The WAF Story!
By Mohammed Oosman - September 3, 2018
Technology that evolves day by day needs equally fast-paced, effective measures to prevent its misuse.
This is especially true of the popular and rapidly evolving field of web applications. Undoubtedly, even with all our brilliant minds behind building them, we still need some kind of first line of defense.
Web Application Firewalls (WAFs) can play a very helpful role as that first line of defense. Let’s quickly look at how they can help us.
What is a Firewall?
A firewall, in simple terms, is a network security implementation used to monitor incoming and outgoing traffic based on the rules defined for a network.
What is a Web Application Firewall?
A Web Application Firewall is a firewall placed in front of web applications to protect the servers from major attacks like XSS and SQL injection by defining various rules.
Web Application Firewalls may be a server plugin or a separate application altogether, with the main agenda of protecting servers from attackers.
Some examples of well-known WAFs are as follows:
Open Source WAFs:
ModSecurity: one of the most famous open source WAFs
NAXSI: Nginx Anti XSS and SQL Injection
WebKnight: used for Microsoft IIS
It is very helpful in securing the application from the following:
As we all know, wherever there is good there is always something bad. So there are also bad guys who take on this heroic first line of defense by making use of its flaws. Some of those flaws are as follows:
Web Application Firewalls are not perfect, for the following reasons:
1. Need for proper implementation of rules in the case of open source WAFs:
WAFs, especially some of the open source ones, depend on the admin to define the rules that filter incoming requests. As we all know, we humans are prone to mistakes (which is good, as we tend to learn from them), and a mistake here can cause the WAF to misbehave, leading to a compromise.
if ($path == "/admin")
if ($ipaddr == $internal_ipaddr)
So, as we can see in the above code, the admin has made a minor mistake while defining the rule and has left the admin path visible to all external IP addresses, leaving it open to complete compromise.
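As an added example (not code from the original post), here is the admin rule from above written first the mistaken way and then hardened, with the regression checks a rule author should run; the internal range 10.0.0.0/8, the host 10.0.0.5 and the function names are assumptions made for this illustration.

```python
import ipaddress
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Assumed policy, constructed for this example: everything under /admin is
# reachable only from the internal network 10.0.0.0/8.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_HOST = "10.0.0.5"   # the single "$internal_ipaddr" of the post's rule
ADMIN_PREFIX = "/admin"


def naive_rule(path: str, client_ip: str) -> str:
    """The post's two exact-match checks turned into a decision. Only the
    literal target "/admin" is examined, and only one internal host is
    recognised; any other spelling of the path falls through to the implicit
    default, which here is 'allow'."""
    if path == ADMIN_PREFIX:
        return "allow" if client_ip == INTERNAL_HOST else "block"
    return "allow"


def normalize_path(raw_target: str) -> str:
    """Canonicalise the request target before matching: drop the query string,
    percent-decode, collapse '.' and '..' segments, lowercase and strip a
    trailing slash, so one rule covers every spelling of the same path."""
    path = unquote(urlsplit(raw_target).path)
    path = normpath("/" + path.lstrip("/")).lower()
    return path.rstrip("/") or "/"


def hardened_rule(raw_target: str, client_ip: str) -> str:
    """Default-deny for the protected prefix: the request is allowed only if
    the canonical path lies outside /admin, or the client address parses and
    lies inside the whole internal range (not one hard-coded host)."""
    path = normalize_path(raw_target)
    if path != ADMIN_PREFIX and not path.startswith(ADMIN_PREFIX + "/"):
        return "allow"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "block"           # unparsable address: never let it through
    return "allow" if addr in INTERNAL_NET else "block"
```

The same request set run through both functions shows where the naive rule falls through to its default and where the hardened one denies.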
2. No protection against 0-day exploits
The Web Application Firewall looks at the signatures of the requests being sent and the different payloads sent to the server. When a zero-day exploit appears in the wild, the check mechanisms of the WAF also need to be updated, and this may take the vendor some time. Hence, the targets remain susceptible to zero-day attacks until the patches are applied.
Enough of the blah blah theory, let’s have some hands on. As we mentioned above, WAFs can be bypassed to learn the actual IP of the target. This can be done using some of the following tools:
The example site we use here for our demo is webstresser.org, which uses Cloudflare WAF technology.
So, by proper enumeration, we come to know that the above site uses Cloudflare.
Let’s try to access webstresser.org using its IP so that we can perform some nasty stuff. For this we need to know its IP. There are many methods to do so, but my personal favorite is this one:
This method is pretty straightforward and simple.
Damn Cloudflare, it’s not allowing even that. What to do now? Relax, we can find out the real IP. How?
Well, we have some tools. Some of them are as follows:
a. The tool can be downloaded onto your Kali machine using the following command:
#git clone https://github.com/HatBashBR/HatCloud
b. As the script requires Ruby, make use of the following command:
#ruby hatcloud.rb -b [target ip]
c. Hell yeah! You’ll be able to successfully find the real IP behind Cloudflare.