Attacking WAF

a guest, Jan 4th, 2017
WAF Evasion/Bypass

#Notes#

    Pre-processor exploitation

        * How does the WAF handle unknown parameters? Reject? Convert?

            + PHP removes whitespace from parameters or transforms it into underscores

            + ASP removes a % character that is not followed by two hexadecimal digits

        * Misconfigured web servers may accept malformed HTTP methods

            * A WAF that only inspects GET and POST requests may be bypassed

    HTTP Parameter Pollution

        * The WAF sees two individual parameters and may not detect the payload

            + The payload [?productid=select 1,2,3 from table] can be divided into [?productid=select 1&productid=2,3 from table]

        * Double URL encoding

            + ['s' -> %73 -> %25%37%33]
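As an added example (not part of the original paste), the Python below shows how a WAF-side normalizer can close the two gaps noted above before its rules run: it percent-decodes each parameter until the text stops changing (so %25%37%33 is inspected as 's', not '%73'), mangles parameter names the way PHP is assumed to, and joins duplicate parameters (comma-join is an assumed back-end behaviour) so an HPP-split payload is matched as one string. The sample query strings and the single SELECT...FROM rule are constructed stand-ins, not a real rule set.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings (not from the paste) to exercise the normalizer.
SAMPLE_QUERIES = {"hpp_split": "productid=select 1&productid=2,3 from table",
                  "double_encoded": "q=%25%37%33elect%201,2,3%20from%20table",
                  "benign": "productid=42&page=2"}
# Deliberately simplified stand-in for a WAF rule: a SELECT ... FROM shape in one value.
SQLI_RULE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE | re.DOTALL)

def decode_until_stable(text, max_rounds=3):
    """Percent-decode until the text stops changing; returns (decoded, rounds).
    rounds > 1 means multiple encoding: a WAF that decodes once inspects a different
    string than a back end that decodes again (%25%37%33 -> %73 -> s)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def normalize_name(name):
    """Assumed PHP-style mangling: spaces and dots in a parameter name become '_'."""
    return re.sub(r"[ .]", "_", name)

def canonicalize(raw_query):
    """Return (params, anomalies): the back end's likely view of the query string.
    Duplicate names are joined with ',' (assumed back-end behaviour), so a payload
    split across repeated parameters is inspected as one string."""
    params, anomalies = {}, []
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        name = normalize_name(decode_until_stable(name)[0])
        value, rounds = decode_until_stable(value)
        if rounds > 1:
            anomalies.append(f"double-encoding:{name}")
        if name in params:
            anomalies.append(f"duplicate-parameter:{name}")
            params[name] += "," + value
        else:
            params[name] = value
    return params, anomalies

def inspect(raw_query):
    """Apply the rule to the canonical view: anomalies are logged, rule hits block."""
    params, anomalies = canonicalize(raw_query)
    hits = [name for name, value in params.items() if SQLI_RULE.search(value)]
    return {"blocked": bool(hits), "rule_hits": hits, "anomalies": anomalies}
```

Inspecting each half of the split payload on its own ("select 1", "2,3 from table") matches nothing; only the merged view does, which is why the anomalies are worth logging even when no rule fires.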
#Approach#

    1. Recon
        * Web server
        * Language
        * WAF and security model (offensive/defensive)
        * Internal IP/naming

    2. Attack the WAF pre-processor

        + Objective: make the WAF skip input validation

        * Identify which parts of an HTTP request are inspected by the WAF to develop an exploit:
            * Send individual requests that differ in the location of a payload
            * Observe which requests are blocked
            * Attempt to develop an exploit

    3. Finding an impedance mismatch

        + Objective: make the WAF interpret a request differently than the back end, so that the request is not detected

        * Knowledge about back end technologies is needed

    4. Bypassing the rule set

        + Objective: find a payload that is not blocked by the WAF's rule set

        * Brute force by sending different payloads
        * Reverse-engineer the rule set with a trial-and-error approach:
            * Send symbols and keywords that may be useful to craft a payload
            * Observe which are blocked
            * Attempt to develop an exploit based on the results of the previous steps