[OWASP-Bulgaria] G. Geshev - Web Application Firewalls from an Attacker's Perspective
- 1-3. Can't get there from here? The web application firewall from an attacker's perspective. Georgi Geshev, OWASP Bulgaria Chapter Leader, georgi.geshev@owasp.org, +359-884-237-207, 03.04.10. Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
- 4-5. Agenda. Part 1: Introduction. Why would you be interested in bypassing a WAF? Part 2: Real-World Stories. The ModSecurity SQL Injection Challenge.
- 6-10. Who's Who? Just in case you give a darn sh*t. About me: FOSS evangelist, Offsec enthusiast, Bug hunter, Internet troll.
- 11-15. Bypassing WAFs for fun and... Why would you hack around a WAF? Vulnerability assessment; penetration testing scenario; improving your own product; just for fun? ;)
- 16-21. What about the challenge? This is a SQL Injection and Filter Evasion Challenge: intentionally broken demo sites; the attacker's traffic is passed through a WAF proxy; identify a SQL injection vector within the target site; find out if there's a way to hack around the WAF proxy.
- 22. What about the challenge? (cont.) Targets: IBM (AppScan), Cenzic (HailStorm), HP (WebInspect), Acunetix (Acunetix).
- 23-24. Challenge Scenario (diagram): Hacker -> ModSecurity Proxy -> Targets.
- 25-29. Objectives: successfully enumerate the following information: Database Username(s), Database Name(s), Table Name(s), Column Name(s).
- 30-33. What about the challenge? (cont.) Levels: there are two levels; we focus on the second one. Level 1: Speed Hacking. Level 2: Filter Evasion.
- 34. The Winners: Johannes Dahse, Vladimir Vorontsov, PT Research, Ahmad Maulana, Travis Lee, Roberto Salgado, SQLMap Developers, HackPlayers, Georgi Geshev.
- 35. What about the techniques?
  - Less known and version specific features. Ex. MySQL comment extensions for conditional code execution.
  - Mixture of (unterminated) comments. Ex. double dash, C-style comments, etc.
  - Splitting the query across multiple locations. Ex. multiple GET/POST parameters.
  - Parameter pollution a.k.a. HPP.
  - Less known attack vector locations. Ex. cookies, file names/contents, etc.
  - Mixture of space separators and CR/LFs. Ex. %09, %0a, %0b, %0c, %0d, %a0.
- 36. Examples (pt. 1): Injection Fragmentation. Splitting up the SQLi payload so that no individual fragment triggers a filter; once the fragments are placed into the back-end SQL query, however, they combine to force true/false boolean logic.
- 37. Examples (pt. 2): HTTP Parameter Pollution. HPP lets an attacker leverage how ASP/ASP.NET-based applications treat multiple parameters with the same name: the values are concatenated into one, separated by commas.
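Both of these evasions, HPP merging (slide 37) and mixed separators (slide 35), are cases where the inspection engine sees a different string than the back end does. A defender closes the gap by canonicalising the request the way the protected application will parse it before matching rules. The following is an added example, not code from the talk or from ModSecurity; the back-end merge styles and the constructed query string are assumptions.

```python
"""Canonicalise a query string the way the back end will see it. Added
example, not the talk's code: covers HPP merging and mixed separators."""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Separator bytes named on slide 35. 0xa0 is not ASCII: decode as latin-1
# below, otherwise it turns into U+FFFD and a rule never sees a space.
SEPARATORS = re.compile(r"[\t\n\x0b\x0c\r\xa0 ]+")

def split_params(query):
    """Percent-decode into (name, value) pairs, preserving duplicates."""
    return parse_qsl(query, keep_blank_values=True, encoding="latin-1")

def merge_hpp(pairs, style="aspnet"):
    """Collapse duplicate names the way a given back end does (assumed styles).
    aspnet: join every value with ','  (the behaviour slide 37 describes)
    first : keep the first occurrence   last: keep the last occurrence
    Pick the style that matches the protected application."""
    merged = {}
    for name, value in pairs:
        if name not in merged:
            merged[name] = value
        elif style == "aspnet":
            merged[name] = merged[name] + "," + value
        elif style == "last":
            merged[name] = value
    return merged

def normalize_value(value):
    """Fold every separator the slide lists as a space equivalent into one space."""
    return SEPARATORS.sub(" ", value).strip()

def canonical_view(query, style="aspnet"):
    """What the inspection engine should match on: merged, then folded."""
    return {n: normalize_value(v) for n, v in merge_hpp(split_params(query), style).items()}

def hpp_names(pairs):
    """Names sent more than once: a cheap signal worth logging on its own."""
    return sorted(n for n, c in Counter(n for n, _ in pairs).items() if c > 1)

if __name__ == "__main__":
    # Constructed request; the tokens are placeholders, not a payload.
    q = "id=7&q=foo%09bar%0a%0bbaz%a0qux&id=9"
    print(canonical_view(q))           # {'id': '7,9', 'q': 'foo bar baz qux'}
    print(hpp_names(split_params(q)))  # ['id']
```

Run the canonical view through the rule set in addition to the raw parameters; the raw view alone is what the fragmented and separator-mixed submissions were designed to slip past.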
- 38. Examples (pt. 3): Tricky Comments. The intruder was able to leverage some platform and version specific attack techniques, exploiting the way the back-end database handles/interprets different types of comments.
- 39. Examples (pt. 4): Unusual Locations. In this case, the evasion was possible due to the attack vector location: Request Cookie data.
- 40. Statistics
  - Estimated number of participants: >650
  - Avg. number of requests to find an evasion: 433
  - Avg. duration (time to find an evasion): 72 hrs
  - Shortest number of requests to find an evasion: 118
  - Shortest duration (time to find an evasion): 10 hrs
- 41. Shout outs go to... All the OWASP enthusiasts around the globe, for being awesome. Ryan Barnett, for all the efforts. P. Serafimov, for kindly contributing to this talk ;)
- 42. References. OWASP ModSecurity Core Rule Set Project: http://goo.gl/H3f49. Challenge Announce: http://goo.gl/88EDL. Lessons Learned: http://goo.gl/gWLNP
- 43. Thanks for your time! P. S. Ping me for OWASP stickers.