1-3. OWASP Plan - Strawman
Can't get there from here? The web application firewall from an attacker's perspective.
Georgi Geshev, OWASP Bulgaria Leader
[email protected]
+359-884-237-207
03.04.10
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
4-5. Agenda
Part 1: Introduction. Why would you be interested in bypassing a WAF?
Part 2: Real-World Stories. The ModSecurity SQL Injection Challenge
6-10. Who's Who? Just in case you give a darn sh*t
About me: FOSS evangelist, Offsec enthusiast, Bug hunter, Internet troll
11-15. Bypassing WAFs for fun and... Why would you hack around a WAF?
- Vulnerability assessment
- Penetration testing scenario
- Improving your own product
- Just for fun? ;)
16-21. What about the challenge? This is a SQL Injection and Filter Evasion Challenge.
- Intentionally broken demo sites
- Attacker's traffic being passed through a WAF proxy
- Identify a SQL injection vector within the target site
- Find out if there's a way to hack around the WAF proxy
22. What about the challenge? (cont.) Targets..
- IBM (AppScan)
- Cenzic (HailStorm)
- HP (WebInspect)
- Acunetix (Acunetix)
25-29. Objectives.. Successfully enumerate the following information:
- Database Username(s)
- Database Name(s)
- Table Name(s)
- Column Name(s)
30-33. What about the challenge? (cont.) Levels.. There are two levels. We focus on the second one.
- Level 1: Speed Hacking
- Level 2: Filter Evasion
34. The Winners
Johannes Dahse, Vladimir Vorontsov, PT Research, Ahmad Maulana, Travis Lee, Roberto Salgado, SQLMap Developers, HackPlayers, Georgi Geshev
35. What about the techniques?
- Less known and version-specific features. Ex. MySQL Comment Extensions for conditional code execution
- Mixture of (unterminated) comments. Ex. double dash, C-style comments, etc.
- Splitting the query across multiple locations. Ex. Multiple GET/POST parameters
- Parameter pollution a.k.a. HPP
- Less known attack vector locations. Ex. Cookies, file names/contents, etc.
- Mixture of space separators and CR/LFs. Ex. %09, %0a, %0b, %0c, %0d, %a0
36. Examples (pt. 1) Injection Fragmentation
Splitting up the SQLi payload so that no individual fragment triggers any filter; however, once placed into the back-end SQL query, the fragments together force boolean true/false logic.
37. Examples (pt. 2) HTTP Parameter Pollution
HPP allows an attacker to leverage how ASP/ASP.NET-based applications treat multiple parameters with the same name, which is to concatenate the values into one, separated by commas.
38. Examples (pt. 3) Tricky Comments
The intruder was able to leverage some platform- and version-specific attack techniques, exploiting the way the back-end database handles/interprets different types of comments.
39. Examples (pt. 4) Unusual Locations
In this case, the evasion was possible due to the attack vector location: Request Cookie data.
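Defender-side illustration of slides 35-37 (an added example, not code from the talk or from ModSecurity): a WAF should inspect the value the back end will actually see, so this normaliser joins duplicate parameter names with commas as ASP/ASP.NET does, resolves the comment forms and whitespace separators listed above, and only then applies a signature. The back-end assumptions (ASP.NET in front of MySQL), the signature and the sample query string are constructed for the demonstration.

```python
"""Normalise a query string the way the back end will, then inspect it."""
import re
from urllib.parse import unquote_to_bytes

# Separators MySQL accepts between tokens: space plus %09 %0a %0b %0c %0d %a0
SEPARATOR_RE = re.compile(rb"[ \t\n\x0b\x0c\r\xa0]+")
# MySQL executes the body of /*! ... */, so that body is kept; plain C-style,
# double-dash and hash comments contribute nothing and become one space.
COMMENT_RE = re.compile(rb"/\*!\d*(.*?)\*/|/\*.*?\*/|(?:--|#)[^\r\n]*", re.S)
# Deliberately simple constructed signature for a union or boolean probe
SIGNATURE_RE = re.compile(r"\bunion\b.*\bselect\b|\bor\b\s*\S+\s*=\s*\S+")


def effective_params(raw_query: str) -> dict[str, bytes]:
    """Merge duplicate names as ASP.NET's request collection does (HPP)."""
    merged: dict[str, bytes] = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name = unquote_to_bytes(name).decode("latin-1")
        value = unquote_to_bytes(value.replace("+", " "))  # '+' before %xx
        merged[name] = merged[name] + b"," + value if name in merged else value
    return merged


def normalise(value: bytes) -> str:
    """Canonical form: comments resolved, separators collapsed, lower-cased."""
    value = COMMENT_RE.sub(lambda m: m.group(1) or b" ", value)
    value = SEPARATOR_RE.sub(b" ", value)
    return value.decode("latin-1").strip().lower()


def inspect(raw_query: str) -> dict[str, bool]:
    """Per parameter name: does the value the back end sees hit the signature?"""
    return {name: bool(SIGNATURE_RE.search(normalise(value)))
            for name, value in effective_params(raw_query).items()}


def inspect_fragments(raw_query: str) -> list[bool]:
    """The naive check: every occurrence of a name inspected on its own."""
    results = []
    for pair in raw_query.split("&"):
        _, _, value = pair.partition("=")
        decoded = unquote_to_bytes(value.replace("+", " "))
        results.append(bool(SIGNATURE_RE.search(normalise(decoded))))
    return results


# Constructed sample: one probe split over two occurrences of the same name
SAMPLE = "id=1%0aUNION/*!%0d*/&id=/**/SELECT%a01"
```

Inspected fragment by fragment, neither half of SAMPLE matches; inspected as the merged value `1 union , select 1` that the back end receives, it does.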
40. Statistics
- Estimated number of participants: >650
- Avg. number of requests to find an evasion: 433
- Avg. duration (time to find an evasion): 72 hrs
- Shortest number of requests to find an evasion: 118
- Shortest duration (time to find an evasion): 10 hrs
41. Shout outs go to..
- All the OWASP enthusiasts around the globe - For being awesome
- Ryan Barnett - For all the efforts
- P. Serafimov - For kindly contributing to this talk ;)