
Evading all web-application firewalls XSS filters [pdf] - ebarock
http://mazinahmed.net/uploads/Evading%20All%20Web-Application%20Firewalls%20XSS%20Filters.pdf
======
davvolun
The title sounds misleading to me; this paper is about evading the set of WAFs
which may include the universal set at this point in time, and further only
including specific versions and rulesets of those WAFs. I don't know...the
title made me think "well, then why bother using a WAF at all?", the paper
actually implies that I should use a WAF as one line of defense, but I don't
think anyone ever got the warm fuzzies thinking their app was fully protected
behind a WAF.

If the game is to survive the bear, I don't have to out-run the bear, I need
to out-run you. A WAF is a nice pair of sneakers against your flip flops--
doesn't help me much if my legs are broken.

------
tootie
Good thing I never bother installing one.

~~~
spydum
If a dedicated WAF can't protect you, how confident are you that your own
application is doing an appropriate level of escaping/sanitization?

