Web Application Obfuscation: ‘-/WAFs..Evasion..Filters//alert(/Obfuscation/)-’
by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay
In penetration testing there’s nothing worse than knowing there’s a vulnerability there for the taking, only to be blocked by a filter (WAF, Server-Side, IDS/IPS.. .take your pick!). That’s when obfuscation comes into play…
Web Application Obfuscation takes a look at common Web infrastructure and security controls from an attackers perspective, allowing the reader to understand the shortcomings of their security systems.
A noble cause indeed, and one that I think the authors have achieved, at least in part. Why do I say in part. Well if I had to give one reason to explain that statement it would be that it’s not an easy read. Now don’t misunderstand me, the book is well written, concise, and well presented. All the information is there for the taking.With the concise nature of the topic and its excellent coverage, I sometimes found it hard to follow the thought processes behind things. Sometimes understand came straight off, and other times it took a few re-reads of a section and a bit of tinkering to really get the facts straight in my head. With that said, with a topic is broad and complex as this, I’d be surprised to find a book out there that explains the information any better… and in-case you want to look, good luck… I doubt you’ll find anything more than a few specialist articles on the topics this book covers. This book takes an already highly specialised area of IT (Information Security), takes it down past the more specialised Penetration Tester level into a unique area of highly focused individuals who call themselves Web Application Security Specialists… (yes I’m aware that’s dangerously close to ASS, but I couldn’t think of a better way to describe this –> See ASS Cert for more information).
Contents in brief
Chapter 1: Introduction
Chapter 2: HTML
Chapter 5: CSS
Chapter 6: PHP
Chapter 7: SQL
Chapter 8: Web Application Firewalls and Client-side Filters
Chapter 9: Mitigating Bypasses and Attacks
Chapter 10: Future Developments
This book isn’t something you’ll be reading cover to cover anytime quickly… I like to sit down in the garden and crank my way through a book, but I never really got anywhere using that strategy with this title. There’s so many occasions where the use of a computer is
needed advised to follow some of the context of things. Plus to get the most of this book, I feel that it’s better to dip in and out as needed. Specific examples are complex enough that without a refresher, things don’t stick that well. At least, at my age they don’t. Still if you’re new to Web Application testing and want to drink from the fire-hose of whats possible in obfuscation, I couldn’t think of a better place to get it.
One thing I found myself missing in the book was more focus on how developers can deal with these issues. As a tester I came out the other end wondering if developers ever stood a chance. I can only think what a developer would feel after dipping into this book. Hopelessness piled on uselessness, with a spoonful of not a chance! Chapter 9, that covers mitigations tries to give some useful examples, but at a mere 18 pages, even the authors seem to be a little depressed about their chances.
When all is said and done, if you’re into Web App testing, this is a great book to have on your bookshelf… If you’re not, as a tester, trying these tactics to get past filters, then you’re doing both yourself and your customers a real dis-service. How can you say an application is secure if you’re not trying the same tactics that the bad guys are using day in and day out. Be warned though, it’s not really a weekend read. Too much detail, but we like that, don’t we ;)
Overall Score: 8/10