sorry about your waf

SORRY ABOUT YOUR WAF Bypassing the Modern WAF Johnny Xmas - PowerPoint PPT Presentation

SORRY ABOUT YOUR WAF Bypassing the Modern WAF Johnny Xmas Johnny.Xmas@Kasada.io @J0hnnyXm4s JOHNNY XMAS Johnny.Xmas@Kasada.io Blade Runner & Director of Field Engineering, North America & Europe @ kasada.io CISSP, GIAC, GPEN


  1. SORRY ABOUT YOUR WAF Bypassing the Modern WAF Johnny Xmas Johnny.Xmas@Kasada.io @J0hnnyXm4s

  2. JOHNNY XMAS Johnny.Xmas@Kasada.io Blade Runner & Director of Field Engineering, North America & Europe @ kasada.io CISSP, GIAC, GPEN
     PREVIOUS PROFESSIONAL ROLES:
     • Network Engineer
     • Systems Engineer
     • Information Security Engineer
     • Information Security Consultant
     • Penetration Tester
     • Industrial Security Researcher
     LINKS:
     • https://twitter.com/j0hnnyxm4s
     • https://www.linkedin.com/in/johnnyxmas/
     • https://www.youtube.com/c/johnnyxmas
     • https://github.com/johnnyxmas

  3. WAF (WEB APPLICATION FIREWALLS): BASIC
     • Very Basic Behavioral Analysis
     • Various levels of IP Reputation, header inspection and POST data inspection.
     • Just blacklists IPs (LOL)
     • Trivial to Bypass

  4. SQLMap https://github.com/sqlmapproject/sqlmap

  5. WAF (WEB APPLICATION FIREWALLS): SOPHISTICATED
     • Often a Reverse Proxy
     • Partially relies on JS execution
     • Fingerprints client environment

  6. Also, they’re both pretty useless... so let’s get hacking!

  7. BARE MINIMUMS

  8. BARE MINIMUMS: Rotate Your IP
     • Huge # of “Free Proxy” sites
       • https://hide.me
       • https://hidester.com
       • https://www.proxysite.com/
     • Srsly just google “Free Proxies”

  9. BARE MINIMUMS: Use Residential IPs
     • Residential IPs are easy to lease in bulk
     • Hard to convince The Business to allow blocking residential IPs
     • Services like HolaVPN and MonkeySocks use users’ IPs
     • Huge # of “Free Proxy” sites
     • Residential IPs are not free

  10. BARE MINIMUMS: Use The Usual HTTP Headers
     • BUT ALSO:
       • Accept : */*
       • DNT : 1
       • X-Headers (Sometimes)
       • User-Agent (NO QUOTES)
       • Session Cookies (Sometimes)

  11. BARE MINIMUMS
     Rotate User-Agents
     • Seriously, this gets past so many defenses
     • Rotate with each HTTP request, if possible
     • Also use this for whitelist fuzzing
     Use Cookies
     • Auth’d sessions often have more lenient throttling
     • Some session cookies are *required*
     • WATCH OUT FOR SNEAKY WAF COOKIES

  12. Use POSTMan https://www.getpostman.com/

  13. SUPER BORING CODE DEMO: PLEASE BEAR WITH US FOR LIKE 2 MINUTES (IT’S COOL, WE PROMISE)

  14. ADVANCED TACTICS FOR CLOUD WAFS BE THE LUCHADOR *AND* THE OSTRICHES

  15. EDGE ENUMERATION
     Check Every System
     • Find ASNs owned by target (ARIN, etc)
     • Find domains owned by target to uncover additional ASNs (WHOIS)
     • Find which IPs are hosting web servers (ScanCannon)
     • Enumerate paths to find forms, APIs, data, etc (wfuzz, etc)
     Smash DNS
     • Reverse Lookup on IPs to DNS names (human-language indicators)
     • DNS History lookups
     • DNS Zone Transfers
     • DNS name fuzzing
     • Find ASNs owned by target (ARIN, etc)
     • Find domains owned by target to uncover additional ASNs

  16. EDGE ENUMERATION
     Round-Robin the Edge Nodes
     • Discover all edge nodes
     • Hit one until it blocks you, then hit the next
     • This exploits the sync delay (often 15 minutes) and conserves IPs
     Smash the API
     • APIs are almost never fully-protected; often not at all
     • Great if all you need is to steal data
     • Can also be used to “test” credentials
     Unprotected Paths
     • Layer 7 WAFs & their associated CDNs have path rules
     • Some of these may be accidental or intentionally unprotected
     • One application may have multiple login portals \ paths

  17. SOPHISTICATED WAFs
     Find the Origins
     • Use previous enumeration (look for “origin” in DNS)
     • UUID or hash DNS names
     • Hitting these bypasses the WAF completely
     • Watch out for firewalls
     Ditch the Script, Share the Cookies
     • *RUN* WAF Javascript and replay the resulting fingerprint cookie
     • Identify and block WAF javascript snippets
     OR. . .

  18. AUTOMATE A REAL BROWSER

  19. AUTOMATE A REAL BROWSER https://github.com/GoogleChrome/puppeteer
     • Looks like human activity
     • Practically undetectable
     • Scriptable AF
     • Executes Javascript
     • Properly leverages Cookies
     • Multiple instances per IP
     • Headless Chrome
     • Puppeteer
     • Selenium

  20. Realistic WebDriver
     • User_agent
     • Hardware_concurrency
     • Navigator_Platform
     • Resolution
     • Color_depth
     • Available_resolutions
     • Pixel_ratio
     • Timezone_offset
     • Cpu_Class
     • Session_storage

  21. SUMMARY:
     • Rotate IP Addresses
       • Use Residential IPs
     • Use the Usual HTTP Headers
     • Use POSTMan
     • Rotate your User-Agents
     • Rotate session cookies
     • Rotate between targets
     • Hit the Origin directly
     • Use a Web Driver
       • Change the stock config!

  22. THANKS FOR PLAYING! Johnny Xmas, CISSP, GIAC, GPEN Johnny.Xmas@Kasada.io @J0hnnyXm4s https://www.github.com/johnnyxmas/Talk_Decks
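
For defenders, slides 11 and 17 imply a log-side check: a session or fingerprint cookie that shows up with several User-Agents, or from several source IPs, is being rotated or replayed. The following is an added example, not code from the talk; the log format, the `sid` cookie name and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the talk). Assumed format:
# ip "METHOD path" status "user-agent" "sid=<session cookie>"
SAMPLE_LOG = """\
198.51.100.7 "POST /login" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120" "sid=aaa111"
198.51.100.7 "GET /account" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120" "sid=aaa111"
203.0.113.10 "GET /api/items" 200 "Mozilla/5.0 (X11; Linux) Firefox/115" "sid=bbb222"
203.0.113.11 "GET /api/items" 200 "Mozilla/5.0 (Macintosh) Safari/605" "sid=bbb222"
203.0.113.12 "GET /api/items" 200 "Mozilla/5.0 (Windows NT 10.0) Edg/120" "sid=bbb222"
192.0.2.44 "GET /search" 200 "Mozilla/5.0 (iPhone) Safari/604" "sid=ccc333"
192.0.2.44 "GET /search" 200 "curl/8.4.0" "sid=ccc333"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "sid=(?P<sid>[^"]*)"$'
)

def parse(log_text):
    """Yield (ip, user_agent, session_id) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["ua"], m["sid"]

def flag_sessions(log_text, max_uas=1, max_ips=2):
    """Return {sid: reasons} for sessions exceeding the UA or IP thresholds."""
    uas, ips = defaultdict(set), defaultdict(set)
    for ip, ua, sid in parse(log_text):
        uas[sid].add(ua)
        ips[sid].add(ip)
    findings = {}
    for sid in uas:
        reasons = []
        if len(uas[sid]) > max_uas:      # one session, several User-Agents
            reasons.append(f"{len(uas[sid])} user-agents")
        if len(ips[sid]) > max_ips:      # one session, many source IPs
            reasons.append(f"{len(ips[sid])} source IPs")
        if reasons:
            findings[sid] = reasons
    return findings

if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(sid, "->", ", ".join(reasons))
```

The IP threshold is left above 1 because legitimate mobile clients change address mid-session; tune both thresholds against real traffic.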
