Dropsafe

by Alec Muffett

“Wat Behaviour” in Programming Languages – Security Impact /ht @jimfinnis #EPIC #MUSTWATCH #SHORT #WAT

Via Jim I discovered this four minutes of delight:

…and the mid-section about Javascript behaviour is relevant to WAF bypass (previously, previously) – regarding which there are many presentations and blog posts on the web, but I still delight in this sort of thing so here are a couple of extracts:

Screen Shot 2013-02-18 at 09.17.12

From http://www.slideshare.net/nethemba/bypassing-web-application-firewalls

Screen Shot 2013-02-18 at 09.21.14

From http://security.bleurgh.net/javascript-without-letters-or-numbers

Understanding this is possible is essential for web security work because this is how you inject code that walks straight past a web application firewall.

Comments

2 responses to ““Wat Behaviour” in Programming Languages – Security Impact /ht @jimfinnis #EPIC #MUSTWATCH #SHORT #WAT”

  1. Dave Walker

    Quite an eye-opener; and it doesn’t even get into the realms of true self-modifying or otherwise polymorphic code, but keeps with simple character substitution.

    There’ll be a proof knocking around somewhere that all this turns into the Halting Problem – or at least, I’d like to think so.

    Bottom line: there has to be a better way to do this stuff, which doesn’t involve client-side execution of server-supplied code. I’ve also picked up a copy of “Tangled Web”, and am finding it a real page-turner.

    Reply
  2. Dave Walker

    For readers who like this, I think you’ll also appreciate Rob Kendrick’s interesting examples of creative C abuse at https://docs.google.com/presentation/d/1h49gY3TSiayLMXYmRMaAEMl05FaJ-Z6jDOWOz3EsqqQ/edit?usp=sharing .

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts