Many assume that a web application firewall is enough to protect web applications from malicious attacks, and that fixing security vulnerabilities is therefore unnecessary thanks to the WAF’s blacklist of functions, keywords or characters. However, expectations are very different from reality.
Watch episode 526 of Paul’s Security Weekly, in which our security researcher Sven busts the myths and demos how attackers can bypass web application firewalls and all kinds of blacklist filters to attack and exploit security holes in vulnerable websites. In his demo, Sven shows how to:
- Bypass Cross-Site Scripting, Command Injection and Code Evaluation filters that were meant to protect your web applications
- Avoid being caught by WAFs
- Approach WAFs and blacklist filters in general.
During the demo, Sven also explains why it is not possible to have one payload that bypasses all filters, and why less is often more when it comes to bypassing such security mechanisms.