Conclusion
This is the end of the workshop! Congratulations if you managed to reproduce most of the exercises.
General Principles
Remember that this presentation was not an exhaustive list of patterns but an attempt to give an overview of the most common bypass patterns.
We saw that transformations (decoding, nested encoding and replacement) done server-side can allow numerous variations on the same request. Finding such a transformation can guide the choice of technique. Differences in parser implementation between the web application and the firewall are a common trait of bypasses.
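The defensive counterpart of this principle, as an added Python example that is not part of the workshop material: the filter decodes a parameter until it stops changing, matches on that canonical form, and reports when a decode-once view would have disagreed. The names `RULE`, `MAX_ROUNDS`, `canonicalize` and `inspect_param` are assumptions made for the example, and only percent-encoding is handled, not the other transformations mentioned above.

```python
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumed bound on nesting depth; anything deeper is rejected

# Constructed stand-in for a filter signature, not a real rule set.
RULE = re.compile(r"<script|union\s+select", re.IGNORECASE)


def canonicalize(value, max_rounds=MAX_ROUNDS):
    """Percent-decode until the value stops changing; return (canonical, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            return value, rounds
        value, rounds = decoded, rounds + 1
    if unquote(value) != value:
        raise ValueError("encoding nested deeper than max_rounds")
    return value, rounds


def inspect_param(raw):
    """Compare a decode-once view of the input with its canonical form."""
    decoded_once = unquote(raw)
    try:
        canonical, rounds = canonicalize(raw)
    except ValueError:
        return ("block", "excessive nesting")
    if RULE.search(canonical):
        if RULE.search(decoded_once):
            return ("block", "signature")
        # The application would decode further than a decode-once filter sees.
        return ("block", "signature only visible after repeated decoding")
    if rounds > 1:
        return ("flag", "nested encoding")
    return ("allow", "")


if __name__ == "__main__":
    # Constructed sample parameters.
    for sample in ["name=alice", "q=%3Cscript%3E", "q=%253Cscript%253E", "q=%2520"]:
        print(sample, "->", inspect_param(sample))
```

The second "block" reason is the case the paragraph describes: the filter and the application disagree about how many times the value is decoded.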
Suggested Presentations
- Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out by Orange Tsai
- SQLi Optimization and Obfuscation Techniques by Roberto Salgado
- Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism by Boik Su