SQL Injection Filter Evasion Part 1
According to webappsec, a "Web Application Firewall (WAF)" is "An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack."
Almost all web application firewalls and IDSs use signature-based protection: they look for common inputs such as "' or 1=1", "or x=x", etc. But in my opinion, web application firewalls are only good for detecting automated tools and script kiddies. However, if the tool you are using against a SQL-injection-vulnerable database is open source, such as sqlmap, you can easily modify it to evade a web application firewall.
Detecting A WAF:
Before learning about bypassing the WAF, you must know how to detect a web application firewall. There are numerous methods of detecting whether the target website is using a web application firewall.
1. If you are attacking a website and you get an error like "Hacking attempt detected" or "Page not found", you are up against a WAF.
2. The most common method of detecting a web application firewall is by capturing the HTTP request: lots of WAFs add their own cookie to the HTTP communication.
Here is a live Brazilian website using a WAF. The cookie whose name ends in "_wat" shows that the target host is using a WAF:
GET /news.asp?PageId=254 HTTP/1.1
Host: www.poupex.com.br
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:188.8.131.52)
Accept: image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.SomeSite.com
Cookie: ASPSESSIONCWKSPSVLTF=OUESYHFAPQLFMNBTKJHGQGXM;ns_af=xL9sPs2RIJMF5GhtbxSnol+xU0uSx;ns_af_.SomeSite.com_%2F_wat=KXMhOJ7DvSHNDkBAHDwMSNsFHMSFHEmSr?nmEkaen19mlrwBio1/lsrzV810C&
If you are up against dotDefender, you will get the following error message:
Observing HTTP Response:
If you see a similar HTTP response whenever you make a malicious HTTP request, you are probably up against a ModSecurity WAF.
HTTP/1.1 501 Method Not Implemented
Date: Fri, 27 Jun 2008 23:30:54 GMT
Allow: TRACE
Content-Length: 279
Connection: close
Content-Type: text/html; charset=iso-8859-1
http://ws.
Web Application Firewall Evasion:
There are tons and tons of methods to evade a web application firewall. Here are some of them:
2. Changing Cases.
And much more.
Example of a sample IDS and WAF signature (Snort-style rule; the original was missing the closing parenthesis):
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection attempt detected, Your IP has been logged";
flow:to_server,established; content:"' or 1=1 --"; nocase; sid:1; rev:1;)
The above signature tells the WAF that if the attacker inputs "' OR 1=1" into the web page, it should display the message "SQL Injection attempt detected, Your IP has been logged".
Bypassing The Signature:
Such poorly written signatures can be easily bypassed. Think for a second: what if the attacker inputs ' OR 2=2? Isn't 2=2 just as true? How about OR 3=3, and so on? So such poorly written signatures are good for nothing. You can also add comments in order to bypass more complex signatures, e.g. OR 2/**/=/**/2.
Comments are one of the easiest ways to defeat a WAF, as lots of signatures are not looking for the comments; they are just looking for the malicious keywords.
Union statement against a WAF without comments:
www.site.com/a.php?id=123 union select 1,2,3,4,5-- BLOCKED
Union statement against a WAF with comments:
www.site.com/a.php?id=123 union/*We are bypassing the WAF*/select/*Rafay Hacking Articles*/1,2,3,4,5-- ALLOWED
Some WAFs don't have any rule or signature to detect mixed (upper/lower) case. Here are some examples of a union statement in mixed case:
uNiOn aLl sElEcT
UnIoN aLL SELECT
You can combine mixed-case statements with comments for better results:
www.site.com/a.php?id=123 uNiOn All sEleCt/*We are bypassing the WAF*/1,2,3,4,5--
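The defender's lesson from the examples above is that a literal content match fails as soon as the attacker changes a digit, inserts a comment, or alters the case, whereas a detector that canonicalises the input first is not fooled by any of those three tricks. The following Python is an added example (not code from the post or from any WAF product): it runs the post's own payloads plus a few constructed benign and malicious inputs through the literal rule from the signature above and through a normalising detector. The SAMPLES dictionary, the normalize() steps and the two regular expressions are my own simplified illustrations, not a real product's rule set.

```python
import re

# Constructed sample query strings. The first six mirror the payload shapes
# discussed in the post; the last two are benign inputs that must NOT alert.
SAMPLES = {
    "plain_tautology": "id=1' or 1=1 --",
    "numeric_variant": "id=1' OR 2=2 --",
    "comment_split": "id=1' OR 2/**/=/**/2 --",
    "union_plain": "id=123 union select 1,2,3,4,5--",
    "union_comments": "id=123 union/*We are bypassing the WAF*/select/*Rafay Hacking Articles*/1,2,3,4,5--",
    "union_mixed_case": "id=123 uNiOn All sEleCt/*x*/1,2,3,4,5--",
    "benign": "id=123&sort=name",
    "benign_text": "q=pick one or two books for 1 dollar",
}


def naive_signature(payload: str) -> bool:
    """Literal, case-insensitive content match, like the Snort-style rule
    (content:"' or 1=1 --"; nocase;). Only the exact string is caught."""
    return "' or 1=1 --" in payload.lower()


def normalize(payload: str) -> str:
    """Canonicalise the input before inspection:
    1. replace every inline /* ... */ comment with a single space, so that
       'union/**/select' becomes 'union select' rather than 'unionselect';
    2. collapse runs of whitespace to one space;
    3. lowercase so that mixed-case keywords look like ordinary ones."""
    no_comments = re.sub(r"/\*.*?\*/", " ", payload, flags=re.S)
    collapsed = re.sub(r"\s+", " ", no_comments)
    return collapsed.lower().strip()


# "or <token> = <same token>" catches 1=1, 2=2, x=x, etc. (assumption: a
# simplified tautology check; it does not cover quoted-string tautologies).
TAUTOLOGY = re.compile(r"\bor\b\s*(\w+)\s*=\s*\1\b")
# "union [all] select", with any amount of whitespace between the keywords.
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s*\bselect\b")


def normalized_detect(payload: str) -> bool:
    """Apply the patterns to the canonical form instead of the raw bytes."""
    text = normalize(payload)
    return bool(TAUTOLOGY.search(text) or UNION_SELECT.search(text))


def evaluate() -> dict:
    """Return {sample name: (naive verdict, normalized verdict)}."""
    return {
        name: (naive_signature(p), normalized_detect(p))
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:18} naive={naive!s:5} normalized={normalized}")
```

Run as a script, it shows the literal rule firing only on the plain_tautology sample while the normalised detector flags all six injection shapes and neither benign input. Normalisation is a necessary layer, not a complete defence: the regexes above are deliberately small, and the real fix for the vulnerability a WAF is guarding remains parameterised queries in the application itself.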
Well, I hope you have liked this post. In this post we talked about detecting a WAF and some basic techniques for evading a web application firewall. In the next post we will look at some more advanced techniques, such as encoding and whitespace tricks, to bypass a web application firewall.