The presentation will highlight the core of Web Application Firewall (WAF): detection logic, with a slight accent on regular expressions detection mechanism. In order to analyse regular expressions of well-known open source WAFs, a methodology will be proposed. Using the proposed methodology, rules from popular opensource WAFs will be examined using program methods. Manual analysis method will be used by applying own industrial knowledge and best practices. In order to discover new Cross-Site Scripting and SQL-Injection vectors which will bypass existing regular expressions, fuzz testing framework will be released. New attack vectors will be discovered using fuzz testing framework after run across multiple browsers (for Cross-Site Scripting) and databases (for SQL-Injection). Obtained from fuzz testing framework attack vectors will be clustered and represented as look-up tables. Such tables can be used by both attackers and defenders in order to understand the purpose of characters in various parts of attack vector, which are allowed by appropriate browsers or databases.
A total of 30 new bypass vectors for 6 trending opensource WAFs (ModSecurity versions 2,3, Comodo, PHP-IDS, QuickDefense, NAXSI) will be described, with an indication of 500 potential weakness in regular expression detection logic of WAFs.