SecureSphere Test Drive Lab Manual

SecureSphere Web Application Firewall Test Drive

The purpose of this Test Drive is to enable customers to rapidly evaluate SecureSphere Web Application Firewall (WAF) features. This Test Drive is focused on demonstrating how SecureSphere protects against advanced cyber threats such as SQL Injection and Zero-Day Attacks.

Protecting applications against SQL Injection and Zero-Day Attacks

SecureSphere WAF Test Drive 1

Contents

Preface ........ 2
Requirements ........ 2
Common Terms ........ 2
Introduction to SecureSphere WAF ........ 3
Key Capabilities ........ 3
Lab Objectives ........ 6
SecureSphere Test Drive Sign-up and Launch ........ 7
Sign-Up for the Test Drive ........ 7
Launch SecureSphere Test Drive ........ 8
Test Drive Environment ........ 16
Lab 1: Protect Against SQL Injection ........ 19
Overview ........ 19
Test Drive Lab Procedure ........ 20
Lab 1 Conclusion ........ 27
Create your Zero-Day attack ........ 28
Lab 2 Conclusion ........ 33
SecureSphere WAF Test Drive FAQ ........ 34
Copyright Notice ........ 35
Contacting Imperva ........ 36
Headquarters ........ 36

Preface
This Test Drive allows you to quickly and easily explore the benefits of using Imperva SecureSphere WAF to protect your applications. This lab was developed by Imperva and is provided free of charge for educational and demonstration purposes.

Requirements
• Internet Access
• Remote Desktop Protocol (RDP) client on your local machine
• Access to an email account to receive login credentials
• RDP port is open to Amazon.com to connect to the "Attacker's Workstation"
• For a better browser experience, you can (optionally) access the SecureSphere manager over TCP port 8083 (if open on your network)

Common Terms
The terms below are used throughout the document.

Term: Definition

Attacker's Workstation: A Windows machine that was set up for the purpose of sending attacks, as well as optionally accessing the SecureSphere GUI.

Web Application Firewall (WAF): A WAF stops attacks on HTTP servers, preventing a myriad of attacks that Next Gen Firewalls and IPS/IDS products cannot protect against.

SecureSphere: Imperva's comprehensive, integrated security platform that includes SecureSphere Web, Database and File Security.

SecureSphere Manager (MX): A web based GUI that unifies the administration, logging, and reporting of multiple SecureSphere gateways.

SecureSphere Gateway: Inspects and passes traffic to the destination web servers.

SQL Injection: A code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Introduction to SecureSphere WAF
Your website receives a continuous barrage of attacks. If hackers uncover a crack in your defenses, they can steal your application data, defraud your users, and take down your website. The SecureSphere WAF stops web attacks and prevents costly data breaches and downtime. Combining multiple defenses, SecureSphere accurately pinpoints and blocks attacks without blocking your customers. It offers drop-in deployment and automated management. Certified by ICSA Labs, SecureSphere satisfies PCI 6.6 compliance and provides ironclad protection against the OWASP Top Ten.

Key Capabilities

Block Attacks with Laser Precision
Security accuracy is job number one at Imperva. We know you're just as concerned about blocking legitimate users as you are about stopping attacks. With that in mind, we've developed Dynamic Profiling technology to automatically build a "whitelist" of acceptable user behavior. And we use Correlated Attack Validation to correlate Dynamic Profiling violations with other suspicious activity to correctly identify attacks without blocking your customers.

Leverage World-Renowned Application Security Research
To get ahead and stay ahead in the continuous fight against application attacks, you need your own security research organization. SecureSphere WAF customers get exactly that with regular signature and policy updates from our dedicated security research team, the Application Defense Center (ADC). ADC research yields the most up-to-date threat intelligence, and the most complete set of application signatures and policies in the industry.

Shut Down Malicious Sources and Bots
Can you distinguish between real customers, known attackers, or bots? Can you tell if website visitors are using anonymous proxies to cloak their identity? ThreatRadar Reputation Services detects these users with IP reputation feeds of malicious sources, anonymizing services, phishing URLs, and IP geolocation data. ThreatRadar delivers an up-to-date and automated defense against automated attacks and attack sources to help you maximize uptime and protect your sensitive data.

Stop Application DDoS and Business Logic Attacks
You can keep your customers happy and your reputation intact in spite of the growing threat of business logic attacks. Business logic attacks exploit the normal logic of your applications to post comment spam in forums and message boards, scrape web content, or disable access to your website. All of this can reduce your competitive edge, frustrate customers, and damage your reputation. SecureSphere mitigates these concerns by identifying bots, known attack sources, and attack behavior.

Instantly Patch Website Vulnerabilities
Application vulnerabilities can leave your company exposed to attack for weeks or months. SecureSphere integrates with application scanners for virtual patching, importing assessment results, and creating custom policies to remediate vulnerabilities. Compared to manually fixing website vulnerabilities, virtual patching reduces the window of exposure and costs.

Gain Forensics Insights with Customizable Reports
You can quickly analyze security threats and meet compliance requirements with graphical reports. SecureSphere provides both pre-defined and fully-customizable reports. Reports can be viewed on demand or emailed on a daily, weekly, or monthly basis. A real-time dashboard provides you with a high level view of system status and security events.

Speed up Deployment without Risk
Now you can protect your applications without impacting performance and without requiring extensive network changes. SecureSphere offers flexible inline, non-inline, and proxy deployment options that meet your organizations' diverse requirements. SecureSphere's unique, transparent bridge mode saves time and labor with drop-in deployment that requires no changes to existing applications or network devices. SecureSphere also delivers multi-Gigabit throughput while maintaining sub-millisecond latency.

Data Center Security Leader
We fill the gaps in traditional security by directly protecting high-value applications and data assets in physical and virtual data centers.

Lab Objectives
The objectives of these labs are to demonstrate the capability of SecureSphere to protect against SQL Injection and Zero-Day Attacks. Participants will understand:

• What type of damage a successful SQL Injection attack can cause
• The challenges of protecting against a Zero-Day attack
• How SecureSphere views the attacks
• How SecureSphere can protect against the attacks

Additionally, Test Drivers are welcome to browse the GUI, generate different types of attacks against the target server, or evaluate a feature.

SecureSphere Test Drive Sign-up and Launch

Sign-Up for the Test Drive
1. Go to Amazon's Security Test Drive page: http://aws.amazon.com/testdrive/security/
2. Click on the SecureSphere "Try it now free" button.
3. Complete the registration form
4. Click on Sign up
5. Click on Continue
6. Click on Test Drives

7. Click on the Enter button
8. You have the opportunity to watch our video, download the PDF Guide, and launch the Test Drive cloud. We recommend starting with the video, reviewing the Test Drive Lab Manual, and then launching the Test Drive.

Launch SecureSphere Test Drive
9. Click on the Launch Test Drive button
10. Wait for the launch to complete. Once it's completed, the progress bar will show 'In Progress'. Once you see 'In Progress' turn Green, you can proceed to the next step.
11. Check your email for the link to the Management Server (MX). Alternatively, you can copy & paste the link from the bottom right-hand quadrant of the Test Drive GUI, in the 'Environment' window. For example:

Your Email will look similar to the one below:

*Note: Please wait for ~5-8 minutes before accessing the URLs as some resources may take a few extra minutes to become available, depending on AWS resource availability.

The login instructions are presented at the bottom of the email. There, you will find your link to log in to the MX, and the IP address of the Attacker's Workstation.

Your URL to the MX will look similar to this: https://ec2-54-183-14-120.us-west-1.compute.amazonaws.com:8083

Hello Edgard,

Your SecureSphere Test Drive has been created and is ready for you to use. Please remember that after 3 hours the environment will no longer be available. The information you need to login and use your TestDrive is available below.

From your location, you will need access to the Amazon Cloud. At a minimum, RDP protocol and (optionally) TCP Port 8083 must be allowed outbound to AWS.

You can use Remote Desktop client to RDP to the IP address of Windows Attacker Machine, and login using the credentials below. You can access the SecureSphere Manager (MX) using a web browser on port 8083 (like HTTPS://ip_address:8083). If you don't have access to port 8083, the Windows Attacker Machine is able to login to the MX.

Login for Windows Machine: User: TestDrive Password: Imperva1

Login for SecureSphere Manager: User: admin Password: aws_is_cool1

Your IP address is below:

The Imperva Management Server IP and Username: admin and password aws_is_cool1: https://ec2-54-183-14-120.us-west-1.compute.amazonaws.com:8083

You can RDP to the IP address of Windows Attacker Machine using Username: TestDrive and Password Imperva1. The IP Address is: 54.183.118.43

Use the Windows Attacker machine to attack this URL of the Web-Server: http://OrbiteraT-elbExter-15HHA3RDXNMCI-1823771081.us-west-1.elb.amazonaws.com

TIP: If you are unable to access the link provided in the email, proceed to Step 16 (accessing the Attacker’s Workstation using RDP), then return to this step after you’ve accessed the desktop of the Attacker’s Workstation. The Attacker’s Workstation can access the MX GUI, so accessing it directly is optional, but preferred.

Alternatively, once the Test Drive has finished launching you can obtain the necessary login information from the 'Environment' window.

12. Accept the untrusted HTTPS connection using your browser's standard process. (We do not generate trusted certificates for Test Drives since they are only live for a few hours):

13. Log in to the GUI using the username and password provided in the email or in the Environment window of the Test Drive signup portal.

14. You may have to wait a few minutes for the server to complete its initial load:

15. You are now in the SecureSphere GUI. If you are unable to connect, you might have a blocked port. If you suspect your port is blocked, you can test it here: http://portquiz.net:8083/

If you are unable to access a web page at that address, ask your system administrator to open outbound TCP port 8083. You will also want to check your local firewall to make sure it's not blocked on your workstation.

You can proceed to the next step, and access the Management Server (MX) from the Attacker's Workstation.

16. From your local workstation, access the Attacker's Workstation using Remote Desktop Protocol (RDP). In Windows, you can accomplish this by going to the command prompt, typing mstsc, and pressing enter.

17. Enter the IP address of the Attacker's Workstation that was provided in your email, or from the OUTPUT window of the Test Drive signup portal.

18. Once prompted, enter your credentials to access the Attacker's Workstation.

19. Click YES to accept the RDP session certificate.

20. You are now connected to the Attacker's Workstation. From this workstation, you can access the SecureSphere Management Server (MX) and generate attacks to the demo web server (SuperVeda).

Test Drive Environment

[Figure: Test Drive Environment diagram. Recovered labels: 1 SecureSphere Admin; Web GUI (Manage); 2 SecureSphere MX; 3 SecureSphere Gateways; HTTP; SuperVeda Webserver; 4 Attacker; RDP; Web GUI (Alternate).]

1 SecureSphere Admin: This is your role, the person that uses a web browser to connect to the MX, using HTTPS on port 8083. You will also use Remote Desktop from your machine to the Windows machine we've created for you in AWS to attack SuperVeda. The same machine can act as both SecureSphere Admin and Attacker, in case your browser cannot access port 8083 to the MX.

2 SecureSphere MX: The MX controls the security policies, profiles, configurations, alerts, and other functionality. The MX pushes the appropriate configuration to the Gateways after each change.

3 SecureSphere Gateways: The Gateways provide proxy functionality for the traffic. Only traffic that's load balanced (in this case HTTP/HTTPS) is passed on to the web server; all other traffic is dropped. After inspecting the HTTP traffic against the policies and inspection engines, the traffic is proxied to the SuperVeda web server.

4 Attacker's Workstation: This is the Windows machine that you are RDP'd to, and can also access the MX.

5 SuperVeda: The vulnerable target that we will be attacking, then subsequently protecting.

Within AWS, we've created all of the necessary components to provide enough infrastructure to complete this Test Drive. This is not necessarily the way Imperva recommends deployment of SecureSphere; this design is solely for the purpose of this Test Drive. The AWS Architecture is represented below:

SuperVeda
For the purposes of this Test Drive, we will be using a website that's been created specifically to demonstrate vulnerabilities in web applications. The vulnerable website is for a phony online store we've developed, called SuperVeda. We will be generating attacks against the SuperVeda website within your own AWS private cloud. No attacks will leave AWS or affect any real company, as long as these instructions are followed and all attacks are targeting the SuperVeda application. In this regard, it's very important to double check your work to ensure you're not accidentally attacking the wrong targets. The testing site SuperVeda is open to many types of attacks; feel free to send a few if you know some off the top of your head.

Lab 1: Protect Against SQL Injection

Overview
In this lab, we will send a SQL Injection attack against the target web server, view stolen data, and then enable protection against SQL Injection attacks. In order to demonstrate the damage that a SQL Injection attack can do, we will turn off SecureSphere's 'Block Mode' so the attack can pass to the web server. At a high level, we will follow this process:

1. Ensure the security is disabled
2. Generate SQL Injection attacks
3. View the alerts
4. Turn on Blocking Mode to stop the attacks
5. View the results
6. Summary

Test Drive Lab Procedure

Disable the security
1. First, make sure you're logged into the Manager GUI and the Attacker's Workstation, as described in the previous section.
2. Make sure that the security is disabled so you can experience the results of a successful attack. In the GUI, we will set the system to 'Simulation Mode', as shown below:
   1. Click on Main
   2. Click on Setup
   3. Click on Web-Server Group within the left pane
   4. Click on Simulation within the right pane
   5. Click on Save

Generate SQL Injection Attacks
3. Open a web browser and navigate to the SuperVeda Website (the web server) from the Attacker's Workstation. As you can see below, we have an open RDP Session to the Attacker's Workstation with an open web-browser, using the URL that we received in the email.

4. At the end of the URL, paste this SQL Injection code and GO:

/showproducts.jsp?CatID=1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users

So, your URL might look like this (with your IP instead of this sample):

http://OrbiteraT-elbExter-15KRX3MQUMOFB-2144608398.us-west-1.elb.amazonaws.com/showproducts.jsp?CatID=1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users

The result is a web page that shows the usernames of the people that have registered, as shown below.

5. Since usernames have limited value, we can modify the string to steal passwords, as well as credit card information. To do this, simply change the field you want to steal from the table, as shown below:

To steal passwords: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,Password,1,1,'1','1','1' FROM users

To steal Credit Cards: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,CCNumber,1,1,'1','1','1' FROM users

Successfully attacking the server and stealing the credit cards results in a web-page with the credit card numbers listed before the products:

View the Alerts
6. In the SecureSphere GUI, take a moment to view the Alerts generated by the attacks you've generated.
   1. Click on Monitor on the top menu
   2. Click on Alerts on the sub-menu
   3. Click on an Alert within the center pane that was generated during your session
   4. Click on the + sign within the right pane to view the details of the Alerts
   5. Return to step 3

7. Notice that there are several types of Alerts generated during your attack.

Protect Against SQL Injection
Now, it's time to protect the SuperVeda web server against attack. To do this, we will reverse what we did in our 1st step, which was to move to 'Simulation Mode'. Now, we will move to 'Active Mode' where attacks will be blocked instead of solely alerted upon.

8. To move SecureSphere into Blocking Mode, follow the steps below:
   1. Click on Setup
   2. Click on Web-Server Group within the left pane
   3. Click on Active for the Mode selection within the right pane
   4. Click on Save

9. Open the browser to the SuperVeda web server and generate some attacks again, as you did in previous steps. Try to steal usernames, passwords, and credit cards.

You should receive a Block page which looks like this:

To steal usernames: /showproducts.jsp?CatID=1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users
To steal passwords: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,Password,1,1,'1','1','1' FROM users
To steal credit cards: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,CCNumber,1,1,'1','1','1' FROM users

10. Check the Alert in the SecureSphere console, as previously described.
   1. Click on Monitor on the top menu
   2. Click on Alerts on the sub-menu
   3. Click on an Alert within the center pane that was generated during your session; it will have the Block symbol in the 2nd column.
   4. Click on the + sign within the right pane to view the details of the Alerts.
   5. Return to step 3 and view additional Alerts

Lab 1 Conclusion
In this lab, you were able to experience first-hand how a SQL injection attack can easily steal critical information from unprotected web applications. Attackers exploit applications with the goal of stealing sensitive data directly from the data center. By constructing a simple text string, we're able to quickly bypass common firewalls and steal usernames, passwords, and credit cards.

Next generation firewalls and intrusion prevention systems (IPS) are not equipped to stop application attacks because they do not provide the accuracy, the granularity, or the breadth of protection to thwart Web-based threats. While these solutions protect networks and users, they are ill-equipped to stop attacks that target customers' own websites. While next gen firewalls are "application aware", meaning that they can prevent users from visiting phishing sites or tunneling applications in HTTP, they are not designed from the ground up to protect Web applications. As a result, they leave holes in their application defenses, defenses that are only addressed by dedicated WAFs.

Once Block Mode was initiated in SecureSphere, we were able to stop the attacks across the entire website. Because web application firewalls build a baseline of expected input, they can accurately stop attacks like SQL injection and cross-site scripting. By profiling Web application behavior, for instance, a web application firewall can determine which users should not add brackets, braces, and semi-colons into a zip code field on a registration page, but can enter these same characters into a comment field. Validating input provides the context needed to differentiate between attacks and legitimate requests.
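The application-side flaw this lab exploits, rebuilt as an added example (not Imperva's code and not SuperVeda's source): an in-memory SQLite database with constructed sample rows, a lookup that concatenates the CatID parameter into the SQL text the way showproducts.jsp evidently does, and the parameterized form that turns the same input into an error instead of a data leak. Only the column names the lab uses (CatID, Username, Password, CCNumber) come from the manual; the other table and column names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for SuperVeda's tables. Only the column
# names CatID, Username, Password and CCNumber come from the lab manual;
# everything else here is an assumption made for this example.
SAMPLE_USERS = [("alice", "s3cret", "4111111111111111"),
                ("bob", "hunter2", "5500000000000004")]
SAMPLE_PRODUCTS = [(1, "Widget", 10, 1, "blue", "small", "in stock"),
                   (2, "Gadget", 25, 1, "red", "large", "in stock")]

# The lab's injection string, with the spaces the PDF extraction dropped.
LAB_PAYLOAD = "1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users"


def build_db():
    """In-memory database. The products table has seven columns because the
    UNION in the lab payload supplies seven values; a UNION only works when the
    column counts match, which is why the payload is padded with 1s and '1's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Password TEXT, CCNumber TEXT)")
    conn.execute("CREATE TABLE products (CatID INTEGER, Name TEXT, Price INTEGER, "
                 "Qty INTEGER, Color TEXT, Size TEXT, Status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?,?,?)", SAMPLE_PRODUCTS)
    return conn


def show_products_vulnerable(conn, cat_id):
    """The flaw: the request parameter becomes part of the SQL statement,
    so a value that contains SQL is executed as SQL."""
    sql = "SELECT * FROM products WHERE CatID=" + cat_id
    return conn.execute(sql).fetchall()


def show_products_safe(conn, cat_id):
    """Hardened form: validate the type first, then bind the value.
    A bound parameter is only ever data and is never parsed as SQL."""
    if not cat_id.isdigit():
        raise ValueError("CatID must be a non-negative integer")
    return conn.execute("SELECT * FROM products WHERE CatID=?", (int(cat_id),)).fetchall()


def leaked_usernames(rows):
    """Pick out user records that surfaced inside a product listing."""
    known = {u[0] for u in SAMPLE_USERS}
    return sorted(r[1] for r in rows if r[1] in known)


def demo():
    conn = build_db()
    vuln_rows = show_products_vulnerable(conn, LAB_PAYLOAD)   # usernames appear among the products
    try:
        show_products_safe(conn, LAB_PAYLOAD)
        safe_outcome = "executed"
    except ValueError:
        safe_outcome = "rejected"                             # never reaches the database
    return {"vulnerable_leaks": leaked_usernames(vuln_rows), "safe_outcome": safe_outcome}


if __name__ == "__main__":
    print(demo())
```

Swapping Username for Password or CCNumber in LAB_PAYLOAD reproduces steps 5 and 9 against the sample table; the parameterized version rejects all three identically, which is the point: the fix is in how the query is built, not in which column is requested.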


Lab 2: Protect against a Zero-Day attack using the Profile

Overview
In this lab, we will create our own Zero-Day attack, and attempt to send it to the SuperVeda web server. We will demonstrate how SecureSphere allows legitimate traffic through, while blocking attempts to hack the application.

• Create a Zero-Day attack
• Send zero-Day attack to SuperVeda
• View Alert
• View Profile

Create your Zero-Day attack
Most attacks follow a structure of some sort. For the purpose of testing in the lab, we don't actually need the Zero-Day to work; we just need to create something that's never been 'in the wild' before. This technique ensures that it will bypass most signature based detection methods.

First, we will choose the structure we want to use, which includes the injection, the payload, and the padding. Next, we will inject that attack into a page parameter.

For this exercise, use a text editor on your local machine or on the Attacker's Workstation to craft the attack.

Normal usage of an HTTP parameter is usually in the format of name=data. Take for example an online store that sells books: it might use an HTTP parameter that looks like:

BookName=Security Handbook 2014

Or

Author=Dr. Seuss

SecureSphere studies and records good transactions, adding them to the application's "Profile". By blocking on Profile Violations, the WAF will pass legitimate requests to the SuperVeda web server, while bad requests are blocked. SecureSphere doesn't have to rely on signatures for attacks, as they are not a reliable protection against zero-Day attacks.

We will follow this process to create our Zero-Day attack:

• Choose your attack format
• Choose your Injection
• Create the Payload
• Create the Padding
• Assemble the attack

The Injection is used to break the code and 'open the door' to our Payload. The Payload will contain the destructive code we want to execute. The Padding is used to evade IDS/IPS, or push the code into the correct position to execute properly. Then, we add the Zero-Day attack to a Parameter, so it might look like:

BookName=Zero-Day Attack

Since Parameters could use a variety of characters, IDS/IPS and Next Gen Firewalls cannot protect against this type of attack.

1. Choose which format you want to use for your Zero-Day attack:
   Format 1: Injection, Payload, Padding
   Format 2: Padding, Injection, Payload
   Format 3: Injection, Padding, Payload
   Format 4: Injection, Payload

2. Choose your Injection

Choose from one of the following example injections:

Choice  Injection  Potential Purpose
1       ‘)         Breaks web server code and starts a SQL statement
2       &&         Makes an AND list
3       >`/.       Output Redirection
4       <script>   Starts a script
5       ||         Makes an OR list

3. Create the Payload

To create your payload, choose 2-3 random words and put them together. This will simulate some unforeseen, unknown attack. Some examples are below, but feel free to create your own Payload.

Example  Payload          Potential Purpose
1        quickbrownfox    Disables keyboard
2        boomboom         Shuts down server
3        Gimmedata        Steals the database
4        Executecommand   Runs the command to get a list of processes
5        PingImperva.com  Tries to ping Imperva.com

4. Create the Padding

To create Padding, choose any character, and repeat it several times. Three example Paddings could be:

000
WWWWWWWW
%%%%%%

5. Assemble the Attack

Assemble the attack by referring to the attack format you chose in step 1. For example, if I chose Format 1, Injection 2, quickbrownfox, and 'WWWWW' as Padding, my Zero-Day attack would look like this:

The result would look like this: &&quickbrownfox%%%%%%

Injection: &&
Payload: quickbrownfox
Padding: %%%%%%

6. Click on 'Create an Account' within the SuperVeda website. Then, copy & paste the attack into the 'First Name' field.

7. You should receive a Block Page, such as this, which shows that the WAF blocked your Zero-Day attack:

8. In the SecureSphere GUI, take a look at the Alerts that were generated from your attack, even though no signature could have detected it.
   1. Click on Monitor on the top menu
   2. Click on Alerts on the sub-menu
   3. View the most recent Alert, located at the top of the center pane. They will have the Block symbol in the 2nd column.
   4. Click on the + sign within the right pane to view the details of the Alerts.
   5. Return to step 3 and view additional Alerts

Lab 2 Conclusion
Despite the best efforts of application developers and IT security teams, most applications have vulnerabilities. In this lab, you were able to create an attack that had never been performed, send it to a web server, and observe the WAF protecting the application from attack. Next-generation firewalls and IDS/IPS solutions lack the capability to enforce good behavior because they rely on signatures of known attacks to protect servers. Zero-day attacks, APTs, and targeted malware easily bypass those solutions, leaving applications open to attack.

Through defenses such as patented Dynamic Profiling technology, SQL injection and XSS correlation engines, and detection of HTTP protocol violations, SecureSphere identifies zero-day attempts to exploit web application vulnerabilities. In addition, once a new vulnerability is published, the Imperva Application Defense Center (ADC) quickly develops a signature or a set of policies to virtually patch the vulnerability. Through automatic security updates, all SecureSphere appliances receive the latest security content and are protected against newly published vulnerabilities. Using SecureSphere, an organization can ensure their web servers are protected against attacks, even before the attack is conceived, developed, and executed.


SecureSphere WAF Test Drive FAQ

Q: If I don't have RDP access from my network, how can I try a Test Drive?

A: You can launch a free Windows workstation with your own AWS account. Alternatively, you can try the Test Drive from a different internet connection if you aren't able to access RDP. Also, check your local firewall to make sure you're allowed to use RDP Protocol.

Q: If I didn't finish the Test Drive, can I try it again?

A: Yes, you can try a Test Drive up to 3 times.

Q: If I don't have port 8083 open from my network, can I access the Manager (MX)?

A: Yes, you can use the Attacker's Workstation to access the MX.

Q: Where can I learn more?

A: For the latest research and thought leadership, visit the White Papers & eBooks page on Imperva.com.

Copyright Notice

© 2014 Imperva, Inc. All Rights Reserved. Follow this link to see the SecureSphere copyright notices and certain open source license terms: https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/SecureSphere-License-and-Copyright-Information. This document is for informational purposes only. Imperva, Inc. makes no warranties, expressed or implied.

No part of this document may be used, disclosed, reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Imperva, Inc. To obtain this permission, write to the attention of the Imperva Legal Department at: 3400 Bridge Parkway, Suite 200, Redwood Shores, CA 94065.

Information in this document is subject to change without notice and does not represent a commitment on the part of Imperva, Inc. The software described in this document is furnished under a license agreement. The software may be used only in accordance with the terms of this agreement. This document contains proprietary and confidential information of Imperva, Inc. This document is solely for the use of authorized Imperva customers. The information furnished in this document is believed to be accurate and reliable. However, no responsibility is assumed by Imperva, Inc. for the use of this material.

TRADEMARK ATTRIBUTIONS
Imperva and SecureSphere are trademarks of Imperva, Inc. All other brand and product names are trademarks or registered trademarks of their respective owners.

PATENT INFORMATION
The software described by this document is covered by one or more of the following patents: US Patent Nos. 7,752,662, 7,743,420, 7,640,235, 8,024,804, 8,051,484, 8,056,141, 8,135,498 and 8,181,246.

Imperva Inc.
3400 Bridge Parkway, Suite 200
Redwood Shores, CA 94065
United States
Tel: +1 (650) 345-9000
Fax: +1 (650) 345-9004
Website: http://www.imperva.com

General Information: [email protected]

Sales: [email protected]

Professional Services: [email protected]

Contacting Imperva

Headquarters

3400 Bridge Parkway, Suite 200 Redwood Shores, CA 94065 United States

Tel: +1 (650) 345-9000 Fax: +1 (650) 345-9004

General Information: [email protected]

Sales: [email protected]

Professional Services: [email protected]

Technical Support: [email protected]

Partners: [email protected]

Media Relations: [email protected]

Investor Relations: [email protected]

Imperva Sales: (866) 926-4678 (US Only)

Technical Support: (877) 467-3780 or (650) 345-9000, option 2.

For questions relating to the Test Drive, contact [email protected]