[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Perspective
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org. OWASP Plan - Strawman. G. Geshev, Chapter Leader, [email protected], +359-884-237-207, 03.04.10
Transcript of [OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Perspective
- 1-3. OWASP Plan - Strawman. Can't get there from here? The web application firewall from an attacker's perspective. Georgi Geshev, OWASP Bulgaria Leader, [email protected], +359-884-237-207. Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
- 4-5. Agenda. Part 1: Introduction: why would you be interested in bypassing a WAF? Part 2: Real-World Stories: the ModSecurity SQL Injection Challenge.
- 6-10. Who's Who? Just in case you give a darn sh*t. About me: FOSS evangelist, Offsec enthusiast, Bug hunter, Internet troll.
- 11-15. Bypassing WAFs for fun and... Why would you hack around a WAF? Vulnerability assessment; penetration testing scenario; improving your own product; just for fun? ;)
- 16-21. What about the challenge? This is a SQL Injection and Filter Evasion Challenge: intentionally broken demo sites; attackers' traffic being passed through a WAF proxy; identify a SQL injection vector within the target site; find out if there's a way to hack around the WAF proxy.
- 22. What about the challenge? (cont.) Targets: IBM (AppScan), Cenzic (HailStorm), HP (WebInspect), Acunetix (Acunetix).
- 23-24. Challenge Scenario: Hacker -> ModSecurity Proxy -> Targets.
- 25-29. Objectives: successfully enumerate the following information: database username(s), database name(s), table name(s), column name(s).
- 30-33. What about the challenge? (cont.) Levels: there are two levels; we focus on the second one. Level 1: Speed Hacking. Level 2: Filter Evasion.
- 34. The Winners: Johannes Dahse, Vladimir Vorontsov, PT Research, Ahmad Maulana, Travis Lee, Roberto Salgado, SQLMap Developers, HackPlayers, Georgi Geshev.
- 35. What about the techniques?
  - Less known and version-specific features. Ex. MySQL comment extensions for conditional code execution.
  - Mixture of (unterminated) comments. Ex. double dash, C-style comments, etc.
  - Splitting the query across multiple locations. Ex. multiple GET/POST parameters.
  - Parameter pollution, a.k.a. HPP.
  - Less known attack vector locations. Ex. cookies, file names/contents, etc.
  - Mixture of space separators and CR/LFs. Ex. %09, %0a, %0b, %0c, %0d, %a0.
- 36. Examples (pt. 1) Injection Fragmentation: splitting up the SQLi payload so that no individual fragment triggers a filter; however, once the fragments are placed into the back-end SQL query, together they force the boolean logic of true/false.
- 37. Examples (pt. 2) HTTP Parameter Pollution: HPP lets an attacker leverage how ASP/ASP.NET-based applications treat multiple parameters with the same name, which is to concatenate the values into one, separated by commas.
- 38. Examples (pt. 3) Tricky Comments: the intruder was able to leverage some platform- and version-specific attack techniques, exploiting the way the back-end database handles/interprets different types of comments.
- 39. Examples (pt. 4) Unusual Locations: in this case, the evasion was possible due to the attack vector location, Request Cookie data.
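As an added illustration of the evasion classes on slides 35 to 39, written for this transcript and not taken from the talk or from the ModSecurity project: a toy Python rule engine that matches one hypothetical signature either against each raw parameter in isolation (the weak approach) or against the request normalised the way the back-end will parse it: separator bytes mapped to spaces, comments stripped (keeping the body of MySQL conditional comments), duplicate parameters joined with commas as ASP.NET does, and all values concatenated in request order so fragments are seen together. `SIGNATURE`, the view labels and the sample requests are constructed for this example and are not rules or traffic from the challenge.

```python
import re
from urllib.parse import unquote_to_bytes

# Separator bytes from the talk's list (%09 %0a %0b %0c %0d %a0) plus the plain space.
SEPARATORS = {0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0xA0, 0x20}

# Hypothetical detection rule (not a CRS rule): a boolean tautology such as
# "OR 1=1", or a UNION SELECT. Written with \s like many hand-rolled rules.
SIGNATURE = re.compile(r"\b(?:or|and)\s+(\w+)\s*=\s*\1\b|\bunion\s+select\b", re.I)


def split_params(raw):
    """Split a raw query string or Cookie header into (name, raw_value) pairs.
    Values stay percent-encoded so we can show what a rule sees before decoding."""
    pairs = []
    for part in re.split(r"[&;]\s*", raw):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value))
    return pairs


def normalize(raw_value):
    """Canonicalise one value the way the database parser will see it."""
    data = unquote_to_bytes(raw_value)
    data = bytes(0x20 if b in SEPARATORS else b for b in data)  # every separator -> space
    text = data.decode("latin-1")
    # MySQL executes the body of a /*!...*/ conditional comment, so keep the body ...
    text = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", text, flags=re.S)
    # ... while ordinary C-style comments and --/# line comments are dead text.
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(?:--|#)[^\n]*", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def naive_check(pairs):
    """The weak approach: match the rule against each raw value, in isolation."""
    return [name for name, value in pairs if SIGNATURE.search(value)]


def inspect_request(pairs):
    """Match the rule against the views the back-end may actually see.
    Returns labels of the views that fired; an empty list means nothing matched."""
    hits = []
    for name, value in pairs:                    # each value on its own
        if SIGNATURE.search(normalize(value)):
            hits.append("value:" + name)
    by_name = {}
    for name, value in pairs:                    # duplicates joined with "," (ASP.NET HPP, slide 37)
        by_name.setdefault(name, []).append(value)
    for name, values in by_name.items():
        if len(values) > 1 and SIGNATURE.search(normalize(",".join(values))):
            hits.append("hpp:" + name)
    whole = " ".join(value for _, value in pairs)  # all values in order (fragmentation, slide 36)
    if SIGNATURE.search(normalize(whole)):
        hits.append("request")
    return hits


# Constructed sample requests, one per evasion class named in the talk.
SAMPLES = {
    "clean":       "id=42&q=hello%20world",
    "separators":  "id=1%0b/**/OR%a01%3D1",                     # %0b, %a0 and an inline comment
    "conditional": "id=1%20/*!50000OR*/%201%3D1",               # MySQL conditional comment
    "fragmented":  "id=1'%20OR%20/*&name=*/%201%3D1%20--",      # split across two parameters
    "hpp":         "id=1'%20UNION%20/*&id=*/%20SELECT%201--",   # duplicate parameter names
    "cookie":      "session=abc; pref=1%20OR%201%3D1",          # Cookie header as the vector
}


def compare(sample_name):
    """Return (naive_hits, normalized_hits) for one constructed sample."""
    pairs = split_params(SAMPLES[sample_name])
    return naive_check(pairs), inspect_request(pairs)


if __name__ == "__main__":
    for name in SAMPLES:
        naive, normalized = compare(name)
        print(f"{name:12s} naive={naive!r:12s} normalized={normalized!r}")
```

Running it prints both results side by side: the clean request matches nowhere, and every other sample is missed by the raw per-value check but caught by at least one normalised view. ModSecurity expresses the same idea with per-rule transformation functions (for example t:urlDecodeUni, t:removeComments and t:compressWhitespace), which this toy only approximates; the point for a rule writer is that the separators and comment styles on slide 35 are a normalisation problem, not just a list of tricks.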
- 40. Statistics
  - Estimated number of participants: >650
  - Avg. number of requests to find an evasion: 433
  - Avg. duration (time to find an evasion): 72 hrs
  - Shortest number of requests to find an evasion: 118
  - Shortest duration (time to find an evasion): 10 hrs
- 41. Shout outs go to... All the OWASP enthusiasts around the globe, for being awesome. Ryan Barnett, for all the efforts. P. Serafimov, for kindly contributing to this talk ;)
- 42. References: OWASP ModSecurity Core Rule Set Project: http://goo.gl/H3f49; Challenge Announce: http://goo.gl/88EDL; Lessons Learned: http://goo.gl/gWLNP
- 43. Thanks for your time! P.S. Ping me for OWASP stickers.