Wednesday, June 3, 2015

WAF Bypass at Positive Hack Days V

As it did last year, the PHDays forum on information security hosted the WAF Bypass contest again this year. The participants tried to bypass the protection of PT Application Firewall, a Positive Technologies product. For the contest, the organizers built the site Choo Roads, which contained common vulnerabilities: Cross-Site Scripting, SQL Injection, XML External Entities Injection, and Open Redirect. Exploiting one of the vulnerabilities gave a participant a flag in MD5 format and scored points. The MD5 flags were placed in the file system, the database, and cookie parameters, and a special bot built with Selenium acted as the victim that the flag-retrieving payloads had to reach.

The contest WAF was deliberately configured so that bypasses were possible, but the participants also came up with unusual solutions. That was in fact the goal of the contest: participants got the chance to test themselves at bypassing protection mechanisms, and we get to improve our product based on the results. Let's have a look at the vulnerabilities and the bypass techniques.


SQL Injection

The vulnerability was in the script that tracked user activity on the site.

POST /online.php HTTP/1.1
Connection: keep-alive
Content-Length: 24
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36


The value of the timestamp field in the JSON body of the POST request was used in the SQL query without validation:
To bypass the check, it was enough to change Content-Type to text/xml: the POST body was then no longer parsed as JSON, so the check that applied to JSON parameters did not run (the check was disabled).
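The failure mode above is a body inspection that keys on the client-supplied Content-Type. The following added example (not PT Application Firewall's code) models a naive rule for the online.php endpoint next to a hardened one that decides by the body's content, plus the strict parsing the back end should do before the value reaches a query. The header handling and the "non-negative integer" rule for timestamp are assumptions; the write-up only states that JSON was inspected when declared.

```python
import json

# Added example. Models a WAF rule for the online.php endpoint from the write-up;
# the exact rule (timestamp must be a non-negative integer) is an assumption.

def _declared_type(headers):
    """Media type from Content-Type, without parameters, lower-cased."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()

def _check_timestamp(body):
    """Shared rule: the timestamp field must be a non-negative integer."""
    try:
        data = json.loads(body)
    except ValueError:
        return "block"                      # not JSON at all
    ts = data.get("timestamp") if isinstance(data, dict) else None
    if isinstance(ts, bool) or not isinstance(ts, int) or ts < 0:
        return "block"                      # strings, floats, objects: refused
    return "pass"

def naive_inspect(headers, body):
    """Trusts the client: the JSON rule runs only when application/json is declared."""
    if _declared_type(headers) != "application/json":
        return "pass"                       # text/xml etc. skip the rule entirely
    return _check_timestamp(body)

def hardened_inspect(headers, body):
    """Decides by content: anything that looks like JSON gets the JSON rule."""
    looks_like_json = body.lstrip().startswith(("{", "["))
    if _declared_type(headers) == "application/json" or looks_like_json:
        return _check_timestamp(body)
    return "pass"

def app_timestamp(body):
    """Back-end side: parse the field strictly before it gets near a query."""
    ts = json.loads(body)["timestamp"]
    if isinstance(ts, bool) or not isinstance(ts, int):
        raise ValueError("timestamp must be an integer")
    return ts

def app_accepts(body):
    """True if the back end would accept the body's timestamp."""
    try:
        app_timestamp(body)
        return True
    except (ValueError, KeyError, TypeError):
        return False

if __name__ == "__main__":
    # Constructed requests: a well-formed one and one whose timestamp is a string.
    good = '{"timestamp": 1433300000}'
    bad = '{"timestamp": "1433300000 OR 1=1"}'
    for hdr in ({"Content-Type": "application/json"}, {"Content-Type": "text/xml"}):
        print(hdr["Content-Type"], naive_inspect(hdr, bad), hardened_inspect(hdr, bad))
    print("back end accepts bad body:", app_accepts(bad))
```

Because the hardened inspector no longer depends on the declared type, relabelling the body as text/xml changes nothing; the back-end check is the one that matters regardless, since the WAF is a compensating control, not the fix.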

XSD validation

The site had a ticket search form that built an XML document and sent the request to the back end.
The XML request was validated against an XSD schema.

According to the schema, the id attribute had to contain 35 characters. The attribute value was inserted into the SQL query without any further validation, so the bypass required a vector that satisfies the XSD constraint.
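A length constraint in a schema is not input validation for SQL. The added example below (not the contest site's code) reproduces the situation with Python's standard library: a 35-character check stands in for the XSD constraint, a string-built query stands in for the vulnerable back end, and a bound parameter shows the fix. The tickets table, the ticket values and the alphanumeric id format enforced by ID_PATTERN are all constructed for the example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Added example, not the contest back end. Only the 35-character rule comes
# from the write-up; the id alphabet and the table contents are constructed.
ID_LENGTH = 35
ID_PATTERN = re.compile(r"[A-Za-z0-9]{35}")      # assumed real ticket-id format

def id_from_request(xml_text):
    """Pull the id attribute from the search request's root element."""
    return ET.fromstring(xml_text).get("id", "")

def passes_schema_length(ticket_id):
    """Stand-in for the XSD check: 35 characters, any characters at all."""
    return len(ticket_id) == ID_LENGTH

def passes_format(ticket_id):
    """Tightened check: exactly 35 characters from the id alphabet only."""
    return ID_PATTERN.fullmatch(ticket_id) is not None

def make_db():
    """Constructed in-memory table with two tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?)", [("A" * 35,), ("B" * 35,)])
    return conn

def unsafe_lookup(conn, ticket_id):
    """String-built query, the pattern the write-up describes for the back end."""
    return conn.execute(f"SELECT id FROM tickets WHERE id = '{ticket_id}'").fetchall()

def safe_lookup(conn, ticket_id):
    """Bound parameter: the value is data and cannot change the query's structure."""
    return conn.execute("SELECT id FROM tickets WHERE id = ?", (ticket_id,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # A value that is 35 characters long but is not an id at all.
    crafted = "' OR 1=1 OR id='"
    crafted += " " * (ID_LENGTH - len(crafted))
    ticket_id = id_from_request(f'<search id="{crafted}"/>')
    print("length check:", passes_schema_length(ticket_id))
    print("format check:", passes_format(ticket_id))
    print("string-built query rows:", len(unsafe_lookup(conn, ticket_id)))
    print("parameterised query rows:", len(safe_lookup(conn, ticket_id)))
```

The schema-length check and the format check both have their place, but only the bound parameter removes the problem: with it, a value that satisfies the schema yet contains quote characters simply matches no row.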

Open Redirect

The vulnerability was in the "to" parameter of the script redirect.php. The flag was placed in the fragment part of the URL to which the redirect was performed, so it never reached the server side. To get the flag, you had to send the bot to a site of your own with a page that read the value from location.hash and passed it on to the logger.

Bypassing options: to=http%3a//\..\\
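The vector works because different URL parsers disagree about backslashes. A redirect handler should therefore not try to recognise "bad" targets; it should fold backslashes into slashes the way browsers do, parse once, and accept only a same-site path or an allowlisted host. The added example below (not the contest site's code) does that for the decoded "to" value; the allowlisted host name chooroads.example is constructed, since the write-up does not give the real one.

```python
from urllib.parse import urlsplit

# Added example. Hosts the redirect.php "to" parameter may point at; the name
# is constructed, the write-up does not state the contest site's host.
ALLOWED_HOSTS = {"chooroads.example"}

def normalize_target(target):
    """Browsers treat '\\' like '/' in http(s) URLs, so fold them before parsing."""
    return target.strip().replace("\\", "/")

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site path or an absolute URL on an allowlisted host."""
    t = normalize_target(target)
    # Same-origin relative path: one leading slash, not '//' (protocol-relative).
    if t.startswith("/") and not t.startswith("//"):
        return True
    parts = urlsplit(t)
    if parts.scheme not in ("http", "https"):
        return False                  # javascript:, data:, scheme-less, ...
    # .hostname drops userinfo ('trusted@evil'), drops the port and lower-cases,
    # and is None when the authority is empty, as it is for the contest vector.
    return parts.hostname in allowed_hosts

def redirect_location(target, fallback="/"):
    """Value for the Location header of redirect.php?to=<target>."""
    return normalize_target(target) if is_safe_redirect(target) else fallback

if __name__ == "__main__":
    # Constructed inputs, already URL-decoded as the script would receive them.
    for t in ("/tickets/search", "https://chooroads.example/tickets",
              "http://\\..\\\\", "//evil.example/", "/\\evil.example",
              "http://chooroads.example@evil.example/", "javascript:void(0)"):
        print(f"{t!r:45} -> {redirect_location(t)}")
```

Note that nothing here inspects the fragment: the flag in location.hash never reaches the server, so the only server-side control is where the user may be sent at all.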

XML External Entities Injection

The script that handled XML data was vulnerable to XXE. The bypass required declaring the external entity inside a parameter entity:

It was also possible to bypass the check by encoding the request in UTF-16.
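Both bypasses above target the inspection, not the parser: a parameter entity dodges a rule written for ordinary entities, and UTF-16 dodges a rule written for ASCII bytes. The added example below (Python's expat, not the contest back end) shows the two defender-side fixes: inspect the body only after decoding it the way the parser will, and have the parser itself refuse any DOCTYPE, which is where every kind of entity is declared. The sample documents are constructed.

```python
import codecs
import xml.parsers.expat as expat

# Added example; the parser is Python's expat, not the contest back end's.

class DoctypeNotAllowed(ValueError):
    """Raised when an untrusted document carries a DTD (where entities live)."""

def _to_text(data):
    """Decode by BOM so the inspection sees the same text the parser will."""
    for bom, enc in ((codecs.BOM_UTF8, "utf-8"),
                     (codecs.BOM_UTF16_LE, "utf-16-le"),
                     (codecs.BOM_UTF16_BE, "utf-16-be")):
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    return data.decode("utf-8", errors="replace")

def declares_doctype_naive(data):
    """Byte-level signature check; blind to a UTF-16 encoded body."""
    return b"<!DOCTYPE" in data.upper()

def declares_doctype(data):
    """Same signature, applied after decoding."""
    return "<!DOCTYPE" in _to_text(data).upper()

def parse_untrusted_xml(data):
    """Parse bytes into {'tag', 'attrs'} of the root; any DOCTYPE aborts the parse."""
    parser = expat.ParserCreate()
    result = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for internal, external and parameter entities alike, and
        # after expat has already handled the document's encoding.
        raise DoctypeNotAllowed("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        result.setdefault("tag", name)
        result.setdefault("attrs", attrs)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return result

def accepts(data):
    """True if the hardened parser accepts the document."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DoctypeNotAllowed, expat.ExpatError):
        return False

if __name__ == "__main__":
    # Constructed bodies: a plain request, and the same DTD in UTF-8 and UTF-16.
    plain = b'<ticket id="abc"/>'
    utf8_dtd = b'<?xml version="1.0"?><!DOCTYPE t [<!ENTITY e "x">]><t/>'
    utf16_dtd = '<!DOCTYPE t [<!ENTITY e "x">]><t/>'.encode("utf-16")
    for label, body in (("plain", plain), ("utf8 dtd", utf8_dtd), ("utf16 dtd", utf16_dtd)):
        print(f"{label:10} naive={declares_doctype_naive(body)!s:5} "
              f"decoded={declares_doctype(body)!s:5} parser accepts={accepts(body)}")
```

The decoded signature check is the cheap pre-filter; the parser-level refusal is the control that holds, because expat has already resolved the encoding by the time the DOCTYPE handler runs.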

Cross-Site Scripting

The vulnerability was in the site's search page. To obtain the flag, you had to make the bot send its cookies to your site. The bypass relied on non-standard tag attributes that bootstrap-validator processes, which made it possible to execute JavaScript:
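The lesson of this vector is that a client-side library reading configuration from markup turns attribute injection into code execution, even when no script tag or on* handler survives. Two defences follow. If the search page only needs to echo a term, encode it entirely. If it must echo markup, an allowlist sanitizer that drops every attribute it does not know (so data-* hooks and event handlers never reach the page) is the right shape. The added example below (not the contest site's code) implements both with Python's standard library; the tag and attribute allowlist is constructed, and the data-bv-* attribute in the demonstration is assumed to be of the kind bootstrap-validator reads.

```python
from html import escape
from html.parser import HTMLParser

# Added example. Constructed allowlist: tags a results page might echo, with
# the attributes each may carry. Everything else is dropped.
ALLOWED_TAGS = {"b": set(), "i": set(), "em": set(), "strong": set(), "a": {"href"}}

def _safe_href(value):
    """Absolute http(s) or a same-site path; no scheme-less or protocol-relative."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return True
    return v.startswith("/") and not v.startswith(("//", "/\\"))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags emitted but not yet closed
        self.skip_depth = 0     # >0 inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            return                      # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue                # on*, data-*, style, anything unlisted
            if name == "href" and not _safe_href(value):
                continue                # javascript:, data:, //host, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            while self.open_tags:       # also close anything left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(fragment):
    """Rebuild a fragment from the allowlist only, closing what was left open."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    while p.open_tags:
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)

def reflect_search_term(term):
    """For a plain search term no markup is needed: encode everything."""
    return escape(term, quote=True)

if __name__ == "__main__":
    # Constructed fragments, including a data-bv-* attribute of the kind a
    # validator library reads from markup (assumed naming).
    for frag in ('<b data-bv-notempty="true" onmouseover="x()">hi</b>',
                 '<script>alert(1)</script>text',
                 '<a href="javascript:x()">l</a>',
                 '<em>unclosed'):
        print(repr(frag), "->", repr(sanitize(frag)))
    print(repr(reflect_search_term('<b>')))
```

The sanitizer is a stand-in for a maintained library in production, but its structure is the point: no attribute survives unless it was explicitly listed, which is what keeps library-specific hooks out of attacker-controlled markup.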



The winner of the contest is the bushwhackers team: Georgy Noseevich, Andrey Petukhov, and Alexander Razdobarov. The team solved all the tasks on the first day! (They won last year's competition as well.) Mikhail Stepankin (ArtSploit) took second place, and Eldar Zaitov (kyprizel) was third. The winner received an iPad Air 2, a Sony Xperia Z3 went to the second place, and the third place received a license for Burp Suite Professional.

During the contest, 271,390 requests were blocked (twice as many as during last year's contest). This time, 302 contestants registered (compared to 101 last year). Only 18 participants managed to capture at least one flag.

Thanks to everyone who took part in the contest.

