Information Security Newspaper | https://www.securitynewspaper.com/

New JSON-Based SQL Injection attacks allow bypassing Palo Alto, F5, AWS, Cloudflare, and Imperva WAF
https://www.securitynewspaper.com/2022/12/08/new-json-based-sql-injection-attacks-allow-bypassing-palo-alto-f5-aws-cloudflare-and-imperva-waf/
Thu, 08 Dec 2022 19:52:43 +0000

Web application firewalls, also known as WAFs, are intended to protect web-based applications and application programming interfaces (APIs) from malicious HTTPS traffic coming from the outside, particularly cross-site scripting and SQL injection attacks, which never seem to fall off the security radar.

SQL injection in particular is a constant in the output of automated code scans and a frequent fixture on industry lists of top vulnerabilities, including the OWASP Top 10, even though it is well known and relatively straightforward to fix.

If an attacker can get past a WAF's ability to monitor and block traffic, they frequently have a direct route to important information about the company and its customers. Thankfully, such bypasses have been rare and have often been isolated incidents aimed at a particular vendor’s implementation.

Today, Team82 disclosed a new attack approach that functions as the first general bypass of numerous web application firewalls sold by market-leading vendors. The bypass is effective against WAFs from Palo Alto, F5, Amazon Web Services, Cloudflare, and Imperva, the five most prominent companies in this space. Every one of the affected vendors has accepted Team82’s disclosure and has issued fixes that add support for JSON syntax to the SQL inspection procedures of their respective products.

The idea for this technique came from unrelated research on Cambium Networks’ wireless device management platform.
The method depends first on understanding how WAFs recognize and label SQL syntax as potentially harmful, and then on finding SQL syntax that the WAF is oblivious to. That syntax turned out to be JSON. JSON, an industry-standard format for file and data exchange, is often used when data is sent from a server to a web application.

SQL databases have supported JSON for over ten years. Modern database engines support JSON syntax by default, enable basic searches and changes, and provide a wide variety of JSON functions and operators. While most database engines support JSON, the same cannot be said for web application firewalls (WAFs). Because vendors have been slow to add support for JSON, the researchers were able to create new SQL injection payloads that incorporate JSON and circumvent the protection that WAFs normally provide.

Using this innovative method, attackers might get access to a backend database and then utilize further vulnerabilities and exploits to steal information by either directly accessing the server or transferring it over the cloud.

This is particularly significant for operational technology (OT) and internet of things (IoT) platforms that have transitioned to cloud-based administration and monitoring systems. WAFs promise an extra layer of cloud-based security; yet an attacker who succeeds in evading these safeguards will have extensive access to the targeted systems.

Based on the results of their tests, they concluded that WAFs generally use one of two methods to determine whether a request is malicious:

  • Searching for blacklisted terms: the WAF searches for words that it identifies as SQL syntax, and if a request contains an excessive number of matches, it marks the request as a malicious SQLi attempt.

  • Parsing SQL syntax: the WAF attempts to parse valid SQL syntax out of different components of the request. If it successfully identifies SQL syntax in the request, it marks the request as a potentially harmful SQLi attempt.

Although most WAFs use a mix of the two techniques, in addition to anything unique to the particular WAF, both approaches share a single flaw: they need the WAF to be familiar with the SQL syntax.

A simple JSON operator, in this instance @>, which checks whether the right JSON is contained in the left one, caused the WAF to enter an infinite loop, which in turn enabled them to send malicious SQLi payloads and get past the WAF’s protections. They were able to exfiltrate sensitive information through the SQLi vulnerability they had found just by prepending some basic JSON syntax to the request. This allowed anyone to access sensitive data stored in the cloud.

It is feasible to create new SQLi payloads by making use of the syntax of JSON. Because these payloads are not well understood, it is possible that they may be utilized to evade detection and to circumvent a variety of security measures. They were able to construct a list of true statements in SQL by using syntax from a variety of database engines, and the list is as follows:

  • PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
    Is the left JSON contained in the right one? True.

  • SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
    Does the extracted value of this JSON equal 7? True.

  • MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
    Does the extracted value of this JSON equal ‘Aztalan’? True.
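
The coverage gap behind the two detection methods and the three true statements above can be checked against an inspection rule set with a short script. This is an added sketch, not Team82's code or any vendor's rules: the token lists, the threshold and the comparison inputs are assumptions constructed for illustration, and only the three JSON statements are taken from the article.

```python
import re

# Illustrative token lists (assumptions for this sketch, not any vendor's rule set).
CLASSIC_SQL = re.compile(
    r"\b(?:select|union|insert|update|delete|drop|from|where|or|and)\b", re.I)
# JSON casts, containment/extraction operators and json_*/jsonb_* function calls.
JSON_SQL = re.compile(r"::jsonb?\b|@>|<@|->>?|#>>?|\bjsonb?_\w+\s*\(", re.I)
# A single-quoted SQL string that opens like a JSON object or array.
JSON_LITERAL = re.compile(r"'\s*[\[{]")
THRESHOLD = 2  # distinct classic tokens needed before a value is blocked

# The three true statements quoted in the article, verbatim.
JSON_TRUE_STATEMENTS = {
    "PostgreSQL": r"""'{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb""",
    "SQLite": r"""'{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7""",
    "MySQL": r"""JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'""",
}
# Constructed comparison inputs: one keyword-heavy value and two harmless ones.
CLASSIC_SAMPLE = "1 UNION SELECT name FROM users"
BENIGN_SAMPLES = ["Tom and Jerry", '{"id": 14, "name": "Aztalan"}']


def classic_hits(value):
    """Distinct classic SQL keywords found in the value."""
    return sorted({m.lower() for m in CLASSIC_SQL.findall(value)})


def json_hits(value):
    """Distinct JSON-in-SQL operators, casts and function calls found."""
    return sorted({m.lower() for m in JSON_SQL.findall(value)})


def verdict(value, json_aware=False):
    """Keyword-count inspection, optionally extended with JSON syntax."""
    if len(classic_hits(value)) >= THRESHOLD:
        return "block"
    # JSON syntax only counts when it sits next to a quoted JSON literal,
    # so an ordinary JSON request body is not flagged by itself.
    if json_aware and json_hits(value) and JSON_LITERAL.search(value):
        return "block"
    return "allow"


def coverage_report():
    """(engine, verdict without JSON support, verdict with JSON support)."""
    return [(engine, verdict(stmt), verdict(stmt, json_aware=True))
            for engine, stmt in JSON_TRUE_STATEMENTS.items()]


if __name__ == "__main__":
    for row in coverage_report():
        print(row)
```

Running the same report against a real rule set's test harness shows whether the vendor fix for JSON syntax is actually in place.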

Putting the Process Through Automation


To demonstrate how significant this WAF bypass is, they added support for JSON syntax evasion methods to SQLMap, which is the most popular open-source exploitation tool.

To test the bypass with this script, simply clone the most recent version of SQLMap from GitHub.

Bypassing WAF in Azure, Cloudflare Access via H2C smuggling attack
https://www.securitynewspaper.com/2021/03/24/bypassing-waf-in-azure-cloudflare-access-via-h2c-smuggling-attack/
Wed, 24 Mar 2021 21:59:43 +0000

A group of specialists has detailed a method for abusing a well-known “H2C smuggling” technique in order to bypass authentication and some WAF mechanisms on multiple cloud platforms. Early stages of the attack include WAF and routing bypasses in Microsoft Azure, as well as an authentication bypass in Cloudflare Access.

Bishop Fox developers mention that load balancers such as AWS ALB/CLB, NGINX, and Apache Traffic Server block H2C smuggling because they do not forward the headers required for a compliant H2C connection upgrade.

Experts also mention that not all backends comply, which they were able to test with the non-compliant Connection: Upgrade variant, in which the HTTP2-Settings value is omitted from the Connection header: “By redesigning the h2cSmuggler tool, it was possible to find multiple instances of ready-to-use configured services that allowed H2C updates, allowing evasion of authorization controls”.

This attack variant, introduced in late 2020, abuses front-ends that are not aware of H2C to tunnel to backend systems, allowing threat actors to bypass front-end rewrite rules and exploit internal HTTP headers.

It should be remembered that H2C is an outdated protocol that upgrades a regular transient HTTP connection to a persistent connection using the HTTP/2 binary protocol. When an HTTP request issued to a reverse proxy includes a Connection: Upgrade header, the proxy maintains a persistent connection that allows continuous communication between the client and the server: “When using H2C smuggling, it is possible to bypass routing rules, which reverse proxy uses when processing route-based requests,” experts mention.

In this regard, Microsoft Azure mentions that Azure application gateways offer the ability to connect the Azure WAF to the gateway: “With the access gateway removing HTTP2 settings from the update header but leaving the others intact, researchers can avoid routing rules.” 

On the other hand, rules applied by Cloudflare Access, an authentication service enforced at the Cloudflare load balancer, can be bypassed because the proxied request modifies the upgrade headers to exclude HTTP2-Settings but retains the other headers.
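
The difference between the partial header stripping described for the affected gateways and the full stripping done by the front-ends that block the technique can be expressed as a front-end check. This is an added sketch, not code from Bishop Fox or any of the vendors named: the function names, the host name and the HTTP2-Settings value are constructed placeholders.

```python
# Header lists are (name, value) tuples in wire order.
HOP_TOKENS = {"upgrade", "http2-settings"}

# Constructed sample requests (host and settings value are placeholders).
H2C_REQUEST = [
    ("Host", "app.example"),
    ("Connection", "Upgrade, HTTP2-Settings"),
    ("Upgrade", "h2c"),
    ("HTTP2-Settings", "AAMAAABkAAQAAP__"),
]
WEBSOCKET_REQUEST = [
    ("Host", "app.example"),
    ("Connection", "keep-alive, Upgrade"),
    ("Upgrade", "websocket"),
]


def _tokens(value):
    return [t.strip() for t in value.split(",") if t.strip()]


def _field_tokens(headers, name):
    found = set()
    for header, value in headers:
        if header.lower() == name:
            found.update(t.lower() for t in _tokens(value))
    return found


def classify_upgrade(headers):
    """Return 'none', 'h2c-compliant' or 'h2c-noncompliant'."""
    if "h2c" not in _field_tokens(headers, "upgrade"):
        return "none"
    connection = _field_tokens(headers, "connection")
    has_settings = any(h.lower() == "http2-settings" for h, _ in headers)
    if HOP_TOKENS <= connection and has_settings:
        return "h2c-compliant"
    # Upgrade: h2c is still present although HTTP2-Settings is missing:
    # the variant that non-compliant backends accept.
    return "h2c-noncompliant"


def partial_strip(headers):
    """Models a proxy that removes only HTTP2-Settings (insufficient)."""
    out = []
    for header, value in headers:
        if header.lower() == "http2-settings":
            continue
        if header.lower() == "connection":
            value = ", ".join(t for t in _tokens(value)
                              if t.lower() != "http2-settings")
        out.append((header, value))
    return out


def strip_h2c(headers):
    """Remove every h2c upgrade header before forwarding to the backend."""
    if classify_upgrade(headers) == "none":
        return list(headers)  # e.g. WebSocket upgrades are left untouched
    out = []
    for header, value in headers:
        low = header.lower()
        if low in ("upgrade", "http2-settings"):
            continue
        if low == "connection":
            value = ", ".join(t for t in _tokens(value)
                              if t.lower() not in HOP_TOKENS)
            if not value:
                continue
        out.append((header, value))
    return out


if __name__ == "__main__":
    print(classify_upgrade(H2C_REQUEST))
    print(classify_upgrade(partial_strip(H2C_REQUEST)))
    print(classify_upgrade(strip_h2c(H2C_REQUEST)))
```

The same classification can be applied to front-end access logs to alert on any request that carries Upgrade: h2c.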

Cloudflare received a report through its rewards program, so the company has already established the necessary mechanisms to prevent the exploitation of this failure.

Detect Web Application Firewall (WAF) before you attack
https://www.securitynewspaper.com/2018/12/04/detect-web-application-firewall-waf-before-you-attack/
Tue, 04 Dec 2018 11:03:41 +0000

WEB APPLICATION FIREWALL BASICS:-

WAFs (web application firewalls) play an important role in securing websites, as they filter and monitor traffic. Web application firewalls offer protection against a large number of vulnerabilities. Many companies nowadays are upgrading their existing infrastructure to implement web application firewalls. Web application firewalls cannot resolve security problems on their own; proper configuration must be done to identify and block external attacks, as per ethical hacking specialists.

Before starting, you must know where a web application firewall is placed in the network. In the image below, the web application firewall sits between the classic firewall and the web server. The web application firewall monitors the traffic and protects against outside attacks.

FINGERPRINTING:-

Before probing the web application firewall, it is important to gather basic information about the target. Fingerprinting is the method used to gather as much information about the target as possible. The most common method for pentesters is to fingerprint the target's web presence. With this fingerprinting the pentester may develop an accurate attack scenario, which will help find a vulnerability later, according to ethical hacking. Now we will use basic telnet to fingerprint a website.

FINGERPRINTING USING TELNET: 

Telnet is a tool mostly used by network administrators and pentesters. Telnet allows you to connect to remote computers on any port you specify.

  • Many web application firewalls leave (or insert) HTTP parameters in response headers.
  • With the help of telnet you can find basic fingerprinting information, such as server and cookies, which can be used in fingerprinting.
  • Type telnet testsite.com 80
root@kali:/home/iicybersecurity# telnet testsite.com 80
Trying 14.139.40.44...
Connected to testsite.com.
Escape character is '^]'.
  • After executing the above command, type GET / HTTP/1.1 and press the Enter key twice, as shown below.
  • You can also use HEAD / HTTP/1.1 and POST / HTTP/1.1 for further analysis.
GET / HTTP/1.1
HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_fcgid/2.3.6
X-Powered-By: PHP/5.5.10-1~dotdeb.1
ETag: "2aa7c09658dda1cc89e2bd3b9673569d"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Set-Cookie: SESSf528764d624db129b32c21fbca0cb8d6=o28jpp8kikr00m5io9l3boo1f4; expires=Thu, 27-Dec-2018 09:23:13 GMT; Max-Age=2000000; path=/
Last-Modified: Tue, 04 Dec 2018 05:44:52 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 63145
Date: Tue, 04 Dec 2018 05:49:53 GMT
X-Varnish: 1823464611
Age: 0
Via: 1.1 varnish
Connection: keep-alive
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta charset="utf-8">

=============================SNIPP===========================


</body>
</html>Connection closed by foreign host.
  • After using telnet on port 80 of the target, the response shows the server on which the website is hosted and the backend language in which the website is written (the Server and X-Powered-By headers). The above information can be used in other hacking activities.
  • The above output also returns “X-Varnish: 1823464611”.
  • Varnish is a caching HTTP reverse proxy. Varnish reduces web application threats. This HTTP parameter in the HTTP response, found using telnet, shows the presence of Varnish in front of the target.
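
The same reading of the response can be automated to audit what your own site discloses. This is an added example, not part of the original article: it parses an excerpt of the telnet response shown above (cookie and body omitted) and lists the headers that reveal software versions or intermediaries. The hardened response is constructed and assumes version banners have been suppressed on the server.

```python
import re

# Excerpt of the response captured with telnet above (cookie and body omitted).
CAPTURED = """\
HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_fcgid/2.3.6
X-Powered-By: PHP/5.5.10-1~dotdeb.1
Cache-Control: must-revalidate
Content-Type: text/html; charset=utf-8
X-Varnish: 1823464611
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE html>
"""

# Constructed response: what the same site could return once version banners
# are suppressed and the cache no longer adds its own headers (assumption).
HARDENED = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Connection: keep-alive

"""

PRODUCT_VERSION = re.compile(r"([A-Za-z_][\w.-]*)/(\d[\w.~-]*)")
SOFTWARE_HEADERS = {"server", "x-powered-by"}
INTERMEDIARY_HEADERS = {"via", "x-varnish", "x-cache"}


def parse_head(raw):
    """Split a raw HTTP response into its status line and header list."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def audit(raw):
    """Return (header, kind, detail) for every disclosing header."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        low = name.lower()
        if low in SOFTWARE_HEADERS:
            # One finding per product/version pair, e.g. Apache and mod_fcgid.
            for product, version in PRODUCT_VERSION.findall(value):
                findings.append((name, "software-version", f"{product} {version}"))
        elif low in INTERMEDIARY_HEADERS:
            findings.append((name, "intermediary", value))
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURED):
        print(finding)
    print("hardened:", audit(HARDENED))
```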

FINGERPRINTING USING NMAP :- 

  • Nmap is a security auditing tool mostly used by pentesters and network administrators. Nmap is used for information gathering on the target.
  • Type

nmap --script=http-waf-fingerprint testsite.com

or type

nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1 testsite.com

root@kali:/home/iicybersecurity# nmap --script=http-waf-fingerprint testsite.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-04 02:58 EST
Nmap scan report for testsite.com (200.252.149.141)
Host is up (0.38s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
| http-waf-fingerprint:
| Detected WAF
| Citrix Netscaler
443/tcp open https
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 31.98 seconds
  • After executing the nmap command, the script detects the Citrix NetScaler web application firewall.

FINGERPRINTING USING WAFW00F :-

  • Wafw00f is the most well-known tool for detecting web application firewalls. Wafw00f sends an HTTP request that identifies the web application firewall.
  • If that HTTP request does not work, wafw00f sends a malicious HTTP request.
  • If the malicious HTTP request also fails, wafw00f analyzes the previous HTTP requests and uses a simple algorithm to check whether a web application firewall is responding to our attacks or not.
  • Wafw00f does not come preinstalled in Kali Linux distros. To install it, type

git clone https://github.com/EnableSecurity/wafw00f.git

root@kali:/home/iicybersecurity# git clone https://github.com/EnableSecurity/wafw00f.git
Cloning into 'wafw00f'...
remote: Enumerating objects: 28, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (26/26), done.
remote: Total 874 (delta 16), reused 13 (delta 2), pack-reused 846
Receiving objects: 100% (874/874), 195.05 KiB | 341.00 KiB/s, done.
Resolving deltas: 100% (522/522), done.
  • Type cd wafw00f
  • Then type ls
root@kali:/home/iicybersecurity# cd wafw00f
root@kali:/home/iicybersecurity/wafw00f# ls
CREDITS.txt docs LICENSE Makefile MANIFEST.in nose.cfg README.md setup.py wafw00f
  • Type python setup.py install
root@kali:/home/iicybersecurity/wafw00f# python setup.py install
  • After installing required files type wafw00f.
root@kali:/home/iicybersecurity/wafw00f# wafw00f

^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f https://www.victim.org/
  • Type wafw00f testsite.com
root@kali:/home/iicybersecurity/wafw00f# wafw00f testsite.com

Checking https://testsite.com
The site https://testsite.com is behind a Citrix NetScaler
Number of requests: 6
  • After executing wafw00f, the output shows that the target website is using the Citrix NetScaler web application firewall.
  • The above information is vital and can be used in other hacking activities.

Another Example:-

  • Type wafw00f certifiedhacker.com
root@kali:/home/iicybersecurity/wafw00f# wafw00f certifiedhacker.com

Checking https://targetsite.com
The site https://targetsite.com is behind a ModSecurity (OWASP CRS)
Number of requests: 11
  • After executing wafw00f, the output shows that the target website is using the ModSecurity (OWASP CRS) web application firewall.
  • The above information is vital and can be used in other hacking activities.

CONCLUSION:-

In this article we learned how to detect web application firewalls. It is an important part of web penetration testing. This method is used in the initial phase of penetration testing.

An ethical hacking researcher says that having a web application firewall (WAF) is becoming more important day by day, and that it is always important to analyze your web application logs to find new attacks happening on the backend web application server. This enables you to customize rules in your web application firewall to provide maximum security.

Garage4hackers Webcast – Bypass Modern WAF’s Exemplified at XSS
https://www.securitynewspaper.com/2016/05/02/garage4hackers-webcast-bypass-modern-wafs-exemplified-xss/
Mon, 02 May 2016 05:07:43 +0000

Watch now and learn to Bypass Modern WAF’s Exemplified at XSS in another Series of Garage4hackers Ranchoddas Webcast.

Garage4hackers presents Ranchoddas Webcast Series on  Bypassing Modern WAF’s Exemplified At XSS by Rafay Baloch

Let me explain how you will benefit from watching this video. The speaker will start at a very beginner level so that it is easy for you to understand.

You just need to have some basic understanding of JavaScript and Cross Site Scripting. I would suggest you listen to Rafay closely and make notes of all the rules, which will help you in the CTF Challenge.

You can easily win the challenge if you have thoroughly listened to him and have understood the techniques. The webcast is loaded with lots of live demonstration on bypassing WAF’s in real world scenarios.

I would suggest you watch the complete video, and then from the knowledge gained you should be able to bypass our CTF App protection mechanism. The link to the Rancho CTF App is here. I hope that you gain as much info as you can from our webcast and that it benefits you in your career.

Garage4hackers Ranchoddas CTF Challenge reward 

The bug hunter winning the Hard level will be awarded $150, the Medium level $125, and the Low level $65. The panel will select the winning payload based upon its time of submission, uniqueness as well as length. The bounty will be donated towards the Garage4hackers Maharashtra Drought Relief Fund.

If you have any questions, feel free to ask here or tweet your question with #g4hwebcast. We will make sure that all your questions are answered. A small request from our end: please fill in the feedback form here after watching the video; it will help us understand you better and improve the quality of delivery in our future webcasts.

If you gain some knowledge, are able to bypass our Rancho CTF App, or it has benefited you in any way, I would encourage you to write a blog about it and send us your link to ranchoddas@garage4hackers.com


Source:https://securityaffairs.co/
