2018 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

ModSecurity Evader (MSeVader) is a tool that assists offensive security testers in crafting payloads that evade ModSecurity WAF rules. As a Burp Suite extension that provides real-time visual feedback on rule violations, it lets the tester tweak payloads before submitting them to the web server, ensuring they are not blocked. The demonstration of the tool will include techniques for fingerprinting the WAF to determine the specific threshold settings of its rules, allowing the tester to know whether a payload will be blocked without sending any packets. This tool has been used to successfully discover WAF-evading payloads to execute SQL injection and XSS, and to inject web shells into a site behind a popular commercial cloud-based WAF solution running at maximum paranoia settings.