Bypassing Waf


www.nethemba.com

Bypassing Web Application Firewalls (WAFs)
Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant, Nethemba

All About Security
  • Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
  • Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
  • OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
  • We are the only ones in Slovakia/Czech Republic that offer: penetration tests and security audits of SAP; security audits of smart RFID cards
  • Unique own and sponsored security research in many areas (see our references: vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)

What are WAFs?
  • Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
  • Usually contain a lot of complex regexp rules to match
  • Support special features like cookie encryption, CSRF protection, etc.
  • Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities)

WAF implementations
  • Usually deployed in blacklisting mode, which is more vulnerable to bypasses and targeted attacks
  • The application context (the type of allowed inputs) must be known in order to deploy the more secure whitelisting mode
  • All WAFs can be bypassed
  • A WAF is just a workaround, but from the security point of view it can be cost-effective

WAF filter rules
  • Directly reflect WAF effectiveness
  • For most WAF vendors they are closely guarded secrets; most determined attackers are able to bypass them without seeing the actual rules
  • Open-source WAFs (mod_security, PHPIDS) have open-source rules, which allows more scrutiny by skilled penetration testers

Typical WAF bypasses
  Blocked attack        Undetected modification
  ' or 1=1              ' or !=!
  [The remaining rows of this table are garbled in the extraction. The recoverable fragments show XSS payloads built from script tags, img onerror/onload handlers and eval(name), and the numeric tautology "1 or 1=1", but the exact blocked/undetected pairs cannot be reconstructed.]

Yes, a WAF may also be vulnerable!
  • A WAF also increases the attack surface of the target organization
  • A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial-of-service attacks, remote code execution vulnerabilities
  • These vulnerabilities have been found in all types of WAF products(!)

Typical bypass flow
  1. Find out which characters / sequences are allowed by the WAF
  2. Make an obfuscated version of your injected payload
  3. Test it and watch the WAF/application response
  4. If it does not work, modify it and go back to step 2

Javascript obfuscation
  • Javascript has very powerful features
  • A Javascript payload is used in XSS attacks
  • It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
  • Supports a lot of encodings (unicode multibyte characters, hexadecimal, octal, a combination of all of them)
  • Supports XOR, encryption, Base64

Non-alphanumeric javascript code
  • Even if only a few characters are allowed it is possible to construct fully functional code:
_=[]|[];$=_++;__=(_
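The slides' distinction between blacklisting mode (matching known-bad signatures) and whitelisting mode (checking each input against what the application context allows), together with the reason blacklist rules must match a normalized form rather than the raw parameter, as an added Python example. This is not code from the presentation, from Nethemba or from any WAF product; the single blacklist signature, the per-field whitelist rules and the sample parameters are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed blacklist signature for the tautology shown in the slides' table.
# A real rule set would have many such patterns; one is enough to show the point.
BLACKLIST_PATTERNS = [re.compile(r"'\s*or\s*1\s*=\s*1")]

# Constructed whitelist: what each parameter may look like, derived from the
# application context. A parameter not listed here is rejected outright
# instead of being guessed at.
WHITELIST_RULES = {
    "id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
}


def decode(value: str) -> str:
    """Undo URL encoding twice so a double-encoded parameter is seen the way
    the application will see it after its own decoding step."""
    return unquote_plus(unquote_plus(value))


def normalize(value: str) -> str:
    """Canonical form for signature matching: decoded, whitespace collapsed,
    lower-cased. A rule that matches before this step compares against a
    representation the application never actually processes."""
    return re.sub(r"\s+", " ", decode(value)).lower()


def blacklist_blocks(value: str, normalize_first: bool = True) -> bool:
    """Blacklisting mode: block if any known-bad signature matches."""
    subject = normalize(value) if normalize_first else value
    return any(p.search(subject) for p in BLACKLIST_PATTERNS)


def whitelist_accepts(field: str, value: str) -> bool:
    """Whitelisting mode: accept only if the decoded value fully matches the
    shape this field is allowed to have."""
    rule = WHITELIST_RULES.get(field)
    return rule is not None and rule.fullmatch(decode(value)) is not None


def screen(params: dict) -> dict:
    """Decide each parameter under all three policies. Returns
    {field: (raw_blacklist_blocks, normalized_blacklist_blocks, whitelist_accepts)}."""
    return {
        field: (
            blacklist_blocks(value, normalize_first=False),
            blacklist_blocks(value, normalize_first=True),
            whitelist_accepts(field, value),
        )
        for field, value in params.items()
    }


# Constructed sample parameters: one legitimate value plus the slide's
# tautology in three spellings that a raw-string rule treats differently.
SAMPLE = {
    "id": "42",                   # legitimate numeric id
    "username": "' or 1=1",       # literal form from the slide
    "comment": "' OR  1=1",       # case and spacing differ from the signature
    "q": "%27%20or%201%3D1",      # URL-encoded form of the same string
}

if __name__ == "__main__":
    for field, (raw, norm, wl) in screen(SAMPLE).items():
        print(f"{field:9} raw-blacklist={raw!s:5} "
              f"normalized-blacklist={norm!s:5} whitelist-accepts={wl}")
```

Running it shows the two failure modes the slides describe: the raw blacklist blocks only the exact spelling it was written for, while the normalized blacklist catches all three spellings of this one signature but still knows nothing about the next unlisted pattern. The whitelist needs no signature at all; it accepts the numeric id and rejects every other sample because none of them has the shape its field allows, which is why the slides call for knowing the application context before turning on whitelisting mode.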