The Truth about Web Application Firewalls: What the vendors do not want you to know.

April 23, 2009 (at 11 a.m.) in

Web Application Firewalls (WAFs) are quickly taking their place within the network in order to protect web applications against common security holes such as Cross Site Scripting and SQL injection. They are known by other names such as ‘Deep Packet Inspection Firewalls’ because they look at every request and response within the TLS, HTTP, SOAP, XML-RPC, Web Service layers. Web Application Firewalls can be either software, or hardware appliance based and are typically installed in front of a webserver in an effort to try and shield it from incoming attacks. Today WAF systems are considered the next generation product to protect websites against web hacking attacks.

During this presentation we will show in practice how the big names of Web Application Firewalls can be identified, detected and we will introduce new attacks to evade specific products. Additionally, we will show how Web Application Firewalls can be vulnerable to the same vulnerabilities that they try to protect Web Applications from.

Bonus: we will be releasing a new tool and a new exploit.

Sandro Gauci

Sandro Gauci is the owner and Founder of EnableSecurity ( where he performs R&D and security consultancy for mid-sized companies. Sandro has over 8 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research and has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (

Henrique Wendel Guglielmetti

Wendel Guglielmetti Henrique is a consultant for penetration testing at Trustwave’s SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has worked with IT since 1997, during the last 7 years he has worked in the computer security field. He found vulnerabilities in many softwares like Webmail systems, Access Points, Citrix Metaframe, etc. Some tools he wrote already were used as examples in articles in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine. Recently spoke in YSTS 2.0, Defcon 16, H2HC and others. During the past 3 years he has been working as a Penetration Tester.