Attacking WAF

a guest
Jan 4th, 2017
WAF Evasion/Bypass

#Notes#

Pre-processor exploitation

* How does the WAF handle unknown parameters? Reject? Convert?

+ PHP removes whitespace from parameters or transforms it into underscores

+ ASP removes a % character that is not followed by two hexadecimal digits

* Misconfigured web servers may accept malformed HTTP methods

* A WAF that only inspects GET and POST requests may be bypassed

HTTP Parameter Pollution

* The WAF sees two individual parameters and may not detect the payload

+ Payload [?productid=select 1,2,3 from table] can be divided into [?productid=select 1&productid=2,3 from table]

* Double URL encoding

+ ['s' -> %73 -> %25%37%33]

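Each of the three notes above (pre-processor quirks, parameter pollution, double encoding) is the same defect seen from the WAF side: the inspector reads the request differently from the back end. The Python below is an added illustration, not part of the original paste, of how an inspector closes that gap by first modelling the back end's own parsing and only then matching. The back-end rules are the ones the notes state (PHP mapping whitespace to underscores, ASP dropping a bare %) plus the documented duplicate-parameter handling (PHP keeps the last value, classic ASP joins duplicates with a comma); `SQL_SIGNATURE` is a placeholder for a single rule, not a real rule set, and the inputs are constructed from the note's own example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Cap on decoding passes so a hostile input cannot keep the inspector looping.
MAX_DECODE_ROUNDS = 3

# Placeholder signature matching the shape of the note's example payload
# (a SELECT ... FROM inside one value). A real WAF rule set is far larger.
SQL_SIGNATURE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)


def fully_decode(value: str) -> str:
    """URL-decode until the value stops changing, so '%25%37%33' -> '%73' -> 's'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def php_param_name(name: str) -> str:
    """PHP turns spaces and dots in a parameter name into underscores before the script sees it."""
    return re.sub(r"[ .]", "_", name)


def asp_strip_bare_percent(value: str) -> str:
    """ASP behaviour from the notes: a '%' not followed by two hex digits is dropped."""
    return re.sub(r"%(?![0-9A-Fa-f]{2})", "", value)


def backend_view(query: str, backend: str) -> dict:
    """Return the query parameters as the named back end would actually see them."""
    seen: dict = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        name = fully_decode(name)
        value = fully_decode(value)
        if backend == "php":
            name = php_param_name(name)
            seen[name] = value  # PHP keeps only the last duplicate
        elif backend == "asp":
            value = asp_strip_bare_percent(value)
            # Classic ASP joins duplicate parameters with a comma, which is
            # exactly what reassembles the note's split payload.
            seen[name] = f"{seen[name]},{value}" if name in seen else value
        else:
            raise ValueError(f"unknown backend {backend!r}")
    return seen


def inspect_raw_pairs(query: str) -> list:
    """Naive inspector: matches each raw name/value pair on its own (misses HPP)."""
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if SQL_SIGNATURE.search(value)]


def inspect_as_backend(query: str, backend: str) -> list:
    """Inspector that normalizes the request the way the back end will, then matches."""
    return [name for name, value in backend_view(query, backend).items()
            if SQL_SIGNATURE.search(value)]


if __name__ == "__main__":
    # Constructed input taken from the note's HTTP Parameter Pollution example.
    hpp = "productid=select 1&productid=2,3 from table"
    print("raw pairs flagged:   ", inspect_raw_pairs(hpp))           # []
    print("asp-normalized flagged:", inspect_as_backend(hpp, "asp"))  # ['productid']
    print("double-decoded:", fully_decode("%25%37%33"))               # s
```

The point of `backend_view` is that the normalization is per back end: the same query is a single `select 1,2,3 from table` for ASP but only `2,3 from table` for PHP, so an inspector that does not know which stack sits behind it cannot pick the right view. That is the defensive mirror of the "knowledge about back end technologies is needed" line in the Approach section.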
#Approach#

1. Recon
* Web server
* Language
* WAF and security model (offensive/defensive)
* Internal IP/naming

2. Attack the WAF pre-processor

+ Objective: make the WAF skip input validation

* Identify which parts of an HTTP request are inspected by the WAF to develop an exploit:
* Send individual requests that differ in the location of the payload
* Observe which requests are blocked
* Attempt to develop an exploit

3. Finding an impedance mismatch

+ Objective: make the WAF interpret a request differently than the back end, so that it does not detect the attack

* Knowledge about back end technologies is needed

4. Bypassing the rule set

+ Objective: find a payload that is not blocked by the WAF's rule set

* Brute force by sending different payloads
* Reverse-engineer the rule set in a trial-and-error approach:
* Send symbols and keywords that may be useful to craft a payload
* Observe which are blocked
* Attempt to develop an exploit based on the results of the previous steps