c10sec

Cybersecurity and shitpost

Fingerprinting web application firewalls

Hello there. Today I'll show you how to automatically fingerprint web application firewalls (WAFs) using three of the best-known WAF scanners out there.

Wafw00f

Wafw00f is probably the best-known and most effective tool when it comes to detecting WAFs. When you run wafw00f against a website, it first sends a normal HTTP request and analyses the response, which is enough to identify a number of WAFs. If that's not successful, it sends a potentially malicious request to the website in order to identify (once more) the WAF behind it. Finally, if the previous tests aren't able to identify the firewall, it analyses the two previous responses more exhaustively than before to see if there is a WAF actively blocking our attacks.
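As an added illustration (not wafw00f's own code), the following Python sketch implements the three stages just described over constructed HTTP responses, so it runs offline: header signatures on the benign response, block-page signatures on the response to the suspicious request, and finally a generic comparison of the two. The Response class, the signature tables, the block-page phrases and the status-code set are illustrative assumptions; a real scanner ships a far larger database.

```python
"""Added example, not wafw00f's code: the three-stage WAF detection logic
described above, run over constructed HTTP responses so it works offline.
The Response class, the signature tables and the status-code set are
illustrative assumptions; a real scanner ships a far larger database."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        """Case-insensitive header lookup; lower-cased value or None if absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value.lower()
        return None


# Stages 1 and 2: header signatures as (header, substring); None = presence only.
HEADER_SIGNATURES = {
    "Cloudflare": [("server", "cloudflare"), ("cf-ray", None)],
    "Imperva Incapsula": [("x-cdn", "incapsula"), ("x-iinfo", None)],
}
# Stage 2 only: block-page phrases that show up after a suspicious request.
BODY_SIGNATURES = {
    "Cloudflare": ["attention required!", "cloudflare ray id"],
    "Imperva Incapsula": ["incapsula incident id"],
}
# Stage 3: status codes a WAF commonly returns when it rejects a request.
BLOCK_STATUSES = {403, 406, 419, 429, 501}


def match_signatures(resp, use_body):
    """Return the WAF name whose header (and optionally body) signature matches."""
    for name, sigs in HEADER_SIGNATURES.items():
        for hdr, needle in sigs:
            value = resp.header(hdr)
            if value is not None and (needle is None or needle in value):
                return name
    if use_body:
        lowered = resp.body.lower()
        for name, phrases in BODY_SIGNATURES.items():
            if any(p in lowered for p in phrases):
                return name
    return None


def looks_blocked(normal, probe):
    """Stage 3: no signature matched, so compare benign and suspicious responses."""
    if normal.status not in BLOCK_STATUSES and probe.status in BLOCK_STATUSES:
        return True
    # A suspicious request answered with a much shorter body than the benign
    # one is a weak hint of an interposed block page (heuristic, not proof).
    if normal.body and len(probe.body) < len(normal.body) * 0.5:
        return True
    return False


def fingerprint(normal, probe):
    """normal/probe are the responses to a benign and to a suspicious request.
    Returns (stage, name); (None, None) means nothing suggests a WAF."""
    name = match_signatures(normal, use_body=False)
    if name:
        return 1, name
    name = match_signatures(probe, use_body=True)
    if name:
        return 2, name
    if looks_blocked(normal, probe):
        return 3, "Generic/unknown WAF"
    return None, None


if __name__ == "__main__":
    # Constructed responses standing in for a real site; no traffic is sent.
    benign = Response(200, {"Server": "nginx"}, "<html>" + "x" * 500 + "</html>")
    blocked = Response(403, {"Server": "nginx"},
                       "<title>Attention Required! | Cloudflare</title>")
    print(fingerprint(benign, blocked))  # (2, 'Cloudflare')
```

The stage order matters: a signature hit on the benign response is cheap and certain, the block page only appears once something suspicious has been sent, and the generic comparison is a last resort that can only say "something is blocking", not what.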

Installation

Installing wafw00f is very straightforward. First, clone the GitHub repository in a location of your choice:

git clone https://github.com/EnableSecurity/wafw00f

Then, cd to the project folder and run setup.py to install the program:

cd wafw00f
python setup.py install

Running wafw00f

Now you will be able to run wafw00f directly from your console. The following command will display the program's help:

wafw00f -h

As you can see, running wafw00f is pretty easy and it only takes one parameter to scan a website, its URL. Ex:

wafw00f https://www.amazon.com/

Nmap

As you probably know, Nmap is not just about port scanning. Using the NSE (Nmap Scripting Engine) you can create or import custom scripts to automate network tasks (such as fingerprinting WAFs). For this, we will use two scripts that come by default with the Nmap package.

Installing Nmap

This actually depends on the Linux distribution you are using, but I'll assume that you already know how to install packages on your OS. Debian/Ubuntu users can install Nmap as follows:

sudo apt install nmap

Detecting WAFs with Nmap

This one is also very easy to run and it acts in a similar way to wafw00f:

nmap --script=http-waf-detect amazon.com

Unfortunately, this script doesn't really like some characters (such as a trailing slash on a URL, e.g. amazon.com/) and it is usually less effective than wafw00f. But chances are you already have Nmap installed on your machine, so if you are in a hurry, or if you are forced to use only Nmap (for whatever reason), this is an alternative that definitely deserves to be known.

W3af

W3af's (Web Application Attack and Audit Framework) main purpose is not to detect WAFs but to find common vulnerabilities in your web applications. Nevertheless, W3af comes with a bunch of plugins that extend the program's functionality. The one I use to fingerprint WAFs is fingerprint_waf.

Installation

git clone --depth 1 https://github.com/andresriancho/w3af.git
cd w3af

Using W3af

W3af comes with both a GUI mode and a console mode, the GUI being the intended way to run the program:

./w3af_gui
./w3af_console

As I don't want to make this post too long, I won't explain how to use W3af at all. Have fun discovering it by yourself. It's not that hard, and there is enough documentation.

Conclusion

Out of all three programs, I consider wafw00f to be the best and the most consistent. Nmap is probably the most common one (it comes installed in many OSes by default), and W3af might be the "hardest" to install, but it comes with a nice GUI. All of them are free and open source and they all run on Linux. Nmap has a Windows version, and older versions of W3af are also available for Windows.

Bypassing Cloudflare's WAF for XSS attacks (for open redirect)

Hello there,

Today I'll show you how I found an XSS bypass for Cloudflare's WAF that allows a tag to cause an open redirect.

Introduction:

It all started when I randomly came across, on Twitter, the account of an American university (whose name I won't reveal for obvious reasons) that was advertising their study plan on their website. As I was bored, I decided to follow the ancient tradition of submitting "><img> in every form I see on every website I visit. Surprisingly, I was able to inject the tag into the response, so I decided to escalate it to actually execute some code in my browser. My next step was to inject <svg onload="alert(1)">, but it got instantly blocked by the website's WAF. In that very moment I knew that even though the website had an obvious vulnerability, injecting some code into it wasn't going to be that easy. My first step was to identify what was actually blocking my requests and whether there was any kind of public, unfixed bypass for it, so I ran a well-known Python script called Wafw00f (https://github.com/EnableSecurity/wafw00f) to see what was going on. After that, things were pretty clear to me: I had to deal with Cloudflare's WAF, and all public XSS bypasses were already fixed, so I had to create my own.

Messing with the WAF and finding the bypass:

To test the WAF I started with the best-known payloads in order to see how it blocks them while I slowly removed or replaced components. While doing this I discovered that the <script> tag is always blocked, whereas the <svg> and <img> tags are allowed. Another important thing is that any event handler inside an <svg> tag is always blocked if it has quotes in it, but since quotes are not necessary (most modern browsers autocomplete them), we can avoid that block. Example:

<svg onload="thisIsNotEvenJS">   Blocked
<svg onload=thisIsNotEvenJS>     Not blocked

From this point, I only had to obfuscate the content of the onload handler. Obviously alert(1) was blacklisted, and any similar alternative was also forbidden: "ale"+"rt(1)", al\x65rt\x2814\x29``, alert;throw 1337 (this last one was harder to pull off because the space between "throw" and "1337" broke the browser's quote autocompletion). I also tried using JSFuck (http://www.jsfuck.com/), but the WAF was blocking the parentheses and the square brackets, ( ) and [ ]. Note: parentheses were only blocked if they were both opened and closed, "( )"; a single one, "(" or ")", was allowed. The same goes for square brackets and backticks. Finally, after some testing, I came up with this payload, which doesn't use parentheses, in order to redirect the user to a website under the attacker's control:

<svg onload=document.location="https://example.com">

Getting a POC:

Lucky for us, Cloudflare has a deliberately vulnerable site for testing their WAF, so you can see how the bypass works (as long as it's not fixed). If you'd rather test without Cloudflare's knowledge, keep in mind they probably store everything that is tested on this site. https://waf.cumulusfire.net/xss?globalHtml=

https://waf.cumulusfire.net/xss?globalHtml=<svg+onload=document.location="https://example.com">

See you next time and remember, a WAF will never be a patch to a security flaw.
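As an added example (not from the post, nor the test site's code), here is the application-side fix that makes the WAF irrelevant for this flaw: contextual output encoding of the reflected parameter, plus a Content-Security-Policy header that forbids inline event handlers as defence in depth. The parameter name globalHtml comes from the test URL above; the page template, the host name in the usage call and the sample input are constructed for illustration.

```python
"""Added example, not the post's or the test site's own code: fixing a
reflected parameter at the application layer. The parameter name globalHtml
is taken from the post's test URL; the surrounding page is a constructed
template, and SAMPLE_INPUT is a constructed value of the same shape as the
post's payload."""
from html import escape
from urllib.parse import parse_qs, urlsplit


def page(fragment):
    # Constructed page template: the reflected value lands in an HTML text node.
    return "<html><body><p>Preview: " + fragment + "</p></body></html>"


def render_unsafe(value):
    """What the vulnerable site effectively did: raw reflection into HTML."""
    return page(value)


def render_safe(value):
    """Contextual output encoding for an HTML text node: &, <, >, " and '
    become entities, so the input can no longer open a tag or an attribute."""
    return page(escape(value, quote=True))


def build_response(raw_url):
    """Return (headers, body) for a GET of raw_url, the hardened way."""
    qs = parse_qs(urlsplit(raw_url).query)
    value = qs.get("globalHtml", [""])[0]
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Defence in depth: without 'unsafe-inline', browsers refuse to run
        # inline event handlers even if some markup ever slipped through.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return headers, render_safe(value)


# Constructed sample input, the same shape as the post's payload.
SAMPLE_INPUT = '<svg onload=document.location="https://example.com">'

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_INPUT))
    print(render_safe(SAMPLE_INPUT))
    print(build_response("https://host.example/xss?globalHtml=%3Csvg+onload%3Dx%3E"))
```

The point of the closing sentence above is visible here: the encoded output contains no tag at all, so there is nothing for a blacklist to catch or miss, and the fix does not depend on which characters the WAF happens to block this week.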