Defending Black Box Web Applications: Building an Open Source Web Security Gateway, presented at Black Hat USA 2006

by Shawn Moyer

Summary: Web apps continue to be the soft, white underbelly of most corporate IT environments. While the optimal path is to fix your code, it's not always an option, especially for closed-source, black-box web apps or apps hosted on servers that you can't harden directly.
If you have an app in your data center that your CIO thinks is the greatest thing since Microsoft Golf, but is really the HTTP equivalent of a big flashing "own me" sign, this talk is for you.
We'll walk through the process of configuring a caching, content filtering / scanning (POST/GET/header/HTML/XHTML/XML) and traffic sanitizing / rewriting front-end HTTP gateway that also tries to frustrate web scans and HTTP fingerprinting. I'm releasing some build scripts to do most of the heavy lifting as well.
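The two sides of the gateway described above, request filtering in front of a back end you cannot fix and response rewriting that hides the stack, sketched as an added Python example (not the talk's build scripts or any named tool). The method whitelist, size limit, patterns and the neutral "gateway" Server value are placeholder policy choices for illustration.

```python
"""Request inspection and response sanitizing for a front-end HTTP gateway.

Pure functions so the policy can be unit-tested without a network; a real
deployment would call them from the proxy's request/response hooks.
"""
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Placeholder policy (constructed for this example).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_BODY_BYTES = 64 * 1024
# Input categories a gateway typically blocks when the app behind it cannot
# be trusted to: script injection, path traversal, NUL bytes.
SUSPICIOUS = re.compile(r"(<script\b|javascript:|\.\./|\x00)", re.IGNORECASE)
# Response headers that identify the back-end server and framework.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
GENERIC_SERVER = "gateway"


def _suspicious(value: str) -> bool:
    # Check both the raw and the percent-decoded form so encoded variants
    # (%3Cscript%3E, %00) are judged by what the back end would receive.
    return bool(SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote(value)))


def inspect_request(method: str, path: str, headers: Dict[str, str],
                    body: bytes = b"") -> Tuple[bool, str]:
    """Return (allowed, reason); the first policy violation wins."""
    if method.upper() not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    if _suspicious(path):  # covers both the path and the query string
        return False, "suspicious path or query string"
    for name, value in headers.items():
        if _suspicious(value):
            return False, f"suspicious header {name}"
    if _suspicious(body.decode("latin-1")):  # latin-1 never fails to decode
        return False, "suspicious body"
    return True, "ok"


def sanitize_response_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop stack-revealing headers and present one neutral Server value."""
    clean = {k: v for k, v in headers.items()
             if k.lower() not in FINGERPRINT_HEADERS}
    clean["Server"] = GENERIC_SERVER
    return clean


if __name__ == "__main__":
    # Constructed sample traffic.
    print(inspect_request("GET", "/index.html", {"Host": "app.example"}))
    print(inspect_request("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", {}))
    print(sanitize_response_headers({"Server": "Apache/2.0.58 (Unix)",
                                     "X-Powered-By": "PHP/4.4",
                                     "Content-Type": "text/html"}))
```

Blocking at the gateway does not remove the flaw in the application; it only narrows what can reach it, so the reject reasons are worth logging as detection signals.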