Web Application Attacks And WAF Evasion

Transcription

1 Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013

2 What Are We Going To Talk About? - introduction to web attacks - OWASP organization - OWASP frameworks - Crawling & info. gathering - Vulnerability Assesment - WAF Evading

3 Introduction To Web Application Attacks

4 Server Side Attacks

5 OWASP The Open Web Application Security Project

6 OWASP Oraganization The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

7 OWASP Frameworks it s a vulnerable open source framework for testing vulnerabilites and educational purpose with many level of security to be test. - DVWA (Damn Vulnerable Web Application) - Mutillidae - Web Goat

8 OWASP Top 10 Web App. Vuln Injection 2. Broken Authentication and Session Management 3. Cross Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Expouse 7. Missing Function Level Access Control 8. Cross Site Request Forgery (CSRF) 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards

9 Web Attacks Methods

10 Info Gathering Via Firefox Addons Wappalyzer: a browser extension that uncovers the technologies used on websites. It detects content management systems, web shops, web servers, JavaScript frameworks, analytics tools and many more. Domain Details : Displays Server Type, Headers, IP Address, Location Flag, and links to Whois Reports. Shows links to check server status and cache when page fails to load.

11 Web Crawling By Burpsuite

12 Directory Enumeration By DirBuster

13 Brute Forcing Basic Authentication & Forms Via Firefox Addon Firefoce

14 Local File Inclusion (DVWA)

15 PHP Wrappers A wrapper is additional code which tells the stream how to handle specific protocols/encodings. For example, the http wrapper knows how to translate a URL into an HTTP/1.0 request for a file on a remote server. There are many wrappers built into PHP by default Php://filter/convert.base64-encode/resource=include.php Data://text/plain;base64,SSBsb3ZlIFBIUAo= Php://input

16 SQL Injection Attacks A poorly validated input field in a Web input form may allow an attacker to insert additional SQL instructions which may then be passed directly into the backend database. Attacker sends simple text-based attacks that exploit the syntax of The target interpreter.

17 SQL Injection Authintication Bypass

18 SQL Injection Authintication Bypass Due to no input validation in the code then we can inject our query to gain admin authentication. admin -- - admin and 1= admin or 1 = 1 admin or 1=1 Limit 0,1 # or 1= or 1=1 Limit 0,1 /* AND 1=0 UNION ALL SELECT 1,2,3 -- -

19 SQL Injection Types - Union Based injection - Blind Based injection - Time Based injection - Error Based injection - Blind Time Based injection

20 Detecting SQL Injection Vulnerability MySQL Error Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12 Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near at line 12 MSSQL Error Server Error in / Application. Unclosed quotation mark before the character string ;. Description: An unhanded exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code. Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ;.

21 SQL Injection Exploitation (prepare your lab) - Order By Clause - Union Statement - user(), DataBase(), Version() - Information_schema - Data Base Structure - Substring & ascii

22 WAF Evasion (Web Application Firewall) Web application firewalls are designed to protect web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload. However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented.

23 WAF Evasion (Web Application Firewall) - Detect WAF systems. - Fingerprint WAF systems. - Generic evasion techniques.

24 WAF Evasion Techniques SQL comments in parameters to try to defeat some SQL Injection rules. Words in random case to try to defeat some SQL Injection rules. SQL query encoding (for example: hex encoding via database features). URI encoding (for example: Unicode forward slash).

25 WAF Evasion Techniques (SQL inj.) Comment: /*!*/ /*!order*//**//*!by*/ 1 /*!union*//**//*!select*/ 1,2,3,4,5 Case sensitive /*!order*//**//*!by*/ 1 /*!union*//**//*!select*/ 1,2,3,4,5 Encoding %2F*!uNiOn*%2F%2F**%2F%2F*!sEleCt*%2F%201%2C2%E2%80 table_name=0xhex to bypass forbidden single quote

26 Questions??!!!

27 Contact: Thank you