Séria prezentácií – Bypassing Web Application Firewalls (WAFs)

2011-02-13 21:06 Pavol Lupták

Prečítanie kníh XSS Attacks: Cross Site Scripting Exploits and Defense, Web Application Obfuscation a osobné konzultácie s autormi týchto kníh na OWASP Summite 2011 ma viedli k vytvoreniu zaujímavej technickej prezentácie ako je možné obchádzať súčasné webové aplikačné firewally (WAFs) a tvoriť “obfuskovaný” kód.

Uvedenú prednášku bude možné vidieť naživo:

17.2.2011 o 10:45 na konferencii Oracle Security Day v Bratislave

22.2.2011 o 11:00 na konferencii Trendy v internetové bezpečnosti v Prahe 

3.3.2011 o 19:00 v Progressbare v Bratislave

29.3.2011 o 16:30 na MFF UK v Bratislave, miestnosť F1-108 v rámci predmetu Moderné Informačné Technológie 2

10.5.2011 na konferencii Security and Protection of Information v Brne

Prednáška bude prispôsobená cieľovému publiku a množstvom času na samotnú prezentáciu – na Oracle Security Day bude viac manažérsky orientovaná, naopak v Progressbare a MFF UK pôjde viac do hĺbky.

Abstrakt uvedenej prezentácie (v angličtine):

The goal of the presentation is to describe typical obfuscation attacks that allow attacker to bypass standard security measures such as various input filters, output encoding mechanisms used in web-based intrusion detection systems (IDS), intrusion prevention systems (IPS) and web application firewalls (WAFs). These attacks include different networking tricks, polymorphic shellcode and various code techniques.
At the beginning we analyze and compare different HTML parsing and interpretation approaches used by most-common browsers that can lead to unique attack vectors.
Javascript with full range of features represents another effective way that can be used to obfuscate or de-obfuscate code – some existing obfuscation tools are mentioned.
We describe how it is possible to construct a “nonalphanumeric Javascript code” which does not contain alphabetic or numeric characters, but still can contain malicious executable code. CSS (Cascading Style Sheets) have also many features that can be abused in very interesting ways (for example CSS history hack used against weak CSRF tokens).
However most of current applications are immune against SQL injection attacks, it is still possible to find many vulnerable applications. We focus on different fuzzy techniques (and useful open source SQL injection tools that implement them) which can be still used to bypass weak input validation controls.
We conclude our presentation with demonstration of the most basic obfuscation techniques that can be successfully used to bypass traditional web application firewalls (WAFs).
Finally we briefly describe current mitigation techniques that are recommended for an efficient malicious Javascript code analysis and sanitizing user input containing untrusted code.