Web Application Firewalls: Analysis of Detection Logic
by Vladimir Ivanov
This presentation examines the core of Web Application Firewall detection logic, with an emphasis on the regular-expression detection mechanism. It also covers the use of a Static Application Security Testing (SAST) tool for regular expression analysis, aimed at finding security flaws in the syntax of regular expressions. Rules from popular WAFs will be examined using the proposed “regex security cheat sheet”. Logical flaws in regular expressions will be demonstrated, drawing on the author’s bug hunting experience and best practices.