Live Demo of How to Bypass Web Application Firewalls & Filters

Watch our security researcher’s live demo, during which he explains how attackers can bypass filters in web application firewalls to exploit security issues in vulnerable web applications.

This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.

Many assume that a web application firewall is enough to protect web applications from malicious attacks. Therefore fixing security vulnerabilities is not necessary thanks to the WAF’s blacklist of functions, keywords or characters. However, expectations are very different from reality.

Watch episode 526 of Paul’s Security Weekly during which our security researcher Sven busts the myths and demos how attackers can bypass web application firewalls and all kinds of blacklist filters to attack and exploit security holes in vulnerable websites. In his demo Sven shows how to:

  • Bypass Cross Site Scripting, Command Injection and Code Evaluation filters that were meant to protect your web applications
  • Avoid being caught by WAFs
  • And how to generally approach them.

During the demo, Sven also explains why it is not possible to have one payload that bypasses all filters, and why less is often more when it comes to bypassing such security mechanisms.