Hi folks,
Hope you're doing all well!
I'm recently interested in the state of the art of bypassing the
ModSecurity WAF. Could you please help me with relevant methods and attacks
or any useful resources?
Many thanks in advance,
Regards,
--
Yasser ABOUKIR
Information Security Major
Computer Science Engineering Student at ENSIAS
http://www.ensias.ma
http://ma.linkedin.com/in/yasseraboukir
☏ +212 6 69 60 64 82
☞ www.yaboukir.com
There are two main evasion issues to be concerned with for any WAF -
There was a similar recent one found by my SpiderLabs colleague Andrew Wilson where clients can specify random/invalid content-types and ModSecurity would not inspect it but the app would handle it normally. This was fixed in recent OWASP CRS updates.
We had an SQL Injection Challenge last summer which included evasions for the ModSecurity OWASP CRS -
http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
Hope this info helps.
Ryan
On Feb 10, 2012, at 5:18 PM, Yasser ABOUKIR yaboukir@gmail.com wrote:
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
On Fri 10 Feb 2012 11:18:32 PM CET, Yasser ABOUKIR wrote:
Hi Yasser,
First, you should know that ModSecurity by itself does "nothing". What
detects (and blocks/logs) malicious interactions (requests/responses)
is the rules it uses. Think of it like Snort and its signatures.
A rule could be as simple as
SecRule ARGS "<script" "deny"
which denies the request if an argument contains <script. As you may
have figured out, this rule is easily bypassed by a <scripT
and here comes the role of transformations. The previous bypass
wouldn't be possible with the following rule
SecRule ARGS "<script" "t:lowercase,deny"
There are different commercially supported rule sets but I believe that
the OWASP ModSecurity Core Rule Set is widely used. You may also come
across installations that use only certain parts of a Rule Set (as
there is a trade-off between performance and security). So there is no
magic method that works in all situations, even against the same
version of ModSecurity.
I advise you to play around with rule writing as it will give you some
great insight about how things work, and how you could bypass the
security measures.
This excellent blog post [1] on the ModSecurity blog documents a number
of bypasses from last year's ModSecurity SQL Injection challenge.
[1]
http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
Cheers,
Hani
--
M. Hani Benhabiles
OWASP Algeria SC founder and president.
http://www.owaspalgeriasc.org
Email: hani.benhabiles@owasp.org
Blog: http://kroosec.blogspot.com
Twitter: https://twitter.com/#!/kroosec
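To make the point about rules and transformations concrete, here is a small Python simulation of how a SecRule is evaluated against ARGS: the t: chain is applied to each value in order, then the regex is matched. This is an added example, not code from the thread or from ModSecurity itself; the transformation functions are simplified approximations of the real ones, only the default @rx operator on ARGS is modelled, and the probe values are constructed.

```python
import re
import shlex
from urllib.parse import unquote

# Simplified imitations of the ModSecurity t: actions of the same name
# (assumption: approximations, not ModSecurity's own implementation).
TRANSFORMS = {
    "none": lambda s: s,
    "lowercase": str.lower,
    "urlDecode": unquote,
    "removeWhitespace": lambda s: re.sub(r"\s+", "", s),
}

def parse_secrule(line):
    """Split a SecRule line into (pattern, transforms, other actions).
    The pattern and action list may be quoted or bare, as in the rules above;
    only 'SecRule ARGS <regex> ...' with the default @rx operator is handled."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] != "SecRule":
        raise ValueError("not a SecRule line: %r" % line)
    variables, pattern = tokens[1], tokens[2]
    if variables != "ARGS" or pattern.startswith("@"):
        raise ValueError("only 'SecRule ARGS <regex> ...' is simulated")
    actions = tokens[3].split(",") if len(tokens) > 3 else []
    transforms = [a.split(":", 1)[1] for a in actions if a.startswith("t:")]
    other = [a for a in actions if not a.startswith("t:")]
    return pattern, transforms, other

def evaluate(rule, args):
    """Run one rule over request arguments the way ModSecurity does:
    transform each value through the t: chain in order, then match the regex.
    Returns 'deny' on a match with a deny action, 'match' on a match without
    one, and 'pass' when no argument matched."""
    pattern, transforms, other = parse_secrule(rule)
    for value in args.values():
        transformed = value
        for name in transforms:
            transformed = TRANSFORMS[name](transformed)
        if re.search(pattern, transformed):
            return "deny" if "deny" in other else "match"
    return "pass"

if __name__ == "__main__":
    naive = "SecRule ARGS <script deny"
    hardened = "SecRule ARGS <script t:lowercase,deny"
    probe = {"q": "<scripT>alert(1)"}  # constructed test input
    print(naive, "->", evaluate(naive, probe))        # pass (missed)
    print(hardened, "->", evaluate(hardened, probe))  # deny
```

Running it shows the case-variant value slipping past the first rule and being caught by the second; adding t:urlDecode ahead of t:lowercase likewise catches a percent-encoded variant that lowercase alone would miss.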