DNS tunneling is a well-known technique, and various free tools are available to play with it. However, its full power has not been unleashed yet: several of the existing tools are mostly designed for reading email for free from an airport lounge, not for use as a deadly post-exploitation weapon. They also all suffer from the fact that a DNS tunnel is painfully slow and quite easy to detect and locate. In this talk we will introduce a few new tricks that will allow us to:

- Improve the tunnel speed, by leveraging the fact that most DNS servers are happy to process packets that are not exactly 100% compliant with the RFCs
- Make the DNS tunnel a lot harder to detect, by spoofing the source IP address of the queries, thereby spreading the traffic signature among all the hosts of the subnet

Of course there will be a demo, in which we will release the first official version of Heyoka, a brand-new tool implementing these ideas.

The Truth About Web Application Firewalls: What the Vendors Do Not Want You To Know
Sandro Gauci

Web Application Firewalls (WAFs) are quickly taking their place within the network to protect web applications against common security holes such as Cross-Site Scripting and SQL injection. They are also known as 'Deep Packet Inspection Firewalls' because they look at every request and response within the TLS, HTTP, SOAP, XML-RPC and Web Service layers. Web Application Firewalls can be either software or hardware-appliance based and are typically installed in front of a web server in an effort to shield it from incoming attacks. Today WAF systems are considered the next-generation product for protecting websites against web hacking attacks. During this presentation Sandro will show in practice how the big names in Web Application Firewalls can be identified and detected, and will introduce new attacks to evade specific products. Additionally, he will show how Web Application Firewalls can be vulnerable to the same vulnerabilities they try to protect Web Applications from. Bonus: Sandro will be releasing a new tool and a new exploit.
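A detector-side illustration of the source-spoofing point in the DNS tunneling abstract above (an added example, not code from the talk or from Heyoka): once queries are spoofed across a subnet, a per-host threshold on random-looking subdomains sees nothing, and the same statistic has to be aggregated per subnet. IP addresses and domain names below are constructed placeholders.

```python
import math
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (source IP, queried name). The encoded-looking labels under
# t.example-tunnel.test are spread over eight hosts of 10.0.0.0/24, one each, so
# no single host exceeds a per-host threshold. Ordinary example.org lookups are
# mixed in as benign background traffic. All values are placeholders.
TUNNEL_LABELS = ["q7kx2mzp9a", "v3ndf8hq0l", "z1pr6wya4c", "m9xt3bku7e",
                 "h4dj0scl2n", "b8wq5gyo1r", "f2lm7vzi6t", "k6ce9nsx3u"]
BENIGN_NAMES = ["www.example.org", "mail.example.org", "cdn.example.org",
                "www.example.org", "login.example.org", "api.example.org",
                "www.example.org", "static.example.org"]
SAMPLE_QUERIES = [(f"10.0.0.{10 + i}", f"{lab}.t.example-tunnel.test")
                  for i, lab in enumerate(TUNNEL_LABELS)]
SAMPLE_QUERIES += [(f"10.0.0.{10 + i}", name) for i, name in enumerate(BENIGN_NAMES)]

def shannon_entropy(s):
    """Bits per character; encoded payload labels sit well above real words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(name):
    """Crude: last two labels. A real deployment would use the public suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def suspicious_domains(queries, group_key, min_unique=6, min_entropy=3.0):
    """Group queries by (group_key(src), registered domain) and flag a domain when
    one group issued many distinct names whose leftmost labels look encoded."""
    seen = defaultdict(set)
    for src, name in queries:
        seen[(group_key(src), registered_domain(name))].add(name)
    flagged = set()
    for (_, dom), names in seen.items():
        if len(names) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_ent >= min_entropy:
            flagged.add(dom)
    return flagged

def per_host(src):
    return src                      # classic per-source grouping, defeated by spoofing

def per_subnet(src, prefix=24):
    return str(ip_network(f"{src}/{prefix}", strict=False))   # aggregate the subnet
```

With the sample above, `suspicious_domains(SAMPLE_QUERIES, per_host)` is empty while the `per_subnet` grouping flags example-tunnel.test and leaves example.org alone.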