WAF Bypass By Origin IP Exposure


1. What is a WAF?

    1. Web Application Firewall.
    2. Like a firewall, but it protects web applications specifically.
    3. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection, among others.
    4. A WAF is a layer 7 (OSI application layer) defense and is not designed to defend against every type of attack (for example, business-logic flaws).
    5. Protection is signature based or behavior based.

2. Network Firewall vs Web Application Firewall

  • OSI layer:
    • A network firewall (NF) works on layers 3-4 (network and transport layers).
    • A WAF works on layer 7 (application layer).
  • Scope:
    • An NF acts as a filter that blocks non-legitimate incoming traffic from entering the network.
    • A WAF protects the application from non-legitimate HTTP/HTTPS traffic.
  • Access control:
    • Possible with a network firewall, as it manages ACLs.
    • Not possible with a WAF.

3. WAF Scenarios and Their Implementation

  • Case 1: Normal application access by genuine users.
  • Case 2: Malicious users access the application and try every possible attack.
  • Case 3: Malicious users access the application, but the WAF protects it from the attacks.

4. WAF Bypass

  • Two methods:
    • Customize your payloads to bypass the rules in place.
      • Skill set required: high.
    • Find the origin IP of the web server.
      • Probably the easiest option; no special technical skills required.
      • It is also part of the recon process, so no time is wasted.

5. Origin IP Exposure Vulnerability

  1. First channel (blue communication in the diagram):
    1. The client accesses the application through the WAF.
    2. The client sends a request for the application, but the request goes to the WAF.
    3. The WAF analyses the request, checks whether it is legitimate and serves it accordingly.
  2. Second channel (red communication in the diagram):
    1. This channel was in use before the WAF was implemented.
    2. We need to check whether this channel is still reachable after the WAF implementation.

6. What is the Origin IP?

  1. The origin IP is the IP address of the server where the application is hosted.
  2. One server can host multiple applications.
  3. Those applications are known as virtual hosts.

7. How to Find the Origin IP (Recon)

  1. The following commands can be used:
    1. host
    2. fierce
    3. nslookup
    4. ping
    5. whois
    6. whatweb
  2. DNS history web applications:
    1. https://securitytrails.com/ >> check the Historical Data.
    2. https://www.virustotal.com/gui/ >> URL >> Details


8. Demo

  1. Confirm the WAF instance: send a request with a wrong hostname and observe that a WAF incident page comes back in the response.
  2. Keep the wrong hostname, but edit the target to the origin IP found on the securitytrails/virustotal web applications, then analyse the response.
  3. Use the correct hostname with the origin IP you found as the target, then analyse the response.
  4. Edit the hostname resolution under the project options tab.
  5. Clear the browser cache and start analysing the application. You now have direct communication with the server, with no WAF in between.
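As a defensive counterpart to the demo above, here is an added example (not part of the original slides) of an origin-side guard that rejects and logs any request that did not arrive through the WAF, so a leaked origin IP no longer gives direct access. It assumes the WAF vendor publishes its egress IP ranges and that the origin sees the WAF as the TCP peer; the CIDRs, hostname and function names are constructed placeholders.

```python
"""Origin-side guard: only accept requests whose TCP peer is the WAF.

Added example, not code from the original slides. The CIDRs below are
constructed placeholders; replace them with the WAF vendor's published list.
"""
import ipaddress

# Constructed placeholder egress ranges for the WAF/CDN in front of the origin.
WAF_EGRESS_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_from_waf(peer_ip, ranges=WAF_EGRESS_RANGES):
    """True when the TCP peer address is inside one of the WAF egress ranges.

    Only the real peer address is trusted. X-Forwarded-For is deliberately
    ignored: on a direct-to-origin request (the red channel on the slides)
    that header is attacker-controlled.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def origin_guard(app):
    """WSGI middleware: 403 for direct hits and log them as evidence that the
    origin IP has been exposed, so the SOC can act on it."""
    def wrapped(environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        if not is_from_waf(peer):
            host = environ.get("HTTP_HOST", "-")
            print(f"ALERT direct-origin-hit peer={peer} host={host}")  # ship to SIEM
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct origin access is not allowed\n"]
        return app(environ, start_response)
    return wrapped


def hello(environ, start_response):
    """Minimal application placed behind the guard."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(peer_ip, host="app.example.com"):
    """Return the status line the guarded app produces for a given peer (for testing)."""
    status = {}
    def start_response(line, headers):
        status["line"] = line
    list(origin_guard(hello)({"REMOTE_ADDR": peer_ip, "HTTP_HOST": host}, start_response))
    return status["line"]
```

Pair this with a network ACL on the origin (only the WAF ranges on 80/443) so the check holds even if the application layer is misconfigured.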
