New Article: Web Application Firewall Bypassing -- An Approach for Penetration Testers
A new article has been published in the Magdeburger Journal zur Sicherheitsforschung:
- Web Application Firewall Bypassing -- An Approach for Penetration Testers
by Khalil Bijjou
Security experts perform security assessments of web applications in order to identify vulnerabilities that could be exploited by malicious users. Web Application Firewalls add a second layer of protection to web applications in order to mitigate these vulnerabilities. The attempt to bypass Web Application Firewalls is an important aspect of a security assessment and is necessary to ensure accurate results. This thesis describes bypass techniques and offers a systematic approach for security experts on how to bypass Web Application Firewalls based on these techniques. In order to facilitate this approach, a tool has been developed. The outcomes of this tool have significantly contributed to finding multiple bypasses. These bypasses will be reported to the particular Web Application Firewall vendors and will presumably improve the security level of these Web Application Firewalls.
Keywords: web application firewalls, penetration testing, bypass techniques, ethical hacking, red team
This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“, edited by Stefan Schumacher and René Pfeiffer.
The article can be downloaded from the MJS page at http://www.sicherheitsforschung-magdeburg.de/publikationen/journal.html#c363