AppSecEU | Soroush Dalili (@irsdl) Blog

I had presented a conference talk in AppSec EU 2018 about WAF bypass techniques.

Some screenshots and my original tweet about it can be seen below:

Here are my WAF bypass talk slides at @appseceu 2018: https://t.co/LSWL9wdjSt Next to the slides here is the Burp Suite HTTP Smuggler extension: https://t.co/1wN3TRX7Y6 #appseceu @NCCGroupInfosec pic.twitter.com/EB1VcOhgoO

— Soroush Dalili (@irsdl) July 6, 2018

The SlidShare was URL was:

WAF Bypass Techniques – Using HTTP Standard and Web Servers’ Behaviour from Soroush Dalili

I had also created a SQL injection challenge for my Twitter followers before the talk but the solution can be seen below (from Twitter):

As some people couldn't quite solve the CTF (https://t.co/g0wZBAfsMc) using the AppSec EU slides, I have attached this slow video that shows how the sqli could be exploited – I used HTTP Smuggler but that could be done manually. It was hard to type while recording ;-) pic.twitter.com/qEkOxKJZhP

— Soroush Dalili (@irsdl) July 9, 2018

The Burp Suite HTTP Smuggler extension can be downloaded from: https://github.com/nccgroup/BurpSuiteHTTPSmuggler

Soroush Dalili (@irsdl) Blog

A web application security ninja 🥷, a semicolon enthusiast!

Tag Archives: AppSecEU

WAF Bypass Techniques – Using HTTP Standard and Web Servers’ Behaviour