SORRY ABOUT YOUR WAF: Bypassing the Modern WAF, by Johnny Xmas (PowerPoint PPT Presentation)



SLIDE 1

SORRY ABOUT YOUR WAF

Bypassing the Modern WAF

Johnny Xmas

Johnny.Xmas@Kasada.io

@J0hnnyXm4s

SLIDE 2

JOHNNY XMAS

Blade Runner & Director of Field Engineering, North America & Europe @ kasada.io
CISSP, GIAC, GPEN

Johnny.Xmas@Kasada.io

PREVIOUS PROFESSIONAL ROLES:

  • Network Engineer
  • Systems Engineer
  • Information Security Engineer
  • Information Security Consultant
  • Penetration Tester
  • Industrial Security Researcher

LINKS:

  • https://twitter.com/j0hnnyxm4s
  • https://www.linkedin.com/in/johnnyxmas/
  • https://www.youtube.com/c/johnnyxmas
  • https://github.com/johnnyxmas


SLIDE 3

WAF
WEB APPLICATION FIREWALLS

BASIC

  • Very Basic Behavioral Analysis
  • Various levels of IP Reputation, header inspection and POST data inspection
  • Just blacklists IPs (LOL)
  • Trivial to Bypass
SLIDE 4

SQLMap

https://github.com/sqlmapproject/sqlmap

SLIDE 5

WAF
WEB APPLICATION FIREWALLS

SOPHISTICATED

  • Often a Reverse Proxy
  • Partially relies on JS execution
  • Fingerprints client environment

SLIDE 6

Also, they're both pretty useless... so let's get hacking!

SLIDE 7

BARE MINIMUMS

SLIDE 8

BARE MINIMUMS

Rotate Your IP

  • Huge # of "Free Proxy" sites
  • https://hide.me
  • https://hidester.com
  • https://www.proxysite.com/
  • Srsly just google "Free Proxies"

SLIDE 9

BARE MINIMUMS

Use Residential IPs

  • Huge # of "Free Proxy" sites
  • Hard to convince The Business to allow blocking residential IPs
  • Residential IPs are easy to lease in bulk
  • Residential IPs are not free
  • Services like HolaVPN and MonkeySocks use users' IPs

SLIDE 10

BARE MINIMUMS

Use The Usual HTTP Headers

  • BUT ALSO:
  • Accept: */*
  • DNT: 1
  • X-Headers (Sometimes)
  • User-Agent (NO QUOTES)
  • Session Cookies (Sometimes)
SLIDE 11

BARE MINIMUMS

Rotate User-Agents

  • Seriously, this gets past so many defenses
  • Rotate with each HTTP request, if possible
  • Also use this for whitelist fuzzing

Use Cookies

  • Auth'd sessions often have more lenient throttling
  • Some session cookies are *required*
  • WATCH OUT FOR SNEAKY WAF COOKIES
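The "bare minimums" from slides 8 through 11 in one scripted client: rotate the egress proxy and the User-Agent on every request, send the headers a real browser sends (Accept: */*, DNT: 1, Accept-Language), keep a cookie jar, and replay cookies captured from a real browser session (an authenticated session cookie, or a WAF's fingerprint cookie). This is an added example, not code from the talk; it uses only the Python standard library, and the proxy addresses, User-Agent strings and cookie values are constructed placeholders.

```python
"""Scripted HTTP client covering the deck's "bare minimums": rotate the egress
proxy and User-Agent per request, send browser-typical headers, keep a cookie
jar, and replay cookies lifted from a real browser session.

Added example (not the presenter's code). Standard library only; proxies,
User-Agents and cookie values below are constructed placeholders."""
import http.cookiejar
import itertools
import urllib.request

# Constructed proxy pool (RFC 5737 documentation addresses, not real proxies).
# In practice this is the residential pool from the previous slides.
PROXIES = [
    "http://198.51.100.10:8080",
    "http://198.51.100.11:8080",
]

# Constructed User-Agent pool; keep these current and desktop-looking.
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/17.1 Safari/605.1.15",
]

# What a browser sends on a top-level navigation, minus the UA, which rotates.
# urllib does not decompress responses: if you keep Accept-Encoding, gunzip
# bodies that come back with Content-Encoding: gzip yourself.
BASE_HEADERS = {
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept-Encoding": "gzip, deflate",
    "DNT": "1",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
}


def clean_user_agent(ua: str) -> str:
    """The slide's 'NO QUOTES' rule: a UA pasted with its surrounding quotes
    goes on the wire quoted, and no real browser ever sends that."""
    ua = ua.strip()
    if len(ua) >= 2 and ua[0] == ua[-1] and ua[0] in "\"'":
        ua = ua[1:-1]
    return ua


def make_cookie(name, value, domain, path="/"):
    """Build a version-0 session cookie the jar will send to `domain`."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path=path, path_specified=True, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={},
    )


class BareMinimumClient:
    def __init__(self, proxies, user_agents, captured_cookies=None):
        self._proxies = itertools.cycle(proxies)
        self._agents = itertools.cycle(clean_user_agent(u) for u in user_agents)
        self.jar = http.cookiejar.CookieJar()
        # captured_cookies: {domain: {name: value}} copied from a real browser,
        # e.g. the WAF's fingerprint cookie after its JS challenge ran there.
        for domain, pairs in (captured_cookies or {}).items():
            for name, value in pairs.items():
                self.jar.set_cookie(make_cookie(name, value, domain))

    def build(self, url, method="GET", data=None):
        """Prepare one request: next proxy, next UA, jar cookies attached.
        Nothing is sent here, so the result can be inspected or replayed."""
        proxy = next(self._proxies)
        opener = urllib.request.build_opener(
            urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
            urllib.request.HTTPCookieProcessor(self.jar),
        )
        headers = dict(BASE_HEADERS)
        headers["User-Agent"] = next(self._agents)
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        self.jar.add_cookie_header(req)   # adds the Cookie: header from the jar
        return opener, req

    def send(self, url, **kwargs):
        """Send one request through the rotated proxy. Set-Cookie responses
        land in the shared jar, so later requests carry them automatically."""
        opener, req = self.build(url, **kwargs)
        return opener.open(req, timeout=15)
```

`build()` is separated from `send()` so each prepared request can be checked before it leaves: that is where a quoted User-Agent or a missing WAF cookie gets caught, and it is the same inspection Postman gives you on the next slide. Note that urllib stores header names capitalised (`User-agent`, `Dnt`) when you read them back with `get_header()`.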

SLIDE 12

Use POSTMan

https://www.getpostman.com/

SLIDE 13

SUPER BORING CODE DEMO

PLEASE BEAR WITH US FOR LIKE 2 MINUTES

(IT'S COOL, WE PROMISE)

SLIDE 14

ADVANCED TACTICS

FOR CLOUD WAFS

BE THE LUCHADOR *AND* THE OSTRICHES

SLIDE 15

EDGE ENUMERATION

Check Every System

  • Find ASNs owned by target (ARIN, etc.)
  • Find domains owned by target to uncover additional ASNs (WHOIS)
  • Find which IPs are hosting web servers (ScanCannon)
  • Enumerate paths to find forms, APIs, data, etc. (wfuzz, etc.)

Smash DNS

  • Find ASNs owned by target (ARIN, etc.)
  • Find domains owned by target to uncover additional ASNs
  • Reverse lookup on IPs to DNS names (human-language indicators)
  • DNS history lookups
  • DNS zone transfers
  • DNS name fuzzing
SLIDE 16

EDGE ENUMERATION

Round-Robin the Edge Nodes

  • Discover all edge nodes
  • Hit one until it blocks you, then hit the next
  • This exploits the sync delay (often 15 minutes) and conserves IPs

Unprotected Paths

  • Layer 7 WAFs & their associated CDNs have path rules
  • One application may have multiple login portals \ paths
  • Some of these may be accidental or intentionally unprotected

Smash the API

  • APIs are almost never fully-protected; often not at all
  • Great if all you need is to steal data
  • Can also be used to "test" credentials
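The round-robin from the top of this slide as a scheduler: stay on one edge node until it blocks you, move to the next, and only come back to a blocked edge once the block is assumed to have aged out, which is what rides the sync delay between edges and keeps the source-IP burn low. This is an added example, not the presenter's code; the edge addresses are constructed, the 15-minute TTL is the slide's "often 15 minutes" figure, and the function that actually performs the request against an edge IP is passed in by the caller.

```python
"""Round-robin a cloud WAF's edge nodes: keep sending to one edge until it
blocks us, then move to the next, and only return to a blocked edge once the
block is assumed to have aged out (the edge-to-edge sync delay).

Added example, not the presenter's code. Edge addresses are constructed
(RFC 5737 ranges); the 15-minute TTL is the slide's figure, tune it to what
you observe against the target."""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

BLOCK_STATUSES = {403, 429}      # responses we treat as "this edge has blocked us"
DEFAULT_BLOCK_TTL = 15 * 60      # seconds; assumed edge-to-edge sync delay


@dataclass
class EdgeState:
    ip: str
    blocked_at: Optional[float] = None   # clock value when the edge blocked us
    sent: int = 0


class EdgeRotator:
    def __init__(self, edges: List[str], block_ttl: float = DEFAULT_BLOCK_TTL,
                 clock: Callable[[], float] = time.monotonic):
        self._edges = [EdgeState(ip) for ip in edges]
        self._ttl = block_ttl
        self._clock = clock      # injectable so the cooldown can be tested
        self._idx = 0

    def _usable(self, edge: EdgeState, now: float) -> bool:
        return edge.blocked_at is None or now - edge.blocked_at >= self._ttl

    def current(self) -> Optional[EdgeState]:
        """Edge to use right now: stay on the current one while it works,
        skip past any still in cooldown. None if every edge is cooling down."""
        now = self._clock()
        for _ in range(len(self._edges)):
            edge = self._edges[self._idx % len(self._edges)]
            if self._usable(edge, now):
                edge.blocked_at = None          # cooldown expired, back in play
                return edge
            self._idx += 1
        return None

    def seconds_until_usable(self) -> float:
        """How long to wait when current() returns None."""
        now = self._clock()
        return max(0.0, min(e.blocked_at + self._ttl - now
                            for e in self._edges if e.blocked_at is not None))

    def send(self, send_fn: Callable[[str, str, str], int],
             host: str, path: str) -> Tuple[str, int]:
        """send_fn(edge_ip, host, path) performs the real request against the
        edge IP (Host header and TLS SNI set to `host`) and returns the HTTP
        status. On a block, mark the edge and retry on the next one."""
        while True:
            edge = self.current()
            if edge is None:
                raise RuntimeError(
                    f"all edges blocked; retry in {self.seconds_until_usable():.0f}s")
            status = send_fn(edge.ip, host, path)
            edge.sent += 1
            if status in BLOCK_STATUSES:
                edge.blocked_at = self._clock()
                self._idx += 1                  # hit the next edge
                continue
            return edge.ip, status
```

The `send_fn` is where the edge enumeration pays off: connect to the edge's IP rather than the public name, but present the target's hostname in both the Host header and the TLS SNI, otherwise the edge serves a default site or rejects the handshake. Treat 403 and 429 as a block for scheduling purposes even when the body is a challenge page; the cooldown is only a guess at the sync delay, so if the edge blocks again straight after a cooldown, lengthen the TTL.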

SLIDE 17

SOPHISTICATED WAFs

Find the Origins

  • Use previous enumeration (look for "origin" in DNS)
  • UUID or hash DNS names
  • Hitting these bypasses the WAF completely
  • Watch out for firewalls

Ditch the Script, Share the Cookies

  • Identify and block WAF javascript snippets
  • *RUN* WAF Javascript and replay the resulting fingerprint cookie

  • OR...
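Turning the "Find the Origins" bullets into a filter over the DNS data gathered on slide 15: names with "origin" in them, names that are a bare UUID or hash label, and any name whose address is outside the WAF provider's published ranges (the one thing an origin cannot be is an address inside those ranges, whatever it is called). This is an added example, not the presenter's code; the records and the WAF-edge prefix are constructed, and "backend", "direct" and "internal" are indicator words added beyond the slide's "origin".

```python
"""Pick likely origin hosts out of enumerated DNS data. The public name sits
behind the cloud WAF, but the real servers usually have names of their own:
something with "origin" in it, or a UUID / hash label never meant to be typed.
Whatever the name says, an address inside the WAF provider's ranges is an
edge, not an origin, so those are dropped.

Added example, not the presenter's code. RECORDS and WAF_EDGE_PREFIXES are
constructed; "backend"/"direct"/"internal" are added indicator words."""
import ipaddress
import re
from typing import Dict, List, Tuple

ORIGIN_WORDS = ("origin", "backend", "direct", "internal")
UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_LABEL = re.compile(r"^[0-9a-f]{16,64}$", re.I)   # md5/sha1/sha256-sized labels

# Constructed enumeration output: (name, address) pairs from reverse lookups,
# DNS history, zone transfers and name fuzzing.
RECORDS = [
    ("www.example.com", "198.51.100.7"),
    ("origin-www.example.com", "203.0.113.10"),
    ("3f2504e0-4f89-11d3-9a0c-0305e82c3301.example.com", "203.0.113.11"),
    ("a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.example.com", "203.0.113.12"),
    ("mail.example.com", "203.0.113.25"),
    ("origin.example.com", "198.51.100.9"),
]
# Constructed stand-in for the WAF/CDN provider's published edge ranges.
WAF_EDGE_PREFIXES = ["198.51.100.0/24"]


def name_indicators(name: str) -> List[str]:
    """Reasons a DNS name looks like it was meant for machines, not users."""
    reasons = []
    for label in name.lower().split("."):
        if any(word in label for word in ORIGIN_WORDS):
            reasons.append("origin-word")
        if UUID_LABEL.match(label):
            reasons.append("uuid-label")
        elif HEX_LABEL.match(label):
            reasons.append("hash-label")
    return sorted(set(reasons))


def behind_waf(ip: str, prefixes: List[str]) -> bool:
    """True if the address sits in one of the WAF/CDN edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def rank_origin_candidates(records: List[Tuple[str, str]],
                           waf_prefixes: List[str]) -> List[Dict]:
    """Every name resolving outside the WAF ranges is a candidate (reachable
    with no WAF in the path); naming indicators rank it higher. Expect the
    real origin to be firewalled to the WAF's ranges: a candidate that times
    out or resets the connection is still worth recording."""
    out = []
    for name, ip in records:
        if behind_waf(ip, waf_prefixes):
            continue
        reasons = ["exposed-ip"] + name_indicators(name)
        out.append({"name": name, "ip": ip, "reasons": reasons,
                    "score": len(reasons)})
    out.sort(key=lambda c: -c["score"])      # stable: ties keep input order
    return out
```

Feed `rank_origin_candidates()` the merged output of the slide-15 enumeration and work the list from the top, with the target's hostname in Host and SNI as on the previous slide. A name that is "origin.example.com" but resolves into the WAF's ranges (the last record above) is deliberately dropped: hitting it still goes through the WAF.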
SLIDE 18

AUTOMATE A REAL BROWSER

SLIDE 19

AUTOMATE A REAL BROWSER

  • Headless Chrome
  • Puppeteer
  • Selenium
  • Looks like human activity
  • Practically undetectable
  • Scriptable AF
  • Executes Javascript
  • Properly leverages Cookies
  • Multiple instances per IP

https://github.com/GoogleChrome/puppeteer

SLIDE 20

Realistic WebDriver

  • user_agent
  • navigator_platform
  • color_depth
  • pixel_ratio
  • cpu_class
  • hardware_concurrency
  • resolution
  • available_resolutions
  • timezone_offset
  • session_storage
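The attributes on this slide are what the sophisticated WAF's client-side script reads, and it cross-checks them against each other: a Windows User-Agent with `navigator.platform` of "Linux x86_64", or an 800x600 screen with `hardwareConcurrency` of 0, is a stock headless browser with one lookup. The example below is added here and is not the presenter's code: it holds a profile for a driven browser, lists the contradictions such a script would catch, and renders the values as the script to register with Puppeteer's `page.evaluateOnNewDocument()` so they are in place before any page script runs. The profile values are constructed and the checks are my own plausibility thresholds, not a vendor's rules; the 800x600 figure is Puppeteer's default viewport.

```python
"""Fingerprint profile for a driven browser, the cross-checks a WAF's
client-side script makes on it, and the override script that pins the values
before any page script runs.

Added example, not the presenter's code. Profile values are constructed; the
checks are plausibility thresholds, not a vendor's rules."""
import json
from dataclasses import dataclass
from typing import List, Tuple

# User-Agent marker -> navigator.platform a real browser reports with it.
UA_TO_PLATFORM = {
    "Windows NT": "Win32",
    "Macintosh": "MacIntel",
    "X11; Linux": "Linux x86_64",
}


@dataclass
class FingerprintProfile:
    user_agent: str
    platform: str                          # navigator.platform
    color_depth: int                       # screen.colorDepth
    pixel_ratio: float                     # window.devicePixelRatio
    hardware_concurrency: int              # navigator.hardwareConcurrency
    resolution: Tuple[int, int]            # screen.width, screen.height
    available_resolution: Tuple[int, int]  # screen.availWidth, screen.availHeight
    timezone_offset: int                   # new Date().getTimezoneOffset(), minutes
    session_storage: bool                  # window.sessionStorage usable


def consistency_issues(p: FingerprintProfile) -> List[str]:
    """Return the contradictions a fingerprinting script would catch."""
    issues = []
    expected = [plat for mark, plat in UA_TO_PLATFORM.items() if mark in p.user_agent]
    if expected and p.platform not in expected:
        issues.append(f"platform {p.platform!r} does not match User-Agent")
    if "HeadlessChrome" in p.user_agent:
        issues.append("User-Agent advertises HeadlessChrome")
    if p.color_depth not in (24, 30, 32):
        issues.append(f"unusual colorDepth {p.color_depth}")
    if p.pixel_ratio <= 0:
        issues.append("devicePixelRatio must be positive")
    if p.hardware_concurrency < 1:
        issues.append("hardwareConcurrency below 1")
    (w, h), (aw, ah) = p.resolution, p.available_resolution
    if aw > w or ah > h:
        issues.append("available resolution larger than the screen")
    if (w, h) == (800, 600):
        issues.append("800x600 screen (Puppeteer default viewport)")
    if not -14 * 60 <= p.timezone_offset <= 12 * 60:
        issues.append("timezone offset outside real-world range")
    if not p.session_storage:
        issues.append("sessionStorage unavailable")
    return issues


def override_script(p: FingerprintProfile) -> str:
    """JS for page.evaluateOnNewDocument() (Puppeteer). The User-Agent is set
    by the driver (page.setUserAgent) and the timezone by page.emulateTimezone,
    neither from inside the page, so they are not emitted here."""
    def define(obj, name, value):
        return (f"Object.defineProperty({obj}, {json.dumps(name)}, "
                f"{{get: () => {json.dumps(value)}}});")
    w, h = p.resolution
    aw, ah = p.available_resolution
    return "\n".join([
        define("navigator", "platform", p.platform),
        define("navigator", "hardwareConcurrency", p.hardware_concurrency),
        define("navigator", "webdriver", False),
        define("screen", "colorDepth", p.color_depth),
        define("screen", "width", w),
        define("screen", "height", h),
        define("screen", "availWidth", aw),
        define("screen", "availHeight", ah),
        define("window", "devicePixelRatio", p.pixel_ratio),
    ])
```

Run `consistency_issues()` on the profile before driving anything: an empty list is the bar for the "change the stock config" line in the summary. The overrides are own-property accessors shadowing the prototype getters, so a script that compares `Object.getOwnPropertyDescriptor(navigator, "platform")` against the prototype can still tell; that is the point at which a driven real browser on a real display beats patching a headless one.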
SLIDE 21

SUMMARY:

  • Rotate IP Addresses
  • Use Residential IPs
  • Use the Usual HTTP Headers
  • Use POSTMan
  • Rotate your User-Agents
  • Rotate session cookies
  • Rotate between targets
  • Hit the Origin directly
  • Use a Web Driver
  • Change the stock config!

SLIDE 22

Johnny Xmas, CISSP, GIAC, GPEN

THANKS FOR PLAYING!

Johnny.Xmas@Kasada.io @J0hnnyXm4s

https://www.github.com/johnnyxmas/Talk_Decks