bypassing web application
play

Bypassing Web Application Firewalls an approach for pentesters - PowerPoint PPT Presentation

Jan 23, 2023 •188 likes •533 views

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

  1. Bypassing Web Application Firewalls – an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017

  2. BYPASSING A WAF – WHY? • Number of deployed Web Application Firewalls (WAFs) is increasing • WAFs make a penetration test more difficult • Attempting to bypass a WAF is an important aspect of a penetration test

  3. MAIN GOAL Provide a practical approach to bypass WAFs for penetration testers in order to ensure accurate results

  4. Introduction to Web Application Firewalls

  5. OVERVIEW • Replaces old fashioned Firewalls and IDS/IPS • Understands HTTP traffic better than traditional firewalls • Protects a web application by adding a security layer • Checks for malicious traffic and blocks it

  6. FUNCTIONALITY ▪ Pre-processor: ▪ Normalization: ▪ Validate Input: Decide whether a Standardize Check user request will be user input input against processed further rules

  7. NORMALIZATION FUNCTIONS • Simplifies the writing of rules • No Knowledge about different forms of input needed compressWhitespace converts whitespace chars to spaces hexDecode decodes a hex-encoded string lowercase converts characters to lowercase urlDecode decodes a URL-encoded string

  8. INPUT VALIDATION • Security Models define how to enforce rules • Rules consist of regular expressions • Three Security Models: 1. Positive Security Model 2. Negative Security Model 3. Hybrid Security Model

  9. SECURITY MODELS Positive Security Model (Whitelist) Negative Security Model (Blacklist) Deny all but known good Allow all but known bad Prevents Zero-day Exploits Shipped with WAF More secure than blacklist Fast adoption Comprehensive understanding of Little knowledge needed application is needed Creating rules is a time-consuming Protect several applications process Tends to false positives Resource-consuming

  10. Bypassing Methods and Techniques

  11. OVERVIEW Impedance Rule Set Pre-processor Mismatch : Bypassing: Exploitation : WAF interprets Use Payloads that Make WAF skip input differently are not detected by input validation than back end the WAF

  12. Pre-processor Exploitation

  13. SKIPPING PARAMETER VERIFICATION • PHP removes whitespaces from parameter names or transforms them into underscores http://www.website.com/products.php? %20productid =select 1,2,3 • ASP removes % character that is not followed by two hexadecimal digits http://www.website.com/products.aspx? %productid =select 1,2,3 • A WAF which does not reject unknown parameters may be bypassed

  14. MALFORMED HTTP METHOD • Misconfigured web servers may accept malformed HTTP methods • A WAF that only inspects GET and POST requests may be bypassed

  15. OVERLOADING THE WAF • A WAF may be configured to skip input validation if performance load is heavy • Often applies to embedded WAFs • Great deal of malicious requests can be sent with the chance that the WAF will overload and let some requests through

  16. Impedance Mismatch

  17. HTTP PARAMETER POLLUTION • Sending a number of parameters with the same name • Technologies interpret this request http://www.website.com/products/?productid=1&productid=2 differently: Back end Behavior Processed ASP.NET Concatenate with comma productid=1,2 JSP First Occurrence productid=1 PHP Last Occurrence productid=2

  18. HTTP PARAMETER POLLUTION The following payload ?productid= select 1,2,3 from table can be divided: ?productid= select 1 &productid= 2,3 from table • WAF sees two individual parameters and may not detect the payload • ASP.NET back end concatenates both values

  19. DOUBLE URL ENCODING • WAF normalizes URL encoded characters into ASCII text • The WAF may be configured to decode characters only once • Double URL Encoding a payload may result in a bypass ’s’ -> %73 -> %25%37%33 • The following payload contains a double URL encoded character 1 union %25%37%33elect 1,2,3

  20. Rule Set Bypassing

  21. BYPASS RULE SET • Two methods: ▪ Brute force by enumerating payloads ▪ Reverse-engineer the WAFs rule set

  22. APPROACH FOR PENETRATION TESTERS

  23. OVERVIEW • Similar to the phases of a penetration test • Divided into six phases, whereas Phase 0 may not always be possible

  24. PHASE 0 – DISABLE WAF Objective : find security flaws in the application more easily ➢ assessment of the security level of an application is more accurate • Allows a more focused approach when the WAF is enabled • May not be realizable in some penetration tests

  25. PHASE 1 - RECONNAISSANCE Objective : Gather information to get a overview of the target • Basis for the subsequent phases • Gather information about: ▪ web server ▪ programming language ▪ WAF & Security Model ▪ Internal IP Addresses

  26. PHASE 2 – ATTACKING THE PRE-PROCESSOR Objective : make the WAF skip input validation • Identify which parts of a HTTP request are inspected by the WAF to develop an exploit: 1. Send individual requests that differ in the location of a payload 2. Observe which requests are blocked 3. Attempt to develop an exploit

  27. PHASE 3 – FINDING AN IMPEDANCE MISMATCH Objective : make the WAF interpret a request differently than the back end and therefore not detecting it • Knowledge about back end technologies is needed

  28. PHASE 4 – BYPASSING THE RULE SET Objective : find a payload that is not blocked by the WAFs rule set 1. Brute force by sending different payloads 2. Reverse-engineer the rule set in a trial and error approach: 1. Send symbols and keywords that may be useful to craft a payload 2. Observe which are blocked 3. Attempt to develop an exploit based on the results of the previous steps

  29. PHASE 5 – OTHER VULNERABILITIES Objective : find other vulnerabilities that can not be detected by the WAF • Broken authentication mechanism • Privilege escalation • Etc.

  30. PHASE 6 – AFTER THE PENTEST Objective : Inform customer about the vulnerabilities • Advise customer to fix the root cause of a vulnerability • For the time being, the vulnerability should be virtually patched by adding specific rules to the WAF • Explain that the WAF can help to mitigate a vulnerability, but can not thoroughly fix it

  31. WAFNINJA

  32. OVERVIEW • CLI Tool written in Python • Automates parts of the approach • Already used in several penetration tests • Supports • HTTPS connections • GET and POST parameter • Usage of cookies • Usage of an intercepting browser

  33. FUZZING • Sends different symbols and keywords • Analyzes the response • Results are displayed in a clear and concise way • Fuzzing strings can be • extended with the insert-fuzz function • shared within a team

  34. DISCUSSION & QUESTIONS WAFNinja: https://github.com/khalilbijjou/WAFNinja E-Mail: kh.bijjou@gmail.com LinkedIn | Xing: Khalil Bijjou

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven Maertens / DLR 7th Conference on Applied Infrastructure Research, OCT 10-11, 2008 Sven Maertens DLR Bypassing the hubs Page 1 Structure

559 views • 22 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen & Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
Bypassing Microsoft JEA role capabilities for fun & profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun & profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun & profit whoami Cristhian Parrot - @elc0rr3Km1n0s Sr. Penetration Tester & Lead Auditor @Airbus Father, Bug Hunter, Tech-entrepreneur Plan Intro Install Prerequisites

376 views • 22 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com

Sergey Puzankov Mobile operators vs. Hackers: new security measures for new bypassing techniques ptsecurity.com SS7 in the 20 th century SCP STP STP SSP SCP STP STP PSTN SSP SSP SS7 Signaling System #7, a set of telephony protocols

937 views • 60 slides
Bypassing the Language Bottleneck Alexei (Alyosha) Efros UC Berkeley Collaborators David

Bypassing the Language Bottleneck Alexei (Alyosha) Efros UC Berkeley Collaborators David

Visual Understanding without Naming: Bypassing the Language Bottleneck Alexei (Alyosha) Efros UC Berkeley Collaborators David Abhinav Scott Martial Natasha Yaser Satkin Fouhey Gupta Hebert Kholgade Sheikh Vincent Ivan Josef

1.26k views • 83 slides
Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

So you think IoT DDoS botnets are dangerous Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand https://www.ecrimelabs.com @DennisRand About me Im a security researcher and founder of eCrimeLabs, based out of Denmark.

674 views • 48 slides
Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology

Exploitation on ARM Technique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology Lab/Security # /usr/bin/whoami Itzhak (Zuk) Avraham Researcher at Samsung Electronics Partner at PIA Follow me on twitter under

473 views • 31 slides
Bypassing Phishing Filters Shahrukh Zaidi MSc System and Network Engineering (University of

Bypassing Phishing Filters Shahrukh Zaidi MSc System and Network Engineering (University of

Bypassing Phishing Filters Shahrukh Zaidi MSc System and Network Engineering (University of Amsterdam) Supervisors: Alex Stavroulakis, Rick van Galen (KPMG) Phishing emails Special type of spam message Fraudulent social

1.11k views • 29 slides
TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery or a tale on

TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery or a tale on

TSIGKILL: Bypassing dynamic DNS updates authentication through signature forgery or a tale on how to audit a DNS server when you dont really know anything about DNS Date 17/11/2017 At GreHack By Clment Berthaux Whoami Clment

721 views • 26 slides
Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates

Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates

Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates Markus Brill COMSOC 2010 Dsseldorf Joint work with Felix Brandt, Edith Hemaspaandra, and Lane Hemaspaandra Voting Rules C = {a,b,c,...} is a

660 views • 11 slides
:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2 Nick Sullivan 3 George Tankersley 4 Filippo Valsorda 4 1 Royal Holloway, University of London 2 University of Waterloo 3 Cloudflare 4 Independent PETS

591 views • 55 slides
Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

821 views • 25 slides
Cost-Effective Compiler Directed Memory Prefetching and Bypassing Daniel Ortega, , Eduard

Cost-Effective Compiler Directed Memory Prefetching and Bypassing Daniel Ortega, , Eduard

Cost-Effective Compiler Directed Memory Prefetching and Bypassing Daniel Ortega, , Eduard Ayguad e , Jean-Loup Baer and Mateo Valero Departamento de Arquitectura de Computadores, Department of

676 views • 39 slides
BYPASSING SECURITY RESTRICTIONS TH THE E CASE ASE OF F CVE VE-2018 2018-5955 5955 Whoami

BYPASSING SECURITY RESTRICTIONS TH THE E CASE ASE OF F CVE VE-2018 2018-5955 5955 Whoami

BYPASSING SECURITY RESTRICTIONS TH THE E CASE ASE OF F CVE VE-2018 2018-5955 5955 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS, B , BSC-IT IT Lead Security Researcher @ Netwatch Technologies

178 views • 16 slides
Review EEE118: Electronic Devices and Circuits 1 Finished looking at the peak detector circuit.

Review EEE118: Electronic Devices and Circuits 1 Finished looking at the peak detector circuit.

EEE118: Lecture 7 Review EEE118: Electronic Devices and Circuits 1 Finished looking at the peak detector circuit. Lecture VII 2 Considered the use of the peak detector in AM radio demodulation 3 Introduced and described the operation of the

395 views • 4 slides
How it started! Gateway Design Automation Cadence purchased Gateway in 1989. Verilog

How it started! Gateway Design Automation Cadence purchased Gateway in 1989. Verilog

Introduction To HDL Verilog HDL Debdeep Mukhopadhyay debdeep@cse.iitm.ernet.in Dept of CSE, IIT Madras 1 How it started! Gateway Design Automation Cadence purchased Gateway in 1989. Verilog was placed in the public domain.

527 views • 17 slides
Sensor Data Analytics for Intrusion Detection Tech Tesfay, Prof. Anna Scaglione Tech Tesfay,

Sensor Data Analytics for Intrusion Detection Tech Tesfay, Prof. Anna Scaglione Tech Tesfay,

Sensor Data Analytics for Intrusion Detection Tech Tesfay, Prof. Anna Scaglione Tech Tesfay, Prof. Anna Scaglione (ASU) Mar. 30, 2018 1 / 29 Outline Motivation for cyber-physical intrusion detection Reconnaissance activity identification

481 views • 34 slides
Verilog Hung-Wei Tseng Verilog Verilog is a hardware description language (HDL). In this

Verilog Hung-Wei Tseng Verilog Verilog is a hardware description language (HDL). In this

Verilog Hung-Wei Tseng Verilog Verilog is a hardware description language (HDL). In this class, we use Verilog to implement and verify your processor. C/Java like syntax 2 Data type in Verilog Bit vector is the only data type in

319 views • 14 slides
Data Types Possible Values: 0: logic 0, false 1: logic 1, true X: unknown logic

Data Types Possible Values: 0: logic 0, false 1: logic 1, true X: unknown logic

Verilog for Testbenches A little Verilog Big picture: Two main Hardware Description Languages (HDL) out there VHDL Designed by committee on request of the Department of Defense Based on Ada Verilog Designed by a

357 views • 14 slides
A Time Marching Scheme for Solving Volume Integral Equa9ons

A Time Marching Scheme for Solving Volume Integral Equa9ons

A Time Marching Scheme for Solving Volume Integral Equa9ons on Nonlinear Sca<erers Hakan Bac Division of Computer, Electrical, and Mathema9cal

760 views • 38 slides
Basic Elec. Engr Basic Elec. Engr. Lab . Lab ECS 204 ECS 204 Asst. Prof. Dr. Prapun Suksompong

Basic Elec. Engr Basic Elec. Engr. Lab . Lab ECS 204 ECS 204 Asst. Prof. Dr. Prapun Suksompong

Basic Elec. Engr Basic Elec. Engr. Lab . Lab ECS 204 ECS 204 Asst. Prof. Dr. Prapun Suksompong prapun@siit.tu.ac.th Diode Transformer Lab 6 Rectifiers Electrolytic Capacitor 1 Diode 2 Unidirectional current

645 views • 19 slides
Updated Oscillation Results from MiniBooNE Richard Van de Water Los Alamos National Laboratory

Updated Oscillation Results from MiniBooNE Richard Van de Water Los Alamos National Laboratory

Updated Oscillation Results from MiniBooNE Richard Van de Water Los Alamos National Laboratory P-25 Subatomic Physics Group Representing the MiniBooNE Experiment DNP 2008, Oakland, CA Outline 1. The LSND oscillation signal. 2. The MiniBooNE

953 views • 63 slides

More recommend