WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behavior - Soroush Dalili

7,783 views

OWASP Foundation

1 day ago

OWASP AppSec EU 2018 Hacker Track - Day 2, talk 5
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Managed by the official OWASP Media Project www.owasp.org/...

Comments: 6
@domaincontroller 4 years ago
00:48 we don't have enough time
02:20 XSS, SQLi, access denied
02:50 WAFs are based on whitelists or blacklists; whitelists are more secure, blacklists are less secure, are very hard to configure, high maintenance
03:10 whitelist WAFs: very hard to be trained, to be configured
03:37 blacklists on the other hand are cheap
04:01 blacklist ones are the most popular ones
04:06 WAFs in the cloud
05:35 WAF bypass categories
05:47 new or missed payloads
07:01 payload delivery
07:23 for example, blog post, issue, vulnerability, WAF couldn't understand SSL cipher twitter.com/irsdl/status/1014078211809075200?s=20
============================================ HTTP 0.9 ============================================
08:16 HTTP
08:36 HTTP v0.9, very old, doesn't support headers, GET / that's it
09:16 what can go wrong with HTTP 0.9?
09:30 during my research I realized that all the web servers that I was testing were supporting HTTP 0.9
10:08 Apache Tomcat
10:32 Hiding Wookiees in HTTP kzbin.info/www/bejne/moe4apxrhdiAhrs
11:00 So how can you send HTTP v0.9? Fiddler, ZAP, I tried Burp Suite, Wireshark
11:15 telnet, netcat, OpenSSL
11:37 Burp, HTTP pipelining
13:02 first example, content heading, two requests at the same time
15:48 blocked the word admin
18:16 python DIY
============================================ Request Mutation ============================================
18:44 request mutation, HTTP parameter pollution
19:39 misshaped requests: read the RFCs, find the vulnerabilities, find the vague statements, recommended, any servers or proxy in the middle may have implemented differently, cannot even be parsed by WAF
21:40 custom implementation, fuzz it, semicolon character, ampersand
24:24 content encoding, you can use it in the request as well as in the response, request encoding is challenging
26:30 HTTP smuggler
28:50 side effect, ASP.NET AntiXSS, useful, stored XSS, bypass some validation
33:15 How can you stop that? request encoding
============================================ TESTCASES ============================================
34:02 testcase walkthrough
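The parser differential behind the 21:40 note above (a WAF and a backend disagreeing on whether ';' separates query parameters, so the two see different parameter sets), shown from the inspecting side in an added Python example that is not code from the talk, the commenter or the Burp extension; the separator sets and the sample query string are assumptions:

```python
from urllib.parse import unquote_plus


def parse_query(qs, separators):
    """Split a raw query string into {name: [values]} using the given
    separator characters. Servers disagree on whether ';' separates
    parameters, which is exactly the ambiguity a blacklist WAF can miss
    if it only parses the way it expects the backend to."""
    params = {}
    # Fold every accepted separator onto the first one, then split once.
    for sep in separators[1:]:
        qs = qs.replace(sep, separators[0])
    for part in qs.split(separators[0]):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def ambiguous_params(qs):
    """Names whose value lists differ between an '&'-only reading and an
    '&'-or-';' reading. A non-empty result means two components in the
    request path may not be looking at the same parameters, so an inspecting
    layer should normalise or reject the request rather than guess."""
    strict = parse_query(qs, "&")
    loose = parse_query(qs, "&;")
    names = set(strict) | set(loose)
    return sorted(n for n in names if strict.get(n) != loose.get(n))


# Constructed sample (assumption, not from the talk): under '&'-only parsing
# there is one parameter "user" carrying "alice;debug=1"; under '&'/';'
# parsing there are two parameters, "user" and "debug".
SAMPLE = "user=alice;debug=1&page=2"

if __name__ == "__main__":
    print("ambiguous:", ambiguous_params(SAMPLE))  # -> ['debug', 'user']
```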
@brs2379 8 months ago
Can't see the slides
@demiscuzz6427 2 months ago
Has anyone got these slides?
@jiayaoou8254 4 years ago
Any ppt show?
@pwnweb5734 4 years ago
www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour