Blind WAF identification
Miroslav Stampar
(@stamparm)
2. Sh3llCON, Santander (Spain) January 26th, 2019 2
Who am I?
FOSS programmer, Croatian Government CERT (daily), #infosec researcher (nightly), CTF enthusiast (sporadically)
What is WAF? (I)
WAF (Web Application Firewall)
Protects web applications by monitoring and filtering (HTTP/S) traffic
Security hardening by making exploitation of web application security flaws more difficult
Does not replace the network firewall
Deployed between the network firewall and the web server infrastructure (inspects unencrypted traffic)
To (potentially) bypass it, a penetration tester (first) needs to recognize the type (!)
Typical reactions
“Bad request”
“Access denied”
“Not acceptable”
“Request denied”
“URL was rejected”
“Forbidden”
“Request could not be satisfied”
“Attempt has been blocked”
“Blocked your request”
etc.
WAF detection (I)
Sending dummy payload(s) (deliberate, provocative, not dangerous):
  <script>alert('XSS')</script>
  ' OR SLEEP(5) OR ' (etc.)
Usage of randomly generated GET/POST parameter names (e.g. ?oFx=...)
Detection of any kind of response change compared to the original:
  HTTP code (200 OK → 403 Forbidden)
  HTML title (Homepage → Attention Required!)
  Occurrence(s) of rejection-specific keywords (- → ...you have been blocked...)
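The comparison step of the detection phase, as an added example (not code from the talk, from sqlmap or from identYwaf): two constructed responses stand in for the original page and the reply to the same request carrying a dummy payload, and the three signals listed above (HTTP code, HTML title, rejection keywords) are diffed. The keyword list is the "Typical reactions" slide; `build_probe_url` shows the randomly generated parameter name, and `example.test` is a placeholder host. No network traffic is sent.

```python
import random
import re
import string
from dataclasses import dataclass, field
from urllib.parse import quote


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed sample responses (not captured traffic): the original page and the
# reply to the same request carrying a dummy payload.
ORIGINAL = Response(200, {"Server": "nginx"},
                    "<html><title>Homepage</title><body>Welcome</body></html>")
PROVOKED = Response(403, {"Server": "nginx"},
                    "<html><title>Attention Required!</title>"
                    "<body>Sorry, you have been blocked</body></html>")

# Rejection-specific keywords, taken from the "Typical reactions" slide
REJECTION_KEYWORDS = [
    "bad request", "access denied", "not acceptable", "request denied",
    "url was rejected", "forbidden", "request could not be satisfied",
    "attempt has been blocked", "blocked your request", "you have been blocked",
]


def build_probe_url(base_url, payload, name_length=3):
    """Attach the dummy payload under a randomly generated parameter name (e.g. ?oFx=...),
    so the probe does not collide with a parameter the application actually uses."""
    name = "".join(random.choice(string.ascii_letters) for _ in range(name_length))
    return f"{base_url}?{name}={quote(payload)}"


def html_title(body):
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else ""


def rejection_keywords(body):
    # Strip tags so keywords inside markup are still found
    text = re.sub(r"<[^>]+>", " ", body).lower()
    return [k for k in REJECTION_KEYWORDS if k in text]


def detect_changes(original, provoked):
    """Collect the response changes that point at a WAF: a different HTTP code,
    a different HTML title, and rejection keywords absent from the original."""
    changes = {}
    if original.status != provoked.status:
        changes["status"] = (original.status, provoked.status)
    old_title, new_title = html_title(original.body), html_title(provoked.body)
    if old_title != new_title:
        changes["title"] = (old_title, new_title)
    new_keywords = sorted(set(rejection_keywords(provoked.body))
                          - set(rejection_keywords(original.body)))
    if new_keywords:
        changes["keywords"] = new_keywords
    return changes


def waf_detected(original, provoked):
    return bool(detect_changes(original, provoked))


if __name__ == "__main__":
    print(build_probe_url("http://example.test/", "<script>alert('XSS')</script>"))
    print(detect_changes(ORIGINAL, PROVOKED))
```

Comparing against the original rather than against absolute values matters: an application that itself titles its error page "Forbidden" would otherwise be reported as a WAF on every probe.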
WAF detection (II)
Original vs. WAF provoked (screenshot comparison)
Non-blind WAF identification (I)
After the (successful) detection phase, in the identification phase we try to identify the web application security product (i.e. WAF)
In the best (non-blind) case, the provoked WAF responds with specific response trails which distinguish it from other products:
  Keywords / sentences (e.g. dotDefender Blocked Your Request)
  HTTP codes (e.g. 999 No Hacking)
  HTTP headers (e.g. Server: BinarySec)
  HTTP cookies (e.g. jsl_tracking=….)
  File paths (e.g. .../wzws-waf-cgi/...)
Non-blind WAF identification (II)
@sqlmap (case) / --identify-waf
WAF scripts (currently 77)
Each covers one specific WAF (protection system)
4 (+1 NIL) dummy payloads / attack vectors
Checking page content, headers and (HTTP) code after each payload
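Non-blind identification as an added example (this is not sqlmap's or identYwaf's code): regular expressions are matched over the raw HTTP response, status line and headers included, and a small battery of dummy payloads plus the NIL control is sent in turn, stopping at the first identifying trail. The signature regexes are built from the trails on the previous slide; dotDefender and BinarySec are named there, while the other entries are labelled by their trail only because the slides do not name those products. The raw responses and the `simulated_send` target are constructed.

```python
import re
from typing import Callable, List, Optional

# Constructed regex signatures over the raw HTTP response (status line, headers, body),
# built from the response trails listed on the slides. Product names are given only
# where the slides give them.
SIGNATURES = {
    "dotDefender": r"dotDefender Blocked Your Request",
    "BinarySec": r"^Server:[ \t]*BinarySec",
    "999 No Hacking (product not named on slide)": r"^HTTP/1\.[01] 999 No Hacking",
    "jsl_tracking cookie (product not named on slide)": r"^Set-Cookie:[ \t]*jsl_tracking=",
    "wzws-waf-cgi path (product not named on slide)": r"/wzws-waf-cgi/",
}
# MULTILINE so that ^ anchors each header line; IGNORECASE for header-name casing
COMPILED = {name: re.compile(pat, re.I | re.M) for name, pat in SIGNATURES.items()}

# Dummy payloads as on the slides, plus the NIL (no payload) control request
DUMMY_PAYLOADS: List[Optional[str]] = [
    "<script>alert('XSS')</script>",
    "' OR SLEEP(5) OR '",
    None,
]


def identify_nonblind(raw_response: str) -> List[str]:
    """Names of all signatures whose regex matches somewhere in the raw response."""
    return [name for name, rx in COMPILED.items() if rx.search(raw_response)]


def identify_with_battery(send: Callable[[Optional[str]], str],
                          payloads=DUMMY_PAYLOADS) -> Optional[str]:
    """Send each payload in turn and stop at the first identifying trail.
    `send` takes a payload (or None for the NIL request) and returns the raw response."""
    for payload in payloads:
        matches = identify_nonblind(send(payload))
        if matches:
            return matches[0]
    return None


# Constructed raw responses (not captured traffic)
RAW_OK = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
          "<html><title>Homepage</title></html>")
RAW_DOTDEFENDER = ("HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
                   "<html><body><h1>dotDefender Blocked Your Request</h1></body></html>")
RAW_GENERIC_BLOCK = ("HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n"
                     "<html><body>Access denied</body></html>")


def simulated_send(payload: Optional[str]) -> str:
    """Simulated target: the NIL request gets the original page, any dummy payload
    gets a block page carrying an identifying trail."""
    return RAW_OK if payload is None else RAW_DOTDEFENDER


if __name__ == "__main__":
    print(identify_with_battery(simulated_send))
    print(identify_with_battery(lambda p: RAW_GENERIC_BLOCK))  # None: no trail, blind case
```

A generic block page with no trail (the last call) yields `None`; that is exactly the situation the blind approach on the following slides has to handle.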
Blind WAF identification (I)
How to distinguish different WAF types when there are only TRUE (generic rejected) and FALSE (original) responses?
Similar problem to boolean-based blind SQL injection, though with more constraints (i.e. there is no data source to pull data from)
In theory, different WAFs should have different protection engines with different sets of rules
Hence, different WAFs should answer differently to a predefined list of dummy payloads (“battery of tests”)
Final goal: characteristic vectors (signatures)
Blind WAF identification (II)
identYwaf (I)
WAF detection and identification tool
Non-blind support for 70 WAFs and blind support for 64 WAFs (74 WAFs in total)
Non-blind recognition implemented by usage of regular expressions over the raw HTTP response (including HTTP headers)
Blind recognition implemented by usage of inference based on comparison of the response(s) with predefined characteristic vectors (signatures) of size 45 (payloads)
Based on extensive (empirical?) study
identYwaf (IV)
Calculating the difference (distance) between the response vector and the WAF characteristic vectors (signatures)
The smaller the difference, the greater the match
Periodic safe-checking for potential complete blocking (dummy digit payload)
Detection of WAF “chaining” based on different rejection HTTP codes (e.g. 403 and 500) or Server headers (e.g. nginx and imunify360-webshield/1.5)
Auxiliary “hardness” score (i.e. strictness)
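The blind inference described on the "Blind WAF identification (I)" slide and the scoring steps on this slide, as one added example (not identYwaf's own code): each battery payload contributes one bit (rejected or not) to a response vector, the Hamming distance to every characteristic vector ranks the candidates (smaller distance, better match), a harmless digit payload is re-sent periodically to catch complete blocking, chaining is flagged when rejections come back with differing HTTP codes or Server headers, and hardness is the fraction of payloads rejected. The battery slots, the three WAF signatures and the simulated target are constructed; identYwaf's real battery has 45 payloads and its signatures are not reproduced here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Response:
    status: int
    server: str = ""


# Battery of dummy payloads, represented by opaque slot names (constructed;
# identYwaf's real battery has 45 payloads, their contents are not part of this example).
BATTERY = [f"p{i:02d}" for i in range(1, 9)]
SAFE_PAYLOAD = "1"  # dummy digit payload used for the periodic safe-check

# Constructed characteristic vectors (signatures): one bit per battery slot,
# '1' = that WAF rejects the payload. The WAF names are hypothetical.
SIGNATURES: Dict[str, str] = {
    "WAF-A": "11001000",
    "WAF-B": "11111010",
    "WAF-C": "10100011",
}


def is_blocked(resp: Response, baseline_status: int = 200) -> bool:
    # Assumption: the original (unprovoked) page answers with the baseline status
    return resp.status != baseline_status


def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def response_vector(probe: Callable[[str], Response], battery=BATTERY,
                    check_every: int = 4) -> Tuple[str, List[Response]]:
    """Send the battery and record one bit per payload. Before every `check_every`
    payloads the harmless digit payload is sent; if even that is rejected the target
    has started blocking everything (e.g. rate limiting) and the run is aborted."""
    bits, rejected = [], []
    for i, payload in enumerate(battery):
        if i % check_every == 0 and is_blocked(probe(SAFE_PAYLOAD)):
            raise RuntimeError("harmless payload rejected: target is blocking completely")
        resp = probe(payload)
        blocked = is_blocked(resp)
        bits.append("1" if blocked else "0")
        if blocked:
            rejected.append(resp)
    return "".join(bits), rejected


def rank_signatures(vector: str, signatures=SIGNATURES) -> List[Tuple[str, int]]:
    """Candidates ordered by distance; the smaller the distance, the better the match."""
    return sorted(((name, hamming(vector, sig)) for name, sig in signatures.items()),
                  key=lambda item: item[1])


def hardness(vector: str) -> float:
    """Strictness: share of battery payloads that were rejected."""
    return vector.count("1") / len(vector)


def chained(rejected: List[Response]) -> bool:
    """Chaining: rejections that differ in HTTP code or Server header point at
    more than one product in front of the application."""
    return len({(r.status, r.server) for r in rejected}) > 1


def identify_blind(probe: Callable[[str], Response]) -> dict:
    vector, rejected = response_vector(probe)
    ranking = rank_signatures(vector)
    return {"vector": vector, "best": ranking[0], "ranking": ranking,
            "hardness": hardness(vector), "chained": chained(rejected)}


# Constructed simulated target: one bit away from "WAF-B", with rejections coming
# from two different products (the 403/nginx and 500/imunify360 pair from the slide).
_SIMULATED = {
    "p01": Response(403, "nginx"),
    "p02": Response(403, "nginx"),
    "p03": Response(500, "imunify360-webshield/1.5"),
    "p04": Response(500, "imunify360-webshield/1.5"),
    "p05": Response(403, "nginx"),
}


def simulated_probe(payload: str) -> Response:
    return _SIMULATED.get(payload, Response(200, "nginx"))


if __name__ == "__main__":
    print(identify_blind(simulated_probe))
```

Reporting the whole ranking rather than only the best match is deliberate: with a distance of 1 against one signature and 2 against another, the result is a likely match, not a certain one, and a defender checking their own deployment should treat a near tie as "unknown or chained" rather than as a firm identification.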
Future work
Dealing with strict (rate-limiting) WAFs (e.g. usage of a proxy list)
Extensive testing of WAF capabilities (e.g. POST body, different encodings, etc.)
Detailed reporting for the sake of bypassing (e.g. only FI payloads are blocked, POST body is not being processed, only characters < and > are being blocked, etc.)
Collaborative sharing of unknown signatures (e.g. automatic Github issue)
Bypass “recommendations”