sorry about your waf
play

SORRY ABOUT YOUR WAF Bypassing the Modern WAF Johnny Xmas - PowerPoint PPT Presentation

May 31, 2023 •186 likes •418 views

SORRY ABOUT YOUR WAF Bypassing the Modern WAF Johnny Xmas Johnny.Xmas@Kasada.io @J0hnnyXm4s JOHNNY XMAS Johnny.Xmas@Kasada.io Blade Runner & Director of Field Engineering, North America & Europe @ kasada.io CISSP, GIAC, GPEN

  1. SORRY ABOUT YOUR WAF Bypassing the Modern WAF Johnny Xmas Johnny.Xmas@Kasada.io @J0hnnyXm4s

  2. JOHNNY XMAS Johnny.Xmas@Kasada.io Blade Runner & Director of Field Engineering, North America & Europe @ kasada.io CISSP, GIAC, GPEN PREVIOUS PROFESSIONAL ROLES: LINKS: • Network Engineer • hIps:/ /twiIer.com/j0hnnyxm4s • Systems Engineer • hIps:/ • InformaGon Security Engineer /www.linkedin.com/in/johnnyxmas/ • InformaGon Security Consultant • hIps:/ /www.youtube.com/c/johnnyxmas • PenetraGon Tester • hIps:/ /github.com/johnnyxmas 
 • Industrial Security Researcher

  3. WAF W E B A P P L I C AT I O N F I R E W A L L S BASIC •Very Basic Behavioral Analysis •Various levels of IP ReputaGon, header inspecGon and POST data inspecGon. •Just blacklists IPs (LOL) •Trivial to Bypass

  4. SQLMap https://github.com/sqlmapproject/sqlmap

  5. WAF W E B A P P L I C AT I O N F I R E W A L L S SOPHISTIOCATED •OXen a Reverse Proxy •ParGally relies on js execuGon •Fingerprints client environment

  6. Also, they’re both preOy useless. . . …so let’s get hacking!

  7. BARE MINIMUMS

  8. BARE MINIMUMS Rotate Your IP •Huge # of “Free Proxy” sites • https://hide.me • https://hidester.com • https://www.proxysite.com/ •Srsly just google “Free Proxies”

  9. BARE MINIMUMS Use ResidenGal IPs •Residential IPs are easy to •Huge # of “Free Proxy” sites 
 lease in bulk 
 •Hard to convince The •Residential IPs are not free 
 Business to allow blocking residential IPs 
 •Services like HolaVPN and MonkeySocks use users’ IPs

  10. BARE MINIMUMS Use The Usual HTTP Headers • BUT ALSO: • Accept : */* • DNT : 1 • X-Headers (Sometimes) • User-Agent (NO QUOTES) • Session Cookies (Sometimes)

  11. BARE MINIMUMS Rotate User-Agents •Seriously, this gets past so •Also use this for whitelist many defenses fuzzing •Rotate with each HTTP request, if possible Use Cookies •Auth’d sessions often have •WATCH OUT FOR more lenient throttling •Some session cookies are SNEAKY WAF COOKIES *required*

  12. Use POSTMan https://www.getpostman.com/

  13. SUPER BORING CODE DEMO P L E A S E B E A R W I T H U S F O R L I K E 2 M I N U T E S (IT’S COOL, WE PROMISE)

  14. ADVANCED TACTICS FOR CLOUD WAFS BE THE LUCHADOR *AND* THE OSTRICHES

  15. EDGE ENUMERATION Check Every System • Find ASN’s owned by target (ARIN, • Find which IPs are hosting web etc) servers (ScanCannon) • Find domains owned by target to • Enumerate paths to find forms, APIs, uncover additional ASNs (WHOIS) data, etc (wfuzz, etc) Smash DNS •Reverse Lookup on IPs to •Find ASN’s owned by DNS names (human- target (ARIN, etc) language indicators) •Find domains owned by •DNS History lookups target to uncover •DNS Zone Transfers additional ASNs •DNS name fuzzing

  16. EDGE ENUMERATION Round-Robin the Edge Nodes •Discover all edge nodes •This exploits the sync •Hit one until it blocks you, delay (often 15 minutes) then hit the next and conserves IPs Unprotected Paths Smash the API •APIs are almost never fully-protected; •Layer 7 WAFs & their often not at all associated CDNs •Some of these may •Great if all you need is to steal data have path rules be accidental or •Can also be used to “test” credentials •One application may intentionally have multiple login unprotected portals \ paths

  17. SOPHISTICATED WAFs Find the Origins •Use previous enumeration •Hitting these bypasses the WAF (look for “origin” in DNS) completely •UUID or hash DNS names •Watch out for firewalls Ditch the Script, Share the Cookies •*RUN* WAF Javascript and •Identify and block WAF replay the resulting fingerprint javascript snippets cookie OR. . .

  18. AUTOMATE A REAL BROWSER

  19. AUTOMATE A REAL BROWSER https://github.com/GoogleChrome/puppeteer •Looks like human activity •Properly leverages •Practically undetectable Cookies •Scriptable AF •Multiple instances per IP •Executes Javascript •Headless Chrome • Puppeteer • Selenium

  20. RealisWc WebDriver • User_agent 
 • Hardware_concurrency 
 • Navigator_Platform 
 • Resolution 
 • Color_depth 
 • Available_resolutions 
 • Pixel_ratio 
 • Timezone_o ff set 
 • Cpu_Class • Session_storage

  21. SUMMARY: •Rotate IP Addresses •Rotate session cookies 
 • Use Residential IPs Rotate between targets •Use the Usual HTTP •Hit the Origin directly Headers •Use a Web Driver •Use POSTMan • Change the stock •Rotate your User- config! Agents

  22. THANKS FOR PLAYING! Johnny Xmas, CISSP, GIAC, GPEN Johnny.Xmas@Kasada.io @J0hnnyXm4s hOps:/ /www.github.com/johnnyxmas/Talk_Decks

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Samsara for Fleets 1 Company background Mission: To improve the safety, efficiency, and

Samsara for Fleets 1 Company background Mission: To improve the safety, efficiency, and

0 COMPANY AND SOLUTION OVERVIEW Samsara for Fleets 1 Company background Mission: To improve the safety, efficiency, and sustainability of the operations that power our economy Culture of innovation: Proven leadership and engineering from

210 views • 18 slides
qr Lily Wong Fillmore University of California at Berkeley What

qr Lily Wong Fillmore University of California at Berkeley What

The Common Core Standards: What about English Learners & Language Minority Students? qr Lily Wong Fillmore University of California at Berkeley What about ELs & LMs? Many educators wondering:

1.8k views • 33 slides
Coming Soon 8th Grade Fiesta Saturday April 28, 2018 7-10pm Things to know... Tickets

Coming Soon 8th Grade Fiesta Saturday April 28, 2018 7-10pm Things to know... Tickets

Coming Soon 8th Grade Fiesta Saturday April 28, 2018 7-10pm Things to know... Tickets IDs No Limousines allowed (KISD policy) Dates are not necessary. Go to have fun with your friends. Fashion Guidelines Dos

477 views • 21 slides
JOHNNY MERCER award-winning songwriter & lyricist W H O is Johnny Mercer? - Full Name:

JOHNNY MERCER award-winning songwriter & lyricist W H O is Johnny Mercer? - Full Name:

an introduction to: JOHNNY MERCER award-winning songwriter & lyricist W H O is Johnny Mercer? - Full Name: Johnny - John Herndon Mercer Mercer - Born: - November 18, 1909 in Savannah, Georgia - Died: - June 25, 1976 in Beverly Hills,

387 views • 13 slides
CHCI JUNE 2020 INVESTOR PRESENTATION Comstock Holding Companies, Inc. NASDAQ: CHCI Disclosures

CHCI JUNE 2020 INVESTOR PRESENTATION Comstock Holding Companies, Inc. NASDAQ: CHCI Disclosures

CHCI JUNE 2020 INVESTOR PRESENTATION Comstock Holding Companies, Inc. NASDAQ: CHCI Disclosures This release includes forward-looking statements that are made pursuant to the safe harbor provisions of the Private Securities Litigation

457 views • 24 slides
The Mastery Model Sounds Great. So How Do We Get There? Presentation by Jason Carmichael The

The Mastery Model Sounds Great. So How Do We Get There? Presentation by Jason Carmichael The

The Mastery Model Sounds Great. So How Do We Get There? Presentation by Jason Carmichael The New Community School Richmond, VA Objectives 1. Explore the promise of mastery model and how it can redefine teaching and learning in the 21st

387 views • 22 slides
By Stephanie Kocer, Chris3an Lindman and Moriah Wald He

By Stephanie Kocer, Chris3an Lindman and Moriah Wald He

By Stephanie Kocer, Chris3an Lindman and Moriah Wald He became a very influen3al figure for future pop stars. Perkins was a pioneer in

684 views • 19 slides
2020 2021 Staff Draft Public Briefing November 20, 2019 This presentation contains

2020 2021 Staff Draft Public Briefing November 20, 2019 This presentation contains

Rendell L. Jones Office of the Chief Financial Officer 2020 2021 Staff Draft Public Briefing November 20, 2019 This presentation contains estimates that are pre-decisional and subject change. Agenda Key Accomplishments The

496 views • 34 slides
The Dos and Donts of Unemployment Benefit Claims April 10, 2015 Paul Holscher Phone:

The Dos and Donts of Unemployment Benefit Claims April 10, 2015 Paul Holscher Phone:

NCCUPA-HR Spring Development Workshop The Dos and Donts of Unemployment Benefit Claims April 10, 2015 Paul Holscher Phone: 919-841-3556 Email: paul.holscher@jacksonlewis.com Henry Ross (HR), the HR Director for ABC University, is

869 views • 82 slides
ELECTRONICS OUR SOLUTIONS FOR YOUR PROJECTS Diapositive 1 FQ1 FEN QIAN; 15/09/2017 COMPANY

ELECTRONICS OUR SOLUTIONS FOR YOUR PROJECTS Diapositive 1 FQ1 FEN QIAN; 15/09/2017 COMPANY

FQ1 ww w.a d va nte lec .c o m ELECTRONICS OUR SOLUTIONS FOR YOUR PROJECTS Diapositive 1 FQ1 FEN QIAN; 15/09/2017 COMPANY PRESENTATION ADVANTELEC : Set up in 2011 near Lyon in France, Advantelec is your strategic partner for sourcing and

500 views • 20 slides
Halcn Resources Investor Presentation August 2018 Forward Looking Statements This

Halcn Resources Investor Presentation August 2018 Forward Looking Statements This

Halcn Resources Investor Presentation August 2018 Forward Looking Statements This communication contains forward looking information regarding Halcn Resources that is intended to be covered by the safe harbor for "forward

597 views • 26 slides
Q2 Presentation CEO Karl Johnny Hersvik CFO Alexander Krane Oslo, 17 July 2014 NOT FOR

Q2 Presentation CEO Karl Johnny Hersvik CFO Alexander Krane Oslo, 17 July 2014 NOT FOR

Q2 Presentation CEO Karl Johnny Hersvik CFO Alexander Krane Oslo, 17 July 2014 NOT FOR DISTRIBUTION TO U.S. NEWS WIRE SERVICES OR FOR DISSEMINATION IN THE UNITED STATES, AUSTRALIA, CANADA OR JAPAN IMPORTANT INFORMATION This presentation does

612 views • 35 slides
Shelf Drilling Transaction Announcement February 21, 2019 Disclaimer This presentation (the

Shelf Drilling Transaction Announcement February 21, 2019 Disclaimer This presentation (the

Shelf Drilling Transaction Announcement February 21, 2019 Disclaimer This presentation (the "Presentation") has been prepared by Shelf Drilling, Ltd. ("Shelf Drilling" or the "Company") exclusively for information

158 views • 14 slides
expert panel Panellists Jon McLeod Laurent Chokoual Datou Conor Magowan Ross Williamson

expert panel Panellists Jon McLeod Laurent Chokoual Datou Conor Magowan Ross Williamson

Post-EU referendum expert panel Panellists Jon McLeod Laurent Chokoual Datou Conor Magowan Ross Williamson Chairman, UK Corporate, Chairman, EU Public Affairs Director of Public Affairs, Scotland Managing Director, Financial and Public

178 views • 15 slides
BI and WIC Data Warehouse Project Overview Reason for the Data Warehouse project EBT

BI and WIC Data Warehouse Project Overview Reason for the Data Warehouse project EBT

BI and WIC Data Warehouse Project Overview Reason for the Data Warehouse project EBT introduces to WIC a wealth of valuable information Thousands of individual food products, multiple NTEs for each Possibilities to improve program

429 views • 13 slides
EGM Presentation Document March 14, 2016 Disclaimers No Offer or Solicitation This presentation

EGM Presentation Document March 14, 2016 Disclaimers No Offer or Solicitation This presentation

EGM Presentation Document March 14, 2016 Disclaimers No Offer or Solicitation This presentation is being made in connection with the proposed business combination transaction between Koninklijke Ahold N.V. also known as Royal Ahold ( Ahold )

305 views • 27 slides
The Art of Community: Rural S.C. 21 st Annual Rural Health Conference The Power of Rural Context:

The Art of Community: Rural S.C. 21 st Annual Rural Health Conference The Power of Rural Context:

The Art of Community: Rural S.C. 21 st Annual Rural Health Conference The Power of Rural Context: Rural Co Si Six x Counti ties, s, Si Six x Mavens, s, Si Six x Teams A A ne new w fram amework A A state e ar arts ts commissi

286 views • 17 slides
The Art of Community: Rural S.C. New Tools for Community Development Main Street South Carolina

The Art of Community: Rural S.C. New Tools for Community Development Main Street South Carolina

3/6/2018 Public Transformation The Art of Community: Rural S.C. New Tools for Community Development Main Street South Carolina Presentation in Manning, SC Feb. 22, 2018 1 3/6/2018 Welcome to South Carolina! Population > 5 million 46

202 views • 16 slides
Johnny Symington (John Andrew Douglas Symington) Joint Managing Director of Symington Family

Johnny Symington (John Andrew Douglas Symington) Joint Managing Director of Symington Family

Tutored Douro DOC & Port Tasting Wednesday 16 th November 2016 Johnngton Speaker: Johnny Symington (John Andrew Douglas Symington) Joint Managing Director of Symington Family Estates Owners of Grahams, Cockburns, Dows, Warres,

599 views • 13 slides
User Group Monthly Meeting September 13, 2018 2:00 PM ET Agenda Welcome Poll: Which

User Group Monthly Meeting September 13, 2018 2:00 PM ET Agenda Welcome Poll: Which

HL7 Immunization User Group Monthly Meeting September 13, 2018 2:00 PM ET Agenda Welcome Poll: Which perspective do you primarily identify yourself with? Updates SISC Update Patient Matching discussion SISC Update Mary

757 views • 37 slides
RESULTS PRESENTATION FOR THE YEAR ENDED 31 MARCH 2017 RESULTS PRESENTATION FOR THE YEAR ENDED

RESULTS PRESENTATION FOR THE YEAR ENDED 31 MARCH 2017 RESULTS PRESENTATION FOR THE YEAR ENDED

RESULTS PRESENTATION FOR THE YEAR ENDED 31 MARCH 2017 RESULTS PRESENTATION FOR THE YEAR ENDED 31 MARCH 2017 AGENDA Doug Murray Anthony Thunstr m Jane Fisher Chief Executive Officer Chief Financial Officer Group Director Economy

634 views • 40 slides
Electromagnetic Interference (EMI) IBEX 2011 Speakers: David Gratton- Martek-Palm Beach, FL

Electromagnetic Interference (EMI) IBEX 2011 Speakers: David Gratton- Martek-Palm Beach, FL

Electromagnetic Interference (EMI) IBEX 2011 Speakers: David Gratton- Martek-Palm Beach, FL Johnny Lindstrom- Westport Shipyard, WA Property of the NMEA. Shall not be copied or re-distributed. Seminar Overview EMI Troubleshooting

310 views • 30 slides
2019 Fall Enrollment Todays Topics What can I do during Fall Enrollment? Personal

2019 Fall Enrollment Todays Topics What can I do during Fall Enrollment? Personal

2019 Fall Enrollment Todays Topics What can I do during Fall Enrollment? Personal Benefits Enrollment Statement Whats new this year? Your Options How to Make Changes 2019 Fall Enrollment What can I do during Fall

363 views • 17 slides
Investor Presentation Value Creation Plan March 7, 2018 Safe Harbor Statements This

Investor Presentation Value Creation Plan March 7, 2018 Safe Harbor Statements This

Investor Presentation Value Creation Plan March 7, 2018 Safe Harbor Statements This presentation is dated as of March 7, 2018 and speaks as of that date. Forward-Looking Statements This presentation contains statements that may constitute

343 views • 17 slides

More recommend