WAF tuning made easy

  • Path traversal: http://some_site.com.br/../../../../some dir/some file¹
    http://testsite.com/get.asp?f=/etc/passwd²
  • LFI vulnerabilities: An attacker is trying to get access to sensitive files on the server, such as .ini. The Edgecast WAF blocks this and many other critical filesystem extensions by default.³
  • Cross-site scripting: http://testsite.test/<script>alert("TEST");</script>⁴
    <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>⁵
  • SQL injection: SELECT * FROM items WHERE 'a'='a';⁶
    SELECT 1;⁷
  • Remote code execution: eval("\$$user = '$regdate'");⁸
  • Time-based attacks: select 1 and sleep(2);⁹
    select BENCHMARK(2000000,MD5('A'));¹⁰
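As an added example (not from the original post or from the Edgecast product), the Python below sketches the per-category signature matching a WAF applies to request samples like the ones listed above, with a decode step so percent-encoded and double-encoded variants are not missed. The rule patterns, the `classify` and `scan` helpers and the sample set are constructed here for illustration and are far smaller than a real ruleset.

```python
import re
from urllib.parse import unquote

# Constructed rules, one per category the list above names. All matching
# rules fire on a request, so a single sample can trigger several.
RULES = [
    ("path_traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("lfi", re.compile(r"(?:/etc/passwd|\.ini\b|\.conf\b|\.htaccess)", re.I)),
    ("xss", re.compile(r"(<script\b|\bonerror\s*=|document\.cookie)", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("sqli", re.compile(r"(\bselect\b.+\bfrom\b|\bselect\s+\d+\s*;|'\s*=\s*')", re.I)),
    ("rce", re.compile(r"\beval\s*\(", re.I)),
]


def normalise(raw):
    """Percent-decode twice so double-encoded payloads (e.g. %252e) are seen in clear."""
    s = raw
    for _ in range(2):
        s = unquote(s)
    return s


def classify(raw_request):
    """Return the names of the rules that fire on one request string (empty list = allow)."""
    s = normalise(raw_request)
    return [name for name, pat in RULES if pat.search(s)]


def scan(requests):
    """Map each request to the rules it triggers; handy for re-checking a sample set after a tuning change."""
    return {r: classify(r) for r in requests}


# Constructed sample set: the examples from the list above plus one benign request
# and one double-encoded traversal that only the decode step catches.
SAMPLES = [
    "http://some_site.com.br/../../../../some dir/some file",
    "http://testsite.com/get.asp?f=/etc/passwd",
    'http://testsite.test/<script>alert("TEST");</script>',
    "SELECT * FROM items WHERE 'a'='a';",
    "select BENCHMARK(2000000,MD5('A'));",
    "http://testsite.com/get.asp?f=report.pdf",
    "http://testsite.com/get.asp?f=%252e%252e%2fetc%2fpasswd",
]

if __name__ == "__main__":
    for req, hits in scan(SAMPLES).items():
        print("BLOCK" if hits else "ALLOW", hits, req)
```

Each rule fires independently, so a request that decodes to `../etc/passwd` is reported under both path_traversal and lfi; that overlap is useful when tuning, because disabling one noisy rule does not silently let the request through.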
