On a recent Red Team engagement, one of the flags we needed to capture came from a compromised user...
Unpacking common WAF vulnerabilities and configuration pitfalls (week 2)
Welcome back! A big thanks for following along and taking the time to read through this series, hopefully my thoughts make sense there's some value here somewhere! This week, we’re going delve deeper into the art of slipping past Web Application Firewalls now that we’ve got a better idea on how they function. Firstly, I will outline some key tests I would look for in an engagement and then we'll go nice and deep exploring a specific example of bypassing a clients WAF from a real world test.
Overview of some common WAF bypass techniques
Encoding and Obfuscation: Threat actors often employ various encoding methods (like Base64 or URL encoding) to obfuscate attacks to make them harder to detect by simple signature-based WAF rules.
HTTP Parameter Pollution (HPP): By exploiting how web servers parse incoming parameters, attackers can insert additional or duplicate HTTP parameters, confusing the WAF and causing it to overlook nefarious payloads.
Evading SQLi Protections: Despite WAFs being configured to fend off SQL Injection attacks, sophisticated injections using hex encoding or string concatenation can bypass poorly tuned SQLi rules.
IP Spoofing to Bypass IP Whitelists: Attackers might spoof IP addresses to bypass WAF rules that allow traffic from specific IP addresses.
Using HTTP Verb Tampering: Some WAF configurations might improperly handle less common HTTP verbs (like PUT or DELETE), which attackers use to slip past filters designed for GET and POST requests.
Malformed Headers and Splitting Attacks: Crafting HTTP requests that manipulate the WAF's parsing mechanism can lead to headers being interpreted differently by the server than by the WAF, allowing harmful payloads to pass through.
Mitigation Strategies
To defend against these bypass techniques, here’s what you can do:
- Enhance default WAF Rule Sets: Update and customise WAF rules to cover known obfuscation techniques, encoding vectors and also the known vulns in your app!
- Testing and then Test again: Make sure to continuously test and audit WAF configurations against these techniques. Any significant dev change can introduce a weakness in how the WAF will protect your application. More on this later!
- Advanced Detection Capabilities: I have seen newer implementations of WAFs effectively introducing machine learning or anomaly-based detection systems. The real benefit if see here are very effective behavioural based detections, even if I can slip something past the static based rulesets, if the behaviour is bad the action gets blocked.
The Misconfiguration that Unravelled Web Security: How CORS Errors Enabled a WAF Bypass
Now it's time for a tale from the trenches of a recent pen test that really brings to light how easy it is to slip up with something as basic as CORS settings. Combined with direct IP access, this small oversight cracked open the door to a major security gap. While this all was discovered and tested during a controlled pen test, for the interest of entertainment I’ll recount this in the narrative of a live cyberattack to help emphasize how some of these common misconfigurations can lead to a serious breach. This approach will help underline the severe risks these vulnerabilities can expose. Let’s delve into the details and explore the risks associated with these misconfigurations. All names and specific details have been changed to protect the innocent 😊
The Context: Understanding CORS and Its Importance
Cross-Origin Resource Sharing (CORS) is a security feature that allows or restricts requested resources on a web server based on where the HTTP requests were initiated. This mechanism is crucial for the security architecture of any modern web application as it helps control resources and prevent unwanted cross-site interactions. Properly configured, CORS policies strengthen the security posture of an application by defining a clear set of rules about who can interact with the app and how.
The Case of the Misconfigured CORS: A Security Oversight
We turn our attention to a well-established enterprise in the financial sector, distinguished by its dynamic online presence and an expanding portfolio of digital financial services. As transaction volumes on their platform surged, the company's IT department fortified their web domain with a sophisticated Web Application Firewall (WAF) to guard against cyber threats like CSRF, XSS, and SQL injections. However, in their comprehensive security measures, they overlooked one crucial detail—the proper configuration of their Cross-Origin Resource Sharing (CORS) policies. This oversight, while unfortunately common posed a significant risk, potentially exposing sensitive financial data to unauthorised access.
Discovery of the Oversight
The vulnerability was uncovered during a routine security audit. It was then that auditors realized the company's CORS policy was excessively lenient, allowing virtually any domain to access resources from their servers. Initially, this policy was implemented to simplify interactions for third-party vendors and internal developers. However, this approach inadvertently compromised the firm’s cybersecurity by opening potential gateways for unauthorised data access, a particularly alarming prospect for a financial enterprise handling sensitive transactions.
Exploitation of the Weakness: Chained Attack Strategy
Enter the cyber attackers, a group skilled in identifying and exploiting security loopholes. They quickly realized that while the company's Web Application Firewall (WAF) was proficient at intercepting harmful requests directed at the domain, it fell short in monitoring direct IP requests. This gap in the security measures provided them with a perfect opportunity to sidestep the WAF's robust domain-based defences.
As the attackers delved deeper, they uncovered another critical misconfiguration: the ability to arbitrarily set the Host header in incoming requests. This allowed them to craft requests that appeared as if they were originating from within the application itself. By manipulating the Host header, the attackers made their direct IP requests seem like legitimate internal traffic, which the WAF was configured to trust implicitly.
This sophisticated strategy exploited the initial oversight in CORS configuration and leveraged the additional misconfiguration of the Host header to bypass the WAF entirely. The ability to appear as internal traffic deceived the WAF, allowing the attackers unrestricted access to the system under the guise of legitimate operations. This multi-layered attack underscored the need for comprehensive security measures that cover all potential entry points, including those that might initially seem less likely avenues for attack.
Leveraging these vulnerabilities in a coordinated attack, the cybercriminals crafted a malicious script, cleverly hosted on an external, controlled domain. This script was designed to make AJAX requests directly to the company's server using its IP address, thereby circumventing the domain-centric security checks implemented by the WAF. The use of the manipulated Host header in these requests completed their disguise, allowing them to interact with the server as if they were legitimate internal communications. This sophisticated method exploited both the overly permissive CORS policy and the misconfigured Host header setting, leading to a significant breach of the financial institution’s data security protocols.
The Attack Unfolds
Leveraging the misconfigured CORS policy, the malicious script simulated legitimate requests from an authorised user. This allowed the attackers to execute commands that altered database information, initiated unauthorised transactions, and ultimately, extracted sensitive customer data. Additionally, the ineffective WAF, compromised by its inability to monitor and filter based on the integrity of CORS configurations and other headers, left the application's authentication and sanitisation checks vulnerable to exploitation. This flaw permitted attackers to bypass these critical security controls, intensifying the severity of their actions.
The Aftermath
The breach had serious repercussions. Sensitive data of thousands of customers, including credit card details and personal identifiers, were compromised. This led to immediate financial losses for the company and a noticeable dent in their reputation. Trust, a critical asset for their e-commerce operations, was significantly impacted. To address these challenges, the company invested in enhancing their cybersecurity measures and revising their security protocols to better safeguard against future incidents. These steps included technological upgrades and a thorough review of their security practices.
In-Depth Lessons and Strategic Mitigations
While the previous narrative explores the engagement with creative license, it does underscore the importance of foundational security within application development, complemented by robust, well-configured security layers like modern Web Application Firewalls (WAFs). So my thoughts as lessons learned to enhance the overall security posture:
1. Secure Development Lifecycle: Security should be integral to the development process from the start. Implement secure coding practices, perform regular security reviews, and engage in threat modelling throughout the application lifecycle to build inherently secure applications.
2. Advanced Traffic Filtering Techniques: Ensure that security tools like WAFs are adeptly configured to thoroughly inspect and filter both domain-based and direct IP-based traffic. This dual approach helps in identifying and mitigating potential threats more effectively, covering all aspects of traffic handling.
3. Comprehensive Security Audits: Regular and thorough security audits are essential. These should cover all layers of cybersecurity, assessing everything from application logic and user access controls to network configurations and endpoint security.
4. Ongoing Education and Training: Continuously update and train IT teams on the latest security threats and mitigation techniques. This includes understanding the intricacies of configurations like CORS and more general security practices that protect against a wide range of vulnerabilities.
5. Proactive Community Engagement and Incident Sharing: Maintain active participation in the cybersecurity community to stay informed about new threats and emerging technologies. It’s impossible to know everything in this field, make sure you have good people in your circles you can reach out to when you need to ask a “dumb” question (there is no such thing as a dumb question!).
So that’s a wrap for this week. I’m curious to know how this resonates with the people out there, some of these are unfortunately common misconfigurations I see regularly and often not fully understood the impact on the overall security. Hopefully your enjoying reading along, this has been quite a useful exercise in articulating some of my experiences I see out there.
For next week we’ll be looking some further bypass techniques “Week 3: The WAF Flaw You Can’t Patch – The Last Mile Attack Uncovered” where we will explore some additional methods attackers can use to sidestep WAF protections. Thanks again for reading!