• LOGIN
    • No products in the cart.

Login

Retrieve Password
Back to login/register

Nowadays, the number of web application firewalls (or simply WAFs) is increasing, which results in a more difficult penetration test from our side. So, it becomes a necessity and really important to be able to bypass WAFs in a penetration test. In this course, we are going to examine practical approaches in bypassing WAFs as a part of our penetration test, and, of course, the theory behind WAFs and how they work.
Course starting date: December 12th 2016
What will students learn (learning outcome – knowledge)?
WAF Bypassing
How WAFs work
How to implement WAF Bypassing to our penetration test
What skills will students gain (learning outcome – skill)?
WAF Bypassing and Hacking
WAF Hardening and Securing
What will students need (course requirements)?
PC with a preferred operating system (Mac OSX 10.5+, Windows 7+, Linux)
At least 4gb of RAM for the VMs to work properly
At least 10gb of free storage for VMs
What should students know before they join (student requirements)?
Basics and understanding of penetration testing
Basics and understanding of web applications and how they work
Basic understanding of programming (Python scripts will be examined, and HTML and SQL pieces, too)
Instructor’s Bio & Picture:
8 years of experience in the Security sector
Java, C++, Python
Editor of “Penetration Testing with Android Devices”, “Penetration Testing with Kali 2.0” courses of PenTest Magazine.
Editor of “Web Application Hacking: Data Store attacks and Advanced SQL Injection”, “Android Malware Analysis” courses on eForensics Magazine.
Editor on DeltaHacker Magazine
4 years of blogging on Penetration Testing topics (Cr0w’s Place)
Hacking and Android Enthusiast
Blog: https://cr0wsplace.wordpress.com
YouTube channel: https://www.youtube.com/user/Cr0wsPlace

Syllabus:

Introduction WAFs, WAF Bypassing and techniques:
Module 1
In this module, we will quickly examine how WAFs work in a web server, and we will be introduced to WAF Bypassing and some interesting methods with practical examples, attacking web application firewalls with conventional methods.
Introduction to WAFs, WAF types and WAF Bypassing
Introduction to web application servers, how they work and where WAFs live
Introduction to WAF Bypassing logic and techniques
WAF Fingerprinting Introduction and practical examples
Practical Introductory examples to WAF Bypassing

WAF Bypassing with SQL Injection:
Module 2
In module 2, we examine how we can bypass WAF by exploiting SQL Injection vulnerabilities, with various ways such as normalization and HTTP Parameter Pollution.
Basics of SQL Injection
SQL Injection -Normalization
SQL Injection with HTTP Parameter Pollution
Advanced SQL Injection techniques for bypassing WAF (encoding, concatenation, etc.)

WAF Bypassing with XSS and RFI:
Module 3
In module 3, we will examine more ways of WAF Bypassing, this time containing the Remote File Inclusion and the Cross-Site Scripting and more.
Introduction to XSS
Exploiting XSS for WAF Bypassing
Introduction to RFI
Exploiting RFI for WAF Bypassing

Securing WAF and Conclusion:
Module 4
Finally, in module 4, we will see some final methods for bypassing WAFs, and prevention methods with practical examples for our WAF implementations.
Automated attacks
Selecting the best approach for your penetration test
Bypassing WAF finale
Securing WAF
Conclusion

Will the course discuss how to identify which technique is best suited for each identified firewall?
Yes.

Will they be discussing the layers in the Application Server? The Web app? The database server?
Yes.

Will the course discuss binary and Hex encoding to bypass?
Yes.

Will the course discuss any of the CLI tools used by penetration testers to bypass WAFs?
Yes.

Is the course demonstrating how to bypass commercial grade or open source WAF?
Both, but I may not reveal each WAF that I will test, because of copyrights.

Is the course demonstrating how to bypass WAF with default or extensive configuration?
If the time allows it, in each case.

Nowadays, the number of web application firewalls (or simply WAFs) is increasing, which results in a more difficult penetration test from our side. So, it becomes a necessity and really important to be able to bypass WAFs in a penetration test. In this course, we are going to examine practical approaches in bypassing WAFs as a part of our penetration test, and, of course, the theory behind WAFs and how they work.

18 CPE Credits

Self-paced


Course format:

  • The course is self-paced – you can visit the training whenever you want and your content will be there.
  • Once you’re in, you keep access forever, even when you finish the course. 
  • There are no deadlines, except for the ones you set for yourself. 
  • We designed the course so that a diligent student will need about 18 hours of work to complete the training.
  • Your time will be filled with reading, videos, and exercises. 


What will you learn?

  • WAF Bypassing
  • How WAFs work
  • How to implement WAF Bypassing to our penetration test

What skills will you gain?

  • WAF Bypassing and Hacking
  • WAF Hardening and Securing

What will you need?

  • PC with a preferred operating system (Mac OSX 10.5+, Windows 7+, Linux)
  • At least 4gb of RAM for the VMs to work properly
  • At least 10gb of free storage for VMs

What should you know before joining?

  • Basics and understanding of penetration testing
  • Basics and understanding of web applications and how they work
  • Basic understanding of programming (Python scripts will be examined, and HTML and SQL pieces, too)

Your instuctor: Thomas Sermpinis

  • tomsermpinis-310x3108 years of experience in the Security sector
  • Java, C++, Python
  • Editor of “Penetration Testing with Android Devices”, “Penetration Testing with Kali 2.0” courses of PenTest Magazine.
  • Editor of “Web Application Hacking: Data Store attacks and Advanced SQL Injection”, “Android Malware Analysis” courses on eForensics Magazine.
  • Editor on DeltaHacker Magazine
  • 4 years of blogging on Penetration Testing topics (Cr0w’s Place)
  • Hacking and Android Enthusiast
  • Blog: https://cr0wsplace.wordpress.com
  • YouTube channel: https://www.youtube.com/user/Cr0wsPlace

Syllabus


Module 1

Introduction WAFs, WAF Bypassing and techniques

In this module, we will quickly examine how WAFs work in a web server, and we will be introduced to WAF Bypassing and some interesting methods with practical examples, attacking web application firewalls with conventional methods.

    1. Introduction to WAFs, WAF types and WAF Bypassing

    2. WAF Fingerprinting

    3. Automating WAF Fingerprinting with Burp, Nmap and wafw00f

    4. WAF Bypassing

Exercises:

    1. Fingerprinting a WAF with Burp Suite. 

    2. Using automated tools for testing

    3. Polluting a URL

    4. Bypassing the WAF in DVWA


Module 2

WAF Bypassing with SQL Injection

In module 2, we examine how we can bypass WAF by exploiting SQL Injection vulnerabilities, with various ways such as normalization and HTTP Parameter Pollution.

    1. HTTP Parameter Pollution – HPP

    2. Encoding Techniques for Bypassing WAF

    3. Bypassing WAF with SQL Injection

    4. HTTP Parameter Fragmentation – HPF

    5. Bypassing WAFs with SQL Injection Normalization

    6. Buffer Overflow + SQL Injection = Bypass WAF

Exercises: 

    1. Bypassing WAF with encoded queries

    2. Advanced Techniques for blind SQL injection

    3. Blind SQL Injection Example in DVWA

    4. HPP and HPF vulnerable websites


Module 3

WAF Bypassing with XSS and RFI

In module 3, we will examine more ways of WAF Bypassing, this time containing the Remote File Inclusion and the Cross-Site Scripting and more.

    1.  Cross Site Scripting – XSS

    2. Reflected Cross Site Scripting

    3. Stored Cross-site Scripting

    4. Path Traversal

    5. Remote and Local File Inclusion

Exercises: 

    1. Encoded XSS strings

    2. Advanced XSS Examples

    3. Upload Example from DVWA exloitation

    4. Path traversal attacks


Module 4

Securing WAF and Conclusion

Finally, in module 4, we will see some final methods for bypassing WAFs, and prevention methods with practical examples for our WAF implementations.

  • DOM Based XSS

  • Bypassing Blacklists with JavaScript

  • Automating WAF Bypassing

  • Bypassing WAF Practical Examples ( Imperva WAF, Aqtronix WebKnight WAF, ModSecurity WAF, and others)

  • Conclusion and final exam

Frequently Asked Questions

  1. Will the course discuss how to identify which technique is best suited for each identified firewall?
    Yes.
  2. Will they be discussing the layers in the Application Server? The Web app? The database server?
    Yes.
  3. Will the course discuss binary and Hex encoding to bypass?
    Yes.
  4. Will the course discuss any of the CLI tools used by penetration testers to bypass WAFs?
    Yes.
  5. Is the course demonstrating how to bypass commercial grade or open source WAF?
    Both, but I may not reveal each WAF that I will test, because of copyrights.
  6. Is the course demonstrating how to bypass WAF with default or extensive configuration
    If the time allows it, in each case.

Contact

If you have any questions, drop us a line:

Reach Hakin9’s Product Manager Marta Sienicka at [email protected]

Reach our Training Coordinator Marta Strzelec at [email protected]


Course Reviews

N.A

ratings
  • 5 stars0
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0

No Reviews found for this course.

TAKE THIS COURSE
  • $219.00
  • UNLIMITED ACCESS
  • Course Certificate
70 STUDENTS ENROLLED
  • Profile photo of Marta Strzelec
  • Profile photo of joanna_kretowicz
  • Profile photo of Marek
  • Profile photo of documentation
  • Profile photo of daffydaffy
  • Profile photo of faycnet

Who’s Online

There are no users currently online

Certificate Code