Bypassing Waf

  • date post

    22-Jun-2015
Transcript of Bypassing Waf

Bypassing Web Application Firewalls (WAFs)
Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant
www.nethemba.com

Nethemba – All About Security
  • Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
  • Core business: all kinds of penetration tests, comprehensive web application security audits, local system and Wi-Fi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
  • OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
  • We are the only ones in Slovakia/Czech Republic that offer: penetration tests and security audits of SAP; security audits of smart RFID cards
  • Unique own and sponsored security research in many areas (see our references: vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)

What are WAFs?
  • Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
  • Usually contain a lot of complex regular-expression rules to match
  • Support special features like cookie encryption, CSRF protection, etc.
  • Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities)

WAF implementations
  • Usually they are deployed in blacklisting mode, which is more vulnerable to bypasses and targeted attacks
  • The application context (the type of allowed inputs) must be known in order to deploy the more secure whitelisting mode
  • All WAFs can be bypassed
  • A WAF is just a workaround, but from the security point of view it can be cost-effective

WAF filter rules
  • Directly reflect WAF effectiveness
  • For most WAF vendors they are closely guarded secrets; most determined attackers are able to bypass them without seeing the actual rules
  • Open-source WAFs (mod_security, PHPIDS) have open-source rules, which allows more scrutiny by skilled penetration testers
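The "WAF implementations" and "WAF filter rules" slides above contrast blacklisting (a signature rule for a known attack string) with whitelisting (accept only what the application context permits). The following Python script is an added example, not code from the presentation or from Nethemba. It assumes a hypothetical query parameter "id" whose context is "decimal integer", uses the slide's own blocked string ' or 1=1 as the attack sample, and shows why a signature rule applied to the raw (percent-encoded) request misses what a positive-validation rule rejects regardless of encoding. The sample values are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample values for a hypothetical numeric "id" query parameter.
SAMPLES = {
    "benign":        "42",
    "raw_injection": "' or 1=1",           # the blocked form from the slide's bypass table
    "encoded":       "%27%20or%201%3D1",   # the same bytes as a client would percent-encode them
}

# Blacklist rule in the style of a signature-based WAF: one regex for one known attack string.
BLACKLIST_RULE = re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)


def blacklist_blocks(value: str, decode_first: bool = False) -> bool:
    """Return True if the signature matches. Without a decode transformation the
    rule inspects the raw percent-encoded bytes, which the signature never matches."""
    if decode_first:
        value = unquote(value)
    return BLACKLIST_RULE.search(value) is not None


# Whitelist rule: the application context says "id" is a decimal integer and nothing else.
WHITELIST_RULE = re.compile(r"[0-9]{1,10}")


def whitelist_allows(value: str) -> bool:
    """Positive validation: decode, then accept only what the context permits.
    Anything that is not a short run of digits is rejected, whatever encoding it used."""
    return WHITELIST_RULE.fullmatch(unquote(value)) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Run each sample through three policies; True means the request is blocked."""
    result = {}
    for name, value in samples.items():
        result[name] = {
            "blacklist_raw":     blacklist_blocks(value),
            "blacklist_decoded": blacklist_blocks(value, decode_first=True),
            "whitelist":         not whitelist_allows(value),
        }
    return result


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:14} blocked? raw-signature={verdict['blacklist_raw']} "
              f"decoded-signature={verdict['blacklist_decoded']} whitelist={verdict['whitelist']}")
```

The three verdict columns are the point: the raw signature passes the encoded sample, the decoded signature catches it only because a transformation was added in front of the rule, and the whitelist never needed to know the attack string at all, which is the "application context" the slide says whitelisting mode requires.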
Typical WAF bypasses
Blocked attack / Undetected modification
[table of example payload pairs; the payload cells are garbled in this transcript]

Yes, WAFs may also be vulnerable!
  • A WAF also increases the attack surface of the target organization
  • A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial-of-service attacks, remote code execution vulnerabilities
  • These vulnerabilities have been found in all types of WAF products (!)

Typical bypass flow
  1. Find out which characters/sequences are allowed by the WAF
  2. Make an obfuscated version of your injected payload
  3. Test it and watch the WAF/application response
  4. If it does not work, modify it and repeat from step 2

Javascript obfuscation
  • JavaScript has very powerful features
  • JavaScript payloads are used in XSS attacks
  • It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
  • Supports a lot of encodings (Unicode multibyte characters, hexadecimal, octal, and combinations of all of them)
  • Supports XOR, encryption, Base64

Non-alphanumeric JavaScript code
  • Even if only a few characters are allowed it is possible to construct fully functional code:
_=[]|[];$=_++;__=(_
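The "Javascript obfuscation" slide above lists the Unicode, hexadecimal and octal escape forms JavaScript accepts. From the detection side, the consequence is that a rule must inspect the characters those escapes denote, not the escape text. The following Python script is an added example, not code from the presentation or from Nethemba: it implements a small escape normaliser (the kind of transformation a WAF applies before its regex rules; the function name js_unescape and the rule text are this example's own assumptions) and runs one signature over constructed samples of the same call written with each escape form.

```python
import re

# Constructed samples: the characters of alert(1) written with the escape forms the slide lists,
# as they would appear inside a JavaScript string literal (\x, octal) or identifier (\u).
SAMPLES = {
    "plain":   "alert(1)",
    "hex":     r"\x61lert(1)",          # \x61 is 'a'
    "unicode": r"\u0061lert(1)",        # \u0061 is 'a'
    "octal":   r"\141lert(1)",          # \141 is 'a' (legacy octal escape)
    "mixed":   r"\u0061\x6c\145rt(1)",  # combination of all three, as the slide notes
    "benign":  "console.log('hello')",
}

# One regex covering the three escape forms; each alternative captures its digits.
_ESCAPE = re.compile(r"\\(?:u([0-9A-Fa-f]{4})|x([0-9A-Fa-f]{2})|([0-7]{1,3}))")


def js_unescape(text: str) -> str:
    """Resolve \\uXXXX, \\xXX and octal escapes to the characters they denote.
    A single pass is enough for one layer of escaping; a WAF that expects nested
    encodings chains or repeats its transformations until the input stops changing."""
    def repl(match: re.Match) -> str:
        uni, hx, octal = match.groups()
        if uni:
            return chr(int(uni, 16))
        if hx:
            return chr(int(hx, 16))
        return chr(int(octal, 8))
    return _ESCAPE.sub(repl, text)


# Hypothetical signature: a call to alert, with optional whitespace before the parenthesis.
RULE = re.compile(r"\balert\s*\(")


def matches_raw(text: str) -> bool:
    """Signature applied to the request bytes as received."""
    return RULE.search(text) is not None


def matches_normalized(text: str) -> bool:
    """Signature applied after the escape transformation."""
    return RULE.search(js_unescape(text)) is not None


def evaluate(samples=SAMPLES) -> dict:
    """For each sample, return (raw match, normalised match)."""
    return {name: (matches_raw(v), matches_normalized(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate().items():
        print(f"{name:8} raw={raw!s:5} normalized={norm}")
```

Only the plain sample trips the raw signature; every escaped variant is caught solely because the normaliser ran first. The design lesson is the one the slide implies: a rule set is only as good as the transformation pipeline in front of it, and every encoding the target language accepts that the pipeline does not undo is a gap.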