Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2mrAhWq.
Johnny Xmas talks about how the various forms of “bot detection” out there work, and the philosophies behind modifying or spoofing the necessary client environments to bypass nearly all of them, using anything from Python and JavaScript to Selenium, Puppeteer and beyond. Filmed at qconnewyork.com.
Johnny Xmas is a prominent personality in the Information Security community, best known for his work on the TSA Master Key leaks between 2014 and 2018. He currently works with the Australian firm Kasada to defend against the automated abuse of web infrastructure.
Modern WAF Bypass Scripting Techniques for Autonomous Attacks
1. SORRY ABOUT YOUR WAF
Bypassing the Modern WAF
Johnny Xmas
Johnny.Xmas@Kasada.io
@J0hnnyXm4s
2. InfoQ.com: News & Community Site
• 750,000 unique visitors/month
• Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese)
• Post content from our QCon conferences
• News 15-20 / week
• Articles 3-4 / week
• Presentations (videos) 12-15 / week
• Interviews 2-3 / week
• Books 1 / month
Watch the video with slide synchronization on InfoQ.com!
https://www.infoq.com/presentations/waf-scripting-techniques-autonomous-attacks/
3. Presented at QCon New York
www.qconnewyork.com
Purpose of QCon
- to empower software development by facilitating the spread of knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
4. JOHNNY XMAS
Johnny.Xmas@Kasada.io
Blade Runner & Director of Field Engineering, North America & Europe @ kasada.io
CISSP, GIAC, GPEN
PREVIOUS PROFESSIONAL ROLES:
•Network Engineer
•Systems Engineer
•Information Security Engineer
•Information Security Consultant
•Penetration Tester
•Industrial Security Researcher
LINKS:
•https://twitter.com/j0hnnyxm4s
•https://www.linkedin.com/in/johnnyxmas/
•https://www.youtube.com/c/johnnyxmas
•https://github.com/johnnyxmas
5. WAF: WEB APPLICATION FIREWALLS
BASIC
•Very Basic Behavioral Analysis
•Various levels of IP Reputation, header inspection and POST data inspection.
•Just blacklists IPs (LOL)
•Trivial to Bypass
7. WAF: WEB APPLICATION FIREWALLS
SOPHISTICATED
•Often a Reverse Proxy
•Partially relies on JS execution
•Fingerprints client environment
10. BARE MINIMUMS
Rotate Your IP
•Huge # of “Free Proxy” sites
• https://hide.me
• https://hidester.com
• https://www.proxysite.com/
•Srsly just google “Free Proxies”
11. BARE MINIMUMS
Use Residential IPs
•Huge # of “Free Proxy” sites
•Hard to convince The Business to allow blocking residential IPs
•Residential IPs are easy to lease in bulk
•Residential IPs are not free
•Services like HolaVPN and MonkeySocks use users’ IPs
12. BARE MINIMUMS
Use The Usual HTTP Headers
• BUT ALSO:
• Accept : */*
• DNT : 1
• X-Headers (Sometimes)
• User-Agent (NO QUOTES)
• Session Cookies (Sometimes)
13. BARE MINIMUMS
Rotate User-Agents
•Seriously, this gets past so many defenses
•Rotate with each HTTP request, if possible
•Also use this for whitelist fuzzing
Use Cookies
•Auth’d sessions often have more lenient throttling
•Some session cookies are *required*
•WATCH OUT FOR SNEAKY WAF COOKIES
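The two slides above describe what automation tends to get wrong on the client side: a thin header set, and a User-Agent that changes from request to request while the application session stays the same. The detection logic below is an added example written from the defender's side; it is not code from the talk or from Kasada. It groups a constructed JSON access log by application session and flags sessions whose User-Agent varies or whose requests lack the headers a browser normally sends alongside User-Agent (Accept, Accept-Language, Accept-Encoding). The log format, the field names and the sample lines are all constructed for this example.

```python
"""Flag sessions whose User-Agent rotates or whose header set is incomplete.

Added illustration, not code from the talk or from Kasada. The log format,
the field names and the sample lines are constructed for this example.
"""
import json
from collections import defaultdict

# Headers a real browser almost always sends together with User-Agent.
EXPECTED_HEADERS = {"accept", "accept-language", "accept-encoding", "user-agent"}

# Constructed JSON access-log lines, one request per line. The session_id
# would come from the application's own session cookie; "headers" lists the
# header names that were present on the request.
SAMPLE_LOG = """
{"session_id": "s1", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "headers": ["accept", "accept-language", "accept-encoding", "user-agent", "cookie"]}
{"session_id": "s1", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "headers": ["accept", "accept-language", "accept-encoding", "user-agent", "cookie"]}
{"session_id": "s2", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (X11; Linux) Firefox/121", "headers": ["accept", "user-agent"]}
{"session_id": "s2", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17", "headers": ["accept", "user-agent"]}
{"session_id": "s2", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (iPhone) Mobile Safari", "headers": ["accept", "user-agent"]}
"""


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def missing_headers(entry):
    """Return the expected browser headers that this request did not carry."""
    present = {h.lower() for h in entry["headers"]}
    return sorted(EXPECTED_HEADERS - present)


def analyse(entries):
    """Return {session_id: [reasons]} for sessions that look automated."""
    by_session = defaultdict(list)
    for entry in entries:
        by_session[entry["session_id"]].append(entry)

    findings = {}
    for session_id, requests in by_session.items():
        reasons = []
        agents = {r["user_agent"] for r in requests}
        if len(agents) > 1:
            # One session cookie, several browsers: the client story is inconsistent.
            reasons.append(f"{len(agents)} distinct User-Agents in one session")
        incomplete = [r for r in requests if missing_headers(r)]
        if incomplete:
            reasons.append(f"{len(incomplete)} requests missing usual browser headers")
        if reasons:
            findings[session_id] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in analyse(parse_log(SAMPLE_LOG)).items():
        print(sid, "->", "; ".join(reasons))
```

Neither signal is conclusive on its own: a user can switch networks, and a privacy extension can trim headers. The finding should feed a score or a challenge rather than a hard block; the useful observation is that rotation inside one session cookie contradicts the browser story the headers are telling.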
17. EDGE ENUMERATION
Check Every System
• Find ASNs owned by target (ARIN, etc.)
• Find domains owned by target to uncover additional ASNs (WHOIS)
• Find which IPs are hosting web servers (ScanCannon)
• Enumerate paths to find forms, APIs, data, etc. (wfuzz, etc.)
Smash DNS
•Find ASNs owned by target (ARIN, etc.)
•Find domains owned by target to uncover additional ASNs
•Reverse Lookup on IPs to DNS names (human-language indicators)
•DNS History lookups
•DNS Zone Transfers
•DNS name fuzzing
18. EDGE ENUMERATION
Round-Robin the Edge Nodes
•Discover all edge nodes
•Hit one until it blocks you, then hit the next
•This exploits the sync delay (often 15 minutes) and conserves IPs
Unprotected Paths
•Layer 7 WAFs & their associated CDNs have path rules
•One application may have multiple login portal paths
•Some of these may be accidental or intentionally unprotected
Smash the API
•APIs are almost never fully-protected; often not at all
•Great if all you need is to steal data
•Can also be used to “test” credentials
19. Find the Origins
•Use previous enumeration (look for “origin” in DNS)
•UUID or hash DNS names
•Hitting these bypasses the WAF completely
•Watch out for firewalls
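The slide above only works when the origin accepts traffic from anywhere. The check below is an added example, not code from the talk or from any WAF vendor, showing what the "watch out for firewalls" bullet looks like from the origin's side: the source address must fall inside the provider's edge ranges, and the request must carry a secret header that only the edge injects. The CIDRs, the X-Edge-Auth header name and the secret are constructed placeholders; a real deployment uses the provider's published edge ranges and a secret configured on the edge.

```python
"""Refuse requests that reached the origin without passing through the WAF/CDN edge.

Added illustration, not code from the talk or from any vendor. The edge ranges,
the header name and the secret below are constructed placeholders.
"""
import hmac
import ipaddress

# Placeholder CIDRs standing in for the WAF/CDN provider's published edge ranges.
EDGE_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:ed9e::/48"),
]
# Placeholder secret; in practice loaded from configuration and rotated.
EDGE_SECRET = b"replace-me-with-a-long-random-secret"
# Header the edge adds to every forwarded request (name is an assumption).
EDGE_HEADER = "x-edge-auth"


def from_edge_network(remote_ip):
    """True if the connecting address belongs to one of the edge ranges."""
    addr = ipaddress.ip_address(remote_ip)
    # Membership is False when the address family differs, so v4/v6 mix safely.
    return any(addr in net for net in EDGE_NETWORKS)


def has_valid_edge_secret(headers):
    """True if the edge secret header is present and matches (constant time)."""
    presented = headers.get(EDGE_HEADER)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), EDGE_SECRET)


def admit(remote_ip, headers):
    """Return (allowed, reason). Both the address and the header check must pass."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not from_edge_network(remote_ip):
        return False, "source address outside edge ranges"
    if not has_valid_edge_secret(headers):
        return False, "missing or wrong edge secret header"
    return True, "ok"


if __name__ == "__main__":
    print(admit("192.0.2.17", {"X-Edge-Auth": EDGE_SECRET.decode()}))
    print(admit("203.0.113.5", {"X-Edge-Auth": EDGE_SECRET.decode()}))
```

Both checks are needed: the address check alone fails when the edge ranges are shared with other tenants of the same provider, and the header check alone fails the day the secret leaks. Mutual TLS between edge and origin is the stronger form of the same idea where the provider supports it. Keeping the origin out of DNS under guessable names still matters; this check is the backstop for when it is found anyway.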
SOPHISTICATED WAFs
Ditch the Script, Share the Cookies
•Identify and block WAF JavaScript snippets
•*RUN* WAF JavaScript and replay the resulting fingerprint cookie
OR. . .
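The "share the cookies" approach above works when the fingerprint cookie is accepted from any client that presents it. As an added example, not Kasada's or any vendor's real scheme, the code below issues a challenge-result cookie that is HMAC-signed, bound to a hash of the client address and User-Agent, and valid only for a few minutes, so a result obtained by one worker cannot be replayed by others on different addresses. The cookie layout, the binding fields, the key and the lifetime are constructed for this illustration.

```python
"""Issue and verify a fingerprint cookie bound to the client and short-lived.

Added illustration, not Kasada's or any WAF vendor's scheme. The cookie layout,
the binding fields, the key and the lifetime are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time

COOKIE_KEY = b"placeholder-server-side-key"  # placeholder; real key comes from config
COOKIE_TTL = 300  # seconds a challenge result stays valid (constructed value)


def _binding(client_ip, user_agent):
    """Hash the attributes the cookie is tied to, so the cookie does not expose them."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def issue_cookie(client_ip, user_agent, now=None):
    """Create 'body.tag' where body is base64 JSON and tag is HMAC-SHA256 over body."""
    payload = {"b": _binding(client_ip, user_agent), "t": int(now or time.time())}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie, client_ip, user_agent, now=None):
    """Return (ok, reason); the presenting client must match the bound client."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if payload["b"] != _binding(client_ip, user_agent):
        return False, "cookie bound to a different client"
    if (now or time.time()) - payload["t"] > COOKIE_TTL:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    c = issue_cookie("203.0.113.10", "Mozilla/5.0 Chrome/120")
    print(verify_cookie(c, "203.0.113.10", "Mozilla/5.0 Chrome/120"))
    print(verify_cookie(c, "198.51.100.7", "Mozilla/5.0 Chrome/120"))
```

Binding does not stop a client that actually executes the challenge script; it stops that result being handed to other workers on other addresses, which is what makes the replay cheap. A short lifetime limits what a single solved challenge is worth, and the server-side key must never reach the client.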
21. AUTOMATE A REAL BROWSER
•Headless Chrome •Puppeteer •Selenium
•Looks like human activity
•Practically undetectable
•Scriptable AF
•Executes JavaScript
•Properly leverages Cookies
•Multiple instances per IP
https://github.com/GoogleChrome/puppeteer
23. SUMMARY:
•Rotate IP Addresses
• Use Residential IPs
•Use the Usual HTTP Headers
•Use Postman
•Rotate your User-Agents
•Rotate session cookies
•Rotate between targets
•Hit the Origin directly
•Use a Web Driver
• Change the stock config!
24. Johnny Xmas, CISSP, GIAC, GPEN
THANKS FOR PLAYING!
Johnny.Xmas@Kasada.io
@J0hnnyXm4s
https://www.github.com/johnnyxmas/Talk_Decks