The Truth about Web Application Firewalls: What the vendors do not want you to know.
Abstract
Today WAF systems are considered the next-generation product for protecting websites against web hacking attacks.
During this presentation we will show in practice how well-known Web Application Firewalls can be identified and detected, and we will introduce new attacks that evade specific products. Additionally, we will show how Web Application Firewalls can themselves be vulnerable to the same classes of vulnerabilities they are meant to protect Web Applications from.
Finally, we will introduce new tools that help automate most of what is described in the session.
Speakers
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 8 years' experience in the security industry and is focused on the analysis of security challenges and on providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and of the CANVAS add-on VOIPPACK.
Wendel Guglielmetti Henrique is a penetration testing consultant at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has worked in IT since 1997, and for the last 7 years in the computer security field. He has found vulnerabilities in many software products, including webmail systems, access points, Citrix MetaFrame, and others. Some of the tools he has written have been used as examples in articles in national magazines such as PCWorld Brazil and international ones such as Hakin9 Magazine. He has recently spoken at YSTS 2.0, Defcon 16, H2HC and other conferences. For the past 3 years he has been working as a penetration tester.