Extending WAFs at the Application Layer

OWASP Foundation via YouTube

Overview

Explore the evolution, purpose, and limitations of Web Application Firewalls (WAFs) in this 38-minute OWASP Foundation conference talk. Learn about WAF bypassing techniques and discover Sanwaf, an application-level security control. Dive into Sanwaf's structure, functionality, and implementation, including global settings, shield settings, regex settings, and metadata settings. Examine various datatype examples and performance considerations. Gain insights on sanitizing data, implementing filters and logging, and handling error messages. Access a sample application and learn where to find Sanwaf for implementation in your own projects.

Syllabus

Intro
Brief History of WAFs
Purpose of WAFs
Problems with WAFs
Bypassing WAFs
Sanwaf: Application-Level Security Control
Purpose of Sanwaf
Bypass Example: A cookie is being blocked by a WAF and is causing an issue, so
Sanwaf Does Not Replace WAFs
Sanitizing Data
How Sanwaf Works
Sanwaf Structure
Global Settings
Shield Settings
Regex Settings
Metadata Settings
Sanwaf Datatypes
Sanwaf: How it works
Sanwaf: How Strings Work
Sanwaf Datatype Performance
Example - Delimited Set of Numbers
Datatype Example: Delimited Set of Numbers (RegEx)
Datatype Example: Alphanumeric and Whitelisted
Datatype Example: Using a Java Class
Datatype Example: String & Regex
Implementing Sanwaf
Sample Implementation: Filter
Sample Implementation: Logging
Error Message Example
Rendering Error to End User
Sample Application
Where to Git Sanwaf
Contact Information

Taught by

OWASP Foundation
