TL;DR: There was a bug in jsoncpp regarding null-bytes. It was fixed a year ago, but most package managers still ship affected versions. This makes it possible to bypass the shadowd tests with null-bytes.

Discovery of the bug

I operate a large number of honeypots to observe and study attacks on web applications. Recently I noticed that one of the web applications (vBulletin 5.1.2) was successfully compromised, but strangely enough the attack was not detected by Shadow Daemon.
At the next OWASP Ruhrpott meeting I will present the current state of the web application firewall Shadow Daemon. The main topics of my talk will be the architecture and attack detection of the system, but you can also expect comparisons with other free web application firewalls like mod_security and naxsi. After the talk I will demonstrate the installation and configuration of Shadow Daemon from scratch. I will also use the example installation to show the protection at work by attacking it.
It is my pleasure to announce the release of shadowd 1.1.0 as well as shadowd_ui 1.1.0 of the Shadow Daemon web application firewall. This update improves the performance, attack detection and ease of use. There are five major changes:

A native flood protection. It is no longer necessary to use fail2ban to prevent flooding of the logs; it happens automatically now.

A storage queue. This removes a huge bottleneck from Shadow Daemon, the permanent storage of requests.