YoVDO

Reversing Engineering Web Applications for Security - Behavior Analysis and WAF Detection

Offered By: OWASP Foundation via YouTube

Tags

Web Application Security Courses, Reverse Engineering Courses, Content Management Systems Courses, Web Application Firewalls Courses, Honeypots Courses

Course Description

Overview

Explore reverse engineering techniques for web applications, focusing on behavior analysis and WAF detection in this 47-minute conference talk from AppSecUSA 2014. Delve into the challenges of screening HTTP traffic and learn about a new approach to mitigate complex attacks on popular CMS platforms. Discover how to integrate traffic analysis with log correlation for improved protection, generating millions of alerts daily with low false positive rates. Follow the speaker's journey through reverse engineering CMS applications, setting up honeypots, identifying attacker behavior, and creating effective countermeasures. Gain insights into live analysis techniques that merge various security strategies to block specific attacks efficiently. Learn from an experienced security professional about the latest developments in web application security, including practical examples and real-world scenarios.

Syllabus

Intro
About Sucuri Security
A Note on the Examples
Motivations
Agenda
Reverse Engineering
Whitelisting
Our Scope: WAF Detection
Detection steps Analyze Application Structure
The HTTP Protocol
Traffic Analysis
Crawling the Application
GET Request
Oh wait! Get a job from the headers...
Full Request
What's wrong here?
What about here?
Summary of Flow Parsing
File Structure
WordPress Tarball
The Basic WP Structure
xmlrpc.php
XMLRPC Login Attempt
Brute forcing New Brute Force Attacks Exploiting XMLRPC in
Pingback
wp-admin/ "Access"
Restriction Samples: .htaccess
Mitigating Attack Surface
Realtime Monitoring w/ OSSEC
Threshold Ideas
Special File Permissions
Counter Intelligence
Behavior: How you look at problems
GEO IP Block: Top Attack Countries
Top Methods
HTTP Version 1.0
In summary...


Taught by

OWASP Foundation
