Advanced Filter Evasion and Web Application Firewall Bypassing

Transcription

1 Advanced Filter Evasin and Web Applicatin Firewall Bypassing Encding and Filtering - understanding what kind f data encding us being used and hw it wrks is fundamental in ensuring that tests are perfrmed as intended Data Encding basics Dissecting encding types URL Encding HTML Encding Dcument character encding Character references Base (36 64) encding Unicde encding Multiple (De En)cdings Filtering basics Regular Expressins Metacharacters Shrthand character classes Nn-printing characters Unicde Web Applicatin Firewall WAF Detectin and Fingerprinting Client-side Filters Evasin Basic - advanced cverage f the mst mdern filter evasin techniques using different client side and server side languages. T have cmplete understanding f filters and encding this sectin intrduces the main Evasin Techniques that start frm Base64 and lesser knwn URI bfuscatin techniques and cncludes with JavaScript and PHP Obfuscatin techniques Base64 evasin URI Obfuscatin techniques URL shrtening URL Hstname bfuscatin JavaScript Obfuscatin Techniques JavaScript Encding Nn-alphanumeric JavaScript Cmpressing Minifying Packing PHP Obfuscatin Techniques Basic Language Reference Type Juggling Numeric Data types String Data types Array Data types Variable Variables Nn-alphanumeric Cde String generatin

2 Crss-Site Scripting - advanced attack techniques and extic XSS vectrs, hw t explit any kind f XSS with the mst advanced tls available Crss-Site Scripting Reflected XSS Persistent XSS DOM XSS Universal XSS XSS Attacks Ckie Grabbing Script Injectin Ckie Recrding and Lgging Bypassing HTTPOnly flag Crss-site Tracing(XST) CVE: BeEF s Tunnelling Prxy Defacements Virtual Defacement Persistent Defacement Phishing Keylgging Keylgging with Metasplit Keylgging with BeEF Netwrk Attacks IP detectin Subnet detectin Ping Sweeping Prt Scanning Simple Prt Scanner HTML5 alternatives Self-XSS Brwsers security measures Chrmium based brwser Mzilla Firefx based brwser Internet Explrer Safari JavaScript cnsle limitatins Extic XSS Vectrs Mutatin-based XSS mxss Examples mxss Multiple Mutatins XSS Filter Evasin and WAF bypassing techniques - Starting frm simple Blacklisting filters t different mechanisms t bypass cmmn input sanitizatin techniques, brwser filters and much mre. Bypassing Blacklisting Filters Injecting Script Cde Bypassing weak <script> tag banning MdSecurity > Script tag based XSS Beynd <script> tag - using HTML events Keywrd based filters Character escaping Unicde Decimal, Octal, Hexadecimal Cnstructr Strings

3 Executin Sinks Pseud-prtcls data vbscript Bypassing Sanitizatin String manipulatins Remving HTML Tags Escaping Qutes Escaping Parenthesis Bypassing Brwser Filters (Un)Filtered Scenaris Injecting inside HTML Tag Injecting inside HTML attributes Injecting inside SCRIPT tag Injecting inside event attributes DOM Based Other Scenaris SQL Injectin - Advanced Attack Techniques n different DBMS's SQL Injectin Expliting SQLi Techniques Classificatin Gathering Infrmatin frm the envirnment Identify the DBMS Errr Cde Analysis > MySQL Errr Cde Analysis > MSSQL Errr Cde Analysis > Oracle Banner Grabbing Educated Guessing String Cncatenatin Numeric Functins SQL Dialect Enumerating the DBMS Cntent MySQL MSSQL Oracle Tables and Clumns Users and Privileges Advanced SQLi Explitatin Out-f-Band Explitatin Alternative OOB Channels OOB via HTTP Oracle URL_HTTP Package Oracle HTTPURITYPE Package OOB via DNS DNS Exfiltratin Flw Prvking DNS requests MySQL MSSQL Oracle Expliting Secnd-Order SQL Injectin First-rder example Security Cnsideratins Autmatin Cnsideratins

4 SQLi Filter Evasin and WAF Bypassing - Advanced Attack Techniques n different DBMS s. Recgnizing the presence f WAF s and filters and implement effective bypassing techniques. SQLi Filter Evasin and WAF Bypassing DBMS gadgets Functins Cnstants and variables System variables Typecasting Bypassing Keywrds filters Using cmments Case changing Replaced keywrds Circumventing by Encding URL encde Duble URL encde Characters encding Inline cmmnets Allwed Whitespaces Bypassing Functins Filters Bypassing Regular Expressin filters Crss-Site Request Frgery - explit Weak Anti-CSRF mechanisms cncluding with Advanced Explitatin techniques XSRF Vulnerable scenaris Attack Vectrs Frce Brwsing with GET Example - change address Pst Requests Aut-submitting frm > v1 Aut-submitting frm > v2 Expliting Weak Anti-CSRF Measures Using Pst-nly requests Multi-Step Transactins Checking Referer Header Predictable Anti-CSRF tken Unverified Anti-CSRF tken Secret Ckies Advanced CSRF Explitatin Bypassing CSRF defences with XSS Bypassing Anti-CSRF Tken Request a valid frm with a valid tken Extract the valid tken frm the surce cde Frge the frm with the stlen tken HTML5 - what are the mst cmmn security mechanisms develper use: these are critical t understand hw t leverage even mre sphisticated attacks. Analysis f UI rendering attacks and an verview f related new Attack Vectrs intrduced with HTML5 HTML5

5 Semantics New attack vectrs Frm Elements Media Elements Semantic/Structural Elements Attributes Offline and Strage Web Strage > Attack Scenari Sessin Hijacking Offline Web Applicatin > Attack Scenati Device Access Gelcatin > Attack Scenari Fullscreen mde > Attack Scenari Phishing Perfrmance, Integrity and Cnnectivity Attack Scenaris Expliting HTML5 CORS Attack Scenari Universal Allw Allw by wildcard value * Allw by server-side Weak Access Cntrl Check Origin Example Intranet Scanning JS-Recn Remte Web Shell The Shell f the Future Strage Attack Scenari Web Strage Sessin Hijacking Crss-directry attacks User Tracking and Cnfidential Data disclsure IndexedDB IndexedDB vs WebSQL Database Web Messaging Attack Scenaris Web Messaging DOM XSS Origin Issue Web Sckets Attack Scenris Web Sckets Data Validatin MiTM Remre Shell Netwrk Recnnaissance Web Wrkers Attack Scenaris WebWrkers Brswer-Based Btnet Distributed Passwrd Cracking DDS Attacks HTML5 Security Measures Security Headers X-XSS-Prtectin X-Frame-Optins Strict-Transprt-Security X-Cntent-Type-Optins Cntent Security Plicy UI Readressing: The x-jacking Art ClickJacking LikeJacking StrkeJacking

6 New Attack Vectrs in HTML5 Drag-and-Drp Text Field Injectin Cntent Extractin XML Attacks - mst mdern related attacks such as XML Tag Injectin, XXE, XEE, Path Injectin. Fr each f them basic and advanced explitatin techniques are analysed XML Attacks Entities blck XML Dcument with External DTD + Entities XML Tag Injectin Testing XML Injectin Single/Duble Qutes Ampersand Angular parentheses XSS with CDATA XML external Entity Taxnmy External Entities: Private vs Publix Resurce Inclusin Resurce Inclusin - Imprved Invalid resurce t extract CDATA Escape using Parameter Entities PHP://I/O Stream Bypassing Access Cntrl Out-Of-Band Data Retrieval OOB via HTTP OOB via HTTP using XXEServe XML Entity Expansin Recursive Entity Expansin Billin Laugh Attack Generic Entity Expansin Quadratic Blwup Attack Remte Entity Expansin XPath Injectin XPath 1.0 vs 2.0 New Operatins and Expressins n Sequences Functins n Strings Functin accessrs FOR Operatr Cnditinal Expressin Regular Expressin Assemble/Disassemble String Data Types Advanced XPath Explitatin Blind Explitatin Errr Based Blean Based OOB Explitaitn HTTP Channel DNS Channel