These are the slides from a talk "Blind WAF identification" held at Sh3llCON 2019 (Santander / Spain)

1. Blind WAF identificationBlind WAF identification
Miroslav Stampar
(@stamparm)
Blind WAF identificationBlind WAF identification
Miroslav Stampar
(@stamparm)

2. Sh3llCON, Santander (Spain) January 26th, 2019 2
Who am I?Who am I?
FOSS programmer, Croatian Government CERT
(daily), #infosec researcher (nightly), CTF
enthusiast (sporadically)

3. Sh3llCON, Santander (Spain) January 26th, 2019 3
Talk overviewTalk overview
What is WAF?
How to (dummy) provoke it?
Typical reactions
Real-life examples
WAF detection
Non-blind WAF identification
Blind WAF identification
identYwaf (https://github.com/stamparm/identYwaf)

4. Sh3llCON, Santander (Spain) January 26th, 2019 4
What is WAF? (I)What is WAF? (I)
WAF (Web Application Firewall)
Protects web applications by monitoring and
filtering (HTTP/S) traffic
Security hardening by making more difficult
exploitation of web application security flaws
Does not replace the network firewall
Deployed between the network firewall and the
web server infrastructure (inspects
unencrypted traffic)
To (potentially) bypass it, penetration tester
(first) needs to recognize the type (!)

5. Sh3llCON, Santander (Spain) January 26th, 2019 5
What is WAF? (II)What is WAF? (II)
Source: avinetworks.com

6. Sh3llCON, Santander (Spain) January 26th, 2019 6
What is WAF? (III)What is WAF? (III)
Prevents exploitation of common web security
vulnerabilities (flaws):
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
File Inclusion (FI)
Cross-Site Request Forgery (CSRF)
XML External Entity (XXE)
Local / Remote Code Execution (LCE / RCE)
Directory Traversal
…
Note: OWASP Top 10

7. Sh3llCON, Santander (Spain) January 26th, 2019 7
How to (dummy) provoke it?How to (dummy) provoke it?

8. Sh3llCON, Santander (Spain) January 26th, 2019 8
Typical reactionsTypical reactions
“Bad request”
“Access denied”
“Not acceptable”
“Request denied”
“URL was rejected”
“Forbidden”
“Request could not be satisfied”
“Attempt has been blocked”
“Blocked your request”
etc.

9. Sh3llCON, Santander (Spain) January 26th, 2019 9
Real-life examples (360)Real-life examples (360)

10. Sh3llCON, Santander (Spain) January 26th, 2019 10
Real-life examples (Cloudflare)Real-life examples (Cloudflare)

11. Sh3llCON, Santander (Spain) January 26th, 2019 11
Real-life examples (dotDefender)Real-life examples (dotDefender)

12. Sh3llCON, Santander (Spain) January 26th, 2019 12
Real-life examples (Incapsula)Real-life examples (Incapsula)

13. Sh3llCON, Santander (Spain) January 26th, 2019 13
Real-life examples (ModSecurity)Real-life examples (ModSecurity)

14. Sh3llCON, Santander (Spain) January 26th, 2019 14
Real-life examples (Sucuri)Real-life examples (Sucuri)

15. Sh3llCON, Santander (Spain) January 26th, 2019 15
Real-life examples (Virusdie)Real-life examples (Virusdie)

16. Sh3llCON, Santander (Spain) January 26th, 2019 16
Real-life examples (Wordfence)Real-life examples (Wordfence)

17. Sh3llCON, Santander (Spain) January 26th, 2019 17
WAF detection (I)WAF detection (I)
Sending dummy payload(s) (deliberate,
provocative, not dangerous):
<script>alert('XSS')</script>
' OR SLEEP(5) OR ' (etc.)
Usage of random-generated GET/POST
parameter names (e.g. ?oFx=...)
Detection of any kind of response
changes compared to the original:
HTTP code (200 OK → 403 Forbidden)
HTML title (Homepage → Attention Required!)
Occurrence(s) of rejection specific keywords (- →
...you have been blocked...)

18. Sh3llCON, Santander (Spain) January 26th, 2019 18
WAF detection (II)WAF detection (II)
Original
WAF provoked

19. Sh3llCON, Santander (Spain) January 26th, 2019 19
Non-blind WAF identification (I)Non-blind WAF identification (I)
After the (successful) detection phase, in
identification phase we are trying to identify
the web application security product (i.e. WAF)
In best case (non-blind) provoked WAF will
respond with specific response trails which
distinguishes it from other products
Keywords / sentences (e.g. dotDefender
Blocked Your Request)
HTTP codes (e.g. 999 No Hacking)
HTTP headers (e.g. Server: BinarySec)
HTTP cookies (e.g. jsl_tracking=….)
File paths (e.g. .../wzws-waf-cgi/...)

20. Sh3llCON, Santander (Spain) January 26th, 2019 20
Non-blind WAF identification (II)Non-blind WAF identification (II)
@sqlmap (case) / --identify-waf
WAF scripts (currently 77)
Each covers one specific WAF (protection
system)
4 (+1 NIL) dummy payloads / attack
vectors
Checking page content, headers and
(HTTP) code after each payloads

21. Sh3llCON, Santander (Spain) January 26th, 2019 21
Non-blind WAF identification (III)Non-blind WAF identification (III)

22. Sh3llCON, Santander (Spain) January 26th, 2019 22
Non-blind WAF identification (IV)Non-blind WAF identification (IV)

23. Sh3llCON, Santander (Spain) January 26th, 2019 23
Blind WAF identification (I)Blind WAF identification (I)
How to distinguish different WAF types when
there are only TRUE (generic rejected) and
FALSE (original) responses?
Similar problem like in boolean-based blind SQL
injection, though, with more constraints (i.e.
there is no data source to pull data from)
In theory, different WAFs should have different
protection engines with different set of rules
Hence, different WAFs should answer
differently to a predefined list of dummy
payloads (“battery of tests”)
Final goal: characteristic vectors (signatures)

24. Sh3llCON, Santander (Spain) January 26th, 2019 24
Blind WAF identification (II)Blind WAF identification (II)

25. Sh3llCON, Santander (Spain) January 26th, 2019 25
Blind WAF identification (III)Blind WAF identification (III)

26. Sh3llCON, Santander (Spain) January 26th, 2019 26
identYwaf (I)identYwaf (I)
WAF detection and identification tool
Non-blind support for 70 WAFs and blind
support for 64 WAFs (74 WAFs in total)
Non-blind recognition implemented by
usage of regular expressions over raw HTTP
response (including HTTP headers)
Blind recognition implemented by usage of
inference based on response(s) comparison
with predefined characteristic vectors
(signatures) of size 45 (payloads)
Based on extensive (empirical?) study

27. Sh3llCON, Santander (Spain) January 26th, 2019 27
identYwaf (II)identYwaf (II)

28. Sh3llCON, Santander (Spain) January 26th, 2019 28
identYwaf (III)identYwaf (III)

29. Sh3llCON, Santander (Spain) January 26th, 2019 29
identYwaf (IV)identYwaf (IV)
Calculating difference (distance) between
response vector and WAF characteristic
vectors (signatures)
Smaller the difference, greater the match
Periodic safe-checking for potential
complete blocking (dummy digit payload)
Detection of WAF “chaining” based on
different rejection HTTP codes (e.g. 403 and
500) or Server headers (e.g. nginx and
imunify360-webshield/1.5)
Auxiliary “hardness” score (i.e. strictness)

30. Sh3llCON, Santander (Spain) January 26th, 2019 30
identYwaf (V)identYwaf (V)

31. Sh3llCON, Santander (Spain) January 26th, 2019 31
identYwaf (VI)identYwaf (VI)

32. Sh3llCON, Santander (Spain) January 26th, 2019 32
identYwaf (VII)identYwaf (VII)

33. Sh3llCON, Santander (Spain) January 26th, 2019 33
identYwaf (VIII)identYwaf (VIII)

34. Sh3llCON, Santander (Spain) January 26th, 2019 34
Future workFuture work
Dealing with strict (rate-limiting) WAFs (e.g.
usage of proxy list)
Extensive testing of WAF capabilities (e.g.
POST body, different encodings, etc.)
Detailed reporting for the sake of bypassing
(e.g. only FI payloads are blocked, POST
body is not being processed, only
characters < and > are being blocked, etc.)
Collaborative sharing of unknown
signatures (e.g. automatic Github issue)
Bypass “recommendations”

35. Sh3llCON, Santander (Spain) January 26th, 2019 35
p.s. “Hardness” (not WAF scoring!)p.s. “Hardness” (not WAF scoring!)

36. Sh3llCON, Santander (Spain) January 26th, 2019 36
Questions?Questions?