Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
WAF Bypass using HPP
Posted by: lava
Date: June 13, 2009 12:15AM

Hi Guys,

You might have heard about HTTP Parameter Pollution, which was presented at OWASP Europe recently.

It is a very effective attack to bypass Web Application Firewalls and carry out SQL Injection on ASP/ASP.NET applications.

I have put my work in a whitepaper, you can read it at - http://lavakumar.com/Split_and_Join.pdf

I did all my testing on ModSecurity, because it was the only product I had access to, since it is free ;)

However I believe other commercial offerings could be vulnerable as well, as this vector has never been openly discussed before.

Am sure some of you would have access to some commercial WAF in your lab or at work, it would be interesting to see how they fare against this attack.

All comments and suggestions are most welcome, thanks.

Cheers,
Lavakumar

http://www.andlabs.org
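To make the mechanism behind lava's post concrete from the WAF side, here is an added example in Python (not code from the whitepaper or from anyone in the thread): it rebuilds a repeated parameter the way each back-end does and applies a rule to that result, so a rule that checks every occurrence on its own misses what an ASP.NET application would actually receive. The back-end join behaviours, the rule and the sample query strings are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

# How some common back-ends resolve a parameter that appears more than once.
# ASP/ASP.NET joins every occurrence with a comma, which is what the
# "split and join" trick relies on; PHP keeps the last occurrence and a
# typical Java servlet container returns the first via getParameter().
JOIN_SEMANTICS = {
    "aspnet": lambda vals: ",".join(vals),
    "php": lambda vals: vals[-1],
    "servlet": lambda vals: vals[0],
}

# Deliberately small signature standing in for a WAF rule; it is constructed
# for this example and is not a rule from ModSecurity or PHP-IDS.
SQLI_RULE = re.compile(r"union\s*select", re.IGNORECASE)

def strip_comments(value: str) -> str:
    """Remove complete /* ... */ comments, as a SQL parser would ignore them."""
    return re.sub(r"/\*.*?\*/", "", value, flags=re.DOTALL)

def inspect_per_occurrence(query: str) -> bool:
    """Naive WAF: each occurrence of a parameter is checked on its own."""
    params = parse_qs(query, keep_blank_values=True)
    return any(SQLI_RULE.search(strip_comments(v))
               for vals in params.values() for v in vals)

def inspect_as_backend(query: str, backend: str) -> bool:
    """Hardened: rebuild the value the back-end will actually see, then check."""
    params = parse_qs(query, keep_blank_values=True)
    join = JOIN_SEMANTICS[backend]
    return any(SQLI_RULE.search(strip_comments(join(vals)))
               for vals in params.values())

def verdicts(query: str) -> dict:
    """Per-occurrence verdict plus one verdict per back-end semantics."""
    out = {"per_occurrence": inspect_per_occurrence(query)}
    for backend in JOIN_SEMANTICS:
        out[backend] = inspect_as_backend(query, backend)
    return out

# Constructed sample: the same fragments, split across three copies of "id",
# look harmless one at a time but reassemble under comma-joining.
SPLIT_REQUEST = "id=1/*&id=*/union/*&id=*/select&name=bob"
LEGIT_REPEAT = "tag=php&tag=asp&page=2"

if __name__ == "__main__":
    for q in (SPLIT_REQUEST, LEGIT_REPEAT):
        print(q, "->", verdicts(q))
```

Only the aspnet verdict flips for the split request, which is the practical check: a WAF in front of an ASP/ASP.NET application has to inspect the comma-joined value, not just each occurrence.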

Re: WAF Bypass using HPP
Posted by: sirdarckcat
Date: June 14, 2009 03:09AM

Hello!

Cool :)

I believe that mod_security is a very (really) extremely (impressively) bad IDS/IPS/WAF/ApacheMod/SecuritySolution/Etc.

Their default rule set really *sucks*, and the mod is limited in such a way that it is impossible to make really safe rules.

I would really recommend PHP-IDS; sadly the way they work is very different, so it's not a "just change mod_security with mod_phpids".

Anyway!! HPP is a good way of doing filter evasion; more on that in the Black Hat talk (I'll post the slides/video/whitepaper/etc. here once it's possible).

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: WAF Bypass using HPP
Posted by: rvdh
Date: June 16, 2009 03:28PM

I don't really agree that mod security is less safe than a PHP IDS which depends ON PHP. What if you got a PHP buffer overflow, attacking the core of PHP and thus the software that runs on it, itself? mod security doesn't seem to have that problem. And it's easier to delete the PHPIDS that is installed in user land, for example, than it is to remove mod security that is installed as root once you are in.

I don't believe in stopping attacks while they have already passed -or are processed in real time by- the high level scripting languages; one either builds something into the server software that parses rules in real time, or loads rules into memory like mod security does, or works the way a firewall works, e.g. stop at the door.

Yet, there are many factors that determine the real security issues, but I don't think one can favor one above the other based on emotion alone. Maybe it's best to find a way in between and use them both in some fashion.

Re: WAF Bypass using HPP
Posted by: sirdarckcat
Date: June 16, 2009 09:01PM

I didn't say PHPIDS was safer, I said PHPIDS has a better filter.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: WAF Bypass using HPP
Posted by: Reiners
Date: June 17, 2009 10:23AM

Quote

What if you got a PHP buffer overflow, attacking the core of PHP and thus the software that runs on it, itself? mod security doesn't seem to have that problem.

I doubt that mod security will have a filter then for your BoF.

Re: WAF Bypass using HPP
Posted by: rvdh
Date: June 17, 2009 06:56PM

The problem here -and I'm speaking from real life hacking, not just theory- is that often it's possible to jump from domains that run on the same IP, e.g. virtual hosting. Now if they have a hole, it will never see the light of day in your IDS or WAF, because when all things are lined up correctly -and that sadly happens quite too often- it means that I get access to PHP, and thus am able to remove c.q. bypass any PHP IDS or WAF that runs in these high level scripting languages, whereas running a WAF or IDS at root level, or below the scripting layer like for example in Apache, will not suffer from this.

Granted that you have bigger issues to deal with, but the point here is not the rules themselves -since there will always be vectors that go unnoticed- especially those which are unlisted or simply not publicly discussed, which results in the discussion on how effective an IDS really is -no matter which one- because that doesn't really make a difference.

The real difference, though, is whether you allow low level attacks to modify your processes; if you do, -in the case of a PHP type IDS- you will be screwed. Whereas a process that runs lower, like mod_security or SNORT, will not suffer from this, unless it's configured to run as Apache or some other user.

Re: WAF Bypass using HPP
Posted by: rvdh
Date: June 17, 2009 07:04PM

So, I would never advise settling for either one of them alone. If possible, use them both as additions to the layer you want to secure, but don't expect to replace mod_security with a PHP IDS or vice versa, because that won't work. Hence the practical irrelevancy of discussing which one is "better" imho.

Re: WAF Bypass using HPP
Posted by: sirdarckcat
Date: June 17, 2009 09:04PM

rvdh, PHPIDS doesn't work like that.. If you are inside the server, it's already too late for PHPIDS (and for mod_security). We are discussing web IDS.. not host IDS (like ossec for example), so the scenario you describe doesn't apply when judging mod_security or phpids, because both are judged by their rules.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: WAF Bypass using HPP
Posted by: Reiners
Date: June 18, 2009 08:51AM

Like you said rvdh, when someone is able to successfully run a BoF on your system you've got bigger issues to deal with than worrying whether someone disables your WAF. Since both filter sets probably won't detect such an attack and it doesn't fall in their scope, I think it's a bad idea to compare a WAF on how reliable it is on lower level attacks. I see your point that it is a good feature, but you are screwed anyway after a successful attack, having the WAF disabled or not.

Re: WAF Bypass using HPP
Posted by: Gareth Heyes
Date: June 18, 2009 09:22AM

Plus there's no reason why you couldn't create a mod_phpids and just use the regexp rules.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: WAF Bypass using HPP
Posted by: rvdh
Date: June 19, 2009 07:07PM

sirdarckcat Wrote:
-------------------------------------------------------
> rvdh, PHPIDS doesnt work like that.. If you are
> inside the server, it's already too late for
> PHPIDS (and for mod_security). We are discussing
> web-ids.. not host IDS (like ossec for example),
> so the scenario you describe doesn't apply when
> judging mod_security or phpids. Because this both
> are judged by their rules.

Hence the irrelevancy of favoritism regarding a WAF when you haven't got a network firewall like snort for example, which prevents or detects hopping from virtual domains, but then again it's the total picture isn't it. If you haven't got stuff jailed, all these things don't mean a thing anymore once you have a hole in some domain next to you.

I had it with a client of mine last month. They run everything virtual (pretty normal in bulk hosting land, e.g. rackshackers). The site I created was fully secured in the application layer, but a domain next to it got rooted due to f*king Joomla or some shit, and they got root to the whole box including access to my client's site, who insisted on cheap hosting. Took me a couple of hours to trace the culprits and another hour to sanitize the damage being made.

Turned out, I uploaded my own PHP shell and got access to all domains on that box, tapped the web host on its fingers, and they remain in silence ever since, but that's the usual way of handling these issues I guess...

;-)

Re: WAF Bypass using HPP
Posted by: sirdarckcat
Date: June 20, 2009 06:33AM

Sorry, but I don't understand what mod_security has to do with your last post.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: WAF Bypass using HPP
Posted by: rvdh
Date: June 20, 2009 06:49PM

It means that everyone depends on everyone else, with the story to illustrate it. That's why every IDS fails, because I could have run an IDS on that box, but it wouldn't make a difference since it got hacked through my client's neighbor. Point being here, is that the whole picture of security is the sum of its parts.

Re: WAF Bypass using HPP
Posted by: Pragmatk
Date: September 09, 2009 09:47AM

Oh, and if you BoF PHP, you get code execution with the Apache worker thread privs ("www" or "guest" or "nobody" on most distros). In which scope does mod_security run?

Re: WAF Bypass using HPP
Posted by: rvdh
Date: January 12, 2010 04:51PM

@Pragmatk it's probably not owned by Apache unless it's a web install, which I doubt. I don't know, maybe the mod_security webpage can tell, but it's probably installed/chowned to/from a user with more privileges than Apache (read PHP). If it's not, it's stupid. (:
