extension providing visual feedback in real time to rule violations, the attacker can tweak payloads before submitting them to the web server, ensuring they are not blocked. The demonstration of the tool will include techniques of fingerprinting the WAF, to determine specific threshold settings of the WAF rules, allowing the attacker to know whether the payload will be blocked without sending packets. This tool has been used to successfully discover WAF evading payloads to execute SQL injection, XSS, and inject web shells to a site behind a popular commercial cloud-based WAF solution, at maximum paranoia settings. | ||
| − | |||
| − | |||
| − | |||
{{2018_BASC:Footer_Template|Workshops}} | {{2018_BASC:Footer_Template|Workshops}} | ||
Revision as of 02:27, 2 October 2018
Gold Sponsors
Please help us keep BASC free by viewing and visiting all of our sponsors.
We would like to thank our speakers for donating their time and effort to help make this conference successful.
MSeVader: Outsmarting the WAF
ModSecurity Evader (MSeVader) is a tool that assists offensive security testers in crafting payloads that evade ModSecurity WAF rules. A Burp Suite extension providing visual feedback in real time to rule violations, the attacker can tweak payloads before submitting them to the web server, ensuring they are not blocked. The demonstration of the tool will include techniques of fingerprinting the WAF, to determine specific threshold settings of the WAF rules, allowing the attacker to know whether the payload will be blocked without sending packets. This tool has been used to successfully discover WAF evading payloads to execute SQL injection, XSS, and inject web shells to a site behind a popular commercial cloud-based WAF solution, at maximum paranoia settings.
