Bypassing web application firewalls using HTTP headers

(Originally Posted on the HP blog, written by me)

Web application firewalls (WAFs) are part of the defense-in-depth model for web applications. While not a substitute for secure code, they offer good options for filtering malicious input. Below is a story from a real assessment in which an enterprise deployment of such a device could be bypassed. The vulnerability was one of bad design and/or configuration, and as an attacker it was very useful.


Hackers Use This: Satish Bommisetty

Satish Bommisetty

Security Analyst, Author, Bug Bounty Participant

Who are you, and what do you do?

I am Satish Bommisetty (@satishb3). I work as a security analyst for Pramati Technologies, a product development company in India. As part of my job, I assess the security of web and mobile applications and train developers. I used to spend a lot of time in the mobile space, especially on iOS hacking and forensics. Now I am participating in bug bounty programs in my free time. I authored a book named Practical Mobile Forensics. I’m also a blogger and a family man.

Hackers Use This: Dominic Chell

Dominic Chell

Author, Consultant, MDSec Consulting and Training

Who are you, and what do you do?

Hi, my name is Dominic Chell (@domchell) and I live in the North West UK. I work for MDSec (@MDSecLabs), a boutique security consultancy that I helped found in 2011. Prior to that I spent just over 6 years consulting at other UK based security firms. I spend a lot of my time working in app sec, particularly in the mobile space as I head up this practice area at MDSec.

Hackers Use This: Richard De Vere

Richard De Vere

Who are you, and what do you do?

I am Richard De Vere (@rfdevere). I work as a social engineering consultant for my small company, The AntiSocial Engineer Ltd. On a day-to-day basis I perform all kinds of SE-related tasks such as phishing assessments, vishing calls, and a little bit of traditional network/forensics work on the side. I previously worked for a beautiful UK-based IT company but recently decided to start up one of my own. It has been a hard but rewarding first few months. If you have a secure place, be it a bank or a data center, I will probably get in there and I will probably steal data.

Hackers Use This: Johnathan Kuskos

Johnathan Kuskos

Manager of Belfast Threat Research Center, WhiteHat Security

Who are you, and what do you do?

Hi, I’m Johnathan Kuskos and I’ve just recently moved to a management role for WhiteHat Security’s Northern Ireland-based Threat Research Center. Before that, I had slowly ground my way up to a Senior Application Security Engineer position primarily focused on winning bakeoffs vs. other respected security vendors =). Prior to WhiteHat life, I was just another college kid with a CS/EE background trying to figure out what I wanted to do with my life. The earliest I can remember really hacking was using a hex editor on the earliest versions of NES ROMs in the late ’90s while in middle school. Today, I’m spending most of my time teaching young engineers the tricks of our trade.

Hackers Use This: Craig Smith

Craig Smith

Senior Security Researcher, (Fortify on Demand – an HP Company)

Who are you, and what do you do?

My name is Craig Smith (@craigz28 on the twitter). I’m a Senior Security Researcher for a dynamic/static security testing group within HP. I have been in IT for over 20 years and in InfoSec for over 10 years. In the past, I have been a developer, a manager, a penetration tester, and an all-around good guy. My primary areas of security focus are web applications, networks, and the Internet of Things. I have a gaming rig that is seriously underutilized and an extensive network. I can be found on the twitter (@craigz28) and my blog site (craigsmith.net).

Hackers Use This: Ryan Dewhurst

Ryan Dewhurst

Freelance Security Consultant, Tool developer

Who are you, and what do you do?

My name is Ryan Dewhurst (@ethicalhack3r). I live in France but I’m originally from the UK. I recently started freelancing at Dewhurst Security, where I mainly carry out web application security assessments and external penetration tests. Before that I worked as a consultant for five years for a British security company, and before that I did a BSc in Ethical Hacking for Computer Security.

I’m probably most known for the work I did on Damn Vulnerable Web App (DVWA) back when I was still at university. I don’t actively develop DVWA anymore but over the past few years I have been working on another project called WPScan and the WPScan Vulnerability Database with a small team of awesome people.

I have taken part in some bug bounty programs but haven’t really spent too much time on them. I have been known to blog, contribute to other security-related projects, and do some small work on the OWASP wiki and testing guide.

Hackers Use This: Jason Haddix

Welcome to a new blog series called “Hackers Use This.” This is an attempt at a low-maintenance, interview-style series aimed at security folk. I’ll be inviting all sorts of hackers and asking them questions about their preferred software, hardware, etc. Basically, what they use to get their jobs done.

This site is almost directly inspired by the author of usesthis.com. Thanks Daniel!

I’ll be posting the first article myself to showcase the type of content I hope to see here in the future. Here we go:

Jason Haddix

Senior Security Researcher (Fortify on Demand – an HP Company)

Who are you, and what do you do?

My name is Jason Haddix (jhaddix). I am a Senior Security Researcher at a dynamic/static security testing SaaS. I currently architect and develop solutions and methodologies to address security problems. Before this I was the director of penetration testing and before that I was a penetration tester. I focus on several areas including web application testing, static code analysis, mobile hacking, and anything else that is needed. I’m a former prolific bug bounty addict, current gamer (Destiny and DOTA2 atm), (former-ish) blogger, sometimes CTF player, and family man.

You can find me on twitter ranting, github (hardly coding), several sites blogging, and LinkedIn barely paying attention.  I have a “soft CV” here.


OMG He Haxx! : an introduction to the game hacking framework

I like games… I also like hacking.

Some of the most prolific apps these days are video games. They are sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, monetary transfers, social interactions, etc., with every bit the need for security that most internet-hosted apps have (if not more in some cases). The aim is to design a new OWASP project to help classify the diverse types of game hacks that exist for some of the world’s biggest games. This will benefit the game industry as a whole. We’ll use historical hacks as examples and break down those flaws as much as possible, creating a do-not-do list of flaws that new game companies can reference when creating new games. This is very much an alpha project.