[WEB SECURITY] WAF XSS Fuzzer?!
rcbarnett at gmail.com
Wed Feb 2 17:06:09 EST 2011
On a related note, the never-ending obfuscation techniques to bypass any filtering mechanism (WAF or otherwise) led me to use additional WAF techniques to help mitigate XSS attacks. I recently gave my "XSS Street-Fight" presentation at Blackhat DC, which outlined these items. The preso slides aren't up on the BH site yet, so I posted them here -
The short of it is that you need to do things like -
1. Generic Attack Payload Detection - highly obfuscated payloads often have tell-tale signs that something is abnormal with them.
2. Dynamic Taint Propagation - compare inbound/outbound data to identify possible areas where the app isn't applying output escaping/encoding of
3. Counting the number of iframes/scripts on a page - successful XSS attacks will often result in new tags.
4. Adding a JS Sandbox - pushing a JS sandbox (like Active Content Signatures) down to the client so you can combat XSS there.
Anyways, this is a topic that we will be discussing at the upcoming OWASP Summit in Portugal next week. http://www.owasp.org/index.php/Summit_2011
Should be interesting to hash all these concepts out further.
Sorry for the thread hijack
From: Ryan Dewhurst <ryandewhurst at gmail.com>
Date: Wed, 2 Feb 2011 21:36:44 +0000
To: <websecurity at lists.webappsec.org>
Subject: [WEB SECURITY] WAF XSS Fuzzer?!
> Hi list,
> I was wondering if such a thing existed and if not, would such a thing be
> Or does WAF evasion always need some degree of intelligence to produce a
> viable payload?
> I must admit my WAF evasion knowledge is quite poor. I am awaiting The Web
> Application Obfuscation book as a starting point.
> Ryan Dewhurst
> blog www.ethicalhack3r.co.uk <http://www.ethicalhack3r.co.uk>
> projects www.dvwa.co.uk <http://www.dvwa.co.uk> | www.webwordcount.com
> twitter www.twitter.com/ethicalhack3r <http://www.twitter.com/ethicalhack3r>
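Item 3 above (comparing the number of script/iframe tags in a response against a known-good baseline for that page) can be illustrated with a small response-side check. This is an added example, not code from the thread, from the presentation, or from any WAF product; the baseline and suspect HTML are constructed sample pages, and `WATCHED_TAGS` and the function names are this example's own.

```python
from html.parser import HTMLParser

# Tags whose count is compared against the learned baseline for a page;
# a successful stored or reflected XSS usually adds at least one of these.
WATCHED_TAGS = ("script", "iframe")


class TagCounter(HTMLParser):
    """Counts opening tags of interest, including self-closing ones.

    HTMLParser lowercases tag names, so mixed-case tags such as <ScRiPt>
    are counted the same as <script>.
    """

    def __init__(self):
        super().__init__()
        self.counts = {tag: 0 for tag in WATCHED_TAGS}

    def handle_starttag(self, tag, attrs):
        if tag in self.counts:
            self.counts[tag] += 1

    def handle_startendtag(self, tag, attrs):
        # e.g. <iframe/> : treat like an opening tag
        self.handle_starttag(tag, attrs)


def count_tags(html):
    """Return {tag: count} for the watched tags in an HTML document."""
    parser = TagCounter()
    parser.feed(html)
    parser.close()
    return parser.counts


def check_response(baseline_counts, html):
    """Return {tag: (baseline, observed)} for every watched tag whose count
    in this response exceeds the baseline; an empty dict means no anomaly."""
    observed = count_tags(html)
    return {tag: (baseline_counts.get(tag, 0), n)
            for tag, n in observed.items() if n > baseline_counts.get(tag, 0)}


# Constructed sample: the known-good rendering of a profile page ...
BASELINE_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Profile</h1><p>Hello, alice</p></body></html>"""

# ... and a rendering where unescaped user input added a second script tag.
SUSPECT_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Profile</h1><p>Hello, <script>/* injected */</script></p></body></html>"""
```

In practice the baseline would be learned per URL from normal traffic (or taken from a crawl of the application) rather than hard-coded, and a count that exceeds it is a signal to correlate with the inbound request, not a verdict on its own.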