SecDocs Feed for author Ryan C. Barnett

[Slides] Checkmate with Denial of Service

Mon, 11 Apr 2011 22:16:00 +0200

Authors: Ryan C. Barnett Tom Brennan
Tags: DDoS DoS
Event: Black Hat DC 2011
Abstract: Denial-Of-Service is an attempt to make a computer resource unavailable to its intended users and is not new. In recent history April 2009, government and financial sites in the U.S. and South Korea were attacked by DDOS and were brought offline for days. This incident followed the Georgian DDOS attacks in 2008 and Estonian DDOS attacks in 2007. Common attack methods include systems infected with malware that are controlled and all connect to the target host at the same time using Layer 4 (Transport) which are already addressed by anti-DDOS solutions when employed. In 2009 a lethal form of Layer 7 (Application) attack techniques were being examined by Wong Onn Chee of OWASP Foundation Singapore and in 2010 together with Tom Brennan of OWASP Foundation presented the findings publicly for the first time with code samples. Tom Brennan will walk through the history and details of how this lethal HTTP POST DOS technique works, interesting findings in the protocol and the challenges in defending critical infrastructure against targeted attacks and demonstrate and release his open-source tool that can be used to test your own production systems -- or render others useless with the touch of a button from a single laptop.

[Paper] XSS Street-Fight: The Only Rule Is There Are No Rules

Mon, 11 Apr 2011 21:11:01 +0200

Authors: Ryan C. Barnett
Tags: XSS
Event: Black Hat DC 2011
Abstract: Defending web applications from Cross-Site Scripting (XSS) attacks is extremely challenging, especially when the application's code can not be updated to fix the issue. This presentation will provide a walk-through of various XSS attack/defense/evasion lessons learned by Trustwave's SpiderLabs Research Team while working with commercial WAF customers, as well as, by receiving thousands of attacks against our public ModSecurity demonstration page. We will highlight cutting-edge XSS protection methods that are external to the web application's code such as Defensive Javascript Content Injection.

[Slides] XSS Street-Fight: The Only Rule Is There Are No Rules

Mon, 11 Apr 2011 21:10:34 +0200

[Slides] WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity

Wed, 01 Sep 2010 15:14:00 +0200

Authors: Ryan C. Barnett
Tags: WAF
Event: Black Hat DC 2009

[Audio] WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity

Wed, 01 Sep 2010 15:14:00 +0200

Authors: Ryan C. Barnett
Tags: WAF
Event: Black Hat DC 2009

[Video] WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity

Wed, 01 Sep 2010 15:14:00 +0200

Authors: Ryan C. Barnett
Tags: WAF
Event: Black Hat DC 2009

[Paper] WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity

Thu, 19 Feb 2009 12:46:00 +0100

Authors: Ryan C. Barnett
Tags: WAF
Event: Black Hat DC 2009