ja3 | JA3 on guard against bots | A while ago I was researching JA3 hashes and how they may help with bot mitigation. The first problem I met - even if many | By Mikhail Golovanov, 30 May 2022
honeypot | Sandbox for HoneyPot | I have been monitoring bot activity for a while and often see this behavior: * [SUCCESS] Robot comes to the page * [SUCCESS ..?] Robot exploits a known vulnerability * [FAIL :(] Robot | By Mikhail Golovanov, 1 Nov 2018
waf | ModSecurity rules verification | ModSecurity [https://www.modsecurity.org/] is an open-source WAF. It protects web applications with libinjection and regular expressions. The first one detects SQL injections by tokenizing parameters | By Mikhail Golovanov, 15 Oct 2018
tools | How to turn any website into a Wordpress/Drupal honeypot | When a new exploit for a popular CMS vulnerability appears, the same day someone will send it all around the web, trying to compromise vulnerable systems. | By Mikhail Golovanov, 28 May 2018
libinjection | Part 2. libinjection: different databases fuzzing | It is a sequel to the previous article [https://waf.ninja/libinjection-fuzz-to-bypass/], where I was fuzzing MariaDB 10.2.5, trying to bypass the libinjection library. This time | By Mikhail Golovanov, 9 Oct 2017
libinjection | libinjection: fuzz to bypass | libinjection is a library that parses a parameter value into SQL elements (tokens) and checks whether the token combination (fingerprint) is characteristic of a SQL-injection attack. This library | By Mikhail Golovanov, 24 Sep 2017
rce | Showcase: Struts2 vulnerability evolution | Apache Struts 2 [https://en.wikipedia.org/wiki/Apache_Struts_2] is used as a framework for Java EE application development. Over time there have been found | By Mikhail Golovanov, 22 Sep 2017
xss | Showcase: DOM-based XSS | Cross-Site Scripting (XSS) vulnerabilities are divided into three types: * Reflected: when the payload is injected from user-provided input, e.g. the user clicks on a malicious link * Stored: | By Mikhail Golovanov, 18 Sep 2017
waf | Review: wtt OWASP CRS 3.0 bypass | A while ago I had to make a comparison of different Web Application Firewalls based on the level of security protection they provide. As a result I made WAF Testing | By Mikhail Golovanov, 17 Sep 2017
waf | Review: WAFNinja | WAFNinja was presented by Khalil Bijjou at OWASP Stammtisch Frankfurt 2015 and PHDays 2016. This tool is a CLI Python script which allows fuzzing parameters | By Mikhail Golovanov, 16 Sep 2017
waf | Review: WAF Testing Framework | WAF Testing Framework was developed by Imperva employees (Yaniv Azaria, Amichai Shulman) and was presented at OWASP AppSec USA in 2012. To work properly it | By Mikhail Golovanov, 16 Sep 2017