
Modern WAF Bypass Scripting Techniques for Autonomous Attacks

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2mrAhWq.

Johnny Xmas explains how the various forms of "bot detection" out there work, and the philosophy behind modifying or spoofing the client environment to bypass nearly all of them, using anything from Python and JavaScript to Selenium, Puppeteer and beyond. Filmed at qconnewyork.com.

Johnny Xmas is a prominent personality in the Information Security community, best known for his work on the TSA Master Key leaks between 2014 and 2018. He is currently working with the Australian firm Kasada to defend against the automated abuse of web infrastructure.



  1. SORRY ABOUT YOUR WAF: Bypassing the Modern WAF. Johnny Xmas, Johnny.Xmas@Kasada.io, @J0hnnyXm4s
  2. InfoQ.com: News & Community Site. 750,000 unique visitors/month; published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese); post content from our QCon conferences; news 15-20 / week; articles 3-4 / week; presentations (videos) 12-15 / week; interviews 2-3 / week; books 1 / month. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/waf-scripting-techniques-autonomous-attacks/
  3. Presented at QCon New York, www.qconnewyork.com. Purpose of QCon: to empower software development by facilitating the spread of knowledge and innovation. Strategy: practitioner-driven conference designed for YOU, the influencers of change and innovation in your teams; speakers and topics driving the evolution and innovation; connecting and catalyzing the influencers and innovators. Highlights: attended by more than 12,000 delegates since 2007; held in 9 cities worldwide.
  4. JOHNNY XMAS, Johnny.Xmas@Kasada.io. Blade Runner & Director of Field Engineering, North America & Europe @ kasada.io. CISSP, GIAC, GPEN.
 PREVIOUS PROFESSIONAL ROLES:
 •Network Engineer
 •Systems Engineer
 •Information Security Engineer
 •Information Security Consultant
 •Penetration Tester
 •Industrial Security Researcher
 LINKS:
 •https://twitter.com/j0hnnyxm4s
 •https://www.linkedin.com/in/johnnyxmas/
 •https://www.youtube.com/c/johnnyxmas
 •https://github.com/johnnyxmas

  5. WAF (WEB APPLICATION FIREWALLS): BASIC
 •Very basic behavioral analysis
 •Various levels of IP reputation, header inspection and POST data inspection
 •Just blacklists IPs (LOL)
 •Trivial to bypass
  6. SQLMap https://github.com/sqlmapproject/sqlmap
  7. WAF (WEB APPLICATION FIREWALLS): SOPHISTICATED
 •Often a reverse proxy
 •Partially relies on JS execution
 •Fingerprints client environment
  8. Also, they're both pretty useless... so let's get hacking!
  9. BARE MINIMUMS
  10. BARE MINIMUMS: Rotate Your IP
 •Huge # of "Free Proxy" sites
 • https://hide.me
 • https://hidester.com
 • https://www.proxysite.com/
 •Srsly just google "Free Proxies"
  11. BARE MINIMUMS: Use Residential IPs
 •Huge # of "Free Proxy" sites
 •Hard to convince The Business to allow blocking residential IPs
 •Residential IPs are easy to lease in bulk
 •Residential IPs are not free
 •Services like HolaVPN and MonkeySocks use users' IPs
  12. BARE MINIMUMS: Use The Usual HTTP Headers
 •BUT ALSO:
 •Accept: */*
 •DNT: 1
 •X-Headers (sometimes)
 •User-Agent (NO QUOTES)
 •Session Cookies (sometimes)
  13. BARE MINIMUMS: Rotate User-Agents
 •Seriously, this gets past so many defenses
 •Rotate with each HTTP request, if possible
 •Also use this for whitelist fuzzing
 Use Cookies
 •Auth'd sessions often have more lenient throttling
 •Some session cookies are *required*
 •WATCH OUT FOR SNEAKY WAF COOKIES
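Slides 12 and 13 together describe the "bare minimum" client identity: browser-like headers, a User-Agent that rotates, and a cookie jar that replays the application's session cookie while keeping an eye on cookies the WAF itself plants. The following is an added example, not code from the talk or from Kasada, written against the standard library so it runs offline. The User-Agent pool and the Set-Cookie lines in the usage are constructed, and the rule used to spot a "sneaky WAF cookie" (a cookie first handed out on a 403/429/503 response) is this example's own assumption, not something the slides state.

```python
# Added example (not from the talk): a "bare minimums" identity for a scripted
# client: the usual headers, a rotating User-Agent, and a cookie jar that keeps
# WAF-issued cookies apart from the application's session cookie.
import itertools
from http.cookies import SimpleCookie

# Constructed pool; in practice use strings for current real browser versions.
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0",
]

# "The usual" headers from slide 12: what a real browser sends on every request.
BASE_HEADERS = {
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept-Encoding": "gzip, deflate, br",
    "DNT": "1",
    "Connection": "keep-alive",
}

# Responses that mean "the WAF, not the application, answered" (assumption).
BLOCK_STATUSES = {403, 429, 503}


class Identity:
    """Headers plus cookie jar for one scripted client."""

    def __init__(self, user_agents=USER_AGENTS):
        self._ua_cycle = itertools.cycle(user_agents)
        self.user_agent = next(self._ua_cycle)
        self.cookies = {}          # name -> value, replayed on every request
        self.waf_cookies = set()   # names first seen on a block/challenge response

    def rotate_ua(self):
        """Move to the next User-Agent (per request, or per session)."""
        self.user_agent = next(self._ua_cycle)
        return self.user_agent

    def absorb(self, status, set_cookie_lines):
        """Store every Set-Cookie from a response so it is replayed next time.
        Assumption: a cookie first handed out on a block/challenge response is
        the WAF's own tracking cookie rather than the application's session."""
        for line in set_cookie_lines:
            jar = SimpleCookie()
            jar.load(line)
            for name, morsel in jar.items():
                if name not in self.cookies and status in BLOCK_STATUSES:
                    self.waf_cookies.add(name)
                self.cookies[name] = morsel.value

    def drop_waf_cookies(self):
        """Forget the WAF's cookies, e.g. before retrying from a fresh IP."""
        for name in self.waf_cookies:
            self.cookies.pop(name, None)
        self.waf_cookies.clear()

    def headers(self):
        """Request headers for the next call. The User-Agent value is sent
        bare; wrapping it in quotes is a classic tell (slide 12: NO QUOTES)."""
        h = dict(BASE_HEADERS)
        h["User-Agent"] = self.user_agent
        if self.cookies:
            h["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return h


if __name__ == "__main__":
    ident = Identity()
    # Constructed responses: a normal page that sets the app session, then a
    # WAF block that sets its own tracking cookie.
    ident.absorb(200, ["sessionid=abc123; Path=/; HttpOnly"])
    ident.absorb(403, ["__waf_fp=deadbeef; Path=/"])
    print(ident.headers()["Cookie"])
    ident.drop_waf_cookies()
    ident.rotate_ua()
    print(ident.headers())
```

One caveat a practitioner should keep in mind: rotating the User-Agent on every request while replaying the same session cookie is itself an inconsistency, because a sophisticated WAF can bind the cookie it issued to the User-Agent that received it. Rotate per request for unauthenticated fuzzing; when cookies are in play, rotate per session instead.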
  14. Use POSTMan https://www.getpostman.com/
  15. SUPER BORING CODE DEMO (IT'S COOL, WE PROMISE). PLEASE BEAR WITH US FOR LIKE 2 MINUTES
  16. ADVANCED TACTICS FOR CLOUD WAFS: BE THE LUCHADOR *AND* THE OSTRICHES
  17. EDGE ENUMERATION
 Check Every System
 •Find ASNs owned by target (ARIN, etc.)
 •Find domains owned by target to uncover additional ASNs (WHOIS)
 •Find which IPs are hosting web servers (ScanCannon)
 •Enumerate paths to find forms, APIs, data, etc. (wfuzz, etc.)
 Smash DNS
 •Find ASNs owned by target (ARIN, etc.)
 •Find domains owned by target to uncover additional ASNs
 •Reverse lookup on IPs to DNS names (human-language indicators)
 •DNS history lookups
 •DNS zone transfers
 •DNS name fuzzing
  18. EDGE ENUMERATION
 Round-Robin the Edge Nodes
 •Discover all edge nodes
 •Hit one until it blocks you, then hit the next
 •This exploits the sync delay (often 15 minutes) and conserves IPs
 Unprotected Paths
 •Layer 7 WAFs & their associated CDNs have path rules
 •One application may have multiple login portal paths
 •Some of these may be accidentally or intentionally unprotected
 Smash the API
 •APIs are almost never fully protected; often not at all
 •Great if all you need is to steal data
 •Can also be used to "test" credentials
  19. SOPHISTICATED WAFs
 Find the Origins
 •Use previous enumeration (look for "origin" in DNS)
 •UUID or hash DNS names
 •Hitting these bypasses the WAF completely
 •Watch out for firewalls
 OR... Ditch the Script, Share the Cookies
 •Identify and block WAF JavaScript snippets
 •*RUN* WAF JavaScript and replay the resulting fingerprint cookie
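Slide 18's "round-robin the edge nodes" and slide 19's "find the origins" both rest on the enumeration from slide 17, so one added example covers both. It is not code from the talk: a pool that sticks to one edge until that edge blocks and then parks it for the sync window, a classifier that sorts DNS results into WAF edges and origin candidates by checking addresses against the WAF's published prefixes, and a curl invocation that reaches a chosen address while keeping the site's Host header and TLS SNI intact. Standard library only; the edge and origin addresses, the 15-minute window, the WAF prefix list and the SimulatedWaf transport are all constructed for the example, and the scoring weights are its own assumptions.

```python
# Added example (not from the talk): edge round-robin with a sync window,
# plus origin-candidate triage over DNS enumeration results.
import ipaddress
import re
import time
from urllib.parse import urlsplit

BLOCK_STATUSES = {403, 429, 503}


class EdgePool:
    def __init__(self, edges, sync_delay=15 * 60, clock=time.monotonic):
        self.edges = list(edges)
        self.sync_delay = sync_delay      # seconds before a parked edge is retried
        self.clock = clock                # injectable so the demo needs no waiting
        self.parked = {}                  # edge -> time it returned a block
        self.hits = {e: 0 for e in self.edges}
        self._idx = 0

    def current(self):
        """Edge to use now. Stays on the same edge until mark_blocked() moves
        on; edges still inside the sync window are skipped. None = all parked."""
        for _ in range(len(self.edges)):
            edge = self.edges[self._idx]
            since = self.parked.get(edge)
            if since is None or self.clock() - since >= self.sync_delay:
                self.parked.pop(edge, None)
                return edge
            self._idx = (self._idx + 1) % len(self.edges)
        return None

    def mark_blocked(self, edge):
        """Park a blocked edge and advance to the next one in the ring."""
        self.parked[edge] = self.clock()
        self._idx = (self.edges.index(edge) + 1) % len(self.edges)


def fetch(pool, url, transport):
    """Send one request via the pool. transport(edge_ip, host, path) performs
    the HTTP call against the edge address and returns the status code.
    Returns (edge, status), or (None, None) when every edge is parked, which
    is the cue to rotate the source IP instead of burning more requests."""
    parts = urlsplit(url)
    while (edge := pool.current()) is not None:
        pool.hits[edge] += 1
        status = transport(edge, parts.hostname, parts.path or "/")
        if status in BLOCK_STATUSES:
            pool.mark_blocked(edge)
            continue
        return edge, status
    return None, None


class SimulatedWaf:
    """Constructed stand-in for the network: each edge blocks after `limit`
    requests and, not having synced with its siblings, keeps blocking."""
    def __init__(self, limit):
        self.limit = limit
        self.seen = {}

    def __call__(self, edge, host, path):
        self.seen[edge] = self.seen.get(edge, 0) + 1
        return 403 if self.seen[edge] > self.limit else 200


def run_demo(requests=9, limit=3):
    """Drive three constructed edges against the simulation; returns the edge
    used for each request, the pool and the simulated WAF."""
    pool = EdgePool(["203.0.113.10", "203.0.113.11", "203.0.113.12"],
                    clock=lambda: 0.0)
    waf = SimulatedWaf(limit)
    used = [fetch(pool, "https://www.example.com/login", waf)[0] for _ in range(requests)]
    return used, pool, waf


# Constructed: the WAF/CDN provider's published edge ranges.
WAF_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:ff::/48")]
ORIGIN_HINTS = re.compile(r"origin|direct|backend|internal|staging", re.I)
UUID_OR_HASH = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$|^[0-9a-f]{16,}$", re.I)


def behind_waf(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in WAF_PREFIXES)


def classify(records):
    """records: (hostname, address) pairs from DNS history/zone/fuzzing.
    Most promising origin candidates first; weights are assumptions."""
    out = []
    for host, addr in records:
        edge = behind_waf(addr)
        score = (0 if edge else 2) + (2 if ORIGIN_HINTS.search(host) else 0)
        score += 1 if UUID_OR_HASH.match(host.split(".")[0]) else 0
        out.append({"host": host, "address": addr, "score": score,
                    "kind": "edge" if edge else "origin-candidate"})
    return sorted(out, key=lambda r: (-r["score"], r["host"]))


def curl_command(site_host, address, path="/"):
    """Connect to `address` (an edge or a suspected origin) while keeping the
    site's Host header and SNI, so virtual hosting still routes the request."""
    return f"curl --resolve {site_host}:443:{address} https://{site_host}{path}"
```

The "watch out for firewalls" bullet is the catch for the second half: an origin candidate that times out, or answers a bare 403 from the origin server itself, is most likely allowlisting only the WAF provider's ranges, so reaching its address is not the same as bypassing the WAF. Confirm a candidate by checking that the response carries the application's own content and none of the WAF's headers or cookies.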
  20. AUTOMATE A REAL BROWSER
  21. AUTOMATE A REAL BROWSER
 •Headless Chrome
 •Puppeteer
 •Selenium
 •Looks like human activity
 •Practically undetectable
 •Scriptable AF
 •Executes JavaScript
 •Properly leverages cookies
 •Multiple instances per IP
 https://github.com/GoogleChrome/puppeteer
  22. Realistic WebDriver
 •User_agent
 •Navigator_Platform
 •Color_depth
 •Pixel_ratio
 •Cpu_Class
 •Hardware_concurrency
 •Resolution
 •Available_resolutions
 •Timezone_offset
 •Session_storage
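Slide 22 lists the attributes a fingerprinting WAF reads from the automated browser, and the summary's "change the stock config!" is the point: the stock WebDriver profile is inconsistent (headless User-Agent, 800x600 window, `navigator.webdriver` set) and the values you substitute must agree with one another and with the proxy's location. The following added example, not code from the talk, checks a profile for those contradictions before generating the init script that overrides the fingerprinted getters. Standard library only; the profile values are constructed, the desktop-only platform mapping and the plausibility thresholds are this example's assumptions.

```python
# Added example (not from the talk): consistency checks for a spoofed browser
# profile, plus the JavaScript that installs it before any page script runs.
import json

# navigator.platform that desktop Chrome/Firefox report for each UA OS family
# (assumption: desktop browsers only; mobile strings differ).
PLATFORM_FOR_UA = {"Windows": "Win32", "Macintosh": "MacIntel", "Linux": "Linux x86_64"}


def check_profile(p, proxy_tz_offset=None):
    """Return a list of inconsistency codes; an empty list means coherent."""
    issues = []
    ua = p["user_agent"]
    if "HeadlessChrome" in ua:
        issues.append("headless-ua")                  # old headless mode announces itself
    family = next((k for k in PLATFORM_FOR_UA if k in ua), None)
    if family and p["navigator_platform"] != PLATFORM_FOR_UA[family]:
        issues.append("platform-mismatch")
    w, h = p["resolution"]
    aw, ah = p["available_resolution"]
    if (w, h) == (800, 600):
        issues.append("headless-default-window")      # headless Chrome's default window
    if aw > w or ah > h:
        issues.append("avail-exceeds-screen")         # a taskbar can only shrink the area
    if p["color_depth"] not in (24, 30):
        issues.append("odd-color-depth")              # assumption: typical desktop depths
    if not 1 <= p["pixel_ratio"] <= 4:
        issues.append("odd-pixel-ratio")
    if not 1 <= p["hardware_concurrency"] <= 64:
        issues.append("odd-hardware-concurrency")
    tz = p["timezone_offset"]                         # JS getTimezoneOffset(): minutes, UTC-5 -> 300
    if tz % 15 != 0 or not -840 <= tz <= 720:
        issues.append("invalid-timezone-offset")
    if proxy_tz_offset is not None and tz != proxy_tz_offset:
        issues.append("timezone-vs-proxy-mismatch")   # browser in one zone, exit IP in another
    return issues


def init_script(p):
    """JavaScript to install before page scripts run, e.g. via Selenium's
    driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {"source": s})
    or Puppeteer's page.evaluateOnNewDocument(s). It overrides the fingerprinted
    getters and clears the navigator.webdriver flag that stock WebDriver sets."""
    w, h = p["resolution"]
    aw, ah = p["available_resolution"]
    nav = {"platform": p["navigator_platform"],
           "hardwareConcurrency": p["hardware_concurrency"],
           "webdriver": False}
    scr = {"width": w, "height": h, "availWidth": aw, "availHeight": ah,
           "colorDepth": p["color_depth"], "pixelDepth": p["color_depth"]}
    lines = [f"Object.defineProperty(navigator, {json.dumps(k)}, {{get: () => {json.dumps(v)}}});"
             for k, v in nav.items()]
    lines += [f"Object.defineProperty(screen, {json.dumps(k)}, {{get: () => {json.dumps(v)}}});"
              for k, v in scr.items()]
    lines.append(f"Object.defineProperty(window, 'devicePixelRatio', {{get: () => {json.dumps(p['pixel_ratio'])}}});")
    lines.append(f"Date.prototype.getTimezoneOffset = function () {{ return {p['timezone_offset']}; }};")
    return "\n".join(lines)


# Constructed profile: a Windows Chrome desktop behind a US-East proxy (UTC-5).
PROFILE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
    "navigator_platform": "Win32",
    "color_depth": 24,
    "pixel_ratio": 1,
    "hardware_concurrency": 8,
    "resolution": (1920, 1080),
    "available_resolution": (1920, 1040),
    "timezone_offset": 300,
}

if __name__ == "__main__":
    print(check_profile(PROFILE, proxy_tz_offset=300))
    print(init_script(PROFILE))
```

Two design notes. The User-Agent itself is set outside this script (the `--user-agent=` Chrome flag, or `Network.setUserAgentOverride` over CDP), and must be the same string the profile was checked against. The `getTimezoneOffset` override is the crude part: `Intl.DateTimeFormat().resolvedOptions().timeZone` would still reveal the real zone, so in practice set the timezone for the whole browser (the `TZ` environment variable, or the `Emulation.setTimezoneOverride` CDP command) and keep the JS override only as a consistency backstop.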
  23. SUMMARY:
 •Rotate IP Addresses
 • Use Residential IPs
 •Use the Usual HTTP Headers
 •Use POSTMan
 •Rotate your User-Agents
 •Rotate session cookies
 •Rotate between targets
 •Hit the Origin directly
 •Use a Web Driver
 • Change the stock config!
  24. THANKS FOR PLAYING! Johnny Xmas, CISSP, GIAC, GPEN. Johnny.Xmas@Kasada.io @J0hnnyXm4s https://www.github.com/johnnyxmas/Talk_Decks
  25. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/waf-scripting-techniques-autonomous-attacks/
