Troopers09: The Truth about Web Application Firewalls: What the vendors do NOT want you to know

    Troopers09: The Truth about Web Application Firewalls: What the vendors do NOT want you to know - Presentation Transcript

    1. The Truth about Web Application Firewalls: What the vendors do NOT want you to know. TROOPERS 09 – Munich, April 2009
    2. $ whois WendelGH
       • PT Consultant at Trustwave's SpiderLabs.
       • Over 7 years in the security industry.
       • Vulnerability discovery: Webmails, AP, Citrix, etc.
       • Spoke at YSTS 2.0, Defcon 16, H2HC and others.
       • Affiliated with the Hackaholic team.
    3. $ whois SandroGauci
       • Founder and CSO, EnableSecurity.
       • VOIPPACK (CANVAS addon).
       • Security research papers.
       • SIPVicious and SurfJack.
    4. Introduction
       • Web Application Firewalls (WAFs) are quickly taking their place to protect web applications.
       • Today WAF systems are considered the next generation product to protect websites against web hacking attacks.
       • During this presentation we will show how WAF systems can be identified and detected, and we will introduce new attacks.
       • We will show how WAF systems can be vulnerable to the same vulnerabilities that they try to protect Web Applications from.
    5. What is a WAF
       • WAFs are often called 'Deep Packet Inspection Firewalls'.
       • Some WAFs look for certain 'attack signatures' while others look for abnormal behavior.
       • WAFs can be either software or a hardware appliance.
    6. What is a WAF
       • Modern WAF systems work with both attack signatures and abnormal behavior.
       • WAFs can be installed as a reverse proxy, embedded, or connected to a switch (SPAN or RAP).
       • Nowadays many WAF products detect both inbound and outbound attacks.
    7. Vendors
    8. Who uses WAFs?
       • Many banks around the world.
       • Companies that are very security conscious.
       • Many companies in compliance with PCI DSS (Payment Card Industry - Data Security Standard).
    9. Operation Modes:
       • Negative model (blacklist based).
       • Positive model (whitelist based).
       • Mixed / Hybrid (mix of negative and positive model protection).
    10. Operation Mode: Negative
       A negative security model detects attacks by relying on a database of attack signatures.
       Example: do not allow, in any page, any argument value (user input) that matches potential XSS strings like <script>, </script>, String.fromCharCode, etc.
    11. Operation Mode: Positive
       A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid, known-good requests.
       Example: on page news.jsp, the field "id" only accepts digits [0-9], in the range 0 to 65535.
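    The two operation modes from slides 10 and 11, written out as a small request checker that evaluates one request under both models side by side; it also shows a value the blacklist passes but the whitelist rejects, which is the "bad rules" weakness of slide 12. This is an added illustration, not code from the talk or from WAFW00F/WAFFUN; the three-entry signature list, the policy table layout and the (regex, min, max) representation of the news.jsp rule are assumptions made for this example.

```python
import re
from typing import Dict

# Negative model (slide 10): a signature database. Constructed sample for this
# example; a real product ships far more rules than these three XSS strings.
XSS_SIGNATURES = ("<script>", "</script>", "String.fromCharCode")


def negative_model_allows(params: Dict[str, str]) -> bool:
    """Blacklist: block the request if any argument value contains a known attack string."""
    for value in params.values():
        lowered = value.lower()
        if any(sig.lower() in lowered for sig in XSS_SIGNATURES):
            return False
    return True


# Positive model (slide 11): a learned policy of known-good requests, per page and field.
# Each rule is (compiled regex, minimum, maximum); this layout is an assumption.
POLICY = {
    "news.jsp": {
        "id": (re.compile(r"[0-9]+"), 0, 65535),
    },
}


def positive_model_allows(page: str, params: Dict[str, str]) -> bool:
    """Whitelist: allow only pages and fields in the policy, with values that fit the rule."""
    rules = POLICY.get(page)
    if rules is None:
        return False  # page never seen during learning: default deny
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            return False  # unexpected parameter on a known page
        pattern, low, high = rule
        if pattern.fullmatch(value) is None:
            return False  # wrong character class (e.g. letters in a numeric field)
        if not low <= int(value) <= high:
            return False  # numeric, but outside the learned range
    return True


def check_request(page: str, params: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate one request under both models so the verdicts can be compared."""
    return {
        "negative": negative_model_allows(params),
        "positive": positive_model_allows(page, params),
    }
```

An out-of-range id such as 70000 sails through the negative model, which knows nothing about news.jsp, while the positive model rejects it; the blacklist only fires on strings it has a signature for.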
    12. Common Weaknesses Brief
       • Bad rules.
       • Bad design.
       • Bad implementation.
       • Vulnerable to the same flaws they intend to protect against.
    13. Detection
       WAF systems leave several signs that permit us to detect them; one of them is cookies.
       Cookies: some WAF products add their own cookie to the HTTP communication. DEMO
    14. Detection
       WAFs leave several traces that permit us to detect them; one of them is header rewriting.
       Header Rewrite: some WAF products allow the rewriting of HTTP headers. The most common field is "Server"; this is used to try to deceive attackers (server cloaking). DEMO
    15. Detection
       Some WAF systems change the return codes:
       • Different 404 error codes for hostile and non-existent pages.
       • Different error codes (404, 400, 401, 403, 501, etc.) for hostile parameters (even non-existent ones) in valid pages. DEMO
    16. Detection
       Other WAF systems will simply drop the connection.
       Drop Action: immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet. DEMO
    17. Detection
       WAF systems leave several signs that permit us to detect them; one of them is pre-built rules.
       Pre-built Rules: all (at least all that we know) WAF systems have a built-in group of rules in negative mode. These rules differ in each product, which helps us to identify them. DEMO
    18. Detection
       You should be thinking…
       • It's so boring.
       • We have to have good knowledge of various products to identify them correctly.
       • What about a tool that does all this?
    19. WAFW00F
       That's our answer to your prayers:
       • Detects 10 different WAF products.
       • Generic detection.
       • Supports Windows and Unix.
       • Much more coming soon.
    20. WAFW00F
    21. WAFW00F DEMO
    22. Bypassing
       WAF systems can be bypassed in various ways. We can modify our attack to still be effective and not match the WAF rules:
       • Detect allowed / good strings.
       • Detect denied / bad strings.
       • Detect sequences of good and bad strings together.
       • Modify your attack to match the good rules. DEMO
    23. Bypassing
       WAF systems can be bypassed in various ways. Another way is to use encoding and language support:
       • Unicode.
       • Homographic attacks. DEMO
    24. Bypassing
       WAF systems can be bypassed in various ways. Web languages are very flexible:
       • HTML and JS are very flexible.
       • XSS case. DEMO
    25. Bypassing
       WAIT!
       • What about the positive model?
       • Are they really secure?
       • If we find a positive model, should we give up? DEMO
    26. Bypassing
       There are many other ways to bypass WAF systems… Coming soon!
    27. Bypassing
       You should be thinking…
       • It's so boring.
       • It's time consuming.
       • There are so many different techniques to remember.
       • There are so many specific techniques that are product dependent.
       • How about a tool which does all of the above?
    28. WAFFUN
       That's our answer to your prayers:
       • Tests the target and points out weaknesses in the WAF system.
       • Use with WAFW00F for better results.
       • Supports Windows and Unix.
       • Alpha version! We need the community's help!
       • Much more coming soon.
    29. WAFFUN DEMO
    30. Show Time: 0day DEMOS
    31. WAF - Other problems
       • Backdoors.
       • DoS.
       • Overflows.
    32. Thank you!
       Do you have access to a commercial WAF system? Do you have ideas to improve our tools? Don't have anyone to talk to? Contact us!
       wsguglielmetti [em] gmail [ponto] com
       sandro [em] enablesecurity [ponto] com

    sandrogauci, 6 months ago

    A presentation given at Troopers09 / Munich on 23rd
    © All Rights Reserved