Web Application Firewalls: What the vendors do NOT want you to know SHAKACON III

Transcription

1 Web Application Firewalls: What the vendors do NOT want you to know

2 $ whois WendelGH PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery Webmails, AP, Citrix, etc. Spoke in YSTS 2.0, Defcon 16, H2HC and others. Affiliated to Hackaholic team.

3 $ whois SandroGauci Founder and CSO EnableSecurity. VOIPPACK (CANVAS addon). Security research papers SIPVicious and SurfJack 9 years old

4 Introduction WAF - Web Application Firewall next generation protection can be identified, detected bypassing the rules security software is not necessarily secure

5 What is WAF Attack signatures or abnormal behavior based WAFs products: software or hardware appliance. WAFs AKA 'Deep Packet Inspection Firewall'.

6 What is WAF Flavors: a reverse proxy, embedded or connected in a switch (SPAN or RAP) WAF products detect both inbound and outbound attacks

7 Who uses WAF? Many banks around the world Companies which need high protection Many companies in compliance with PCI DSS (Payment Card Industry - Data Security Standard)

8 Operation Modes: Negative model (blacklist based) Positive model (whitelist based) Mixed / Hybrid

9 The negative model Relies on a database of known attacks Eg. XSS strings like <script>, </script>, String.fromCharCode, etc. Often regular expressions

10 The positive model Whitelist based Learning mode to create a security policy of known good HTTP traffic Example: Page news.jsp, the field "id" only accept numbers [0-9] and starting at 0 until

11 Common Weaknesses Bad design Bad implementation WAFs have to be similar to the web apps and http servers that they need to protect ergo they can have similar security flaws!

12 Detection: Cookies Cookies: Some WAF products add their own cookie in the HTTP communication Reason: some WAFs are also load balancers

13

14 Detection: Headers Header rewriting Most obvious would be "Server" Sometimes is a feature called server cloaking Connection header might be changed to Cneonction or nncoection

15

16 Response codes 404 error codes for existent scripts Different error codes (404, 400, 401, 403, 501, etc) for hostile parameters (even non existent ones) in valid pages.

17

18 some are plain weird like this error code 999

19

20 Detection: blocked connection Drop Action: Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet. Create a firewall rule to block abusers

21 Detection: Ruleset Built-in Rules: All (at least all that we know) WAF systems have a built-in group of rules in negative mode these rules are different in each products, this can help us to detect them

22 Automated detection You should be thinking It s so boring We have to know a lot of products to identify them correctly

23 WAFW00F An answer to your prayers Detect over 15 different WAF products (the number keeps changing) Options to detect multiple WAFs in place Generic detection methods included!

24

25 Bypassing Fingerprint the rules Detect allowed / denied strings Combinations of allowed or denied strings Modify your attack to not match the blacklist

26 Bypassing Encoding and language support, character sets Spaces, comments, case sensitive mutation, Unicode (%uc0af and %c0%af), etc The web server can parse, decode and interpret and HTTP request differently from the WAF

27 Bypassing HTML and JS is very flexible Various methods to split and encode your strings

28

29 Bypassing WAIT! What about positive model? They are really secure? If we find a positive model should we give up?

30

31 Bypassing It s time consuming. Large number of techniques to remember Some techniques may be product specific This calls for some automation!

32 WAFFUN Test the target and point weakness in the WAF Use with WAFW00F for better results. Works in progress, input welcome!

33 WAFFUN Checks if the script echos back (esp in the case of xss) Can check if error suppression is supported Finds out how the WAF responds when a it reacts to an attack

34 WAFFUN Goes through a list of well known blacklisted strings If any were blocked, it tries different encoding methods, null characters, unicode

35

36 Latest: XSS Constructor Tries a number of tags to find out which are allowed through Tries a number of DHTML event handlers Tries a number of Javascript methods

37 WAFFUN

38 Vulnerabilities Web Application specific issues: XSS, SQLi Overflows DoS

39

40 Thank you! Do you have ideas / resources to improve our tools? wsguglielmetti [em] gmail [ponto] com sandro [em] enablesecurity [ponto] com