waf – Page 4 – WindowsTechs.com

Nginx 1.18.0. ModSecurity WAF installation ./configure error [migrated]

Posted on November 17, 2022 by Cybersplunk

I am trying to install modsecurity in nginx 1.18.0 in ubuntu jammy 22.04.1 for a project by following hackersploit’s tutorial:
https://www.linode.com/docs/guides/securing-nginx-with-modsecurity/
When building the modsecurity module for ngi… Continue reading Nginx 1.18.0. ModSecurity WAF installation ./configure error [migrated]→

Check for special characters in request parameters

Posted on November 8, 2022 by Abc123

Our system is accepting requests including special characters, see parameter2.
Request [
{
"reqHeader": {
"parameter1": "abc",
"parameter2": "123456 script&gt… Continue reading Check for special characters in request parameters→

WAF checking username/password before passing to app [closed]

Posted on October 11, 2022 by Alex

I want to protect a web app behind some other application.
This application should only let users through after they authenticated. While this is a common use case for Web Application Firewalls it seems. I want the WAF to try out filling u… Continue reading WAF checking username/password before passing to app [closed]→

String in JSON message body blocked by Azure WAF with OWASP 3.1 returning 403

Posted on October 4, 2022 by FilBot3

Details
I have an application running behind an Azure Web Application Firewall (WAF) on an Azure Application Gateway (AppGW) that was previously on an on-premises server. Since moving it to Azure, users and testers are now getting 403 Forb… Continue reading String in JSON message body blocked by Azure WAF with OWASP 3.1 returning 403→

Website do not give permission to intercept using any interceptor tools

Posted on July 13, 2022 by Rudra Sarkar

Recently I have encountered that a website I am trying to intercept using Burp suite doesn’t let me process any requests even the API, I wanted to know what kind of WAF or how they managed to do it for blocking intercepted requests. Screen… Continue reading Website do not give permission to intercept using any interceptor tools→

Writing effective UFW & IpTable rules

Posted on April 13, 2022 by Krellex

I am quite new to UFW and IpTables and I am trying to understand what kind of rules we should look to implement to keep a web-application secure. The current scenario I am testing myself in is that I am writing rules for an application lik… Continue reading Writing effective UFW & IpTable rules→

Should I set "Ignore" cookie headers flagged from Akamai WAF or change its severity to Informational?

Posted on April 8, 2022 by offsecgirl

I’ve been seeing our AppScan tools tagging cookie headers from Akamai in low severity.
Mostly tagged as missing attributes of "HTTPOnly" and "Secure" flag.
The question here is should I fully ignore those flagged issues… Continue reading Should I set "Ignore" cookie headers flagged from Akamai WAF or change its severity to Informational?→

Doubts about WAFs

Posted on March 24, 2022 by hyogy

Do WAFs block/ trigger alerts when they just read base64/ hex encoded stuff as suspicious input?
Or do they decode the strings ( the ones which can do that ), analyze the result and just then evetually block/ trigger some alerts?

Continue reading Doubts about WAFs→

Bypass sql injection filtering (whitespace, /, *)

Posted on February 26, 2022 by Mahdi

I want to bypass a sql injection waf that replaces /,* and whitespaces.
This is a payload I want use :
?parameter=22321’union select CAST(normal_column AS bigint),’a’,’b’ from normal_table–

But the website replaces the whitespaces with n… Continue reading Bypass sql injection filtering (whitespace, /, *)→

Bypassing "OR" SQLi filter

Posted on February 11, 2022 by Jeff Bencteux

I am trying to bypass a filter on a black-box SQL injection CTF that likely looks like /or/i. I suspect the filter is in a WAF somewhere in between me and the target.
To get the OR keyword, I use ||.
Instead of using the ORD() function, I … Continue reading Bypassing "OR" SQLi filter→