Slide 1

OWASP Meetup Russia, 12 Oct 2016
Web Application Firewalls: Advanced analysis of detection logic mechanisms
Vladimir Ivanov, @httpsonly

Slide 2

/whoam/i
MSc Information Security (merit) - RHUL (UK)
Web App penetration tester at Positive Technologies (ptsecurity.com)
Blog (bugbounty writeups): https://httpsonly.blogspot.com

Slide 3

Agenda
1. Introduction
2. Detection logic in WAFs
3. METHOD I: Syntax bypass
4. METHOD II: Unexpected by primary logic bypass
5. Takeaways

Slide 4

Motivation
The Standoff:
1. Attackers: mix of various techniques, rarely understand the root cause.
2. Defenders: WAFs protect against automated testing; every vendor implements additional functionality.
Result: no careful whitebox analysis.

Slide 5

WAF workflow example
Stage 1: Parse HTTP(S) packet from client
Stage 2: Choose rule set depending on type of incoming parameter
Stage 3: Normalise data
Stage 4: Apply detection logic
Stage 5: Make detection decision
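The five stages above, as a toy pipeline. This is an added example written for this page, not any vendor's WAF code; the rule sets, anomaly scores, block threshold and the two sample requests are constructed. It shows why Stage 3 sits before Stage 4: the rules are written in lower case with no (?i) flag, and the double-encoded, mixed-case probe only matches because normalisation decodes and folds it first.

```python
"""Toy WAF pipeline following the five stages on this slide.

Added example for this page, not any vendor's code. The rules, scores,
threshold and the two sample requests are constructed.
"""
import re
from urllib.parse import unquote_plus

# Stage 2 material: one rule set per parameter type. Each rule is
# (id, compiled regex, anomaly score). Rules are written in lower case and
# rely on Stage 3 to fold the input, so they carry no (?i) flag.
RULE_SETS = {
    "query": [
        ("sqli-union", re.compile(r"union\s+select"), 5),
        ("xss-script", re.compile(r"<script\b"), 5),
    ],
    "header": [
        ("traversal", re.compile(r"\.\./"), 3),
    ],
}
BLOCK_THRESHOLD = 5


def parse_request(raw: str) -> dict:
    """Stage 1: split a raw HTTP/1.1 request into path, query params, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params,
            "headers": headers, "body": body}


def normalise(value: str, max_rounds: int = 3) -> str:
    """Stage 3: percent-decode until stable (bounded, so double encoding is
    undone but the loop always ends), then fold whitespace and case.
    Query-string semantics ('+' is a space) are applied to every input
    type here for brevity."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).lower()


def inspect(request: dict) -> dict:
    """Stages 2, 4 and 5: pick the rule set per input type, apply it to the
    normalised value, sum the anomaly score and compare with the threshold."""
    score, hits = 0, []
    sources = [("query", request["params"]), ("header", request["headers"])]
    for kind, values in sources:
        for name, value in values.items():
            norm = normalise(value)
            for rule_id, rx, weight in RULE_SETS[kind]:
                if rx.search(norm):
                    score += weight
                    hits.append((rule_id, name))
    return {"score": score, "hits": hits, "blocked": score >= BLOCK_THRESHOLD}


# Constructed sample requests: a double-encoded, mixed-case probe and a benign search.
PROBE = ("GET /search?q=1%2520%2575NION%2520SELECT%25201 HTTP/1.1\r\n"
         "Host: shop.example\r\n\r\n")
BENIGN = "GET /search?q=red+shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for raw in (PROBE, BENIGN):
        print(inspect(parse_request(raw)))
```

The bounded decode loop is the part worth copying: a normaliser that decodes exactly once misses double encoding, while one that decodes until stable with no cap can be made to spin on adversarial input.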

Slide 6

WAF workflow: Detection logic
OWASP CRS 2, OWASP CRS 3dev, OWASP CRS 3rc, PHPIDS, Comodo rules, QuickDefenceWaf, Vultureproject, Waf.red, ShadowD, etc…
Tokenizer: libinjection
Reputation: repsheet
Score builder: NAXSI
Anomaly detection: HMM

Slide 7

Regular expression…
…is a sequence of characters that define a search pattern (c) Wikipedia
(?i)(]*>.*?)

Slide 8

Sources
500+ regular expressions:
• OWASP CRS2 (modsecurity)
• OWASP CRS3dev (modsecurity)
• OWASP CRS3rc1 (modsecurity)
• PHPIDS
• Comodo WAF
• QuickDefense
Breakdown: XSS 317, SQL 321, Other 94 (LFI/RFI, PHP, OS exec, etc.)

Slide 9

Results
300+ potential bypasses
Most “vulnerable”: PHPIDS (E = 1,15)
Least “vulnerable”: Comodo WAF (E = 0,32)
Most “exploitable”: OWASP CRS3-rc (E = 0,89)
E = Potential bypasses / Total rules

Slide 10

Target audience
Not only WAFs use regexp detection logic:
• XSS Auditors
• Backend parsers
• Front-end analyzers
Developers, security auditors, bughunters

Slide 11

METHOD I: Syntax bypass
Of regular expressions. Enumerate all possible and invent all impossible mistakes.

Slide 12

What’s wrong with regexp? Level: Easy
1. (?i: )  -  atTacKpAyloAd
2. ^ $  -  attackpayload
3. {1,3}  -  attackpayloadattackpayloadattackpayloadatt…

Slide 13

What’s wrong with regexp? Level: Medium
1. ReDoS
2. Repetitions: + *
3. Blacklisting wildcards in a set

Slide 14

What’s wrong with regexp? Level: Advanced
1. Non-standard ranges
2. POSIX character classes
3. Operators
4. Backreferences, wildcards

Slide 15

Regular expressions: Security cheatsheet
2 parts: theoretical "whitepaper" and practical "code". Hack regular expressions with regular expressions!
+ SAST: assists with whitebox analysis of regular expressions in the source code of your projects
+ Low false positives: focused on finding high-severity security issues
+ Open source on GitHub!
- Does not dynamically analyze lexis (yet).

Slide 16

https://github.com/attackercan/REGEXP-SECURITY-CHEATSHEET

Slide 17

Regex Security Cheatsheet DEMO + «CVE generator» DEMO

Slide 18

^(?:ht|f)tps?://(.*)$

Slide 19

Comodo WAF: Att4ck is bl0cked!

Slide 20

JavaScript checker in a real-life web app
We can cause ReDoS on the client side by supplying a specially crafted email as input. But what if the backend also has the same regex for checking?

Slide 21

XSS Auditor: EdgeHTML.dll

Slide 22

XSS Auditor: EdgeHTML.dll
IE+Edge XSS Auditor. Result: blocked

Slide 23

XSS Auditor: EdgeHTML.dll
Regexp bypass. Result: alert! Thx @ahack_ru for payload

Slide 24

(?:div|like|between|and|not )\s+\w)

Slide 25

(?:div|like|between|and|not )\s+\w)
https://github.com/PHPIDS/PHPIDS/commit/667e63af93e8fd2ee4df99dd98cb41acdf480906
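The mistake classes on slides 12 to 14 and the PHPIDS fragment on slides 24 and 25 can all be caught by reading the rule text, which is what the talk's SAST idea amounts to. The linter below is an added example written for this page; it is not the cheatsheet's tool, its check ids are my own, and its sample rules are constructed except for the PHPIDS fragment quoted from slide 24. The last check is the one that fragment trips: a literal space directly before \s+ demands two whitespace characters, so the rule never sees the single-space form.

```python
"""Static checks for the regex mistake classes listed in the talk.

Added example for this page, not the cheatsheet's own tool. The sample
rules in RULES are constructed, except the PHPIDS fragment quoted from
slide 24. Each check reports one class of mistake; the check ids are mine.
"""
import re

_LEADING_FLAGS = re.compile(r"^\(\?[a-zA-Z]+\)")         # (?i) (?is) at the start
_GROUP_OPENER = re.compile(r"\(\?[A-Za-z]*[:=!<>]?")     # (?:  (?=  (?<=  (?i:
_POSIX_CLASS = re.compile(r"\[:[a-z]+:\]")               # [:alpha:] inside [...]
_NESTED_QUANT = re.compile(r"\([^()]*[+*][^()]*\)[+*]")  # (x+)+  (x*)*  (a+b)*
_BOUNDED = re.compile(r"\{\d+,\d+\}")                    # {1,3}
_SPACE_THEN_WS = re.compile(r" \)*\\s[+*]")              # "not )\s+"


def lint(pattern: str) -> list[str]:
    """Return the ids of the mistake classes found in one regex rule."""
    found = []
    m = _LEADING_FLAGS.match(pattern)
    body = pattern[m.end():] if m else pattern

    # 1. Case: literal letters in a rule with no (?i) flag are matched
    #    case-sensitively, so mixed-case input is not matched (slide 12).
    case_insensitive = re.search(r"\(\?[a-zA-Z]*i", pattern) is not None
    literal_text = re.sub(r"\\.", "", body)               # drop \s \w \d \b ...
    literal_text = _GROUP_OPENER.sub("", literal_text)    # drop (?: (?= ...
    literal_text = _POSIX_CLASS.sub("", literal_text)     # drop [:alpha:] names
    if not case_insensitive and re.search(r"[A-Za-z]", literal_text):
        found.append("case")

    # 2. Anchors: a blacklist rule anchored at both ends only fires when the
    #    payload is the whole value (slide 12).
    starts = body.startswith("^") or body.startswith(r"\A")
    ends = (body.endswith("$") and not body.endswith(r"\$")) or body.endswith(r"\Z")
    if starts and ends:
        found.append("anchors")

    # 3. Bounded repetition: {n,m} caps the length the rule will match (slide 12).
    if _BOUNDED.search(body):
        found.append("bounded")

    # 4. Nested quantifiers: catastrophic backtracking, i.e. ReDoS (slides 13, 20).
    if _NESTED_QUANT.search(body):
        found.append("redos")

    # 5. POSIX classes are engine dependent; Python's re reads [[:alpha:]] as the
    #    set of the characters [ : a l p h followed by a literal ] (slide 14).
    if _POSIX_CLASS.search(body):
        found.append("posix")

    # 6. A literal space directly before \s+ demands two whitespace characters,
    #    so a single space after the keyword is not matched (slide 24).
    if _SPACE_THEN_WS.search(body):
        found.append("literal-space")
    return found


# Constructed sample rules, plus the PHPIDS fragment from slide 24.
RULES = {
    "phpids-24": r"(?:div|like|between|and|not )\s+\w",
    "anchored": r"^attackpayload$",
    "email-ish": r"(?i)^(\w+\s?)*$",
    "capped": r"(?i)(?:union\s+select\s+){1,3}",
    "posix": r"[[:alpha:]]+",
    "clean": r"(?i)attackpayload",
}


def lint_ruleset(rules: dict[str, str]) -> dict[str, list[str]]:
    """Lint every rule; rules with no findings are left out of the report."""
    return {name: hits for name, hits in ((n, lint(p)) for n, p in rules.items()) if hits}


if __name__ == "__main__":
    for name, hits in lint_ruleset(RULES).items():
        print(f"{name:10} {', '.join(hits)}")
```

The checks are deliberately textual, so they are cheap to run over a whole rule set in CI; they trade some false positives (a `$` meant literally, a harmless `{1,3}`) for never missing the pattern shapes the slides describe.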

Slide 26

What’s next?
1. Identify WAF vendor and version using “signature” vulnerabilities.
2. Reveal and apply bypasses depending on the situation.
3. Craft a string which bypasses all regexp-based rules.

Slide 27

ModSecurity 3 SQLi Bypass
Basic SQLi is given:
All SQLi regexp bypass:
-1'OR#foo id=IF#foo (ASCII#foo ((SELECT-version()/1.))<250,1,0) #

Slide 28

What’s next?
1. Identify WAF vendor and version using “signature” vulnerabilities.
2. Reveal and apply bypasses depending on the situation.
3. Craft a string which bypasses all regexp-based rules.
4. …
5. Dig deeper!

Slide 29

METHOD II: Unexpected by primary logic bypass

Slide 30

libinjection

Slide 31

libinjection

Slide 32

https://github.com/attackercan/CPP-SQL-FUZZER
• Receive SQL query as input
• Fuzz it (mysql.h, SQLAPI.h, ODBC?)
• Record every query except syntax errors
• Parse output!
• Current mysql.h performance: 21M symbols in ~10 mins; speed = 35k queries per second (QPS).
• Up to 1.6M QPS!
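The loop on this slide (take a query, mutate one position, keep every variant the parser does not reject as a syntax error, then read the results) in a small form. This is an added example written for this page, not the talk's fuzzer: it uses the SQLite engine bundled with Python instead of mysql.h, fuzzes a single token boundary, and adds the defender's use of the output, which is to compare what the database parser accepts as a separator with what a WAF normaliser folds. The candidate list and the normaliser's whitespace set are constructed.

```python
"""Parser-tolerance fuzzing in the spirit of the CPP-SQL-FUZZER slide.

Added example for this page, not the talk's fuzzer. It runs against the
SQLite engine bundled with Python rather than mysql.h, fuzzes one token
boundary, and keeps the slide's rule of recording every query that is
not a syntax error. The candidate list and the normaliser's whitespace
set below are constructed.
"""
import sqlite3

# Candidates to place between two SQL tokens (constructed).
CANDIDATES = [" ", "\t", "\n", "\r", "\x0b", "\x0c", "/**/", "--\n", "+", "x", "%"]


def is_syntax_error(err: sqlite3.OperationalError) -> bool:
    # SQLite reports parser failures with these two message forms; any other
    # OperationalError (for example "no such table") means the query parsed.
    msg = str(err)
    return "syntax error" in msg or "unrecognized token" in msg


def fuzz_boundary(template: str = "SELECT{sep}1", candidates=CANDIDATES) -> dict:
    """Run the template once per candidate; return {candidate: parsed?}."""
    con = sqlite3.connect(":memory:")
    results = {}
    for sep in candidates:
        query = template.format(sep=sep)
        try:
            con.execute(query).fetchall()
            results[sep] = True                       # executed: parsed and ran
        except sqlite3.OperationalError as err:
            results[sep] = not is_syntax_error(err)   # record unless the parser rejected it
    con.close()
    return results


def accepted_separators(template: str = "SELECT{sep}1") -> list:
    """Candidates the parser treats as a valid token boundary."""
    return [sep for sep, parsed in fuzz_boundary(template).items() if parsed]


def separator_gap(normaliser_ws=(" ", "\t", "\n", "\r")) -> list:
    """Separators the database parser accepts that a normaliser folding only
    the given whitespace set would not treat as token boundaries. Each entry
    is a place where the detection tokenizer and the real parser disagree."""
    return [sep for sep in accepted_separators() if sep not in normaliser_ws]


if __name__ == "__main__":
    for sep, parsed in fuzz_boundary().items():
        print(f"{sep!r:10} parsed={parsed}")
    print("gap:", separator_gap())
```

Reading the result the way the slide's "parse output" step intends: every entry in the gap list is a token boundary the parser honours but the normaliser does not, so it is the first thing to add to the normaliser's separator set (or to the tokenizer's rules) before tuning signatures.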

Slide 33

SQL fuzzer

Slide 34

SQL fuzzer: Examples

Slide 35

SQL fuzzer: Newest results
“Clever fuzzing” + scalable. DEMO

Slide 36

SQL Fuzzer: Results

Slide 37

Contribution
• OWASP: Regexp security cheatsheet + SAST
• SQL Fuzzer: Classified tables
https://www.owasp.org/index.php/Regular_Expression_Security_Cheatsheet

Slide 38

Call for help
1. Help OWASP! Update the Regular Expression Security Cheatsheet
2. Create a regular expression dynamic analysis tool

Slide 39

Questions?

Slide 40

Thank you
Arseniy Sharoglazov (Contribution to Regex Security Cheatsheet)
Dmitry Serebryannikov @dsrbr (Contribution to SQL fuzzer)
Andrey Evlanin @xpathmaster
All @ptsecurity team ;)