Who said «WAF»?


Posted: 21-Feb-2017
Category: Software


WAF? Positive Technologies

ptsecurity.com


https://twitter.com/dnkolegov

dkolegov@ptsecurity.com

# whoami


GET / HTTP/1.1
Host: www.example.com
Connection: close

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Length: 51
Date: Mon, 29 Aug 2016 10:36:58 GMT
Connection: close

Hello, World!


Legacy, Third-party

WAF

An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation

A security solution on the web application level which does not depend on the application itself

A security policy enforcement point positioned between a web application and the client end point. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components

WAF? Web Application Firewall Evaluation Criteria

WAF: detection; mitigation (RFC, URL, IP); prevention

LangSec

WAF as a recognizer

LangSec: Language-theoretic security

Insufficient recognition; parser differentials

M. Patterson, S. Bratus, et al. The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them


(abuse / misuse)

HTTP (0.9, 1.0, 1.1, 1.2), WebSockets
SSL (2.0, 3.0), TLS (1.0, 1.1, 1.2, 1.3), HSTS, HPKP, OCSP
Load balancers: F5 BIG-IP, Citrix NetScaler, ...
Web servers: Apache, Nginx, IIS, GWS, ...
Frameworks: ASP.NET, RoR, Django, Symfony, GWT, ExpressJS, ...
SQL databases: MySQL, MS SQL, PostgreSQL, Oracle, ...
NoSQL databases: MongoDB, ElasticSearch, Redis, ...
Browsers: Chrome, IE, Opera, Firefox, Safari, Yandex Browser, ...
JavaScript libraries: jQuery, lodash, ...
JavaScript frameworks: Angular, React, Ext.js, Ember.js, ...
HTML, CSS, XML/SOAP, JSON

WAF

CATS /app?pageId=1 HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EAEC35B5E8741B4BA1524F25301A5E10

HTTP/1.1 403 Forbidden
Server: waf.example.com
Content-Type: text/html; charset=utf-8
Content-Length: 9
Connection: close

Forbidden


GET /app?pageId= HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Acunetix-Product: WVS/7 (Acunetix Web Vulnerability Scanner NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm

HTTP/1.1 403 Forbidden
Server: waf.example.com
Content-Type: text/html; charset=utf-8
Content-Length: 9
Connection: close

Forbidden


GET /app?pageId=alert(1) HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EAEC35B5E8741B4BA1524F25301A5E10

HTTP/1.1 403 Forbidden
Server: waf.example.com
Content-Type: text/html; charset=utf-8
Content-Length: 9
Connection: close

Forbidden


GET /app/?id=50484e6a636d6c776444356862475679644367784b54777663324e796158423050673d3d HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EAEC35B5E8741B4BA1524F25301A5E10

function getID(request) {
    var rawID = request.getValue('id');
    // rawID is hex-encoded base64: undo the hex layer first, then the base64 layer
    var id = base64decode(hexdecode(rawID));
    return id;
}

// rawID = 50484e6a636d6c776444356862475679644367784b54777663324e796158423050673d3d
// id = alert(1)

HTTP/1.1 200 OK
X-XSS-Protection: 0
Content-Type: text/html; charset=utf-8
Date: Wed, 15 Jun 2016 12:34:25 GMT
Content-Length: 26
Connection: close

alert(1)

GET /app?pageId=a HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EAEC35B5E8741B4BA1524F25301A5E10

HTTP/1.1 200 OK
X-XSS-Protection: 1
Content-Type: text/html; charset=utf-8
Date: Wed, 15 Jun 2016 12:34:25 GMT
Content-Length: 26
Connection: close

a({"c":"user@goodmail.com"})


GET /app?page=1&page=alert(1) HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EAEC35B5E8741B4BA1524F25301A5E10

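The encoded-id and duplicated-parameter requests above are both instances of the parser differential the LangSec slides describe: the WAF recognizes a different language than the application consumes. As an added example that is not part of the original slides, the Node.js code below puts a naive recognizer (first value of each parameter, no decoding) beside one aligned with the application's getID() decoding chain and run over every duplicated value. The names `naiveWafBlocks`, `alignedWafBlocks`, `appDecodeId`, `SCRIPT_RE` and `SAMPLES` are assumptions of this example; the hex id value is the slide's own and decodes to a script tag.

```javascript
// Added example (not from the original slides): two recognizers over one
// query string. The naive one matches only the first, as-received value of
// each parameter; the aligned one applies the application's own decoding
// (the slide's getID(): base64decode(hexdecode(rawID))) and checks every
// duplicated value. The gap is the LangSec "parser differential".
const SCRIPT_RE = /<script\b/i;   // stand-in for a WAF signature (assumed)

// Naive WAF: URLSearchParams.get() yields only the FIRST value of a name,
// and no application-specific decoding is applied before matching.
function naiveWafBlocks(queryString) {
  const params = new URLSearchParams(queryString);
  for (const key of new Set(params.keys())) {
    if (SCRIPT_RE.test(params.get(key))) return true;
  }
  return false;
}

// The application's decoding chain for id (hex-encoded base64), as in the
// slide's getID() pseudocode: undo the hex layer, then the base64 layer.
function appDecodeId(rawID) {
  const b64 = Buffer.from(rawID, 'hex').toString('latin1');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Aligned WAF: same decoding as the application, every value of every name.
function alignedWafBlocks(queryString) {
  const params = new URLSearchParams(queryString);
  for (const key of new Set(params.keys())) {
    for (const value of params.getAll(key)) {
      if (SCRIPT_RE.test(value)) return true;
      // Feed only well-formed hex to the decoder, exactly as the app would.
      if (key === 'id' && /^(?:[0-9a-fA-F]{2})+$/.test(value) &&
          SCRIPT_RE.test(appDecodeId(value))) return true;
    }
  }
  return false;
}

// Constructed query strings modelled on the slides' requests; HEX_ID is the
// slide's own id value and decodes to a script tag.
const HEX_ID = '50484e6a636d6c776444356862475679644367784b54777663324e796158423050673d3d';
const SAMPLES = {
  plain:    'pageId=%3Cscript%3Ealert(1)%3C%2Fscript%3E',        // both block
  encoded:  'id=' + HEX_ID,                                      // naive misses
  polluted: 'page=1&page=%3Cscript%3Ealert(1)%3C%2Fscript%3E',  // naive misses
  benign:   'pageId=1',                                          // both allow
};

function compare(queryString) { // verdict of both recognizers for one query string
  return { naive: naiveWafBlocks(queryString), aligned: alignedWafBlocks(queryString) };
}
```

The point for a defender is that normalization in the WAF has to reproduce every decoding step the protected application performs, including which of several same-named parameters it actually reads.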

POST /download?document_id=1123123&user_id=234123423 HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EAEC35B5E8741B4BA1524F25301A5E10
