websecurity@lists.webappsec.org

The Web Security Mailing List


Bypassing ModSecurity

YA
Yasser ABOUKIR
Fri, Feb 10, 2012 10:18 PM

Hi folks,

Hope you're doing all well!

I'm recently interested of the state of the art of bypassing the
ModSecurity WAF. Could you please help me with relevant methods and attacks
or any useful resources?

Many thanks in advance,

Regards,

--
Yasser ABOUKIR
Information Security Major
Computer Science Engineering Student at ENSIAS
http://www.ensias.ma
http://ma.linkedin.com/in/yasseraboukir

☏  +212 6 69 60 64 82
☞  www.yaboukir.com

R
Rcbarnett
Fri, Feb 10, 2012 11:02 PM

There are two main evasion issues to be concerned with for any WAF -

  1. Evasion of the engine/parsing itself
    These are usually impedance mismatches between the WAF and underlying app.  There were some issues in the past with handling null bytes and multi-part filenames identified by Stefan Esser
    http://www.suspekt.org/downloads/RSS09-WebApplicationFirewallBypassesAndPHPExploits.pdf

There was a similar recent one found by my SpiderLabs colleague Andrew Wilson where clients can specify random/invalid content-types and ModSecurity would not inspect it but the app would handle it normally. This was fixed in recent OWASP CRS updates.

  2. Evasion of the rules
    There are always issues with negative security rules. You can test out evasions here -
    http://www.modsecurity.org/demo/crs-demo.html

We had an SQL Injection Challenge last summer which included evasions for the ModSecurity OWASP CRS -
http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Hope this info helps.

Ryan

On Feb 10, 2012, at 5:18 PM, Yasser ABOUKIR <yaboukir@gmail.com> wrote:

Hi folks,

Hope you're doing all well!

I'm recently interested of the state of the art of bypassing the ModSecurity WAF. Could you please help me with relevant methods and attacks or any useful resources?

Many thanks in advance,

Regards,

--
Yasser ABOUKIR
Information Security Major
Computer Science Engineering Student at ENSIAS
☏  +212 6 69 60 64 82
☞  www.yaboukir.com


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
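A toy model of the Content-Type mismatch Ryan describes, added here as an illustration and not code from ModSecurity or the CRS: the WAF only turns a body into ARGS for media types it recognises, while the backend (an assumption, modelled by `app_parse_body`) parses the body whatever the header says; `looks_malicious` stands in for a real rule set.

```python
from urllib.parse import parse_qs

# Toy model of the engine-level mismatch: the WAF parses a body into ARGS
# only for Content-Types it recognises, while the application parses the
# body regardless. Constructed for this thread; not ModSecurity's or the
# CRS's code, and the backend behaviour is an assumption.
INSPECTED_TYPES = {"application/x-www-form-urlencoded"}

def media_type(headers):
    """Lower-cased media type without parameters such as charset."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()

def app_parse_body(request):
    """Backend that parses a form body regardless of Content-Type (assumption)."""
    return {k: v[0] for k, v in parse_qs(request["body"]).items()}

def looks_malicious(value):
    """Stand-in for a rule set; a real deployment would run its full rules here."""
    return "<script" in value.lower()

def naive_waf(request):
    """Unknown Content-Type: the body never becomes ARGS, so no rule sees it."""
    if media_type(request["headers"]) not in INSPECTED_TYPES:
        return "pass"
    args = app_parse_body(request)
    return "deny" if any(looks_malicious(v) for v in args.values()) else "pass"

def hardened_waf(request):
    """Allowlist the Content-Type first, so nothing reaches the app uninspected."""
    if media_type(request["headers"]) not in INSPECTED_TYPES:
        return "deny"  # policy: anything the engine cannot parse is rejected
    args = app_parse_body(request)
    return "deny" if any(looks_malicious(v) for v in args.values()) else "pass"

def demo():
    """Constructed sample: a made-up Content-Type carrying a form-encoded body."""
    request = {"headers": {"Content-Type": "application/x-made-up"},
               "body": "q=<script>alert(1)</script>"}
    seen_by_app = app_parse_body(request)
    return naive_waf(request), hardened_waf(request), seen_by_app

if __name__ == "__main__":
    print(demo())  # ('pass', 'deny', {'q': '<script>alert(1)</script>'})
```

The check to carry over to a real deployment is the same one the CRS update made: enforce a Content-Type allowlist before any body inspection, and treat "not parsed" as "not allowed" rather than "not a problem".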

MH
M. Hani Benhailes
Fri, Feb 10, 2012 11:12 PM

On Fri 10 Feb 2012 11:18:32 PM CET, Yasser ABOUKIR wrote:

Hi folks,

Hope you're doing all well!

I'm recently interested of the state of the art of bypassing the
ModSecurity WAF. Could you please help me with relevant methods and
attacks or any useful resources?

Many thanks in advance,

Regards,

--
Yasser ABOUKIR
Information Security Major
Computer Science Engineering Student at ENSIAS
http://www.ensias.ma
http://ma.linkedin.com/in/yasseraboukir

☏  +212 6 69 60 64 82
☞  www.yaboukir.com



Hi Yasser,

First, you should know that ModSecurity by itself does "nothing". What
detects (and blocks/logs) malicious interactions (requests/responses)
is the rules it uses. Think of it like Snort and its signatures.

A rule could be as simple as

SecRule ARGS "<script" "deny"

which denies the request if an argument contains <script. As you may
have figured out, this rule is easily bypassed by a <scripT
and here comes the role of transformations. The previous bypass
wouldn't be possible with the following rule

SecRule ARGS "<script" "t:lowercase,deny"

There are different commercially supported rule sets but I believe that
the OWASP ModSecurity Core Rule Set is widely used. You may also come
across installations that use only certain parts of a Rule Set (as
there is a trade-off between performance and security). So there is no
magic method that works in all situations, even against the same
version of ModSecurity.

I advise you to play around with rule writing as it will give you some
great insight about how things work, and how you could bypass the
security measures.

This excellent blog post [1] on the ModSecurity blog documents a number
of bypasses from last year's ModSecurity SQL Injection challenge.

[1]
http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Cheers,
Hani

--
M. Hani Benhabiles
OWASP Algeria SC founder and president.
http://www.owaspalgeriasc.org
Email: hani.benhabiles@owasp.org

Blog: http://kroosec.blogspot.com
Twitter: https://twitter.com/#!/kroosec
