Hi list,
I was wondering if such a thing existed and if not, would such a thing be
possible?
Or does WAF evasion always need some degree of intelligence to produce a
viable payload?
I must admit my WAF evasion knowledge is quite poor. I am awaiting The Web
Application Obfuscation book as a starting point.
Thanks,
Ryan
Ryan Dewhurst
blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r
On a related note the never ending obfuscation techniques to bypass any
filtering mechanism (WAF or otherwise) lead me to use additional WAF
techniques to help mitigate XSS attacks. I recently gave my "XSS
Street-Fight" presentation at Blackhat DC
(http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Barnett)
which outlined these items. The preso slides aren't up on the BH site yet
so I posted them here -
http://www.modsecurity.org/documentation/XSS_Street_Fight-Ryan_Barnett-BlackhatDC-2011.pdf
The short of it is that you need to do things like -
Sorry for the thread hijack
-Ryan
From: Ryan Dewhurst ryandewhurst@gmail.com
Date: Wed, 2 Feb 2011 21:36:44 +0000
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] WAF XSS Fuzzer?!
_______________________________________________
The Web Security Mailing List
WebSecurity RSS Feed: http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn: http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter: http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
On 2 February 2011 21:36, Ryan Dewhurst ryandewhurst@gmail.com wrote:
I was wondering if such a thing existed and if not, would such a thing be
possible?
I'll probably add it to XSS Rays, it will consist of:-
var vectors = [];
for (var i = 0; i < 10; i++) {
  // numbered variant of the same probe so each hit can be told apart
  vectors.push('<img src=1 onerror=alert(' + (i + 1) + ')>');
}
It will probably work for most WAFs, as Thornmaker and sdc have already proved.
x5s tests for encoding issues that lead to XSS by using what could be
qualified as some obfuscation techniques. It's not doing all of the
obfuscation techniques you'd find in the new book
http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049/.
It's more focused on charset and Unicode, such as overlong UTF-8 and Unicode
characters that normalize and best-fit map to lower-range ASCII. It also
injects straight-up ASCII probes. We have a new version with a much
better approach awaiting some beta testing; if you're interested, let me know.
-CWeber
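An added example, not code from the thread, XSS Rays or x5s, of the canonicalize-then-filter check that the encoding tricks Chris describes (overlong UTF-8, Unicode that normalizes down to ASCII) call for on the defending side. The MARKER rule, the inspect/inspectNaive functions and the probe bytes are constructed for illustration, and the block assumes Node.js.

```javascript
// Added example (not from the thread, XSS Rays or x5s): canonicalize, then filter.
// Assumes Node.js, where TextDecoder/TextEncoder and String#normalize are built in.

// Constructed rule standing in for a WAF signature on the thread's probe vector.
const MARKER = /<img[^>]*onerror/i;

// Strict UTF-8 decode: with { fatal: true } the decoder throws on overlong
// (non-shortest-form) sequences instead of quietly producing something else.
function strictUtf8(bytes) {
  try {
    return { ok: true, text: new TextDecoder('utf-8', { fatal: true }).decode(bytes) };
  } catch (e) {
    return { ok: false, text: null };
  }
}

// Canonicalize first: reject malformed UTF-8 outright, then apply NFKC so
// compatibility characters (fullwidth U+FF1C etc.) collapse to ASCII before
// the rule runs. Returns 'reject-encoding', 'block' or 'pass'.
function inspect(bytes) {
  const dec = strictUtf8(bytes);
  if (!dec.ok) return 'reject-encoding';
  return MARKER.test(dec.text.normalize('NFKC')) ? 'block' : 'pass';
}

// The same rule with a lossy decode and no normalization, i.e. what a filter
// that matches on the raw request bytes effectively sees.
function inspectNaive(bytes) {
  const text = new TextDecoder('utf-8').decode(bytes); // bad bytes become U+FFFD
  return MARKER.test(text) ? 'block' : 'pass';
}

// Constructed probes, modelled on the thread's <img src=1 onerror=alert(1)> vector.
const enc = new TextEncoder();
const plain = enc.encode('<img src=1 onerror=alert(1)>');
// Fullwidth '<' (U+FF1C) and '>' (U+FF1E) in place of the ASCII brackets.
const fullwidth = enc.encode('\uFF1Cimg src=1 onerror=alert(1)\uFF1E');
// Overlong two-byte form of '<' (0xC0 0xBC) followed by the ASCII remainder.
const overlong = Uint8Array.from([0xC0, 0xBC, ...enc.encode('img src=1 onerror=alert(1)>')]);

// Side-by-side verdicts: the naive rule passes both disguised probes.
function verdicts() {
  return {
    plain: [inspectNaive(plain), inspect(plain)],             // ['block', 'block']
    fullwidth: [inspectNaive(fullwidth), inspect(fullwidth)], // ['pass', 'block']
    overlong: [inspectNaive(overlong), inspect(overlong)],    // ['pass', 'reject-encoding']
  };
}
console.log(verdicts());
```

NFKC stands in here for whatever normalization the backend actually applies; best-fit mapping is platform-specific and is not modelled.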
On Thu, Feb 3, 2011 at 10:43 AM, Chris Weber chris@casabasecurity.com wrote:
x5s tests for encoding issues that lead to XSS by using what could be
qualified as some obfuscation techniques. It’s not doing all of the
obfuscation techniques you’d find in the new book
http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049/.
Any plans to produce a tool (or update an existing one) that has these
techniques?
It’s more focused on charset and Unicode, such as overlong UTF-8 and Unicode
characters that normalize and best-fit map to lower-range ASCII. It also
injects straight-up ASCII probes. We have a new version with a much
better approach awaiting some beta testing; if you’re interested, let me know.
I was definitely thinking the same thing, Chris -- x5s would be ideal
to test WAFs, but perhaps not perfect.
I'd also be curious to test for div overlays/hijacking and base/form
hijacking (and other issues with HTMLi). I will probably get some
opportunity to test everything mentioned on a few WAFs soon. Feel free
to ping me about test cases or tool benchmarking.
So, I'm certainly interested in your beta projects. What's with
webappsec tools these days where the dev versions are significantly
more advanced than the releases? Whoever said that webappsec isn't
innovating obviously isn't involved in webappsec. It's just the stupid
appsec commercial product vendors that aren't innovating!
Cheers,
Andre
Awesome that someone put a book together on this subject; long
overdue. I didn't know there were others as geeked out on
canonicalization as you and I were, and the guys over at Depth
Security.
FYI WhiteHat Sentinel has been testing for a large number of these
"filter evasion"/canonicalization issues for 4+ years now. I published
stats about their frequency of occurrence a few years ago at BlackHat.
That was from a fairly small sample of applications compared to what
we work with today though, so it's probably time to take a look at
those numbers again.
What we find time and time again is that most of the obscure "filter
evasion" techniques tend to succeed as edge-cases. But there are a
heck of a lot of edge-cases out there. Some other observations about
these types of filter-evasion/canonicalization issues:
We have also worked fairly closely with several Web App Firewall
vendors integrating Sentinel, and sharing information with them about
these types of filter evasions. However, WAF vendors have a tough time
of it. Customers will tolerate false-negatives over false-positives.
Good or bad, that's just how the world works. Filtering on these types
of data constructs has an unfortunate tendency to generate false
positives - especially on internationalized websites using multiple
code pages/encoding formats. Likewise, remediation is often as
challenging for the developer to understand as mitigation. Tricky
problem.
Also, I know IBM Appscan has implemented some degree of tests
targeting these issues as well. I have not seen the other mainstream
webapp scanners perform any depth of testing here (they might, but I
haven't seen it in their test injections nor results). However - the
biggest problems the appsec scanning industry is facing today involve
scaling and false-positive rates. Improved filter-evasion just isn't
a primary problem (yet) IMHO.
Interesting times. The appsec industry, the customer base, and the
technologies are all evolving rapidly today. The next 5 years in
appsec should be much more exciting than the last 5 years.
Keep up the excellent work, Chris (I'm assuming x5s is your project).
Arian Evans
On Thu, Feb 3, 2011 at 9:43 AM, Chris Weber chris@casabasecurity.com wrote:
x5s tests for encoding issues that lead to XSS by using what could be
qualified as some obfuscation techniques. It’s not doing all of the
obfuscation techniques you’d find in the new book
http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049/.
It’s more focused on charset and Unicode, such as overlong UTF-8 and Unicode
characters that normalize and best-fit map to lower-range ASCII. It also
injects straight-up ASCII probes. We have a new version with a much
better approach awaiting some beta testing; if you’re interested, let me know.
-CWeber