Web Application Firewalls (WAFs):Not good enough

In an age where cybercrime is escalating exponentially, picking the right security solution has become extremely crucial. Web Application Firewalls (WAFs) are highly regarded by many leading InfoSec experts, but Pakistani ethical hacker and AppSec expert Rafay Baloch thinks otherwise. To make matters more interesting, he also has the required expertise and POCs to back up his claims.  

rafay-baloch-defcamp-2015
Rafay Baloch

Web Application Firewalls are basically security barriers (server plugin or cloud-based) that are placed in front of the web application for real-time inspection of user requests. This involves the monitoring of website traffic with the option of blocking it when malicious activity is detected. While very functional, this security solution needs to be re-configured every time the code changes.

When WAF configuration is not done properly; which is often the case; performance takes a massive hit. False Positives (FP) rise exponentially, leading to unintended blocking of users and unwanted Denial of Service (DoS) issues. This limitation often forces organizations to disable the blocking functionality of their Web Application Firewalls, basically turning them into monitoring tools.

In this article, Baloch will shatter the immune image the WAF has made for itself in recent years and show us why it simply is not enough as a stand-alone application security solution.

“Web Application Firewalls don’t impress me one bit.”

Rafay Baloch gets very lively when he starts discussing Web Application Firewalls (WAFs). While he does recognize the importance of implementing WAFs to provide runtime protection and acknowledges that they serve as an additional layer of defense for detecting malicious inputs, he firmly believes that it’s becoming a dated application security solution.

“A WAF primarily uses two different approaches, a Whitelist (Allow Known Good) or a Blacklist (Reject Known Bad),” Baloch told Checkmarx in this exclusive interview. “Due to the fact that majority of web apps nowadays are dynamic, it’s very difficult to predict all possible inputs in order to write a whitelist. Therefore, practically, blacklisting is the only solution.”

But Baloch also claims that constructing a blacklist that will produce a negligible amount of False Positives (FP) is simply unrealistic. He claims that the dynamic nature of the common scripting and programming languages (JavaScript, SQL, etc) don’t allow the creation of a truly effective blacklist. As a result, he has bypassed virtually all leading Web Application Firewalls today.

“Once I fingerprint the WAF, it’s doomed.”

The first step Baloch takes before working his magic is the fingerprinting of the Web Application Firewall via the web application it’s protecting. He says that virtually all leading WAFs today leave evidence inside their cookie values or HTTP responses, making it easy for him to devise a bypassing plan. For example, the “Citrix Netscaler” WAF can be fingerprinted with a basic GET request.

citrix

The “Citrix Netscaler” WAF getting fingerprinted with a basic GET request.  

As evident in the response displayed above, the red “ns_af” is a unique cookie used by Citrix Netscaler, which this specific web application is obviously using.

When asked about how he actually bypasses Web Application Firewalls, Baloch said his methodology is manual and based on his independently devised technique. He claims that tools such as  the as OWTF WAF-Bypasser are good for novices, but his personal technique involves three main stages – Brute forcing, Reg-ex Reversing and Exploiting of Browser Bugs.

1 – Brute Forcing – This involves the use of randomly crafted payloads to test the robustness and configuration of the WAF. If the filters are weak, this step is enough to bypass the WAF.

2- Reg-ex Reversing – Leading Web Application Firewalls are usually able to withstand Brute Forcing. This makes Baloch take it to the next level, which is basically Reg-ex Reversing. This technique exploits the WAF’s inherited tendency to compare the attack payloads with the signatures (typically complex regular expressions) in their databases.

Baloch explains: “I simply hit the WAF with multiple attack payloads. If they match the Reg-ex, the WAF triggers up, and vice versa. I spend some time reversing the signatures of the WAF and get a feel for what the WAF has been programmed to block. Once this is established, I can craft an effective malicious payload than can help me bypass the WAF.”

3 – Exploiting of Browser Bugs – There are times that Baloch is not able to break through with the two techniques mentioned above. This means he has to dig deep and declare war on the WAF. Web browser features along with their specific bugs now become an integral part of Baloch’s gameplan. This obviously requires a high level of skill and understanding.

One of Baloch’s methodologies involves Unicode Separators. Well configured WAFs are usually capable of blocking event handlers. The blocking expression can be: [on\w+\s*].

This blocking expression would look for starting with on* and filter it. Issues arise with “\s” meta-character, since it does not possess all separators (x0b is one such example). Every web browser has a separate set of valid separators, which can be used when needed. These can be found out by fuzzing the browsers a range of 0x00 to 0xff to obtain the separators.

  • Explorer = [0x09, 0x0B, 0x0C, 0x20, 0x3B]
  • Chrome = [0x09, 0x20, 0x28, 0x2C, 0x3B]
  • Safari = [0x2C, 0x3B]
  • Firefox = [0x09, 0x20, 0x28, 0x2C, 0x3B]
  • Opera = [0x09, 0x20, 0x2C, 0x3B]
  • Android = [0x09, 0x20, 0x28, 0x2C, 0x3B]

The x0b separator has been extensively used by Baloch. The Pakistani hacker has used the following POC to bypass the Mod-security WAF on more than one occasion:

<a/onmouseover[\x0b]=location=’\x6A\x61\x76\x61\x73\x63\x72\x69\x70\ x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B’>rhainfosec

As a result the python snippet would print all characters within the 0x00 to 0xff range.

snippet

Other browser bugs that Baloch exploits commonly include: Charset Bugs, Null Bytes, Parsing Bugs, Missing X-frame Options, Docmodes and DOM Based XSS. But the Pakistani expert is not the only one exploiting and bypassing Web Application Firewalls at will. The video below shows another POC from the recent DEFCON 16 event.

[youtube https://www.youtube.com/watch?v=brj_cFsDc7Y&w=421&h=346]

 “Security has to be a multi-layered approach”

The aforementioned bypassing techniques used by Rafay Baloch show why the Web Application Firewall (especially when working by blacklisting) is no longer capable of serving as a stand-alone solution.

“Developers, CISOs and administrators should always keep in mind that a WAF is only a sticking plaster which should be used for a defined time-manner for a known vulnerable controller/param until the vulnerability has been patched inside the source code,” Baloch summarized before signing off and getting back to his ethical hacking and application security endeavors.

The most effective security approach an organization can take today is to embrace a combo approach. This should ideally involve Static Code Analysis (SCA) during the development phase, complimented by a few cycles of Penetration (Pen) Testing before the application is released to the market. This multi-layered approach to security is proving to be very effective in recent times.

Rafay Baloch has been an ethical hacker since the tender age of 14. Now a professional InfoSec expert in Pakistan, he has found glaring vulnerabilities in Android, PayPal, HTML5 and more. Follow him on Twitter @rafaybaloch 

 

source: Sharon Solomon

Leave a Reply

Your email address will not be published. Required fields are marked *