SlideShare una empresa de Scribd logo

Web Application Firewalls Detection, Bypassing And Exploitation

Sandro Gauci
Sandro Gauci

A presentation and demonstration of issues that apply to Web application firewalls. Talks about how easy it is to fingerprint some web application firewalls, how bypassing them is possible. Finally it talks about how they can be used against your organization if they get compromised.

Tecnología
1 de 31
Descargar para leer sin conexión
Web Application Firewalls: Detection, Bypassing and Exploitation Sandro Gauci and Wendel Guglielmetti Henrique EnableSecurity and Trustwave sandro@enablesecurity.com OWASP December 2nd, 2009 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Friday, 4 December 2009
$ whois WendelGH PT Consultant at Trustwave's SpiderLabs Over 7 years in the security industry Vulnerability discovery Webmails, AP, Citrix, etc Spoke in YSTS 2.0, Defcon 16, H2HC and others Affiliated to Hackaholic team OWASP 2 Friday, 4 December 2009
$ whois SandroGauci Founder and CSO EnableSecurity From .mt Security software VOIPPACK (CANVAS addon) Surfjack - insecure cookies SIPVicious Security research papers Been around for > 9 years OWASP 3 Friday, 4 December 2009
Introduction WAF - Web Application Firewall next generation protection what can we do? can be identified, detected bypassing the rules exploit WAFs OWASP 4 Friday, 4 December 2009
What is WAF? Attack signatures or abnormal behavior based WAFs products: software or hardware appliance. Flavors: a reverse proxy embedded connected in a switch (SPAN or RAP) WAF products detect both inbound Some also detect outbound attacks OWASP 5 Friday, 4 December 2009
Who uses WAFs? Many banks around the world Companies which need high protection Many companies in compliance with PCI DSS (Payment Card Industry - Data Security Standard) OWASP 6 Friday, 4 December 2009
Operation Modes Negative model (blacklist based) Positive model (whitelist based) Mixed / Hybrid OWASP 7 Friday, 4 December 2009
The negative model Relies on a database of known attacks Eg. XSS strings like <script>, </script>, String.fromCharCode, etc. Often regular expressions OWASP 8 Friday, 4 December 2009
Whitelist model Whitelist based Learning mode to create a security policy of known “good” HTTP traffic Known as dynamic profiling technology by some Example: Page news.jsp, the field "id" only accept numbers [0-9] and starting at 0 until 65535 news.jsp?id=-1 would not be allowed OWASP 9 Friday, 4 December 2009
Common Weaknesses Design issues WAFs have to be similar to the web apps and http servers that they need to protect Blacklists are by design “flawed” Bad implementation Parsing issues Again - a WAF needs to do a lot of things that the web app and http server does ergo they can have similar security flaws! OWASP 10 Friday, 4 December 2009
Detection A number of products can be detected sometimes by design Detection is not a big deal but ... sometimes we’re told that WAFs are ‘invisible’ the better you know your enemy (or client), the better helps in a penetration test or targeted attack shows that stealth attacks are possible OWASP 11 Friday, 4 December 2009
Detection Cookies Reason: some WAFs are also load balancers Headers Header rewriting Most obvious would be "Server" Sometimes is a feature called “server cloaking” “Connection” header might be changed to Cneonction or nnCoection Response codes 404 error codes for existent scripts and 403 for non existent ones OWASP 12 Friday, 4 December 2009
Detection via response codes 404 error codes for existent scripts Different error codes (404, 400, 401, 403, 501, etc) for hostile parameters (even non existent ones) in valid pages. OWASP 13 Friday, 4 December 2009
Friday, 4 December 2009
Friday, 4 December 2009
Automating WAF detection WAFW00F Detect 20 different WAF products  the number keeps changing thanks to contributions :-) Options to detect multiple WAFs in place Generic detection methods included! Get your copy waffit.googlecode.com Please contribute OWASP 16 Friday, 4 December 2009
Friday, 4 December 2009
Bypassing a WAF Fingerprint the rules Detect allowed / denied strings Combinations of allowed or denied strings Modify your attack to not match the blacklist OWASP 18 Friday, 4 December 2009
More on bypassing WAFs Encoding and language support, character sets Spaces, comments, case sensitive mutation, Unicode (%uc0af and %c0%af), etc The web server may parse, decode and interpret and HTTP request differently from the WAF HTML and JS is very flexible Various methods to split and encode your strings OWASP 19 Friday, 4 December 2009
Bypassing rules “Our Favorite XSS Filters and how to Attack Them” by Eduardo Vela & David Lindsay Bypass the rules by splitting the attack (eval('al'%2b'lert(0)') “Shocking News in PHP Exploitation” by Stefan Esser Using “malformed” multipart/form-data to bypass most Modsecurity rules F5 BIG-IP ASM could be bypassed by sending it multipart/form-data that was interpreted differently by PHP than ASM OWASP 20 Friday, 4 December 2009
OWASP 21 Friday, 4 December 2009
The positive model It’s well known that the negative model is broken What about positive model? They are really secure? If we find a positive model should we give up? OWASP 22 Friday, 4 December 2009
Friday, 4 December 2009
Testing WAFs for bypasses is a tedious job Which is why we automate it :-) WAFFUN - works in progress Checks if the script echos back (esp in the case of xss) Can check if error suppression is supported Finds out how the WAF responds when a it reacts to an attack Goes through a list of well known blacklisted strings If any were blocked, it tries different encoding methods, null characters, unicode OWASP 24 Friday, 4 December 2009
Friday, 4 December 2009
WAFFUN: XSS constructor Tries a number of tags to find out which are allowed through Tries a number of DHTML event handlers Tries a number of Javascript methods OWASP 26 Friday, 4 December 2009
OWASP 27 Friday, 4 December 2009
WAFs may be vulnerable too! Security software is not necessarily secure Web Application specific issues: XSS, SQLi Overflows DoS OWASP 28 Friday, 4 December 2009
Known issues ModSecurity 2.5.9 addresses 2 vulnerabilities  "Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process."  "Fixed parsing multipart content with a missing part header name which would crash Apache." Profense 2.6.3 Profense Web Application Firewall Cross-Site Scripting and Cross-Site Request Forgery DotDefender 3.8-5 (this week) Command Execution in dotDefender Site Management  (requires authentication)  seems like it is vulnerable to XSRF OWASP 29 Friday, 4 December 2009
Friday, 4 December 2009
Thank you Do you have ideas / resources to improve our tools? wsguglielmetti [em] gmail [ponto] com sandro [em] enablesecurity [ponto] com Questions? OWASP 31 Friday, 4 December 2009

Recomendados

CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
Zero Science Lab
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do s
E Hacking
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
CloudFlare vs Incapsula vs ModSecurity
CloudFlare vs Incapsula vs ModSecurityCloudFlare vs Incapsula vs ModSecurity
CloudFlare vs Incapsula vs ModSecurity
Zero Science Lab
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
Обход файрволов веб-приложений
Обход файрволов веб-приложенийОбход файрволов веб-приложений
Обход файрволов веб-приложений
Positive Hack Days
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
 

Recomendados

CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
Zero Science Lab
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do s
E Hacking
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
CloudFlare vs Incapsula vs ModSecurity
CloudFlare vs Incapsula vs ModSecurityCloudFlare vs Incapsula vs ModSecurity
CloudFlare vs Incapsula vs ModSecurity
Zero Science Lab
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
Обход файрволов веб-приложений
Обход файрволов веб-приложенийОбход файрволов веб-приложений
Обход файрволов веб-приложений
Positive Hack Days
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
Soham Kansodaria
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
Abhishek Singh
 
WAFEC
WAFECWAFEC
WAFEC
Conferencias FIST
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 
Naxsi, an open source WAF for Nginx
Naxsi, an open source WAF for NginxNaxsi, an open source WAF for Nginx
Naxsi, an open source WAF for Nginx
Positive Hack Days
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
OWASP
 
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
Noppadol Songsakaew
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
Joe McCray
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
alessiomarziali
 
Csrf protector
Csrf protectorCsrf protector
Csrf protector
Minhaz A V
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
Abhishek Singh
 
OWASP CSRF Protector
OWASP CSRF ProtectorOWASP CSRF Protector
OWASP CSRF Protector
Minhaz A V
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
amiable_indian
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
Lukas Weichselbaum
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
Port80 Software
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 

Más contenido relacionado

La actualidad más candente

Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
Abhishek Singh
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum
 
Naxsi, an open source WAF for Nginx
Naxsi, an open source WAF for NginxNaxsi, an open source WAF for Nginx
Naxsi, an open source WAF for Nginx
Positive Hack Days
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
OWASP
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
Abhishek Singh
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 

La actualidad más candente (20)

DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
 
WAFEC
WAFECWAFEC
WAFEC
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
Naxsi, an open source WAF for Nginx
Naxsi, an open source WAF for NginxNaxsi, an open source WAF for Nginx
Naxsi, an open source WAF for Nginx
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Csrf protector
Csrf protectorCsrf protector
Csrf protector
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
 
OWASP CSRF Protector
OWASP CSRF ProtectorOWASP CSRF Protector
OWASP CSRF Protector
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 

Destacado

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
Rich Helton
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Lionel Briand
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
Ronan Dunne, CEH, SSCP
 

Destacado (20)

Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
External XML Entities
External XML EntitiesExternal XML Entities
External XML Entities
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4
 
Apache安装配置mod security
Apache安装配置mod securityApache安装配置mod security
Apache安装配置mod security
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web Vulnerability
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 

Similar a Web Application Firewalls Detection, Bypassing And Exploitation

OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
SecurityTube.Net
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
SecurityTube.Net
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Christian Frichot
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
DefCamp
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Sherif Koussa
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 

Similar a Web Application Firewalls Detection, Bypassing And Exploitation (20)

Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh Smith
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo Meucci
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf
 
WordCamp Miami 2016 SiteLock Presentation
WordCamp Miami 2016 SiteLock PresentationWordCamp Miami 2016 SiteLock Presentation
WordCamp Miami 2016 SiteLock Presentation
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 

Más de Sandro Gauci

The various ways your RTC may be crushed
The various ways your RTC may be crushedThe various ways your RTC may be crushed
The various ways your RTC may be crushed
Sandro Gauci
 

Más de Sandro Gauci (9)

CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
 
TADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downTADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform down
 
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciThe OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
 
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo serverTools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
 
Bounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionBounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC edition
 
The various ways your RTC may be crushed
The various ways your RTC may be crushedThe various ways your RTC may be crushed
The various ways your RTC may be crushed
 
A tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approachesA tale of two RTC fuzzing approaches
A tale of two RTC fuzzing approaches
 
Scanning The Intertubes For Voip
Scanning The Intertubes For VoipScanning The Intertubes For Voip
Scanning The Intertubes For Voip
 
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Web Application Firewalls Detection, Bypassing And Exploitation

  • 1. Web Application Firewalls: Detection, Bypassing and Exploitation Sandro Gauci and Wendel Guglielmetti Henrique EnableSecurity and Trustwave sandro@enablesecurity.com OWASP December 2nd, 2009 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Friday, 4 December 2009
  • 2. $ whois WendelGH PT Consultant at Trustwave's SpiderLabs Over 7 years in the security industry Vulnerability discovery Webmails, AP, Citrix, etc Spoke in YSTS 2.0, Defcon 16, H2HC and others Affiliated to Hackaholic team OWASP 2 Friday, 4 December 2009
  • 3. $ whois SandroGauci Founder and CSO EnableSecurity From .mt Security software VOIPPACK (CANVAS addon) Surfjack - insecure cookies SIPVicious Security research papers Been around for > 9 years OWASP 3 Friday, 4 December 2009
  • 4. Introduction WAF - Web Application Firewall next generation protection what can we do? can be identified, detected bypassing the rules exploit WAFs OWASP 4 Friday, 4 December 2009
  • 5. What is WAF? Attack signatures or abnormal behavior based WAFs products: software or hardware appliance. Flavors: a reverse proxy embedded connected in a switch (SPAN or RAP) WAF products detect both inbound Some also detect outbound attacks OWASP 5 Friday, 4 December 2009
  • 6. Who uses WAFs? Many banks around the world Companies which need high protection Many companies in compliance with PCI DSS (Payment Card Industry - Data Security Standard) OWASP 6 Friday, 4 December 2009
  • 7. Operation Modes Negative model (blacklist based) Positive model (whitelist based) Mixed / Hybrid OWASP 7 Friday, 4 December 2009
  • 8. The negative model Relies on a database of known attacks Eg. XSS strings like <script>, </script>, String.fromCharCode, etc. Often regular expressions OWASP 8 Friday, 4 December 2009
  • 9. Whitelist model Whitelist based Learning mode to create a security policy of known “good” HTTP traffic Known as dynamic profiling technology by some Example: Page news.jsp, the field "id" only accept numbers [0-9] and starting at 0 until 65535 news.jsp?id=-1 would not be allowed OWASP 9 Friday, 4 December 2009
  • 10. Common Weaknesses Design issues WAFs have to be similar to the web apps and http servers that they need to protect Blacklists are by design “flawed” Bad implementation Parsing issues Again - a WAF needs to do a lot of things that the web app and http server does ergo they can have similar security flaws! OWASP 10 Friday, 4 December 2009
  • 11. Detection A number of products can be detected sometimes by design Detection is not a big deal but ... sometimes we’re told that WAFs are ‘invisible’ the better you know your enemy (or client), the better helps in a penetration test or targeted attack shows that stealth attacks are possible OWASP 11 Friday, 4 December 2009
  • 12. Detection Cookies Reason: some WAFs are also load balancers Headers Header rewriting Most obvious would be "Server" Sometimes is a feature called “server cloaking” “Connection” header might be changed to Cneonction or nnCoection Response codes 404 error codes for existent scripts and 403 for non existent ones OWASP 12 Friday, 4 December 2009
  • 13. Detection via response codes 404 error codes for existent scripts Different error codes (404, 400, 401, 403, 501, etc) for hostile parameters (even non existent ones) in valid pages. OWASP 13 Friday, 4 December 2009
  • 16. Automating WAF detection WAFW00F Detect 20 different WAF products  the number keeps changing thanks to contributions :-) Options to detect multiple WAFs in place Generic detection methods included! Get your copy waffit.googlecode.com Please contribute OWASP 16 Friday, 4 December 2009
  • 18. Bypassing a WAF Fingerprint the rules Detect allowed / denied strings Combinations of allowed or denied strings Modify your attack to not match the blacklist OWASP 18 Friday, 4 December 2009
  • 19. More on bypassing WAFs Encoding and language support, character sets Spaces, comments, case sensitive mutation, Unicode (%uc0af and %c0%af), etc The web server may parse, decode and interpret and HTTP request differently from the WAF HTML and JS is very flexible Various methods to split and encode your strings OWASP 19 Friday, 4 December 2009
  • 20. Bypassing rules “Our Favorite XSS Filters and how to Attack Them” by Eduardo Vela & David Lindsay Bypass the rules by splitting the attack (eval('al'%2b'lert(0)') “Shocking News in PHP Exploitation” by Stefan Esser Using “malformed” multipart/form-data to bypass most Modsecurity rules F5 BIG-IP ASM could be bypassed by sending it multipart/form-data that was interpreted differently by PHP than ASM OWASP 20 Friday, 4 December 2009
  • 21. OWASP 21 Friday, 4 December 2009
  • 22. The positive model It’s well known that the negative model is broken What about positive model? They are really secure? If we find a positive model should we give up? OWASP 22 Friday, 4 December 2009
  • 24. Testing WAFs for bypasses is a tedious job Which is why we automate it :-) WAFFUN - works in progress Checks if the script echos back (esp in the case of xss) Can check if error suppression is supported Finds out how the WAF responds when a it reacts to an attack Goes through a list of well known blacklisted strings If any were blocked, it tries different encoding methods, null characters, unicode OWASP 24 Friday, 4 December 2009
  • 26. WAFFUN: XSS constructor Tries a number of tags to find out which are allowed through Tries a number of DHTML event handlers Tries a number of Javascript methods OWASP 26 Friday, 4 December 2009
  • 27. OWASP 27 Friday, 4 December 2009
  • 28. WAFs may be vulnerable too! Security software is not necessarily secure Web Application specific issues: XSS, SQLi Overflows DoS OWASP 28 Friday, 4 December 2009
  • 29. Known issues ModSecurity 2.5.9 addresses 2 vulnerabilities  "Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process."  "Fixed parsing multipart content with a missing part header name which would crash Apache." Profense 2.6.3 Profense Web Application Firewall Cross-Site Scripting and Cross-Site Request Forgery DotDefender 3.8-5 (this week) Command Execution in dotDefender Site Management  (requires authentication)  seems like it is vulnerable to XSRF OWASP 29 Friday, 4 December 2009
  • 31. Thank you Do you have ideas / resources to improve our tools? wsguglielmetti [em] gmail [ponto] com sandro [em] enablesecurity [ponto] com Questions? OWASP 31 Friday, 4 December 2009