
Web Application Firewalls: What the vendors do NOT want you to know

Sandro Gauci
EnableSecurity
[email protected]

and Wendel G. Henrique
Trustwave
[email protected]

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org
$ whois WendelGHenrique

PT Consultant at Trustwave's SpiderLabs.
Over 7 years in the security industry.
Vulnerability discovery: Webmails, AP, Citrix, etc.
Spoke at YSTS 2.0, Defcon 16, H2HC and others.
Affiliated with the Hackaholic team.

OWASP AppSecEU09 Poland 2


$ whois SandroGauci

Founder and CSO, EnableSecurity.
VOIPPACK (CANVAS addon).
Security research papers.
SIPVicious and SurfJack.
Over 9 years in the security industry.


Introduction

WAF - Web Application Firewall.
Can be identified and detected.
Security software is not necessarily secure.


What is a WAF

WAFs are often called 'Deep Packet Inspection Firewalls'.
Some WAFs look for attack signatures while others look for abnormal behavior.
WAF products: software or hardware appliance.


What is a WAF

WAFs can be installed as a reverse proxy, embedded, or connected to a switch (SPAN or RAP).
Nowadays many WAF products detect both inbound and outbound attacks.


Who uses a WAF?

Many banks around the world.
Companies which need high protection.
Many companies in compliance with PCI DSS (Payment Card Industry - Data Security Standard).


Operation Modes

Negative model (blacklist based).
Positive model (whitelist based).
Mixed / Hybrid (mix of negative and positive model protection).


Operation Mode: Negative

A negative security model recognizes attacks by relying on a database of expected attack signatures.

Example:

Do not allow, in any page, any argument value (user input) which matches potential XSS strings like <script>, </script>, String.fromCharCode, etc.


Operation Mode: Positive

A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid, known-good requests.

Example:

Page news.jsp: the field "id" only accepts numbers [0-9], from 0 up to 65535.
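The two operation modes side by side, as an added example that is not part of the original slides or of any WAF product: a negative-model check that searches for the XSS strings the slides name, and a positive-model policy that encodes the news.jsp rule from the slide (field "id", digits only, 0..65535) and rejects anything it has no rule for, including unknown parameters and unknown pages. The policy data structure, the function names and the violation messages are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Negative model: a blacklist of the XSS indicator strings the slides name.
XSS_BLACKLIST = re.compile(r"<script>|</script>|String\.fromCharCode")


def negative_model_allows(value: str) -> bool:
    """Blacklist check: a value passes unless a known-bad string is present."""
    return XSS_BLACKLIST.search(value) is None


@dataclass(frozen=True)
class FieldRule:
    """Allowed syntax for one parameter, plus an optional numeric range."""
    pattern: re.Pattern
    min_value: Optional[int] = None
    max_value: Optional[int] = None


# Positive model policy. The news.jsp/id rule is the one on the slide
# (digits only, 0..65535); the policy structure itself is a constructed example.
POLICY: Dict[str, Dict[str, FieldRule]] = {
    "news.jsp": {
        "id": FieldRule(re.compile(r"[0-9]{1,5}"), 0, 65535),
    },
}


def positive_model_violations(page: str, params: Dict[str, str]) -> List[str]:
    """Return every way a request departs from the learned policy.

    An empty list means the request is known-good. Unknown pages and
    unknown parameters are violations too: the positive model allows
    only what it has a rule for.
    """
    rules = POLICY.get(page)
    if rules is None:
        return [f"page not in policy: {page}"]
    violations = []
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            violations.append(f"unknown parameter: {name}")
            continue
        if not rule.pattern.fullmatch(value):
            violations.append(f"{name}: value does not match allowed syntax")
            continue
        if rule.min_value is not None or rule.max_value is not None:
            number = int(value)  # safe: the pattern already restricted it to digits
            lo = rule.min_value if rule.min_value is not None else number
            hi = rule.max_value if rule.max_value is not None else number
            if not lo <= number <= hi:
                violations.append(f"{name}: {number} outside {lo}..{hi}")
    return violations


if __name__ == "__main__":
    for value in ["42", "65536", "<script>alert(1)</script>"]:
        print(value, positive_model_violations("news.jsp", {"id": value}))
    # Blacklist blind spot: the same tag with different letter case passes.
    print(negative_model_allows("<ScRiPt>alert(1)</ScRiPt>"))
```

The contrast is the point of the two slides: the blacklist has to anticipate every spelling of an attack, while the allowlist only has to describe the one legitimate shape of the parameter, so anything outside it (wrong type, out of range, an extra parameter) is refused without a signature.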


Common Weaknesses

Bad design.
Bad implementation.
Vulnerable to the same flaws they intend to protect against.


Detection

Cookies: Some WAF products add their own cookie to the HTTP communication.

demo


Detection

Header Rewrite: Some WAF products allow the rewriting of HTTP headers. The most common field is "Server"; this is used to try to deceive attackers (server cloaking).

Example:

Connection might be changed to Cneonction or nnCoection.

demo


Detection

Different 404 error codes for hostile and non-existent pages.
Different error codes (404, 400, 401, 403, 501, etc.) for hostile parameters (even non-existent ones) in valid pages.

demo
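The passive tells from the three detection slides (a vendor cookie, a rewritten or scrambled header such as Cneonction, and status codes that differ where they should not) can be checked against a site's own captured responses before anyone else does. This is an added example, not code from the talk or from WAFW00F; the raw response, the cookie names and the set of application cookies are constructed for the example, and `fingerprint_signals` and `status_codes_diverge` are names chosen here.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_response(raw: str) -> Tuple[int, List[Header]]:
    """Split a raw HTTP/1.x response into (status code, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, code, _reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return int(code), headers


def is_scrambled(name: str, canonical: str = "Connection") -> bool:
    """True for names like Cneonction or nnCoection: the same letters as the
    canonical header name, in a different order."""
    a, b = name.lower(), canonical.lower()
    return a != b and sorted(a) == sorted(b)


def fingerprint_signals(raw: str, app_cookies: set) -> List[str]:
    """Report the passive tells visible in one response: an exposed Server
    header, scrambled header names, and Set-Cookie names that the
    application itself never sets."""
    _code, headers = parse_response(raw)
    signals = []
    for name, value in headers:
        if name.lower() == "server":
            signals.append(f"Server header exposed: {value}")
        if is_scrambled(name):
            signals.append(f"scrambled header name: {name}")
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name not in app_cookies:
                signals.append(f"cookie not set by the application: {cookie_name}")
    return signals


def status_codes_diverge(observations: Dict[str, int]) -> bool:
    """True when requests that should all get the same answer (for example
    several non-existent pages) come back with different status codes."""
    return len(set(observations.values())) > 1


# Constructed sample response; header values and cookie names are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Cneonction: close\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/\r\n"
    "Set-Cookie: waf_trace_id=deadbeef; Path=/\r\n"
    "\r\n"
    "<html><body>Not Found</body></html>"
)

# The cookies the application is known to set itself (assumption for the example).
APP_COOKIES = {"JSESSIONID"}

if __name__ == "__main__":
    for signal in fingerprint_signals(SAMPLE_RESPONSE, APP_COOKIES):
        print(signal)
    print(status_codes_diverge({"missing page, plain": 404,
                                "missing page, odd parameter": 403}))
```

Each signal corresponds to a configuration decision on the defender's side: suppress or normalize the Server header, do not let the appliance rewrite header names, scope any appliance cookie so it does not stand out, and return the same status code for every blocked or missing resource.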


Detection

WAF systems leave several signs which permit us to detect them; one of them is Drop Connection.

Example:

Drop Action: Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet.


Detection

WAF systems leave several signs which permit us to detect them; one of them is Pre Built-in Rules.

Pre Built-in Rules: All (at least all that we know) WAF systems have a built-in group of rules in negative mode. These rules are different in each product, which can help us to detect them.


Detection

You should be thinking…

It's so boring.
We have to know a lot of products to identify them correctly.
What about creating a tool for that?


WAFW00F

That's our answer to your prayers:

Detects over 20 different WAF products.
Does not stop at the first WAF system found.
Follows HTTP redirects to identify more systems.
Much more coming soon.

demo


Bypassing

WAF systems can be bypassed by changing the attack so that it does not match the rules:

Detect allowed / denied strings.
Detect sequences of good and bad strings together.
Modify your attack to match the good rules.


Bypassing

WAF systems can be bypassed in different ways; one of them is using old tricks like encoding and language support:

Spaces, comments, case-sensitive mutation, Unicode, etc.

The web server can parse, decode and interpret an HTTP request differently from the WAF.
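The last point on that slide is the root cause of the encoding and case tricks: a rule applied to the bytes on the wire sees a different string than the one the web server acts on after decoding. The added example below (this is not code from the talk or from any WAF; the function names and the constructed inputs are the example's own) applies one blacklist rule twice, once to the raw value and once after canonicalizing it the way a back end would (bounded percent-decoding, Unicode NFKC folding, case folding, whitespace collapsing). It generalizes the slide's single point across the encoding, case and Unicode categories it lists. The canonicalization has to mirror what the protected server actually does; where the two disagree, the mismatch itself is the weakness.

```python
import re
import unicodedata
from urllib.parse import unquote

# Same blacklist idea as the negative-model slide, written in lower case
# because here it is only ever applied to canonicalized text.
BLACKLIST = re.compile(r"<script>|</script>|string\.fromcharcode")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Reduce a parameter value to the form the back end will act on.

    Steps: percent-decode until stable (bounded, so nested encoding cannot
    loop forever), fold Unicode compatibility forms such as full-width
    punctuation to ASCII (NFKC), case-fold, and collapse runs of whitespace.
    """
    out = value
    for _ in range(max_rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    out = unicodedata.normalize("NFKC", out)
    out = out.casefold()
    out = re.sub(r"\s+", " ", out)
    return out.strip()


def matches_raw(value: str) -> bool:
    """The inspection a WAF does when it matches the bytes on the wire."""
    return BLACKLIST.search(value) is not None


def matches_canonical(value: str) -> bool:
    """The same rule applied after canonicalization."""
    return BLACKLIST.search(canonicalize(value)) is not None


# Constructed inputs: the plain signature followed by the same string as it
# appears after case mutation, single and double percent-encoding, and
# full-width Unicode punctuation.
VARIANTS = [
    "<script>",
    "<SCRIPT>",
    "%3Cscript%3E",
    "%253Cscript%253E",
    "\uff1cscript\uff1e",
]


def compare(values):
    """Return {value: (raw_match, canonical_match)} for each input."""
    return {v: (matches_raw(v), matches_canonical(v)) for v in values}


if __name__ == "__main__":
    for v, (raw, canon) in compare(VARIANTS).items():
        print(f"{v!r:24} raw={raw!s:5} canonical={canon}")
```

Only the first variant is caught by the raw match; all five are caught after canonicalization. The bound on decoding rounds matters in the other direction too: a rule that decodes more aggressively than the server will block legitimate values the server would have treated as harmless text.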


Bypassing

WAF systems can be bypassed in different ways; one of them is using the flexibility of the web languages:

HTML and JS are very flexible.

Example:

XSS case.

demo


Bypassing

WAIT!

What about the positive model?
Are they really secure?
If we find a positive model, should we give up?

demo


Bypassing

You should be thinking…

It's time consuming.
There are so many different techniques to remember.
There are so many product-dependent techniques.
What about a tool for that?
WAFFUN

That's our answer to your prayers:

Tests the target and points out weaknesses in the WAF system.
Use with WAFW00F for better results.
Works on Windows and Unix.
Beta version! We need the community's help.

demo


Other Vulnerabilities

XSS (in the WAF system itself?)
Overflows
DoS

demo


Thank you!

Do you have ideas / resources to improve our tools?
Or do you just not have anyone to talk to?

wsguglielmetti [at] gmail [dot] com
sandro [at] enablesecurity [dot] com
