ha.ckers sla.cking
Web Application Firewall Assessment
Posted by: bin4ry
Date: May 04, 2009 02:32PM

Hi all,

Hope this is the right section. I'm a student at a German university and I'm working on my
bachelor thesis. The subject is Web Application Firewalls.
One practical part of this work is an assessment of one of those
WAFs. Since I can choose which product I'm going to test, I think
I'll stick to ModSecurity.
I'll place some vulnerable apps behind ModSecurity (some self-made ones
+ WebGoat, or similar) and try to get through ModSecurity with some
malicious requests / payloads.

Before doing so I'd like to ask you guys if you can give me some
advice concerning this assessment. Have some of you already done
similar stuff? If so, would you mind sharing experiences? Are there
any best practices for setting up the scene? Do you know of some attack
vectors WAFs are facing problems with? I guess XSS in combination with
CSS will be hard to recognize. Already tried some DOM-XSS in
combination with URL fragments:

Some JavaScript uses the document.location object to extract the
'name' parameter and to echo it to the user.

I thought that, if I pass something like this:


the whole fragment won't be sent to the server, therefore making it
hard for ModSecurity to sanitize it. But I failed. It was sanitized well.

I guess I'll need to check out some alternative encodings to circumvent

Anyway, some input would be appreciated.

Have a nice evening,

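An added illustration of the fragment mechanism bin4ry describes (my own example, not code from the post or from ModSecurity). It models the page with plain functions so it runs under Node: the hostname app.example, the page greet.html and the payload are constructed for the demo and are not a specific bypass. The point it makes is structural: the request target a server-side WAF inspects is path plus query string, while the fragment that the client-side script reads never leaves the browser, so the fix has to live in the page's own sink, not in the WAF.

```javascript
// Added example (not from the thread): why a server-side WAF cannot see a
// DOM-based XSS payload carried in the URL fragment.

// What a server (and a WAF in front of it) receives in the request line:
// path and query string only. The fragment is never sent.
function requestTargetSeenByServer(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Client-side parameter extraction, as described in the post: the script
// reads the 'name' parameter out of the fragment (document.location.hash).
// URLSearchParams also undoes the percent-encoding the URL parser applied.
function nameFromFragment(url) {
  const hash = new URL(url).hash.replace(/^#/, '');
  return new URLSearchParams(hash).get('name') || '';
}

// Vulnerable sink: the value is concatenated straight into markup
// (the string equivalent of element.innerHTML = ...).
function renderVulnerable(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened sink: escape before the value reaches an HTML context
// (the string equivalent of using textContent instead of innerHTML).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Constructed sample URL (hypothetical host and page, generic script tag).
const SAMPLE = 'http://app.example/greet.html#name=<script>alert(1)</script>';

console.log('server/WAF sees :', requestTargetSeenByServer(SAMPLE));
console.log('client extracts :', nameFromFragment(SAMPLE));
console.log('vulnerable sink :', renderVulnerable(nameFromFragment(SAMPLE)));
console.log('hardened sink   :', renderSafe(nameFromFragment(SAMPLE)));
```

When testing a WAF with a DOM-XSS target, check what actually reached the server (the access log, or ModSecurity's audit log) before concluding that a rule matched: if the test page or the browser copied the value into the query string or a POST body, the WAF saw it and the experiment did not exercise the fragment path at all.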
Re: Web Application Firewall Assessment
Posted by: lightos
Date: May 04, 2009 03:25PM

Quite a few of the bypasses I've posted for Mario's PHPIDS, regarding SQL injections, also work for ModSecurity.
Since it relies on regex patterns and JavaScript is very flexible, it's not that hard to come up with an XSS injection that won't be detected.

Later when I get home, I can send you some SQL INJ that are not detected by the latest version of modsecurity.

Re: Web Application Firewall Assessment
Posted by: wireghoul
Date: May 04, 2009 08:08PM

Mod_security is a signature-based WAF; depending on how tightly or loosely the signatures are defined, you can cause mismatches simply by padding spaces. Other techniques such as encoding attacks may be possible if the optional supporting rules are not in place (like the ones created following this It is also almost impossible for some rules to exist without impacting functionality, so you will most likely find that a vulnerable script like:
cannot effectively be protected; other issues like session fixation, SQL injection, local file inclusion and friends are also preventable through a WAF. Please feel free to ask specific questions if you need to.

I believe Stefan Esser and/or Amit Klein published a paper on this, but I'm not sure it meets your academic standards for referencing. Good luck with your thesis!



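A toy model of the point wireghoul makes about loosely defined signatures, padding and encoding (my own added example, not code from the thread and not ModSecurity's rule engine). One regex is applied to the argument exactly as received, then again after a small normalisation pass that imitates, in spirit, what a WAF's transformation chain does before matching (ModSecurity's urlDecode, removeComments, compressWhitespace and lowercase transformations are the real-world analogues; the normalize function here is simplified code of my own). The sample strings are constructed for the demo and use the generic UNION SELECT pattern, not a specific bypass.

```javascript
// Added example (not from the thread): signature mismatch through
// padding/encoding, and matching after normalisation.

// A loosely written signature: one regex, applied to the raw argument.
const NAIVE_SIGNATURE = /union\s+select/i;

function naiveMatch(raw) {
  return NAIVE_SIGNATURE.test(raw);
}

// Simplified normalisation, imitating a WAF transformation chain:
// URL-decode, strip SQL block comments, compress whitespace, lowercase.
// This is illustrative code, not ModSecurity's implementation.
function normalize(raw) {
  let s = raw;
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // malformed escape sequence: keep the string as-is rather than fail open
  }
  s = s.replace(/\/\*[\s\S]*?\*\//g, ' '); // comment used as a separator
  s = s.replace(/[\s\u00a0]+/g, ' ');      // collapse whitespace runs
  return s.toLowerCase();
}

function normalizedMatch(raw) {
  return NAIVE_SIGNATURE.test(normalize(raw));
}

// Constructed inputs: the plain form plus padding and encoding variants.
const SAMPLES = {
  plain:    'UNION SELECT 1,2',
  padded:   'UNION            SELECT 1,2', // \s+ absorbs extra spaces
  tabEnc:   'UNION%09SELECT 1,2',          // tab, still URL-encoded
  comment:  'UNION/**/SELECT 1,2',         // comment instead of whitespace
  mixedEnc: 'UNI%4fN%20SELECT 1,2',        // a letter of the keyword encoded
};

// Returns {sampleName: {naive: bool, normalized: bool}} for every sample.
function evaluate() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    out[name] = { naive: naiveMatch(value), normalized: normalizedMatch(value) };
  }
  return out;
}

console.table(evaluate());
```

The other half of wireghoul's remark shows up the moment you try to tighten this: every transformation or broader pattern added to catch another variant also widens the set of legitimate inputs the rule will match, which is why a signature strict enough to block the script he has in mind tends to break the application that script belongs to.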
Re: Web Application Firewall Assessment
Posted by: Matt Presson
Date: May 05, 2009 08:31AM

The OWASP project has a special project regarding ModSecurity and WebGoat. You can find it at []



Re: Web Application Firewall Assessment
Posted by: bin4ry
Date: May 05, 2009 10:09AM

Thanks to all of you guys.

I'll check out the resources you provided when I am back home. And I'll definitely take you up on your offer to ask specific questions when it's time to perform the practical things.

I guess I'll assess the core rules since it is quite realistic that ModSecurity users will have them in place.

Thanks again.

Re: Web Application Firewall Assessment
Posted by: Gareth Heyes
Date: May 05, 2009 11:03AM

You might want to check this thread out:-,8085

as well as the JS techniques mentioned here:-,15812

"People who say it cannot be done should not interrupt those who are doing it.";
labs : []
blog : []
Hackvertor : []
