Skip to main content

Cloud based WAF against cyber attacks? - Part II

Cloud based WAF against cyber attacks? - Part II

In my previous blog I have criticized cloud based Web Application Firewall (Sucuri) and have provided a proof of concept in that regards. Following the same tail, in my humble opinion most of the companies place WAF in their architecture in the following way : 

The above Figure shows a very abstract architecture where we have two separate network lines from two different service provider, in order to ensure availability if one line is down.
Then in any typical network we have network firewall where we create Access Control Lists (ACL) based on the company’s policies and requirements. After the network firewalls, we have two separate Web Application Firewalls. From the  implementation point of view different kinds of WAFs provide different features as far as the operations is concerned, in some cases they can communicate with each other in order to maintain the configuration synchronized via a single management console and in some cases one needs to manually merge the changes from one WAF to another.
Now considering the Figure given above, for all the applications that are hosted into the data center and registered into WAF, all the traffic is passing by WAF. And from company to company there may be some other security measures  as well e.g., IDS and IPS etc.
In most of the web applications the GET parameter becomes the part of URL e.g.,”onmouseover=”ale... In my previous blog, the attack vector was part of the GET parameter (Search Query) as you can see below
But in this case, web application is using base64 encoding (in the form of a JavaScript function) on the client-side before sending the data to the server and therefore the GET parameter in the URL is in encoded form. If you try to use any base64 decoding then you can easily analyze what the result could be, as an example below:
JTIyb25tb3VzZW92ZXIlM0QlMjJhbGVydCgxKQ== = %22onmouseover%3D%22alert(1)
Note: This clearly means that the Cloud based WAF(Sucuri)  couldn’t able to parse the malicious query in the URL and hence it is clearly bypassed.

Now out of my curiosity I wanted to verify again whether this issue was fixed or not so I tried the same malicious vector but this time there was no popup so I tried to check the source and the attack vector was clearly visible in the source that means that WAF was again bypassed because of the same reason (base64 encoding).
But  this time as we can see the developers have removed “=”, () unfortunately even after some efforts from the developers we can still insert malicious JavaScript code within the attribute context and and closes the tag prematurely. Moreover as the developer is remove parentheses so instead of (), we can use `` as according to new ECMA Script Template strings allows embedded expressions. You can use multi-line strings and string interpolation features with them
and the result was as follows:
Decoded String: JTIyJTNFJTNDc2NyaXB0JTNFY29uZmlybSU2MDElNjAlM0MlMkZzY3JpcHQlM0U= = %22%3E%3Cscript%3Econfirm%601%60%3C%2Fscript%3E

As you can see above there are mainly 4-5 big players based on the report from Gartner - July 2015. Unfortunately Sucuri is not mentioned there  but what I would like to point out is whether the other WAFs supports base64 decoding or not?
And I have found some evidences as follows:
  • Barracuda WAF 
Base64 Decode Parameter Value - Set to Yes to apply base64 
decoding to the parameter values. If the parameter value adheres to the Data URI Scheme, the base64 decoding is applied on the parameter value irrespective of Base64 Decode Parameter Value is set to Yes or No. If not, the base64 decoding is applied to the parameter value only when Base64 Decode Parameter Value is set to Yes. Once the decoding is successful, other parameter checks are enforced as per the policy settings.
  • F5
Adding base64 decoding to a new user-input parameter When enabled, the system can apply base64 decoding for a user-input parameter. If the decoding is successful, the system applies the parameter checks specified in the security policy. If the decoding is not successful, the system issues the Illegal base64 parameter value violation and responds to the offending request according the associated blocking policy
Source: F5 - Base64
Sucuri Vulnerable Outdated Software If existing detection signatures are unable to separate legitimate requests from malicious ones, our heuristic detection and auditing will flag new samples for research. The new signature is quickly analyzed and decoded. In a recent vulnerability that our research team discovered and disclosed responsibly, the exploit used a base64 encoded string to send its malicious payload, which is hard to detect as it only contained random alphanumeric characters. To detect it, the Website Firewall was set to review different elements such as the size of the particular parameter:
SourceSUCURI - Base64

Summary :
The purpose of WAF is to provide an extra layer of protection against the attackers but one should always prioritize the “secure coding” instead of relying solely on WAF.
e.g. always consider the white-list approach.
And if an enterprise is using a WAF then they should continuously monitor the logs and fine tune the policies in WAF based on the false positives and attacks. Moreover they should clearly identify the use cases before implementing any WAF i.e. they should verify the capabilities of WAF whether it suits their environment or not.


Popular posts from this blog

Splunk - Drop Down Management Dashboard for Attacks

Scenario: You might have many security devices as input resource and many of them have standard apps already designed for Splunk(Also available for free) but even then in some cases you would like to create your own Dashboards based on your own requirements especially when you would like to report to the management customers and so on. Here I will explain a Web Application Firewall as an input resource where we might have multiple services registered into WAF and in Splunk you would like to create a dashboard for management based on a drop down menu for different services.
To start with, we will use the same lookup that we have created in my previous blog. First you need to know what you would like to present in a dashboard. In my case, I am taking a simple scenario that I would like to present the number of attacks from a country that is happening to any particular service in a given period of time. It would also present some additional details like as follows: Time Source IP Country Act…


DOM When  a web page is loaded, browser creates a Document Object Model. It is a platform and language-neutral interface that allows scripts to dynamically access and update the content, structure, and style of a document.
DOM-Based XSS : It is a Cross-Site-Scripting attack wherein the attack payload is executed as a result of modifying DOM environment in the victim’s browser used by itself. The important thing to consider here that the HTTP response does not change but the client side code in the page behaves differently because of the malicious code injected by the attacker. Note: DOM XSS can be executed in Chrome, therefore if you would like to repeat the steps mentioned below, it is recommended to use chrome browser. Firefox has an inbuilt protection against DOM-Based XSS therefore DOM attacks might not work in Firefox. Few Findings in Wild Target : Global Rank : 81 Rank in US: 55 If you open and go to their privacy policy, you might notice th…

Why not a GDPR for India?

Why not a GDPR for India?
After the recent scandal from Cambridge Analytica, millions of people are concerned over the privacy of their data and so are the Indians. India, one of the biggest markets of Facebook is most exciting market for such companies to test their concepts on artificial intelligence and machine learning. Cheap internet, wide adoption of smartphones and a huge young population totally unaware of the consequences of using the unsafe internet has set the internet product companies to exploit high-value Intel and data generated from India in a much easier way. I will start today with where does India stand in the world of “world wide web or internet” usage. Below are some figures on the number of internet user in millions globally.

Number of Internet users in millions
As the data shows, India stands second in terms of the number of Internet users and it’s increasing at a very rapid rate. Though I must mention that at the moment, India has one of the lowest internet penetr…