[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Perspective

1-3. Title
Can't get there from here? The web application firewall from an attacker's perspective.
Georgi Geshev, OWASP Bulgaria Chapter Leader
georgi.geshev@owasp.org, +359-884-237-207
03.04.10
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
4-5. Agenda
Part 1: Introduction
• Why would you be interested in bypassing a WAF?
Part 2: Real-World Stories
• The ModSecurity SQL Injection Challenge
6-10. Who's Who? Just in case you give a darn sh*t…
About me:
• FOSS evangelist
• Offsec enthusiast
• Bug hunter
• Internet troll
11-15. Bypassing WAFs for fun and...
Why would you hack around a WAF?
• Vulnerability assessment
• Penetration testing scenario
• Improving your own product
• Just for fun? ;)
16-21. What about the challenge?
"This is a SQL Injection and Filter Evasion Challenge."
• Intentionally broken demo sites
• Attacker's traffic is passed through a WAF proxy
• Identify a SQL injection vector within the target site
• Find out if there is a way to hack around the WAF proxy
22. What about the challenge? (cont.)
Targets (the vendors' intentionally broken demo sites):
• IBM (AppScan)
• Cenzic (HailStorm)
• HP (WebInspect)
• Acunetix
23-24. Challenge Scenario
Hacker -> ModSecurity Proxy -> Targets
25-29. Objectives
Successfully enumerate the following information:
• Database username(s)
• Database name(s)
• Table name(s)
• Column name(s)
30-33. What about the challenge? (cont.)
Levels: there are two levels. We focus on the second one.
• Level 1: Speed Hacking
• Level 2: Filter Evasion
34. The Winners
Johannes Dahse, Vladimir Vorontsov, PT Research, Ahmad Maulana, Travis Lee, Roberto Salgado, SQLMap Developers, HackPlayers, and (in <blink> tags on the slide) Georgi Geshev
35. What about the techniques?
• Less known and version-specific features. Ex.: MySQL comment extensions for conditional code execution
• Mixture of (unterminated) comments. Ex.: double dash, C-style comments, etc.
• Splitting the query across multiple locations. Ex.: multiple GET/POST parameters
• Parameter pollution, a.k.a. HPP
• Less known attack vector locations. Ex.: cookies, file names/contents, etc.
• Mixture of space separators and CR/LFs. Ex.: %09, %0a, %0b, %0c, %0d, %a0
36. Examples (pt. 1)
• Injection Fragmentation: splitting the SQLi payload into fragments so that no single fragment triggers a filter; once the application places the fragments into the back-end SQL query, together they form a condition that forces the boolean logic to true or false.
37. Examples (pt. 2)
• HTTP Parameter Pollution: HPP lets an attacker leverage how ASP/ASP.NET-based applications treat multiple parameters with the same name, which is to concatenate the values into one string separated by commas.
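The fragmentation (slide 36) and HPP (slide 37) techniques combine naturally: each occurrence of a repeated parameter carries a harmless-looking fragment, and the framework's comma-joining reassembles them into a complete injection. The following Python script is an added illustration, not code from the slides or from ModSecurity/CRS. The request, the query template and the per-parameter signature are constructed for the example; the comma-joining of repeated parameters is the ASP/ASP.NET behaviour the slide describes.

```python
"""
HTTP Parameter Pollution (HPP) as an injection-fragmentation vehicle.

Added example, not from the slides and not ModSecurity/CRS code. The request,
the query template and the per-parameter signature are constructed for
illustration; the comma-joining of repeated parameters is the ASP/ASP.NET
behaviour the slides describe.
"""
import re
from urllib.parse import parse_qsl

# A deliberately narrow signature of the kind a per-parameter filter might carry:
# it only fires when UNION and SELECT sit together inside one inspected value.
UNION_SELECT = re.compile(r"union\s+(?:all\s+)?select", re.IGNORECASE)

# Constructed attacker request. UNION and SELECT live in different occurrences
# of the same parameter; the comment markers are arranged so that the commas
# the framework inserts land inside /* ... */ and never reach the SQL parser.
POLLUTED = "id=1/*&id=*/union/*&id=*/select/*&id=*/1,2,3"


def per_parameter_filter_blocks(query_string: str) -> bool:
    """Inspect every parameter value on its own, the way a filter that iterates
    over ARGS does. Returns True if any single value matches the signature."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return any(UNION_SELECT.search(value) for _, value in pairs)


def aspnet_query_string_get(query_string: str, name: str) -> str:
    """Emulate Request.QueryString[name] in classic ASP / ASP.NET: repeated
    parameters are joined into one string with commas."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return ",".join(value for key, value in pairs if key == name)


def build_backend_query(query_string: str) -> str:
    """The vulnerable application's query: the joined value is concatenated
    into the SQL statement without escaping (constructed for the example)."""
    return "SELECT id, name FROM products WHERE id = " + aspnet_query_string_get(query_string, "id")


def strip_c_comments(sql: str) -> str:
    """Show what the SQL parser sees: each /* ... */ acts as a token separator."""
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)


def backend_view_filter_blocks(query_string: str) -> bool:
    """Apply the same signature to the value the back end will actually execute,
    i.e. after reassembling duplicates the way the framework does and after
    removing comments. This is the check the per-parameter filter is missing."""
    return UNION_SELECT.search(strip_c_comments(build_backend_query(query_string))) is not None


if __name__ == "__main__":
    print("per-parameter filter blocks:", per_parameter_filter_blocks(POLLUTED))
    print("value seen by ASP.NET      :", aspnet_query_string_get(POLLUTED, "id"))
    print("query executed by the DB   :", strip_c_comments(build_backend_query(POLLUTED)))
    print("backend-view filter blocks :", backend_view_filter_blocks(POLLUTED))
```

The per-parameter check passes every fragment, while the reassembled statement is a plain `UNION SELECT`. The practical lesson is that a filter must inspect the value the application will actually consume, which means either joining duplicate parameters the way the target framework does before matching, or flagging repeated parameter names and dangling comment fragments (`/*` without `*/`) in their own right. The same reassembly logic applies to values taken from other locations such as the Cookie header (slide 39); a filter that only walks the query string and body never sees those at all.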
38. Examples (pt. 3)
• Tricky Comments: the intruder leveraged platform- and version-specific attack techniques, exploiting the way the back-end database handles and interprets different types of comments.
39. Examples (pt. 4)
• Unusual Locations: in this case, the evasion was possible because of the attack vector's location, the request Cookie data.
40. Statistics
• Estimated number of participants: >650
• Avg. number of requests to find an evasion: 433
• Avg. duration (time to find an evasion): 72 hrs
• Fewest requests to find an evasion: 118
• Shortest duration (time to find an evasion): 10 hrs
41. Shout outs go to..
• All the OWASP enthusiasts around the globe, for being awesome
• Ryan Barnett, for all the efforts
• P. Serafimov, for kindly contributing to this talk ;)
42. References
• OWASP ModSecurity Core Rule Set Project: http://goo.gl/H3f49
• Challenge Announce: http://goo.gl/88EDL
• Lessons Learned: http://goo.gl/gWLNP
43. Thanks for your time!
P. S. Ping me for OWASP stickers.
