- WAF Evasion/Bypass
- #Notes#
- Pre-processor exploitation
- * How does WAF handle unknown parameters? reject? convert?
- + PHP removes whitespace from parameter names or transforms it into underscores
- + ASP removes % character that is not followed by two hexadecimal digits
- * Misconfigured web servers may accept malformed HTTP methods
- * A WAF that only inspects GET and POST requests may be bypassed
- HTTP Parameter Pollution
- * WAF sees two individual parameters and may not detect the payload
- + Payload [?productid=select 1,2,3 from table] can be divided into [?productid=select 1&productid=2,3 from table]
- * Double URL encoding
- + ['s' -> %73 -> %25%37%33]
- #Approach#
- 1. Recon
- * Web server
- * Language
- * WAF and security model (offensive/defensive)
- * Internal IP/naming
- 2. Attack WAF pre-processor
- + Objective: Make WAF skip input validation
- * Identify which parts of an HTTP request are inspected by the WAF to develop an exploit:
- * Send individual requests that differ in the location of a payload
- * Observe which requests are blocked
- * Attempt to develop an exploit
- 3. Finding an impedance mismatch
- + Objective: make the WAF interpret a request differently than the back end and therefore not detect it
- * Knowledge about back end technologies is needed
- 4. Bypassing rule set
- + Objective: find a payload that is not blocked by the WAF's rule set
- * Brute force by sending different payloads
- * Reverse-engineer the rule set in a trial-and-error approach:
- * Send symbols and keywords that may be useful to craft a payload
- * Observe which are blocked
- * Attempt to develop an exploit based on the results of the previous steps
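A defender-side illustration of the impedance mismatch (step 3) and of the parameter pollution and double URL encoding items in the notes: the inspection layer canonicalizes the query string the way the back end will before applying a rule, so a split or double-encoded value is judged in its reassembled form. This is an added example, not from the original notes; the PHP name mangling and the ASP.NET comma-joining of duplicates are approximations stated as assumptions, and the SQL signature is a toy rule.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # enough to undo double encoding without looping forever

def fully_decode(value, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the value stops changing, so %25%37%33 -> %73 -> s."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def php_param_name(name):
    """Approximation (assumption) of PHP's parameter-name mangling: leading
    spaces are dropped, remaining spaces and dots become underscores."""
    return name.lstrip(" ").replace(" ", "_").replace(".", "_")

def canonicalize_query(query, dup_policy="last"):
    """Return {name: value} as the back end would see it.
    dup_policy "last": the last duplicate wins (PHP-style); "concat": duplicates
    are comma-joined (ASP.NET-style, assumption), which reassembles split values."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name = php_param_name(fully_decode(raw_name))
        value = fully_decode(raw_value.replace("+", " "))
        if name in params and dup_policy == "concat":
            params[name] = params[name] + "," + value
        else:
            params[name] = value
    return params

# Toy signature standing in for a real rule set: SELECT ... FROM inside one value.
SQL_SIGNATURE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE | re.DOTALL)

def inspect_query(query, backend="php"):
    """Names of parameters whose canonical value matches the signature."""
    policy = "concat" if backend == "aspnet" else "last"
    params = canonicalize_query(query, policy)
    return [name for name, value in params.items() if SQL_SIGNATURE.search(value)]

if __name__ == "__main__":
    # Constructed inputs mirroring the notes above.
    split = "productid=select%201&productid=2,3%20from%20table"  # parameter pollution
    double = "q=%25%37%33elect%201%20from%20t"                    # double URL encoding
    print(inspect_query(split, "aspnet"), inspect_query(split, "php"))  # ['productid'] []
    print(inspect_query(double, "php"))                                 # ['q']
```

The same split request is flagged under the comma-joining back end and not under the last-wins one, which is the point: the inspection result is only meaningful when the canonicalization matches the back end actually deployed.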