1 00:00:06,730 --> 00:00:07,750 - [Narrator] There are different ways 2 00:00:07,750 --> 00:00:12,280 that an attacker can bypass different types of protections, 3 00:00:12,280 --> 00:00:15,290 including web application firewalls, 4 00:00:15,290 --> 00:00:17,230 different type of filtering capabilities 5 00:00:17,230 --> 00:00:19,450 in different frameworks, and so on, 6 00:00:19,450 --> 00:00:22,640 by introducing different evasion techniques. 7 00:00:22,640 --> 00:00:24,620 Now, in the website that I'm highlighting here, 8 00:00:24,620 --> 00:00:29,620 which is basically a section of the owasp.org website, 9 00:00:29,930 --> 00:00:32,530 it includes different examples 10 00:00:32,530 --> 00:00:36,420 on how to perform different methods of evasion 11 00:00:36,420 --> 00:00:39,020 for bypassing security controls, 12 00:00:39,020 --> 00:00:40,830 like web application firewalls. 13 00:00:40,830 --> 00:00:44,010 I am not gonna go over every single example here, 14 00:00:44,010 --> 00:00:46,900 but in short, you know, this list includes 15 00:00:46,900 --> 00:00:50,430 the concatenation of different SQL statements 16 00:00:50,430 --> 00:00:52,480 that can be sent to a web application 17 00:00:52,480 --> 00:00:54,320 for the purpose of evasion 18 00:00:54,320 --> 00:00:57,100 and also different types of encoded mechanisms 19 00:00:57,100 --> 00:01:01,110 that you can use for performing this type of attacks. 20 00:01:01,110 --> 00:01:02,110 Now, a few of them 21 00:01:02,110 --> 00:01:06,710 are using HTTP parameter pollution attacks, or HPP, 22 00:01:06,710 --> 00:01:09,320 and there are a few examples in here, 23 00:01:09,320 --> 00:01:12,490 Using that HTTP parameter pollution, 24 00:01:12,490 --> 00:01:14,440 or where you see the vulnerable code, 25 00:01:14,440 --> 00:01:18,410 and the actual request from that hacker, right? 26 00:01:18,410 --> 00:01:22,680 Now, there's also using parameter fragmentation. 27 00:01:22,680 --> 00:01:24,910 So, fragmenting the different parameters 28 00:01:24,910 --> 00:01:26,900 of the SQL statements 29 00:01:26,900 --> 00:01:29,840 that the attacker can actually send to a web application, 30 00:01:29,840 --> 00:01:33,580 and you see a few examples down below as well. 31 00:01:33,580 --> 00:01:35,170 So, I strongly recommend for you 32 00:01:35,170 --> 00:01:38,240 to become familiar with these techniques. 33 00:01:38,240 --> 00:01:41,460 They go beyond what the scope of the exam is. 34 00:01:41,460 --> 00:01:42,293 What you need to know 35 00:01:42,293 --> 00:01:45,120 is the different encoding and evasion mechanisms 36 00:01:45,120 --> 00:01:48,630 that an attacker can use to bypass security controls 37 00:01:48,630 --> 00:01:51,473 and security tools, like a web application firewall.