Tag: Active Scanner

Testing the security of corporate applications is part of everyday life for Ops and DevOps professionals. Larger companies have whole teams dedicated to independent security testing, called Red Teams. These folks use various tools at their disposal to discover flaws in both applications and infrastructure. These teams often take the same approach as pen testers — external contractors that are hired to penetrate the company's defences. More recently, many companies are supplementing their internal…

Ah-ha, we like this a lot. sqlmap, an incredibly popular tool that automates the process of detecting and exploiting SQL injection flaws, is now able to identify applications and APIs protected by Wallarm. When a WAF is detected, sqlmap even offers to activate tamper scripts and try to bypass the security checks. But since Wallarm doesn't rely on regular expressions for attack detection and instead relies mostly on statistical profiles, that won't help, sorry 🙂 Thanks @stamparm. Appreciate this…

An important difference between Wallarm and many other products, including well-known WAFs, is that it detects not only attacks by hackers but also web application vulnerabilities. To build a truly high-quality vulnerability detector, we had to consider all the approaches that already exist — and develop our own.

A crawling problem

An efficient vulnerability search is impossible without an understanding of how web applications are structured. However, many of today's applications use an asynchronous model of working with clients,…