Sunday, February 19, 2017

WAF ByPASS Trick-- SIMPLE and SWEET

This post originates from the BLOG of Mr Haddix (Link HERE) which is one of the most interesting hacks i have seen. Simple and Sweet

WAF- Web Application Firewall(OWASP Definition)or (Wiki Definition)

It is a very awesome strategy for the DID (Defense in Depth) Model as they offer a great means of keeping the malicious data outside the boundary's of the Web Application but are of course not a substitute for the flaw in the application.

The industry has adopted WAF in a significant manner and Pen Testers encounter them very often in their tests.

Usually the WAF is placed before the WebServer so that the malicious traffic is sorted out before it can reach the application asset.

There are a couple of ways in which we can identify the existence of a WAF. One of the ways can be checking out a cookie as some WAF's add their own cookie in the communication.


Another method can be examining the HTTP headers as WAFs may make the header to be changed or re-written.

There may also be a possibility of a WAF if the sessions are expiring very quickly.

Sometimes we end up getting the bad characters as well which might be an indication of a WAF.

Also there are a couple of automated tools which gives us some indication for WAF.

One such tool is called as WAFWOOF. Nmap our favorite also has a script which can be called via the NSE engine to check the presence of a WAF.

You can also look into the following blog for more details on detection

(http://foxtrot7security.blogspot.in/2012/01/real-world-waf-detection-and-bypass.html)

Now lets look into on how can we evade this evil boy.

Usually we use the payloads in encoded format to evade the rules of WAF but gone were those days (still it works for a couple of them).

One of the other ways is described below but before that lets look on why this thing actually works.

Ideally the WAF should look for a proper lookup into the originating or incoming request the WAF sometimes if not configured properly keeps on looking on to the request HTTP Headers. 

If it does so we have a lot of headers in control that we can take advantage of like:
  • X-forwarded-for
  • X-remote-IP
  • X-originating-IP
  • x-remote-addr
So here we are going to fool the WAF to believe that the request was from itself by adding the following request header and pointing it to localhost.

GET /?login.aspx HTTP/1.1
Host: 192.168.56.104
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
X-originating-IP: 127.0.0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

There are various things that we can play around with the use of these headers. I love this image from @Jhaddix



Now lets see on how can this be automated via BURP(mostly everybodys fav proxy)

Open up BURP proxy and navigate to the PROXY tab.Click on the OPTIONS tab and scroll down to the MATCH and REPLACE section.

Here we are going to add some rules for our mission.

Click on Add and you will get a window asking some options. Give the details as:

In the TYPE section choose REQUEST HEADER
In the REPLACE section write the header you want to use
In the comment section write some comments significant to the rule
Click OK and you are good to go.

Refer the screenshot below.



Once added just enable the same by checking the check box next to your rule as shown below and VOILAA you are good to go :)



HAPPY HUNTING :)

No comments:

Post a Comment