The Truth about Web Application Firewalls: What the vendors do NOT want you to know
TROOPERS 09 – Munich, April 2009
(Slide transcript; uploaded 2019-09-03)
$ whois WendelGH
• PT Consultant at Trustwave's SpiderLabs.
• Over 7 years in the security industry.
• Vulnerability discovery: webmails, AP, Citrix, etc.
• Spoke at YSTS 2.0, Defcon 16, H2HC and others.
• Affiliated to the Hackaholic team.
$ whois SandroGauci
• Founder and CSO, EnableSecurity.
• VOIPPACK (CANVAS addon).
• Security research papers.
• SIPVicious and SurfJack.
Introduction
• Web Application Firewalls (WAFs) are quickly taking their place to protect web applications.
• Today WAF systems are considered the next generation product to protect websites against web hacking attacks.
• During this presentation we will show how WAF systems can be identified and detected, and we will introduce new attacks.
• We will show how WAF systems can be vulnerable to the same vulnerabilities that they try to protect web applications from.
What is WAF
• WAFs are often called 'Deep Packet Inspection Firewalls'.
• Some WAFs look for certain 'attack signatures' while others look for abnormal behavior.
• WAFs can be either software or hardware appliances.
What is WAF
• Modern WAF systems work with both attack signatures and abnormal behavior.
• WAFs can be installed as a reverse proxy, embedded, or connected to a switch (SPAN or RAP).
• Nowadays many WAF products detect both inbound and outbound attacks.
Vendors
Who uses WAF?
• Many banks around the world.
• Companies that are very security conscious.
• Many companies in compliance with PCI DSS (Payment Card Industry Data Security Standard).
Operation Modes:
• Negative model (blacklist based).
• Positive model (whitelist based).
• Mixed / Hybrid (a mix of negative and positive model protection).
Operation Mode: Negative
A negative security model detects attacks by relying on a database of attack signatures.
Example:
Do not allow, in any page, any argument value (user input) which matches potential XSS strings like <script>, </script>, String.fromCharCode, etc.
Operation Mode: Positive
A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid, known-good requests.
Example:
On page news.jsp, the field "id" only accepts numbers [0-9], in the range 0 to 65535.
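As an added illustration that is not part of the original slides, the two policies from the Negative and Positive slides written as small Python checks, applied to the same inputs side by side. The policy dictionary layout, the `compare` helper and the sample values are assumptions made for this example; only the signature list and the news.jsp "id" rule come from the slides.

```python
import re

# Negative model (slide "Operation Mode: Negative"): reject any argument value that
# matches a known attack signature. The signatures are the slide's example list.
NEGATIVE_SIGNATURES = ["<script>", "</script>", "String.fromCharCode"]

def negative_model_allows(value: str) -> bool:
    """Blacklist check: allow unless a signature appears verbatim.
    Deliberately naive (exact, case-sensitive substring match), which is
    exactly the weakness the later "XSS case" slide points at."""
    return not any(sig in value for sig in NEGATIVE_SIGNATURES)

# Positive model (slide "Operation Mode: Positive"): a policy of known-good requests.
# The slide's rule: on news.jsp, "id" accepts only digits in the range 0..65535.
# The dictionary layout (page -> param -> (pattern, min, max)) is an assumption.
POSITIVE_POLICY = {
    "news.jsp": {"id": (re.compile(r"^[0-9]+$"), 0, 65535)},
}

def positive_model_allows(page: str, param: str, value: str) -> bool:
    """Whitelist check: allow only pages and parameters the policy knows, and only
    values that match the learned pattern and range. Anything unknown is rejected."""
    rules = POSITIVE_POLICY.get(page)
    if rules is None or param not in rules:
        return False
    pattern, lo, hi = rules[param]
    if not pattern.match(value):
        return False
    return lo <= int(value) <= hi

def compare(page: str, param: str, value: str) -> dict:
    """Evaluate one request argument under both models."""
    return {
        "negative": negative_model_allows(value),
        "positive": positive_model_allows(page, param, value),
    }

if __name__ == "__main__":
    # Constructed sample inputs for the news.jsp "id" field.
    samples = ["42", "65535", "65536", "-1",
               "<script>alert(1)</script>",    # matches the blacklist verbatim
               "<ScRiPt>alert(1)</ScRiPt>"]    # same payload, different case: slips past the blacklist
    for v in samples:
        print(f"{v!r:32} -> {compare('news.jsp', 'id', v)}")
```

The positive model never needs to know what an attack looks like: every value that is not a number in range is rejected, including the case-varied payload the naive signature match lets through.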
Common Weaknesses Brief
• Bad rules.
• Bad design.
• Bad implementation.
• Vulnerable to the same flaws they intend to protect against.
Detection
WAF systems leave several signs which permit us to detect them; one of them is cookies:
Cookies: Some WAF products add their own cookie to the HTTP communication.
DEMO
Detection
WAFs leave several traces that permit us to detect them; one of them is header rewriting:
Header Rewrite: Some WAF products allow the rewriting of HTTP headers. The most common field is "Server"; this is used to try to deceive attackers (server cloaking).
DEMO
Detection
Some WAF systems change the return codes:
• Different 404 error codes for hostile and non-existent pages.
• Different error codes (404, 400, 401, 403, 501, etc.) for hostile parameters (even non-existent ones) in valid pages.
DEMO
Detection
Other WAF systems will simply drop the connection:
Drop Action: Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet.
DEMO
Detection
WAF systems leave several signs which permit us to detect them; one of them is pre-built-in rules:
Pre Built-in Rules: All WAF systems (at least all that we know of) have a built-in group of rules in negative mode. These rules differ in each product, which can help us detect them.
DEMO
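The signs listed across the Detection slides (cookies, Server header rewrite, changed return codes, drop action), as an added Python example that is not from the talk or from WAFW00F: it compares two constructed HTTP responses offline, the way an operator would verify what the WAF in front of their own application exposes. The `Response` model, the `APP_COOKIES` and `EXPECTED_SERVER` values and the block-status set are assumptions for this example.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

@dataclass
class Response:
    """Minimal HTTP response; status None means the TCP connection was torn down
    before any response arrived (the slides' "drop action")."""
    status: Optional[int]
    headers: tuple = ()  # (name, value) pairs

# What the operator knows about their own backend (constructed for this example):
# the cookie names the application issues and the Server banner it really sends.
APP_COOKIES = {"JSESSIONID"}
EXPECTED_SERVER = "Apache"

# Status codes the slides list as typical WAF responses to hostile parameters.
BLOCK_STATUSES = {400, 401, 403, 404, 501}

def _header_values(resp, name):
    return [v for (n, v) in resp.headers if n.lower() == name.lower()]

def _cookie_names(resp):
    names = set()
    for raw in _header_values(resp, "Set-Cookie"):
        c = SimpleCookie()
        c.load(raw)
        names.update(c.keys())
    return names

def detect_waf_signs(baseline: Response, probe: Response) -> list:
    """Compare the response to a benign request (baseline) with the response to the
    same valid page carrying a parameter value that trips built-in negative rules
    (probe). Returns the signs from the Detection slides that were observed."""
    signs = []
    if probe.status is None:
        signs.append("drop action: connection closed without an HTTP response")
        return signs
    foreign = (_cookie_names(baseline) | _cookie_names(probe)) - APP_COOKIES
    if foreign:
        signs.append("cookie not issued by the application: " + ", ".join(sorted(foreign)))
    servers = set(_header_values(baseline, "Server") + _header_values(probe, "Server"))
    if servers - {EXPECTED_SERVER}:
        signs.append(f"Server header rewritten (cloaking): {sorted(servers)}")
    if probe.status != baseline.status and probe.status in BLOCK_STATUSES:
        signs.append(f"return code changed on hostile parameter: {baseline.status} -> {probe.status}")
    return signs

if __name__ == "__main__":
    # Constructed responses: benign request vs. the same page with a hostile parameter.
    baseline = Response(200, [("Server", "Apache"), ("Set-Cookie", "JSESSIONID=abc123; Path=/")])
    probe = Response(403, [("Server", "Web Server"), ("Set-Cookie", "examplewaf_session=xyz; Path=/")])
    for sign in detect_waf_signs(baseline, probe):
        print("-", sign)
```

Used against your own deployment, an empty result on the hostile probe is itself a finding: the WAF either is not in the path or is not blocking that rule.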
Detection
You should be thinking…
• It's so boring.
• We have to have good knowledge of various products to identify them correctly.
• What about a tool that does all this?
WAFW00F
That's our answer to your prayers:
• Detects 10 different WAF products.
• Generic detection.
• Supports Windows and Unix.
• Much more coming soon.
WAFW00F
DEMO
Bypassing
WAF systems can be bypassed in various ways. We can modify our attack to still be effective and not match the WAF rules:
• Detect allowed / good strings.
• Detect denied / bad strings.
• Detect sequences of good and bad strings together.
• Modify your attack to match the good rules.
DEMO
Bypassing
WAF systems can be bypassed in various ways. Another way is to use encoding and language support:
• Unicode.
• Homographic attacks.
DEMO
Bypassing
WAF systems can be bypassed in various ways. Web languages are very flexible:
• HTML and JS are very flexible.
• XSS case.
DEMO
Bypassing
WAIT!
• What about the positive model?
• Is it really secure?
• If we find a positive model, should we give up?
DEMO
Bypassing
There are many other ways to bypass WAF systems…
Coming soon!
Bypassing
You should be thinking…
• It's so boring.
• It's time consuming.
• There are so many different techniques to remember.
• There are so many specific techniques that are product dependent.
• How about a tool which does all of the above?
WAFFUN
That's our answer to your prayers:
• Tests the target and points out weaknesses in the WAF system.
• Use with WAFW00F for better results.
• Supports Windows and Unix.
• Alpha version! We need the community's help!
• Much more coming soon.
WAFFUN
DEMO
Show Time: 0day
DEMOS
WAF - Other problems
• Backdoors.
• DoS.
• Overflows.
Thank you!
Do you have access to a commercial WAF system? Do you have ideas to improve our tools? Don't have anyone to talk to?
Contact us!
wsguglielmetti [em] gmail [ponto] com
sandro [em] enablesecurity [ponto] com