2 Who is Wendel? Independent penetration test analyst. Affiliated to Hackaholic team. Over 7 years in the security industry. Discovered vulnerabilities in Webmails, Access Points, Citrix Metaframe, etc. Speaker at H2HC, Code Breakers, Defcon, etc.
3 Who is Sandro? Founder and CSO of EnableSecurity. Over 8 years in the security industry. Published security research papers. Tools - SIPVicious and SurfJack.
4 What is WAF? Web Application Firewall (WAF): An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A Web application firewall is used as a security device protecting the web server from attack. Source: Web Application Security Consortium Glossary.
5 What is WAF? WAFs are often called 'Deep Packet Inspection Firewall'. Some WAFs look certain 'attack signature' while others look for abnormal behavior. WAFs can be either software or hardware appliance.
6 What is WAF? Modern WAF systems work both with attack signature and abnormal behavior. WAFs can be installed as a reverse proxy, embedded or connected in a switch (SPAN or RAP). Nowadays many WAF products detect both inbound and outbound attacks.
8 Who uses WAF? Many banks around the world. Companies which need high protection. Many companies in compliance with PCI DSS (Payment Card Industry - Data Security Standard).
9 Type of operation modes: Negative model (blacklist based). Positive model (whitelist based). Mixed / Hybrid (mix negative and positive model protection).
10 Type of operation modes: A negative security model recognize attacks by relying on a database of expected attack signatures. Example: Do not allow in any page, any argument value (user input) which match potential XSS strings like <script>, </script>, String.fromCharCode, etc. Pros: Less time to implement (plug and play or plug and hack? :). Cons: More false positives. More processing time. Less protection.
11 Type of operation modes: A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid know good requests. Example: Page news.jsp, the field "id" only accept numbers [0-9] and starting at 0 until Pros: Better performance (less rules). Less false positives. Cons: Much more time to implement. Some vendors provide "automatic learning mode", they help, but are far from perfect, in the end, you always need a skilled human to review the policy.
12 Tricks to detect WAF systems: WAF systems leave several signs which permit us to detect them, like: Cookies - Some WAF products add their own cookie in the HTTP communication. Example - Citrix Netscaler: Host: User-Agent: Mozilla/5.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: Cookie: ASPSESSIONIDAQRBCRDA=HKCIAFFBGFJOCOGGKMLDMKBP; ns_af=inomh/inobwnnkxoetwogbhpyjwa0; ns_af_.domain.com.br_%2f_wat=qvnqu0vtu0lptkleqvfsqknsreff?npkntil264r 7Pi8zgH5vSKd/S6YA&
13 Tricks to detect WAF systems: Cookies DEMO
14 Tricks to detect WAF systems: Header Rewrite - Some WAF products allow the rewriting of HTTP headers. The most common field is "Server", this is used to try to deceive the attackers (server cloaking). Example - Armorlogic Profense: Date: Sat, 08 Nov :06:58 GMT Server: Profense Expires: Thu, 19 Nov :52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html Set-Cookie: SID=dkhtir88p1c6v2859rvqkpukg1; path=/ Vary: Accept-Encoding Content-Encoding: gzip Keep-Alive: timeout=1, max=10 Connection: Keep-Alive Transfer-Encoding: chunked
15 Tricks to detect WAF systems: Header Rewrite DEMO
16 Tricks to detect WAF systems: Different 404 error codes for hostile and non existent pages. Different error codes (404, 400, 401, 403, 501, etc) for hostile parameters (even non existent ones) in valid pages. Drop Action: "Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet. All (at least all that I know) WAF systems have a built-in group of rules in negative mode, these rules are different in each products, this can help us to detect them.
17 Tricks to detect WAF systems: Different 404 error DEMO
18 Specific techniques to evade WAF systems: In a penetration test made 7 months ago, we were able to bypass a Citrix Netscaler using the technique described above. Example - Real life: What we did after identifying the rules was rebuild the query like: 1) Removing all "NULL" words. 2) Use database SQL encoding features in some parts. 3) Remove the single quote character "'". 4) And have fun! :)
19 Attacking Negative Mode: How can we bypass it? DEMO
20 Attacking Positive Mode: Is possible bypass it? DEMO
21 BONUS: Armorlogic Profense static root password and sshd enable by default. Armorlogic Profense default password at web administration interface.
22 What we learned? Negative model will be bypassed. Positive model is harder... nothing is impossible, review your source code!
23 What s next? Wendel Guglielmetti Henrique and Sandro Gauci working on: Developing tools to detect WAF systems. Developing tools to evade WAF systems. Bypass encoder Research papers Advisories
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following
Administration Manual Web Security Manager 4.2 www.alertlogic.com firstname.lastname@example.org February, 2014 Alert Logic, the Alert Logic logo, the Alert Logic logotype and Web Security Manager are trademarks
Introduction to Web Application Firewalls Dustin Anders Today s Presenter Dustin Anders, CISSP Senior Security Engineer w/ Imperva Implemented security solutions for large enterprises since 1997 (State
C H A P T E R 4 Layer 7 Load Balancing and Content Customization This chapter will discuss the methods and protocols involved in accomplishing a Layer 7 load-balancing solution. The reasons for and benefits
Barracuda Web Application Firewall Best Practices Guide US 1.0 Copyright 2011 Barracuda Networks Inc. 3175 S. Winchester Blvd., Campbell, CA 95008 1-888-268-4772 www.barracuda.com Table of Contents Introduction.................................................................................................................
An Accurate and Effective Approach to Protecting and Monitoring Web Applications White Paper Web applications have lowered costs and increased revenue by extending the enterprise s strategic business systems
UNIVERSITY OF OSLO Department of Informatics Presenting a Prototype for Pull Based Load Balancing of Web Servers Master thesis Arild Berggren Oslo University College 23rd May 2007 3 4 Presenting a Prototype
Net Integration Technologies, Inc. http://www.net itech.com Net Integrator Firewall Technical Overview Version 1.00 TABLE OF CONTENTS 1 Introduction...1 2 Firewall Architecture...2 2.1 The Life of a Packet...2
The Future of Web Security: 10 Things Every Web Application Firewall Should Provide Introduction Over half of all organizations have experienced a Web application breach in the past year, and many of these
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
The Evolution of Enterprise Application Security Why enterprises need runtime application self-protection 2 Abstract Enterprise information security encompasses a broad set of disciplines and technologies,
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 2.0 May 2013 Document Changes Date Version Description February 11, 2010 1.0 May 2013 2.0 Approved Scanning
Unified Security Monitoring Best Practices June 8, 2011 (Revision 1) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of
RESEARCH PAPER Web application firewalls Laying the myths to rest A review of how businesses are reconsidering long-standing beliefs about web application firewalls January 2014 Sponsored by Contents Executive
SMALL BUSINESS NETWORK SECURITY GUIDE WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION AUGUST 2004 SMALL BUSINESS NETWORK SECURITY GUIDE: WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION
Cyber Security: Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers This appendix is a supplement to the Cyber Security: Getting Started
WHITE PAPER 10 Things Every Web Application Firewall Should Provide Introduction Because they are easily accessible and often serve as an entry point to valuable data, web applications are now and always
University of Amsterdam System & Network Engineering Security in mobile banking December 23, 2012 Authors: Thijs Houtenbos Jurgen Kloosterman Bas Vlaszaty Javy de Koning Abstract The goal of the research
Sponsored by VSS Monitoring Optimized Network Monitoring for Real-World Threats July 2011 A SANS Whitepaper Written by: Dave Shackleford Threat Overview Page 2 Drivers, Deployments and Gaps Page 3 Optimizing
Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals
White Paper Intrusion Detection and Prevention Protecting Your Network From Attacks Sarah Sorensen Product Marketing Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408
Data protection Protecting personal data in online services: learning from the mistakes of others May 2014 Contents Introduction... 2 What the DPA says... 4 Software security updates... 5 Software security