Web Application Firewall Bypassing - DefCamp - 2016
Offered By: DefCamp via YouTube
Course Description
Overview
Syllabus
DefCamp Web Application Firewall Bypassing - an approach for pentesters SECURITY CONSULTANT EUROSEC - SECURITY SINCE 1998
NORMALIZATION FUNCTIONS Simplifies the writing of rules • No Knowledge about different forms of input needed
INPUT VALIDATION Security Models define how to enforce rules • Rules consist of regular expressions • Three Security Models: 1. Positive Security Model 2. Negative Security Model 3. Hybrid Security Model
Bypassing Methods and Techniques
SKIPPING PARAMETER VERIFICATION PHP removes whitespaces from parameter names or transforms them into underscores
APPROACH FOR PENETRATION TESTERS
PHASE O - DISABLE WAF Objective find security flaws in the application more easily assessment of the security level of an application is more accurate
RECONNAISSANCE Objective: Gather information to get a overview of the target - Basis for the subsequent phases Gather information about - web server programming language - WAF & Security Model - Internal IP Addresses
ATTACKING THE PRE-PROCESSOR Objective make the WAF skip input validation • Identify which parts of a HTTP request are inspected by the WAF to develop an exploit: 1. Send individual requests that differ in the location of a pryload 2. Observe which requests are blocked
FINDING AN IMPEDANCE MISMATCH Objective make the WAF interpret a request differently than the back end and therefore not detecting it Knowledge about back end technologies is needed
BYPASSING THE RULE SET Objective. find a payload that is not blocked by the WAFs rule
OTHER VULNERABILITIES Objective find other vulnerabilities that can not be detected by the WAF • Broken authentication mechanism . Privilege escalation
AFTER THE PENTEST Objective: Inform customer about the vulnerabilities • Advise customer to fix the root cause of a vulnerability . For the time being the vulnerability should be virtually patched by adding specific rules to the WAF Explain that a WAF can help to mitigate a vulnerability, but can not thoroughly fix it
Taught by
DefCamp
Related Courses
The Model of Post-Quantum Signature Using Verkle Tree - DefCamp - 2022DefCamp via YouTube The Anatomy of Wiper Malware - DefCamp - 2022
DefCamp via YouTube Internet Balkanization in an Era of Military Conflict - Dan Demeter - DefCamp - 2022
DefCamp via YouTube How We Analyzed and Built an Exploit PoC for CVE-2022-24086, a Magento RCE - Catalin Filip - DefCamp - 2022
DefCamp via YouTube To Log, or Not to Log! That Is the Question - DefCamp - 2022
DefCamp via YouTube