Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Firewall Bypassing – an approach for pentesters

Published byTeresa Mills Modified over 6 years ago

Similar presentations

Presentation on theme: "Web Application Firewall Bypassing – an approach for pentesters"— Presentation transcript:

1 Web Application Firewall Bypassing – an approach for pentesters
Khalil bijjou Security Consultant EUROSEC – Security since 1998 11th November 2016

2 BypassING a WAF – WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration test more difficult Attempting to bypass a WAF is an important aspect of a penetration test

3 MAIN GOAL Provide a practical approach for penetration testers which helps to ensure accurate results

4 Introduction to Web Application Firewalls

5 OVERVIEW Replaces old fashioned Firewalls and IDS/IPS
Understands HTTP traffic better than traditional firewalls Protects a web application by adding a security layer Checks for malicious traffic and blocks it

6 FUNCTIONALITY Pre-processor: Decide whether a request will be processed further Normalization: Standardize user input Validate Input: Check user input against rules

7 Normalization functions
Simplifies the writing of rules No Knowledge about different forms of input needed compressWhitespace converts whitespace chars to spaces hexDecode decodes a hex-encoded string lowercase converts characters to lowercase urlDecode decodes a URL-encoded string

8 Input validation Security Models define how to enforce rules
Rules consist of regular expressions Three Security Models: Positive Security Model Negative Security Model Hybrid Security Model

9 Security models Positive Security Model (Whitelist)
Negative Security Model (Blacklist) Deny all but known good Allow all but known bad Prevents Zero-day Exploits Shipped with WAF More secure than blacklist Fast adoption Comprehensive understanding of application is needed Little knowledge needed Creating rules is a time-consuming process Protect several applications Tends to false positives Resource-consuming

10 Bypassing Methods and Techniques

11 Overview Pre-processor Exploitation: Make WAF skip input validation
Impedance Mismatch: WAF interprets input differently than back end Rule Set Bypassing: Use Payloads that are not detected by the WAF

12 Pre-processor Exploitation

13 Skipping parameter verification
PHP removes whitespaces from parameter names or transforms them into underscores ASP removes % character that is not followed by two hexadecimal digits A WAF which does not reject unknown parameters may be bypassed 1,2,3 1,2,3

14 MALFORMED HTTP Method Misconfigured web servers may accept malformed HTTP methods A WAF that only inspects GET and POST requests may be bypassed

15 Overloading the waf A WAF may be configured to skip input validation if performance load is heavy Often applies to embedded WAFs Great deal of malicious requests can be sent with the chance that the WAF will overload and let some requests through

16 Impedance Mismatch

17 HTTP PARAMETER POLLUTION
Sending a number of parameters with the same name Technologies interpret this request differently: Back end Behavior Processed ASP.NET Concatenate with comma productid=1,2 JSP First Occurrence productid=1 PHP Last Occurrence productid=2

18 HTTP PARAMETER POLLUTION
The following payload can be divided: WAF sees two individual parameters and may not detect the payload ASP.NET back end concatenates both values ?productid=select 1,2,3 from table ?productid=select 1&productid=2,3 from table

19 DOUBLE URL ENCODING WAF normalizes URL encoded characters into ASCII text The WAF may be configured to decode characters only once Double URL Encoding a payload may result in a bypass The following payload contains a double URL encoded character ’s’ -> %73 -> %25%37%33 1 union %25%37%33elect 1,2,3

20 Rule Set Bypassing

21 BYPASS RULE SET Two methods: Brute force by enumerating payloads
Reverse-engineer the WAFs rule set

22 Approach for Penetration Testers

23 Overview Similar to the phases of a penetration test
Divided into six phases, whereas Phase 0 may not always be possible

24 Phase 0 – DISABLE WAF Objective: find security flaws in the application more easily assessment of the security level of an application is more accurate Allows a more focused approach when the WAF is enabled May not be realizable in some penetration tests

25 Phase 1 - Reconnaissance
Objective: Gather information to get a overview of the target Basis for the subsequent phases Gather information about: web server programming language WAF & Security Model Internal IP Addresses

26 Phase 2 – attacking the pre-processor
Objective: make the WAF skip input validation Identify which parts of a HTTP request are inspected by the WAF to develop an exploit: Send individual requests that differ in the location of a payload Observe which requests are blocked Attempt to develop an exploit

27 Phase 3 – findING an impedance mismatch
Objective: make the WAF interpret a request differently than the back end and therefore not detecting it Knowledge about back end technologies is needed

28 PHASE 4 – Bypassing the rule set
Objective: find a payload that is not blocked by the WAFs rule set Brute force by sending different payloads Reverse-engineer the rule set in a trial and error approach: Send symbols and keywords that may be useful to craft a payload Observe which are blocked Attempt to develop an exploit based on the results of the previous steps

29 PHASE 5 – Other vulnerabilities
Objective: find other vulnerabilities that can not be detected by the WAF Broken authentication mechanism Privilege escalation Etc.

30 PHASE 6 – after the pentest
Objective: Inform customer about the vulnerabilities Advise customer to fix the root cause of a vulnerability For the time being, the vulnerability should be virtually patched by adding specific rules to the WAF Explain that the WAF can help to mitigate a vulnerability, but can not thoroughly fix it

31 WAFNinja

32 Overview CLI Tool written in Python Automates parts of the approach
Already used in several penetration tests Supports HTTPS connections GET and POST parameter Usage of cookies Usage of an intercepting browser

33 Fuzzing Sends different symbols and keywords Analyzes the response
Results are displayed in a clear and concise way Fuzzing strings can be extended with the insert-fuzz function shared within a team

34 Discussion & Questions
LinkedIn: Khalil Bijjou

Download ppt "Web Application Firewall Bypassing – an approach for pentesters"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,

HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,
 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
Department Of Computer Engineering

Department Of Computer Engineering
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.

©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.
IST 210 Web Application Security. IST 210 Introduction Security is a process of authenticating users and controlling what a user can see or do.

IST 210 Web Application Security. IST 210 Introduction Security is a process of authenticating users and controlling what a user can see or do.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google