Bypassing Web Application Firewalls (WAFs)

By pavol lupták

Topic:  Bypassing Web Application Firewalls (WAF)

Date: 3.3.2010 at 19:00 (7:00pm)

Where: Progressbar, Cukrova, Bratislava

Presenter: Pavol Lupták


The goal of the presentation is to describe typical obfuscation attacks that allow attacker to bypass standard security measures such as various input filters, output encoding mechanisms used in web-based intrusion detection systems (IDS), intrusion prevention systems (IPS) and web application firewalls (WAFs). These attacks include different networking tricks, polymorphic shellcode and various code techniques.
At the beginning we analyze and compare different HTML parsing and interpretation approaches used by most-common browsers that can lead to unique attack vectors.
Javascript with full range of features represents another effective way that can be used to obfuscate or de-obfuscate code – some existing obfuscation tools are mentioned.
We describe how it is possible to construct a “nonalphanumeric Javascript code” which does not contain alphabetic or numeric characters, but still can contain malicious executable code. CSS (Cascading Style Sheets) have also many features that can be abused in very interesting ways (for example CSS history hack used against weak CSRF tokens).
However most of current applications are immune against SQL injection attacks, it is still possible to find many vulnerable applications. We focus on different fuzzy techniques (and useful open source SQL injection tools that implement them) which can be still used to bypass weak input validation controls.
We conclude our presentation with demonstration of the most basic obfuscation techniques that can be successfully used to bypass traditional web application firewalls (WAFs).
Finally we briefly describe current mitigation techniques that are recommended for an efficient malicious Javascript code analysis and sanitizing user input containing untrusted code.