Web Application Firewall Bypassing

Similar documents
Web Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte

Web Application Attacks And WAF Evasion

Intrusion detection for web applications

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Playing with Web Application Firewalls

Some Notes on Web Application Firewalls

Check list for web developers

External Network & Web Application Assessment. For The XXX Group LLC October 2012

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Protocol-Level Evasion of Web Application Firewalls

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Application security testing: Protecting your application and data

Vulnerability Assessment and Penetration Testing

Web Application Firewalls: What the vendors do NOT want you to know SHAKACON III

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

Penetration Test Report

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Guidelines for Web applications protection with dedicated Web Application Firewall

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Penta Security 3rd Generation Web Application Firewall No Signature Required.

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

<Insert Picture Here> Oracle Web Cache 11g Overview

SQL Injection Attacks: Detection in a Web Application Environment

Implementation of Web Application Firewall

Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Web Application Security

Web Application Firewall (WAF) Guide. Web Application Firewall を 理 解 するための 手 引 き A Handbook to Understand Web Application Firewall

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations OWASP. The OWASP Foundation. Marco Morana & Scott Nusbaum

Penetration Testing with Kali Linux

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Thick Client Application Security

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Adobe Systems Incorporated

How To Fix A Web Application Security Vulnerability

Application Security Testing. Generic Test Strategy

Cross-Site Scripting

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Penetration Testing Report Client: Business Solutions June 15 th 2015

1 Web Application Firewalls implementations, common problems and vulnerabilities

CS 558 Internet Systems and Technologies

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Keyword: Cloud computing, service model, deployment model, network layer security.

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Where every interaction matters.

IJMIE Volume 2, Issue 9 ISSN:

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

How To Protect A Web Application From Attack From A Trusted Environment

Institutionen för datavetenskap

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Criteria for web application security check. Version

Automating SQL Injection Exploits

HTTPParameter Pollution. ChrysostomosDaniel

Web application security

Learn Ethical Hacking, Become a Pentester

Advanced Web Security, Lab

Essential IT Security Testing

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Web application testing

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Application Security

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

Web Intrusion Detection with ModSecurity. Ivan Ristic

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Web Application Report

Magento Security and Vulnerabilities. Roman Stepanov

A Tale of the Weaknesses of Current Client-side XSS Filtering

The New PCI Requirement: Application Firewall vs. Code Review

External Supplier Control Requirements

Project 2: Web Security Pitfalls

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Playing with Web Application Firewalls

SQL Injection January 23, 2013

Web Application Firewalls: What the vendors do NOT want you to know. The OWASP Foundation

Attack and Penetration Testing 101

Common Criteria Web Application Security Scoring CCWAPSS

Application Security Testing

(WAPT) Web Application Penetration Testing

How to Make the Client IP Address Available to the Back-end Server

SANS Top 20 Critical Controls for Effective Cyber Defense

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Transcription:

Web Application Firewall Bypassing how to defeat the blue team KHALIL BIJJOU CYBER RISK SERVICES DELOITTE 29 th Octobre 2015

STRUCTURE Motivation & Objective Introduction to Web Application Firewalls Bypassing Methods and Techniques Approach for Penetration Testers The Tool WAFNinja Results Conclusion

Motivation & Objective

MOTIVATION AND THESIS OBJECTIVE (I) MOTIVATION Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration test more difficult Attempting to bypass a WAF is an important aspect of a penetration test

MOTIVATION AND THESIS OBJECTIVE (II) OBJECTIVE Provide a practical approach for penetration testers which helps to ensure accurate results

Introduction to Web Application Firewalls

INTRODUCTION TO WEB APPLICATION FIREWALLS (I) OVERVIEW Protects a web application by adding a security layer Stands between a user and a web server Understands HTTP traffic better than traditional firewalls Checks for malicious traffic and blocks it

INTRODUCTION TO WEB APPLICATION FIREWALLS (IV) FUNCTIONALITY Pre-processor: Decide wether a request will be processed further Normalization: Standardize user input Validate Input: Check user input against policies

INTRODUCTION TO WEB APPLICATION FIREWALLS (V) NORMALIZATION FUNCTIONS Simplifies the writing of rules No Knowledge about different forms of input needed compresswhitespace hexdecode lowercase urldecode converts whitespace chars to spaces decodes a hex-encoded string converts characters to lowercase decodes a URL-encoded string

INTRODUCTION TO WEB APPLICATION FIREWALLS (VI) INPUT VALIDATION Security Models define how to enforce policies Policies consist of regular expressions Three Security Models: 1. Positive Security Model 2. Negative Security Model 3. Hybrid Security Model

INTRODUCTION TO WEB APPLICATION FIREWALLS (VII) INPUT VALIDATION Positive Security Model (Whitelist) Deny all but known good Prevents Zero-day Exploits More secure than blacklist Comprehensive understanding of application is needed Creating policies is a time-consuming process Negative Security Model (Blacklist) Allow all but known bad Shipped with WAF Fast adoption Little knowledge needed Protect several applications Tends to false positives Resource-consuming

Bypassing Methods and Techniques

BYPASSING METHODS AND TECHNIQUES (I) OVERVIEW Pre-processor Exploitation: Make WAF skip input validation Impedance Mismatch: WAF interprets input differently than back end Rule Set Bypassing: Use Payloads that are not detected by the WAF

Pre-processor Exploitation

BYPASSING METHODS AND TECHNIQUES (II) BYPASSING PARAMETER VERIFICATION PHP removes whitespaces from parameter names or transforms them into underscores http://www.website.com/products.php?%20productid=select 1,2,3 ASP removes % character that is not followed by two hexadecimal digits http://www.website.com/products.aspx?%productid=select 1,2,3 A WAF which does not reject unknown parameters may be bypassed with this technique.

BYPASSING METHODS AND TECHNIQUES (III) PRE-PROCESSOR EXPLOITATION EXAMPLE X-* Headers WAF may be configured to trust certain internal IP Addresses Input validation is not applied on requests originating from these IPs If WAF retrieves these IPs from headers which can be changed by a user a bypass may occur A user is in control of the following HTTP Headers: X-Originating-IP X-Forwarded-For X-Remote-IP X-Remote-Addr

BYPASSING METHODS AND TECHNIQUES (IV) MALFORMED HTTP METHOD Misconfigured web servers may accept malformed HTTP methods A WAF that only inspects GET and POST requests may be bypassed

BYPASSING METHODS AND TECHNIQUES (V) OVERLOADING THE WAF A WAF may be configured to skip input validation if performance load is heavy Often applies to embedded WAFs Great deal of malicious requests can be sent with the chance that the WAF will overload and skip some requests

Impedance Mismatch

BYPASSING METHODS AND TECHNIQUES (VI) HTTP PARAMETER POLLUTION Sending a number of parameters with the same name Technologies interpret this request http://www.website.com/products/?productid=1&productid=2 differently: Back end Behavior Processed ASP.NET Concatenate with comma productid=1,2 JSP First Occurrence productid=1 PHP Last Occurrence productid=2

BYPASSING METHODS AND TECHNIQUES (VII) IMPEDANCE MISMATCH EXAMPLE The following payload?productid=select 1,2,3 from table can be divided:?productid=select 1&productid=2,3 from table WAF sees two individual parameters and may not detect the payload ASP.NET back end concatenates both values

BYPASSING METHODS AND TECHNIQUES (VIII) HTTP PARAMETER FRAGMENTATION Splitting subsequent code between different parameters Example query: sql = "SELECT * FROM table WHERE uid = "+$_GET['uid']+" and pid = +$_GET[ pid'] The following request: http://www.website.com/index.php?uid=1+union/*&pid=*/select 1,2,3 would result in this SQL Query: sql = "SELECT * FROM table WHERE uid = 1 union/* and pid = */select 1,2,3"

BYPASSING METHODS AND TECHNIQUES (IX) DOUBLE URL ENCODING WAF normalizes URL encoded characters into ASCII text The WAF may be configured to decode characters only once Double URL Encoding a payload may result in a bypass s -> %73 -> %25%37%33 The following payload contains a double URL encoded character 1 union %25%37%33elect 1,2,3

Rule Set Bypassing

BYPASSING METHODS AND TECHNIQUES (X) BYPASS RULE SET Two methods: Brute force by enumerating payloads Reverse-engineer the WAFs rule set

APPROACH FOR PENETRATION TESTERS

APPROACH FOR PENETRATION TESTERS (I) OVERVIEW Similar to the phases of a penetration test Divided into six phases, whereas Phase 0 may not always be possible

APPROACH FOR PENETRATION TESTERS(II) PHASE 0 Identifying vulnerabilities with a disabled WAF Objective: find security flaws in the application more easily assessment of the security level of an application is more accurate Allows a more focused approach when the WAF is enabled May not be realizable in some penetration tests

APPROACH FOR PENETRATION TESTERS(III) PHASE 1 Reconaissance Objective: Gather information to get a good overview of the target Basis for the subsequent phases Gather information about: web server programming language WAF & Security Model Internal IP Addresses

APPROACH FOR PENETRATION TESTERS (IV) PHASE 2 Attacking the pre-processor Objective: make the WAF skip input validation Identify which parts of a HTTP request are inspected by the WAF to develop an exploit: 1. Send individual requests that differ in the location of a payload 2. Observe which requests are blocked 3. Attempt to develop an exploit

APPROACH FOR PENETRATION TESTERS(V) PHASE 3 Attempting an impedance mismatch Objective: make the WAF interpret a request differently than the back end and therefore not detecting it Knowledge about back end technologies is needed

APPROACH FOR PENETRATION TESTERS(VI) PHASE 4 Bypassing the rule set Objective: find a payload that is not blocked by the WAFs rule set 1. Brute force by sending different payloads 2. Reverse-engineer the rule set in a trial and error approach: 1. Send symbols and keywords that may be useful to craft a payload 2. Observe which are blocked 3. Attempt to develop an exploit based on the results of the previous steps

APPROACH FOR PENETRATION TESTERS(VII) PHASE 5 Identifying miscellaneous vulnerabilities Objective: find other vulnerabilities that can not be detected by the WAF Broken authentication mechanism Privilege escalation

APPROACH FOR PENETRATION TESTERS(VIII) PHASE 6 Post assessment Objective: Inform customer about the vulnerabilities Advise customer to fix the root cause of a vulnerability For the time being, the vulnerability should be virtually patched by adding specific rules to the WAF Explain that the WAF can help to mitigate a vulnerability, but can not thoroughly fix it

WAFNINJA

WAFNINJA (I) OVERVIEW CLI Tool written in Python Automates parts of the approach Already used in several penetration tests Supports HTTPS connections GET and POST parameter Usage of cookies

WAFNINJA (II) MOST IMPORTANT FUNCTIONS Fuzz Reverse-engineer a WAFs rule set by sending different symbols and keywords Analyzes the response of every request Results are displayed in a clear and concise way Fuzzing strings can be extended with the insert-fuzz function Bypass Brute forcing the WAF by enumerating payloads and sending them to the target Analyzes the response of every request Results are displayed in a clear and concise way Payloads can be extended with the insert-bypass function

RESULTS

RESULTS (I) OVERVIEW Results of using WAFNinja to attempt to bypass three WAFs in a test environment Deployed WAFs used the standard configuration Two vulnerable web applications behind every WAF

RESULTS (II) COMODO WAF Most intelligent rule set of the three tested WAFs SQL Injection payload found: 0 union/**/select 1,version(),@@datadir Disclosure of sensitive information:

RESULTS (III) MODSECURITY WAF Highly restrictive rule set SQL Injection payload found: 1+uni%0Bon+se%0Blect+1,2,3 but was not processed by the back end

RESULTS (IV) AQTRONIX WEBKNIGHT WAF Most vulnerable rule set of all three WAFs SQL Injection payload found: 0 union(select 1,@@hostname,@@datadir) Disclosure of sensitive information:

RESULTS (V) AQTRONIX WEBKNIGHT SQL Injection payload found: 0 union(select 1,username,password from(users)) Disclosure of personal data:

RESULTS (VI) AQTRONIX WEBKNIGHT XSS payload found: <img src=x onwheel=prompt(1)> onwheel replaced an old JavaScript event handler

CONCLUSION

CONCLUSION (I) Different Bypass Methods and Techniques have been gathered and categorized Based on these techniques a practical approach is described A tool which facilitates this approach was developed The tool s results contributed to finding several bypasses

CONCLUSION (II) The given approach can improve the accuracy of penetration test results The listing of bypassing techniques can be used by vendors to improve their WAFs WAF vulnerabilities found were reported to the particular WAF vendors Ultimately: WAFs make exploiting vulnerabilities more difficult, but do not guarantee that a security breach will not happen

CONCLUSION (III)

CONCLUSION (III)

THANK YOU FOR YOUR ATTENTION! E-Mail: kbijjou@deloitte.de Xing: Khalil Bijjou

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information