Penetrating web application firewalls

As we have discussed previously, evading detection can be a challenge. Web application firewalls are no different from the other methods we have covered: whether an evasion succeeds will depend on how the administrator has configured the policy. There are excellent references on the Internet you can use to see whether your obfuscation technique will work. The free and open source WAF ModSecurity provides a site where you can test a string to see whether it is likely to be detected by a WAF. You will find the site at http://www.modsecurity.org/demo.html.
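The point that detection depends on the administrator's policy can be checked offline with a small model of how a ModSecurity-style rule normalises a request before matching it. This is an added example, not code from the book or from ModSecurity; the signature, the transformation names and the sample request strings are constructed stand-ins, and the only thing it shows is why a policy with a weaker transformation chain misses what a fuller one catches.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings (not from the page): one plain,
# one URL-encoded with mixed case and an inline comment, one benign.
SAMPLES = {
    "plain": "id=1 UNION SELECT user FROM accounts",
    "obfuscated": "id=1%20uNiOn/**/%53eLeCt%20user%20from%20accounts",
    "benign": "id=1&page=2",
}

# A minimal signature in the spirit of a ModSecurity rule: the pattern is
# applied only after the policy's transformation chain has run.
PATTERN = re.compile(r"\bunion\b\s*\bselect\b")

# Transformation steps modelled on ModSecurity's t:urlDecodeUni,
# t:lowercase, t:removeComments and t:compressWhitespace (simplified).
TRANSFORMS = {
    "urlDecode": unquote,
    "lowercase": str.lower,
    "removeComments": lambda s: re.sub(r"/\*.*?\*/", " ", s, flags=re.S),
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
}


def normalise(value: str, steps) -> str:
    """Apply the policy's transformation chain, in the configured order."""
    for name in steps:
        value = TRANSFORMS[name](value)
    return value


def matches(value: str, steps) -> bool:
    """True when the signature fires on the normalised value."""
    return PATTERN.search(normalise(value, steps)) is not None


def evaluate(steps):
    """Report which samples a policy with the given transforms catches."""
    return {name: matches(v, steps) for name, v in SAMPLES.items()}


WEAK_POLICY = ["lowercase"]       # no decoding, comments left in place
FULL_POLICY = list(TRANSFORMS)    # all four steps, in order

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("full", FULL_POLICY)):
        print(label, evaluate(policy))
```

Swapping transformation steps in and out of `FULL_POLICY` is a quick way to see which part of a policy a given test string actually relies on before trying it against the demo site.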

Once the site has opened, you will see that they have a list of websites that many of the commercial vendors use to demonstrate their tools. An example of this is shown in the following screenshot:

Click on the ModSecurity ...
