Qi Wang & Jianjun Chen & Run Guo & Chao Zhang & Haixin Duan_Break the Wall from Bottom Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls.pdf

《Qi Wang & Jianjun Chen & Run Guo & Chao Zhang & Haixin Duan_Break the Wall from Bottom Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls.pdf》由会员分享，可在线阅读，更多相关《Qi Wang & Jianjun Chen & Run Guo & Chao Zhang & Haixin Duan_Break the Wall from Bottom Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls.pdf（50页珍藏版）》请在三个皮匠报告上搜索。

1、#BHUSA BlackHatEventsBreak the Wall from Bottom:Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application FirewallsSpeaker:Qi Wang(Eki)Contributors:Jianjun Chen,Run Guo,Chao Zhang,Haixin Duan#BHUSA BlackHatEvents2Talk RoadmapvWhat are WAFs and how do they work?vHow do we disco

2、ver new evasion cases automatically?vHow to bypass WAF at the protocol-level like a Pro?vBonus:Three useful tactics to bypass WAFs at the protocol-level#BHUSA BlackHatEvents3WebApps Security RiskvWebApp uses parameters in HTTP request messages as user inputsvMalicious user inputs can hijack the cont

3、rol flow of the WebAppA code snippet from a PHP WebApp with SQL injection vulnerability?id=0 union select*from secret#BHUSA BlackHatEvents4How WAF Protect WebApp from Security Risk?vWAFs monitor WebApp traffic to block malicious HTTP requestsVirtual Patch:protect the WebApp before the developers rel

4、ease the patch.?id=0 union select*from secret UserAttackerWebAppWAF#BHUSA BlackHatEvents5The never-ending battle between hackers and WAFsvCloudflare research*shows lots of activity since Log4jShellHackers have been looking for ways to bypass WAFAfter$jdni got blocked,the hackers applied encoding met

5、hods&log4j features*https:/ BlackHatEvents6The Working Principle of WAFsvParse-Match-ApplyAttackerWebAppGET/HTTP/1.1Content-Type:application/json”id”:”1or(1=1)#”Deny requestARGS:Key:id Value:1or(1=1)#WAF ParsingARGS contains or(1=1)#denyVariableOperatorActionWont send to server Matching#BHUSA BlackH

6、atEvents7Wait a minute？Looks like a weak rule！vJust change the case of keywords and use instead of=vNow you find payload-level evasion tacticsAttackerWebAppGET/HTTP/1.1Content-Type:application/json“id”:“1Or(10)#”Response with leaked dataARGS:Key:id Value:1Or(10)#WAFParsingARGS contains or(1=1)#denyF