
Cloud based WAF sucks more than you thought - Privacy?

In my previous post, I described a basic diagram of placing a WAF into a network. Now imagine placing that WAF into the cloud. For an easy explanation, instead of reinventing the wheel, I will refer to Sucuri's diagram here:

This diagram clearly states that Sucuri's network will protect your website against hackers performing injection attacks such as XSS, SQL injection, command injection, etc.
Now, in real life, it is quite complicated for an end user to figure out whether a WAF is in place or not, and why would an end user even be interested? His or her only concern is that their personal information is properly taken care of while visiting a website. But as an end customer, how would you make sure that the information you provide will be taken care of and won't be shared with any third party without your consent? That is quite a complex question, especially for people who have nothing to do with IT security.
I once told my wife that whenever she needs to provide personal or credit card information to a website, she should make sure the target website uses HTTPS, as this certifies that the website is secure. That is true up to some extent. Think about any e-commerce website that allows you to perform online transactions, where you are required to fill in tons of personal information before you complete the transaction.
For the scope of this article, we will use www.gospelinlife.com as the target of reference. Imagine an end user visiting this website and trying to book a room on it. As a user, I would think that if the website uses HTTPS it should be secure, and to make further sure I would check their certificate, which also looks fine, as below.
A certificate generally represents ownership; certificates are issued by certification authorities.

What does HTTPS technically mean?

HTTPS is communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS), a protocol that ensures privacy between communicating applications and their users on the Internet. In other terms, when a server and a client communicate, TLS ensures that eavesdropping cannot occur. I won't go into the technical implementation of HTTPS or TLS, as it is beyond the scope of this article. But one can verify the basic information of a website using an encrypted channel by clicking on HTTPS or the lock symbol in the URL (Uniform Resource Locator), as shown above in the certificate information.
It gives the following information:
  • That it has been verified by a CA (Certification Authority)
  • Class of certificate
  • Type of encryption used
  • Expiry date of certificate
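As an added example (my own code, not from the original post), here is how the lock-icon facts listed above can be read programmatically with Python's ssl module; the SAMPLE_CERT with its hostname, issuer and dates is constructed, and the live helper assumes network access. Note what the certificate cannot tell you: which party actually holds the private key.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the
# hostname, issuer and dates are made up and do not describe a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example-shop.test"), ("DNS", "example-shop.test")),
}

def _field(rdn_seq, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() RDN sequence."""
    for rdn in rdn_seq:
        for name, value in rdn:
            if name == key:
                return value
    return None

def days_until_expiry(not_after, now_ts=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)

def summarize_cert(cert, hostname, now_ts=None):
    """The facts the lock icon shows: who issued it, whether it is valid, whether it names the site.
    It cannot show who holds the private key: a cloud WAF that terminates TLS presents a
    certificate for your site and still reads the plaintext."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    days = days_until_expiry(cert["notAfter"], now_ts)
    return {
        "issuer": _field(cert["issuer"], "organizationName"),
        "subject": _field(cert["subject"], "commonName"),
        "days_left": days,
        "expired": days < 0,
        "hostname_matches": hostname in sans,  # exact match only; wildcard SANs not handled here
    }

def inspect_live(hostname, port=443):
    """Connect to a real server and summarise its certificate and cipher (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            info = summarize_cert(tls.getpeercert(), hostname)
            info["cipher"] = tls.cipher()  # (name, TLS version, key bits)
            return info
```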

Cryptography - Overview
For a brief understanding, I would like to give a small overview of cryptography. In cryptography, a PKI (Public Key Infrastructure) is used to generate public key certificates. The idea of the algorithm is based on two keys, a public key and a private key, which are mathematically related to each other in a very complex way. Content encrypted with the sender's private key can only be decrypted with its corresponding public key. On this basis the receiver of the content can authenticate the sender, knowing that it has been sent by the proper source, and vice versa.
But in any certificate, the point to consider is who issued the certificate and to whom. There are only a handful of major CAs (Symantec, Comodo, GoDaddy, etc.) that account for almost all the certificates issued on the web, so it is quite easy to trust a CA if it is one of them.

Considering the technical implementation of HTTPS, I would assume that eavesdropping is impossible where HTTPS is implemented, unless we have the private key to decrypt the entire traffic.
I noticed that this website uses HTTPS and, after checking the certificate, I felt relaxed too: it must be secure and no one can see my data in transit, even though they have clearly mentioned "Sucuri Verified Site" on their website. But it doesn't mean that they can decrypt my data and verify what's in there.
For the testing, I started by throwing some random strings into their search bar. I used a probe string mentioned by Ashar Javed (Probe String), but all special characters were properly escaped. After crawling through some other input fields, I reached their account login page, which requires an email and password to log in. I went on to fuzz the login page with some random values:
Username : b"c<@d.com, abc@d.com
Password : start123
With the first payload I got the response "Please enter a valid email address. For example johndoe@domain.com"; with the second payload I got the response "Invalid login or password". Now, only for testing, I tried the password field with some malicious characters together with a valid email address. This time I entered null into the password field and, to my surprise, I landed on Sucuri's page.

Starting with a brief description: an application generally runs either on an application server or a web server, depending on how it has been implemented. Now, in order to raise security, Sucuri WAF has been put in front of it, but as HTTPS is implemented, Sucuri WAF has to sniff the traffic to verify what is an attack and what is legitimate traffic. The idea is that attacks should be blocked and legitimate traffic should pass through. We will not talk about false positives here :)
Now, in order to function properly, Sucuri WAF must have the private key of the certificate so that it can decrypt the traffic, i.e. eavesdrop on it.
This means that when I entered null into the password field, which was not even visible to me, Sucuri decrypted the password and identified it as a possible attack.

A few questions arise in my mind here:
  • Someone sitting behind the Sucuri WAF monitoring the traffic can see everything coming in, in clear text
  • What about the privacy of information, as it is being transferred to a third party?
  • What about data protection laws?
  • As there is no more European Safe Harbor, what about European clients that are using Sucuri WAF?
  • Do website users know where their data is flowing on the web?

Here is one of the European clients whose traffic is going into Sucuri's cloud in Canada.
I simply sniffed the traffic to identify where exactly it was going, and the result was as follows:
As you can see in the above image, the traffic is going to a domain called "cloudproxy10008.sucuri.net". Now you can use any publicly available DNS lookup tool to identify the IP. I personally like http://mxtoolbox.com, as I generally use it for other purposes as well, so I used it and the result was as follows:
Now that we have the IP, we can use any WHOIS application to identify to whom it belongs. I used the built-in whois command in Linux and the result was as follows:
It is clearly visible here that the IP and the domain belong to Sucuri, located in Canada.
Note: There are plenty of other applications as well that use Sucuri WAF and whose data goes outside the EU, but for the sake of this article I have only mentioned one out of many.
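The three steps above (find the edge hostname the traffic goes to, resolve it, WHOIS the address) as an added Python example: this is my code, not the author's; the sample DNS records and WHOIS text are constructed, cloudproxy10008.sucuri.net is the edge name from the article, and the live helper assumes the dig and whois commands are installed.

```python
import re
import socket
import subprocess

# Suffixes of cloud WAF / CDN edges that terminate TLS for the customer; sucuri.net is
# from the article, the other two are well-known proxy providers I added.
PROXY_SUFFIXES = {"sucuri.net": "Sucuri", "cloudflare.net": "Cloudflare", "incapdns.net": "Imperva"}
# Constructed sample data (not real records): a site CNAMEd to a Sucuri edge, plus a
# WHOIS excerpt in the ARIN field style with a made-up organisation.
SAMPLE_RECORDS = {"www.example-shop.test": "cloudproxy10008.sucuri.net"}
SAMPLE_WHOIS = "NetRange: 203.0.113.0 - 203.0.113.255\nOrgName: Example WAF Provider\nCountry: CA\n"

def follow_cnames(name, records, max_hops=10):
    """Walk a CNAME chain to the final hostname. `records` maps a name to its CNAME target."""
    chain = [name]
    while name in records and len(chain) <= max_hops:
        name = records[name]
        if name in chain:
            raise ValueError("CNAME loop at " + name)
        chain.append(name)
    return chain

def proxy_provider(hostname):
    """Name the proxy provider if the hostname is under a known edge suffix, else None."""
    for suffix, provider in PROXY_SUFFIXES.items():
        if hostname == suffix or hostname.endswith("." + suffix):
            return provider
    return None

def parse_whois(text):
    """Extract organisation and country; field names vary by registry, these two are common."""
    out = {}
    for key in ("OrgName", "Country"):
        m = re.search(rf"^{key}:\s*(.+)$", text, re.MULTILINE | re.IGNORECASE)
        out[key.lower()] = m.group(1).strip() if m else None
    return out

def assess(site, records, whois_text):
    """Answer the article's question: does this site's TLS end at a third party, and where?"""
    edge = follow_cnames(site, records)[-1]
    provider = proxy_provider(edge)
    who = parse_whois(whois_text)
    return {"edge": edge, "provider": provider, "third_party_tls": provider is not None,
            "org": who["orgname"], "country": who["country"]}

def live_lookup(site):
    """Same check against real DNS and WHOIS; assumes `dig` and `whois` are installed."""
    target = subprocess.run(["dig", "+short", site, "CNAME"], capture_output=True, text=True).stdout
    records = {site: target.split()[0].rstrip(".")} if target.strip() else {}
    ip = socket.gethostbyname(site)
    whois_text = subprocess.run(["whois", ip], capture_output=True, text=True).stdout
    return assess(site, records, whois_text)
```

A site that resolves directly to its own address yields third_party_tls False; a CNAME into a known edge suffix means the plaintext is visible to that provider, and the WHOIS country tells you which jurisdiction it lands in.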
