WAFFle: Fingerprinting Filter Rules of Web Application Firewalls

Similar documents
WAFFle: Fingerprinting Filter Rules of Web Application Firewalls

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Where every interaction matters.

White Paper Secure Reverse Proxy Server and Web Application Firewall

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Web Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte

Integrating Web Application Security into the IT Curriculum

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Gateway Apps - Security Summary SECURITY SUMMARY

Hack Proof Your Webapps

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Web Intrusion Detection with ModSecurity. Ivan Ristic

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Security features of ZK Framework

INTRUSION DECEPTION CZYLI BAW SIĘ W CIUCIUBABKĘ Z NAMI


SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

DMZ Network Visibility with Wireshark June 15, 2010

Data Breaches and Web Servers: The Giant Sucking Sound

Web Application Penetration Testing

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Web-Application Security

Table of Contents. Page 2/13

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web Application Security Assessment and Vulnerability Mitigation Tests

Intrusion detection for web applications

2013 MONITORAPP Co., Ltd.

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Using Free Tools To Test Web Application Security

Implementation of Web Application Firewall

The Top Web Application Attacks: Are you vulnerable?

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Rational AppScan & Ounce Products

DNS Pinning and Web Proxies

Firewalls P+S Linux Router & Firewall 2013

Some Notes on Web Application Firewalls

10 Things Every Web Application Firewall Should Provide Share this ebook

Magento Security and Vulnerabilities. Roman Stepanov

Guidelines for Web applications protection with dedicated Web Application Firewall

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Developing ASP.NET MVC 4 Web Applications MOC 20486

Essential IT Security Testing

Web Application Firewall

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

From the Bottom to the Top: The Evolution of Application Monitoring

Pwning Intranets with HTML5

1 Web Application Firewalls implementations, common problems and vulnerabilities

IJMIE Volume 2, Issue 9 ISSN:

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Web Application Firewalls: What the vendors do NOT want you to know SHAKACON III

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Application security testing: Protecting your application and data

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Network Security Exercise #8

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Testnet Summerschool. Web Application Security Testing. Dave van Stein

Chapter 15. Firewalls, IDS and IPS

Cross Site Scripting Prevention

Introduction to the Mobile Access Gateway

Detection of SQL Injection and XSS Vulnerability in Web Application

Developing ASP.NET MVC 4 Web Applications

What is Web Security? Motivation

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Web Application Attacks And WAF Evasion

How To Protect A Web Application From Attack From A Trusted Environment

Web Application Firewalls: What the vendors do NOT want you to know. The OWASP Foundation

How To Protect Your Network From Attack From Outside From Inside And Outside

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

BYOD Guidance: Architectural Approaches

HP ProLiant Essentials Vulnerability and Patch Management Pack Server Security Recommendations

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Inspection of Encrypted HTTPS Traffic

Safeguarding the Corporate Portal: A Review of Portal Security

Are you fighting new threats with old weapons? Secure your Web applications with Web Application Firewalls.

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Introduction: 1. Daily 360 Website Scanning for Malware

Repeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Web Application Security

Importance of Web Application Firewall Technology for Protecting Web-based Resources

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Firewall Environments. Name

Transcription:

Email: sebastian.schinzel@cs.fau.de Twitter: @seecurity WAFFle: Fingerprinting Filter Rules of Web Application Firewalls Isabell Schmitt, Sebastian Schinzel* Friedrich-Alexander Universität Erlangen-Nürnberg Lehrstuhl für Informatik 1 IT-Sicherheitsinfrastrukturen *supported by Deutsche Forschungsgemeinschaft (DFG) as part of SPP 1496 Reliably Secure Software Systems

Introduction: Web Application Firewalls Web Application Firewalls intercept web requests filter requests to prevent attacks Internet Demilitarized Zone Intranet Web Server uses filter rules for detecting common attack patterns Passed Request Blocked Request blind for new attack patterns If attacker knows active filter rule set, he can search for loopholes in the rule set What can the attacker learn about the active filter rule set of a WAF? 2

Introduction: Related Work How can the attacker learn active filter rule set? WAFW00f detects if a web page is protected by a WAF and can differentiate between 22 different WAF producers (no active rule set) analyses HTTP status codes, cookies, etc. WAF Tester fingerprints WAF filter rules by analyzing the HTTP status codes and whether the WAF drops or rejects the HTTP request on the TCP layer analyses error conditions no visible error condition == no fingerprinting possible 3

Visibility of Web Application Firewalls 1. Response shows WAF error message a) the rogue request was blocked by the WAF or b) the WAF passed the request to the web application that responded with an error message and which was then cloaked by the WAF 2. Response shows Webapp error message a) WAF neither blocked the request, nor cloaked the web application s error message 3. Response shows Normal response a) WAF removed the malicious part of the rogue request b) WAF passed the rogue request but webapp ignored the malicious part of the request c) WAF passed the rogue request and the malicious part was executed, but it produced no visible result 4

Introduction to Timing Side Channel Attacks t0 t1 Attacker (client) user does not exist login(user, pass) An error occured false Server user correct? Other examples for side channels: sound visuals true emissions t2 user exists An error occured false pass correct? power consumption motion (mobiles) T true size of encrypted packages 5

1. Scenario: mod_security as Reverse Proxy mod_security filtering on reverse proxy Request gets passed to Web server iff request is not blocked by filter set Blocked requests are never passed to Web server Internet Passed Request Blocked Request Demilitarized Zone Intranet Web Server 6

2. Scenario: mod_proxy as Web Server Plugin mod_security filtering as web server plugin Request gets passed to Web application iff request is not blocked by filter set Blocked requests are never passed to Web application Internet Demilitarized Zone Intranet Web Server 7

3. Scenario: PHPIDS as Programming Library mod_security filtering as web application plugin Request gets passed to business logic iff request is not blocked by filter set Blocked requests are never passed to business application Internet Demilitarized Zone Intranet Web Server 8

WAFfle: Fingerprinting Filter Rules of Web Application Firewalls Idea behind WAFfle Demilitarized Zone Intranet Web Server 1. Generate polymorphic representations of exploit code (e.g. <script>alert(23);</script>, <script_>alert(23);</script>, <script >alert(23);</script> <script >alert(23);</script>) 2. Send to web app and measure response time Internet 9 Passed Request Blocked Request 3. Analyse response time

WAFfle: Fingerprinting Filter Rules of Web Application Firewalls Two phases of WAFle 1. Learning phase a) measure response times T of n passed requests b) define blocking boundary as b = min(t ) - ɛ 2. Attack phase Response time + Passed requests + + + + + + + + + + + Blocking boundary + + No decision possible: a) passed request + low jitter OR b) blocked request + high jitter X X Blocked request a) send probe and measure t b) blocked request if t < b 1. Learning phase 2. Attack phase # 10

WAFfle: Fingerprinting Filter Rules of Web Application Firewalls 11

WAFfle: Results Internet Demilitarized Zone Intranet Web Server Passed Request Blocked Request mod_security filtering on reverse proxy 12

WAFfle: Results Internet Demilitarized Zone Intranet Web Server mod_security filtering as web server plugin 13

WAFfle: Results Internet Demilitarized Zone Intranet Web Server mod_security filtering as web application plugin 14

WAFfle: Results Results All three scenarios allow to distinguish blocked from passed requests by observing response times With no repetitions, >95% of single requests already correctly determine blocked and passed requests 1(a) 1(b) 1(c) 15

WAFfle: Cross Site Timing Attack One more thing... We re on the web, and the web allows cross site requests Extend WAFfle for Cross Site Request Forgery (Cross Site Timing Attack) Generate Javascript code that attacker embeds on web page Web User 2) Victim Web Application Attacker tricks other users to visit web page other users perform measurement and send measurements to attacker 3) Web Browser 4) Sends Measurements Attacker WAF 1) Visits 16 Web Site

Cross-Site Timing Attack 17

WAFfle: Cross Site Timing Attack Cross Site Timing Attack 18

Summary Introduced a new timing attack against WAFs that directly distinguishes passed requests from blocked requests without relying on ambiguous error messages Tested the attack over an Internet connection against three common WAF deployment setups and showed that the attack is highly practical Combined our timing attack with XSRF, hides the attacker s identity prevents the WAF from blocking the attack (assuming that the attacker distributes the attack to many other users) 19

Thanks! Discussion. Email: sebastian.schinzel@cs.fau.de Twitter: @seecurity 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information