Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
The Truth about
      Web Application Firewalls:
     What the vendors do NOT want
              you to know.



TROOPERS ...
$ whois WendelGH
    PT Consultant at Trustwave's SpiderLabs.
    Over 7 years in the security industry.
    Vulnerability...
$ whois SandroGauci
    Founder and CSO EnableSecurity.
    VOIPPACK (CANVAS addon).
    Security research papers.
    SIP...
Introduction
    • Web Application Firewalls (WAFs) are quickly taking their place to
    protect web applications.

    •...
What is WAF

    • WAFs are often called 'Deep Packet Inspection Firewall'.

    • Some WAFs look certain 'attack signatur...
What is WAF

    • Modern WAF systems work both with attack signature and
    abnormal behavior.

    • WAFs can be instal...
Vendors




TROOPERS 09 – Munich, April 2009     7
Who uses WAF?
    •   Many banks around the world.



    •   Companies that are very security conscious.



    •   Many ...
Operation Modes:

    • Negative model (blacklist based).



    • Positive model (whitelist based).



    • Mixed / Hybr...
Operation Mode: Negative

    A negative security model detects attacks by relying on a database
    of attack signatures....
Operation Mode: Positive

    A positive security model enforces positive behavior by learning the
    application logic a...
Common Weaknesses Brief

    • Bad rules.

    • Bad design.

    • Bad implementation.

    • Vulnerable to the same flaw...
Detection
    WAF systems leave several signs which permit us to detect them,
    one of them are cookies:

    Cookies: S...
Detection
    WAF leave several traces that permit us to detect them, one of them
    are Header Rewrite:

    Header Rewr...
Detection
    Some WAF systems change the return codes:

    • Different 404 error codes for hostile and non existent page...
Detection

    Other WAF systems will simply drop the connection:

    Drop Action: Immediately initiate a quot;connection...
Detection

    WAF systems leave several signs which permit us to detect them,
    one of them are Pre Built-in Rules:

  ...
Detection

    You should be thinking…

    • It’s so boring.

    • We have to have good knowledge of various products to...
WAFW00F
    That’s our answer for your prayers:

    • Detect 10 different WAF products.

    • Generic detection.

    • ...
WAFW00F




TROOPERS 09 – Munich, April 2009   20
WAFW00F


                             DEMO



TROOPERS 09 – Munich, April 2009    21
Bypassing
    WAF systems can be bypassed in various ways. We can modify our
    attack to still be effective and not matc...
Bypassing
    WAF systems can be bypassed in various ways. Another way is to
    use encoding and language support:

    •...
Bypassing
    WAF systems can be bypassed in various ways. Web languages
    are very flexible:

    • HTML and JS is very...
Bypassing
                                   WAIT!

    • What about positive model?
    • They are really secure?
    • I...
Bypassing


           There are many other ways to bypass WAF systems…

                             Coming soon!




TRO...
Bypassing
    You should be thinking…

    • It’s so boring.

    • It’s time consuming.

    • The are so many different ...
WAFFUN
    That’s our answer for your prayers:

    • Test the target and point weakness in the WAF system.

    • Use wit...
WAFFUN


                              DEMO




TROOPERS 09 – Munich, April 2009     29
Show Time: 0day


                             DEMOS




TROOPERS 09 – Munich, April 2009     30
WAF - Other problems

    • Backdoors.

    • DoS.

    • Overflows.




TROOPERS 09 – Munich, April 2009   31
Thank you!
            Do you have access to a commercial WAF system?
                 Do you have ideas to improve our to...
Upcoming SlideShare
Loading in …5
×

Troopers09: The Truth about Web Application Firewalls: What the vendors do NOT want you to know

5,406 views

Published on

A presentation given at Troopers09 / Munich on 23rd April 2009 which talks about weaknesses in Web Application Firewall technologies.

Published in: Technology, Travel
  • Be the first to comment

Troopers09: The Truth about Web Application Firewalls: What the vendors do NOT want you to know

  1. 1. The Truth about Web Application Firewalls: What the vendors do NOT want you to know. TROOPERS 09 – Munich, April 2009
  2. 2. $ whois WendelGH PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery Webmails, AP, Citrix, etc. Spoke in YSTS 2.0, Defcon 16, H2HC and others. Affiliated to Hackaholic team. TROOPERS 09 – Munich, April 2009 2
  3. 3. $ whois SandroGauci Founder and CSO EnableSecurity. VOIPPACK (CANVAS addon). Security research papers. SIPVicious and SurfJack. TROOPERS 09 – Munich, April 2009 3
  4. 4. Introduction • Web Application Firewalls (WAFs) are quickly taking their place to protect web applications. • Today WAF systems are considered the next generation product to protect websites against web hacking attacks. • During this presentation we will show WAF systems can be identified, detected and we will introduce new attacks. • We will show how WAF systems can be vulnerable to the same vulnerabilities that they try to protect Web Applications from. TROOPERS 09 – Munich, April 2009 4
  5. 5. What is WAF • WAFs are often called 'Deep Packet Inspection Firewall'. • Some WAFs look certain 'attack signature' while others look for abnormal behavior. • WAFs can be either software or hardware appliance. TROOPERS 09 – Munich, April 2009 5
  6. 6. What is WAF • Modern WAF systems work both with attack signature and abnormal behavior. • WAFs can be installed as a reverse proxy, embedded or connected in a switch (SPAN or RAP). • Nowadays many WAF products detect both inbound and outbound attacks. TROOPERS 09 – Munich, April 2009 6
  7. 7. Vendors TROOPERS 09 – Munich, April 2009 7
  8. 8. Who uses WAF? • Many banks around the world. • Companies that are very security conscious. • Many companies in compliance with PCI DSS (Payment Card Industry - Data Security Standard). TROOPERS 09 – Munich, April 2009 8
  9. 9. Operation Modes: • Negative model (blacklist based). • Positive model (whitelist based). • Mixed / Hybrid (mix negative and positive model protection). TROOPERS 09 – Munich, April 2009 9
  10. 10. Operation Mode: Negative A negative security model detects attacks by relying on a database of attack signatures. Example: Do not allow in any page, any argument value (user input) which match potential XSS strings like <script>, </script>, String.fromCharCode, etc. TROOPERS 09 – Munich, April 2009 10
  11. 11. Operation Mode: Positive A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid known good requests. Example: Page news.jsp, the field quot;idquot; only accept numbers [0-9] and starting at 0 to 65535. TROOPERS 09 – Munich, April 2009 11
  12. 12. Common Weaknesses Brief • Bad rules. • Bad design. • Bad implementation. • Vulnerable to the same flaws they intend to protect. TROOPERS 09 – Munich, April 2009 12
  13. 13. Detection WAF systems leave several signs which permit us to detect them, one of them are cookies: Cookies: Some WAF products add their own cookie in the HTTP communication. DEMO TROOPERS 09 – Munich, April 2009 13
  14. 14. Detection WAF leave several traces that permit us to detect them, one of them are Header Rewrite: Header Rewrite: Some WAF products allow the rewriting of HTTP headers. The most common field is quot;Serverquot;, this is used to try to deceive the attackers (server cloaking). DEMO TROOPERS 09 – Munich, April 2009 14
  15. 15. Detection Some WAF systems change the return codes: • Different 404 error codes for hostile and non existent pages. • Different error codes (404, 400, 401, 403, 501, etc) for hostile parameters (even non existent ones) in valid pages. DEMO TROOPERS 09 – Munich, April 2009 15
  16. 16. Detection Other WAF systems will simply drop the connection: Drop Action: Immediately initiate a quot;connection closequot; action to tear down the TCP connection by sending a FIN packet. DEMO TROOPERS 09 – Munich, April 2009 16
  17. 17. Detection WAF systems leave several signs which permit us to detect them, one of them are Pre Built-in Rules: Pre Built-in Rules: All (at least all that we know) WAF systems have a built-in group of rules in negative mode, these rules are different in each products, this can help us to detect them. DEMO TROOPERS 09 – Munich, April 2009 17
  18. 18. Detection You should be thinking… • It’s so boring. • We have to have good knowledge of various products to identify them correctly. • What about a tool that does all this? TROOPERS 09 – Munich, April 2009 18
  19. 19. WAFW00F That’s our answer for your prayers: • Detect 10 different WAF products. • Generic detection. • Supports Windows and Unix. • Much more coming soon. TROOPERS 09 – Munich, April 2009 19
  20. 20. WAFW00F TROOPERS 09 – Munich, April 2009 20
  21. 21. WAFW00F DEMO TROOPERS 09 – Munich, April 2009 21
  22. 22. Bypassing WAF systems can be bypassed in various ways. We can modify our attack to still be effective and not match the WAF rules: • Detect allowed / good strings. • Detect denied / bad strings. • Detect sequences of good and bad strings together. • Modify your attack to match the good rules. DEMO TROOPERS 09 – Munich, April 2009 22
  23. 23. Bypassing WAF systems can be bypassed in various ways. Another way is to use encoding and language support: • Unicode. • Homographic attacks. DEMO TROOPERS 09 – Munich, April 2009 23
  24. 24. Bypassing WAF systems can be bypassed in various ways. Web languages are very flexible: • HTML and JS is very flexible. • XSS Case. DEMO TROOPERS 09 – Munich, April 2009 24
  25. 25. Bypassing WAIT! • What about positive model? • They are really secure? • If we find a positive model we should give up? DEMO TROOPERS 09 – Munich, April 2009 25
  26. 26. Bypassing There are many other ways to bypass WAF systems… Coming soon! TROOPERS 09 – Munich, April 2009 26
  27. 27. Bypassing You should be thinking… • It’s so boring. • It’s time consuming. • The are so many different techniques to remember. • There are so many specific techniques that are product dependent. • How about a tool which does all of the above? TROOPERS 09 – Munich, April 2009 27
  28. 28. WAFFUN That’s our answer for your prayers: • Test the target and point weakness in the WAF system. • Use with WAFW00F for better results. • Supports Windows and Unix. • Alpha version! We need the community help! • Much more coming soon. TROOPERS 09 – Munich, April 2009 28
  29. 29. WAFFUN DEMO TROOPERS 09 – Munich, April 2009 29
  30. 30. Show Time: 0day DEMOS TROOPERS 09 – Munich, April 2009 30
  31. 31. WAF - Other problems • Backdoors. • DoS. • Overflows. TROOPERS 09 – Munich, April 2009 31
  32. 32. Thank you! Do you have access to a commercial WAF system? Do you have ideas to improve our tools? Don't have anyone to talk to? Contact us! wsguglielmetti [em] gmail [ponto] com sandro [em] enablesecurity [ponto] com TROOPERS 09 – Munich, April 2009 32

×