Back To Schedule
Friday, September 19 • 10:30am - 11:15am
Reversing Engineering a Web Application - For Fun, Behavior & WAF Detection

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Screening HTTP traffic can be something really tricky and attacks to applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing and we started research on a new approach to mitigate the problem. Initially reverse engineering the most popular CMS applications such as Joomla, vBulletin and WordPress, which led to us creating a way to detect attackers based on whitelist protection in combination with behavior analysis. Integrating traffic analysis with log correlation, resulting in more than 2500 websites now being protected, generating 2 to 3 million alerts daily with a low false positive rate. In this presentation we will share some of our research, their results and how we have maintained WAF (Web Application Firewall), using very low CPU processes and high detection rates.

Detailed Outline:

- Current method of detection (We'll show how WAF operates today, allowing us to emphasize our unique approach)
- Reverse engineering a CMS application (In this step we'll show how we reverse engineered a CMS Application to understand its fragility and common attack vectors)
- Setting up honeypots (We'll share our work with honeypots which gathered data in real time during massive attacks on popular CMS applications)
- Identifying behavior (analyzing data to understand points to be considered when creating counter measures and evaluating the best approach to each type of attack type)
- Creating countermeasures (using behaviour information, CMS vulnerabilities and attack methods spreading in the wild, we'll show how we created better signatures specific to each CMS based on the knowledge acquired during research on each one of them)
- Live analysis (merging everything together and seeing the tool operate live, well-tuned, blocking specific attacks, with improving low false-positive rate in an effective and efficient manner)

avatar for Rodrigo Montoro

Rodrigo Montoro

Security Researcher
Rodrigo “Sp0oKeR” Montoro has 15 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently he is Security Researcher/ SOC. Prior to joining Clavis he worked as a Senior Security administrator at Sucuri... Read More →

Friday September 19, 2014 10:30am - 11:15am MDT
Colorado Ballroom E [Defenders] Denver Marriott City Center