POSTED BY: census / 01.11.2016

Black Hat Europe 2016

CENSUS will be participating at the Black Hat Europe 2016 conference in London, with a presentation by George Argyros and Ioannis Stais on the theme of automated evasion of Web Application Firewalls (WAFs). The presentation, titled "Another Brick Off the Wall: Deconstructing Web Application Firewalls using Automata Learning", will take place on Thursday, November 3rd 2016 at 14:30 in the Auditorium room of the Business Design Center venue.

George and Ioannis are using automata learning to first identify the rules used by a remote web application firewall and then to automatically generate XSS or SQL injection payloads that bypass the previously identified rules. This is essentially an automated way of testing web application firewalls. The authors have used this method to identify weaknesses in commonly used web application firewall software, examples of which will be shown during the Black Hat talk.

A few words about the authors:

George Argyros is a security researcher currently pursuing a PhD at Columbia University in NYC. In the past he has worked as an intern at CENSUS S.A. His research revolves around the development of machine learning algorithms for analyzing complex software, debugging tools for machine learning models and making symbolic execution practical for interpreted languages. Previously he worked in the area of applied cryptography, where he developed a suite of tools for exploiting weak randomness vulnerabilities in web applications. Beyond research, George has also worked on code auditing, cryptographic protocol auditing and penetration testing projects.

Ioannis Stais is an IT security consultant at CENSUS S.A. Ioannis has participated in more than 50 security assessment projects, including the assessment of communication protocols, web and mobile banking services, NFC payment systems, ATMs/POS, critical medical appliances and MDM solutions. His research currently focuses on the development of machine learning algorithms for improving vulnerability research, the enhancement of fuzzing frameworks and exploration of the current threats in mobile and web applications.