WAFFle: Fingerprinting Filter Rules of Web Application Firewalls




Transcription:

WAFFle: Fingerprinting Filter Rules of Web Application Firewalls
Isabell Schmitt, Sebastian Schinzel*
Friedrich-Alexander Universität Erlangen-Nürnberg, Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)
Email: sebastian.schinzel@cs.fau.de, Twitter: @seecurity

Talk presented at the 6th USENIX Workshop on Offensive Technologies (WOOT 2012).
Full paper: http://www.sebastian-schinzel.de/_download/woot12.pdf
Full video of the talk: https://www.usenix.org/conference/woot12/waffle-fingerprinting-filter-rules-webapplication-firewalls

Introduction: Web Application Firewalls
Web Application Firewalls intercept web requests and filter them to prevent attacks.
(Figure: Internet, WAF in the Demilitarized Zone, Web Server in the Intranet; a passed request reaches the web server, a blocked request is rejected by the WAF.)
A WAF uses filter rules for detecting common attack patterns, so it is blind to new attack patterns.
If the attacker knows the active filter rule set, he can search for loopholes in the rule set.
What can the attacker learn about the active filter rule set of a WAF?

WAFfle: Fingerprinting Filter Rules of Web Application Firewalls
Idea behind WAFfle
1. Generate polymorphic representations of exploit code (e.g. <script>alert(23);</script>, <script_>alert(23);</script>, <script >alert(23);</script>, <script >alert(23);</script>)
2. Send them to the web application and measure the response time
3. Analyse the response times
(Figure: Internet, WAF in the Demilitarized Zone, Web Server in the Intranet; passed request vs. blocked request.)

Introduction: Web Application Firewalls
(Figure slides: deployment diagrams with Internet, Demilitarized Zone, Intranet and Web Server, showing passed and blocked requests.)

WAFfle: Results
(Figure: scenario with mod_security filtering as a web application plugin; Internet, Demilitarized Zone, Intranet, Web Server.)

WAFfle: Results
All three scenarios allow distinguishing blocked from passed requests by observing response times.
With no repetitions, >95% of single requests already correctly determine blocked and passed requests.
(Figure: response-time measurements for scenarios 1(a), 1(b), 1(c).)
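The response-time analysis of step 3 in "Idea behind WAFfle" and the single-request accuracy in the results above, as an added simulation that is not code from the talk or the paper. The latency model is constructed (the assumption is that a request rejected in the DMZ returns faster than one forwarded to the web server; the millisecond values are made up), and the two-cluster threshold is my own choice of analysis; nothing here sends a request.

```python
import random
import statistics

# Constructed latency model (assumption, not measured data from the paper):
# a request the WAF rejects in the DMZ never reaches the web server, so it
# returns faster than a request that is passed on. Values are in milliseconds.
BLOCKED_MS = (2.0, 0.3)   # (mean, stddev) for blocked requests
PASSED_MS = (5.0, 0.8)    # (mean, stddev) for passed requests

def simulate_response_time(blocked, rng):
    """Draw one response time from the constructed model."""
    mean, sd = BLOCKED_MS if blocked else PASSED_MS
    return max(0.1, rng.gauss(mean, sd))

def split_threshold(times):
    """Find a cut between the two latency clusters with 1-D two-means:
    start from min/max as centres and iterate until they stop moving."""
    lo, hi = min(times), max(times)
    for _ in range(100):
        mid = (lo + hi) / 2
        low = [t for t in times if t <= mid]
        high = [t for t in times if t > mid]
        if not low or not high:          # degenerate: only one cluster
            return mid
        new_lo, new_hi = statistics.fmean(low), statistics.fmean(high)
        if abs(new_lo - lo) < 1e-9 and abs(new_hi - hi) < 1e-9:
            break
        lo, hi = new_lo, new_hi
    return (lo + hi) / 2

def label_blocked(times, threshold):
    """Step 3 of WAFfle: a variant is judged blocked by the rule set when
    its single response time falls on the fast side of the cut."""
    return [t <= threshold for t in times]

def fingerprint_accuracy(n_variants=200, hit_rate=0.5, seed=23):
    """Simulate one run: each of n_variants polymorphic payloads is blocked
    or passed by a hidden rule set; classify every variant from ONE timing
    sample (no repetitions) and return the fraction labelled correctly."""
    rng = random.Random(seed)
    truth = [rng.random() < hit_rate for _ in range(n_variants)]
    times = [simulate_response_time(b, rng) for b in truth]
    guess = label_blocked(times, split_threshold(times))
    return sum(g == t for g, t in zip(guess, truth)) / n_variants

if __name__ == "__main__":
    print(f"single-request accuracy: {fingerprint_accuracy():.3f}")
```

The wider the gap between the two latency distributions relative to their jitter, the closer the single-request accuracy gets to the >95% reported above; the signal disappears only when blocked and passed responses take the same time.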

WAFfle: Cross Site Timing Attack
One more thing... We're on the web, and the web allows cross-site requests.
Extend WAFfle for Cross Site Request Forgery (Cross Site Timing Attack):
Generate JavaScript code that the attacker embeds on a web page.
The attacker tricks other users into visiting that web page.
The other users perform the measurement and send the measurements to the attacker.
(Figure: 1) web user visits the attacker's web site; 2) victim web application; 3) WAF; 4) the web browser sends measurements to the attacker.)

WAFfle: Cross Site Timing Attack
(Figure slide: Cross Site Timing Attack.)

Thanks! Discussion.
Email: sebastian.schinzel@cs.fau.de, Twitter: @seecurity