Bypassing WAF Anti-automation Using Burp’s Cookie Jar | Daniel Miessler
I'm testing a number of cloud WAFs right now for how they handle various injection attacks. Pretty fun project. One layer of their defense is anti-automation, so if you start hitting it hard with a scanner it'll label you as malicious and ban you.
Anyway, with Burp it's pretty easy to control what cookies you send through the Cookie Jar. Importantly, you can choose to not send certain cookies by name (or ONLY send certain ones by name) for any given tool within Burp, e.g. Proxy, Spider, Scanner, etc.
In this case I told the session handler to ONLY send the JSESSIONID cookie, and not any of the other crap the WAF tries to load you up with. The image up top is an example request from the scanner after this configuration.
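From the defender's side, the weakness the post exploits is that the anti-automation cookie is independent of the session cookie, so a client can keep JSESSIONID and drop everything else. The check below is an added example, not code from the post or from any WAF vendor: it binds the tracking cookie to the session with an HMAC and flags requests that present JSESSIONID without a matching token. The cookie name WAF_TRACK and the key are assumptions; the page does not name the WAF's cookies.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Assumed names: the post never says what the WAF calls its
# anti-automation cookie, so "WAF_TRACK" is a placeholder and the
# key below is a constructed sample, not a real secret.
SESSION_COOKIE = "JSESSIONID"
TRACK_COOKIE = "WAF_TRACK"
SECRET = b"constructed-sample-key"


def issue_tracking_cookie(session_id: str) -> str:
    """Derive the anti-automation token from the session id so the two
    cookies cannot be split apart: stripping one invalidates the other."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def classify_cookie_header(cookie_header: str) -> str:
    """Classify one request's Cookie header as 'ok', 'challenge' or 'invalid'.

    'challenge': session cookie present but tracking cookie missing, which is
                 exactly the request shape the post produces with Burp.
    'invalid':   tracking cookie present but not bound to this session.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    session = jar.get(SESSION_COOKIE)
    track = jar.get(TRACK_COOKIE)
    if session is None:
        return "ok"  # no session yet; nothing to bind to
    if track is None:
        return "challenge"  # JSESSIONID kept, anti-automation cookie dropped
    if not hmac.compare_digest(track.value, issue_tracking_cookie(session.value)):
        return "invalid"
    return "ok"


def triage(cookie_headers: list[str]) -> dict[str, int]:
    """Count verdicts over a batch of Cookie headers (e.g. from access logs)."""
    counts = {"ok": 0, "challenge": 0, "invalid": 0}
    for header in cookie_headers:
        counts[classify_cookie_header(header)] += 1
    return counts
```

A WAF that applies this check answers a "challenge" request with its bot challenge rather than serving it, so the only-send-JSESSIONID configuration no longer slips past the anti-automation layer.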