应用安全 - 安全设备 - WAF原理/检测/绕过

原理

基于Cookie值

Citrix Netscaler(2013年使用广泛)

“Citrix Netscaler”会在HTTP返回头部Cookie位置加入“ns_af”的值,可以以此判断为Citrix Netscaler的WAF,国内此类WAF很少

1 GET / HTTP/1.1 
2 Host: target.com
3 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
5 Accept-Language: en-US,en;q=0.5
6 Accept-Encoding: gzip, deflate
7 Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&
8 Connection: keep-alive
9 Cache-Control: max-age=0
View Code

F5 BIG IP ASM

 1 F5 BiG IP ASM会在Cookie中加入“TS+随机字符串”的Cookie信息,一个非恶意的请求如下:
 2 GET / HTTP/1.1
 3 Host: www.target.com
 4 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 6 Accept-Language: en-US,en;q=0.5
 7 Accept-Encoding: gzip, deflate
 8 Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299
 9 Connection: keep-alive
10 Cache-Control: max-age=0
View Code

基于HTTP响应

Mod_Security

Mod_Security是为Apache设计的开源Web防护模块,一个恶意的请求Mod_Security会在响应头返回“406 Not acceptable”

1 请求:
 2 GET /<script>alert(1);</script>HTTP/1.1
 3 Host: www.target.com
 4 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 6 Accept-Language: en-US,en;q=0.5
 7 Accept-Encoding: gzip, deflate
 8 Connection: keep-alive
 9 响应:
10 HTTP/1.1 406 Not Acceptable
11 Date: Thu, 05 Dec 2013 03:33:03 GMT
12 Server: Apache
13 Content-Length: 226
14 Keep-Alive: timeout=10, max=30
15 Connection: Keep-Alive
16 Content-Type: text/html; charset=iso-8859-1
17 <head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>
View Code

WebKnight

WebKnight是用来设计在IIS下面使用的WAF设备,较为常见。WebKnight会对恶意的请求返回“999 No Hacking”

 1 请求:
 2 GET /?PageID=99<script>alert(1);</script>HTTP/1.1
 3 Host: www.aqtronix.com
 4 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 6 Accept-Language: en-US,en;q=0.5
 7 Accept-Encoding: gzip, deflate
 8 Connection: keep-alive
 9 响应:
10 HTTP/1.1 999 No Hacking
11 Server: WWW Server/1.1
12 Date: Thu, 05 Dec 2013 03:14:23 GMT
13 Content-Type: text/html; charset=windows-1252
14 Content-Length: 1160
15 Pragma: no-cache
16 Cache-control: no-cache
17 Expires: Thu, 05 Dec 2013 03:14:23 GMT
View Code

F5 BIG IP

 F5 BIG IP会对恶意请求返回“419 Unknown”的信息,如下:

1 GET /<script> HTTP/1.0
2 HTTP/1.1 419 Unknown
3 Cache-Control: no-cache
4 Content-Type: text/html; charset=iso-8859-15
5 Pragma: no-cache
6 Content-Length: 8140
7 Date: Mon, 25 Nov 2013 15:22:44 GMT
8 Connection: keep-alive
9 Vary: Accept-Encoding
View Code

dotDefender

dotDefender用来防护.net的程序,会对恶意请求返回“dotDefender Blocked Your Request”

GET /---HTTP/1.1
Host: www.acc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 05 Dec 2013 03:40:14 GMT
Content-Length: 2616
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>dotDefender Blocked Your Request</title>
……
View Code

基于特定资源文件

部分特定WAF在返回的告警页面含特定的CSS或者JS文件,可以作为判断的依据,这类情况在WAF类里比较少,可归并到HTTP响应中。

<html><center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center>  </body>  </html>
HTTP/1.1 405 Not Allowed
Server: ASERVER/1.2.9-3
Date: Fri, 27 Dec 2013 14:15:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3
Content-Length: 7188
<div class="wrapper">
<div class="titlelogo"></div>
<div class="err_tips">由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断。</div>
<div class="feedback">
<form action="http://report.anquanbao.com/api.php" method="post">
<input type="hidden" name="black_code" value="" class="hidden_rule_id" />
<input type="hidden" name="deny_time" value="" class="hidden_intercept_time" />
<input type="hidden" name="server_id" value="" class="hidden_server_title" />
<input type="hidden" name="deny_url" value="" class="deny_url" />
<input type="submit" class="submit_img" value="" />
</form>
</div>
<a href="javascript:;">站长点击查看详情</a>
<a href="javascript:;">站长点击查看详情</a>
View Code

防火墙识别

nmap
nmap NSE模块
--script=http-waf-detect
--script=http-waf-fingerprint

wafw00f

sqlmap
sqlmap -u “www.xxx.com/xxx?id=1”--identify-waf

WVS

APPSCAN

绕过技巧

绕过技巧 - HTTP协议层 - 利用pipline绕过 | 会被安全狗拦截

burp Repeater -》update Content-Length 取消选中 -》 截获post请求
id = 1 and 1=1 # 被拦截

绕过技巧 - HTTP协议层 - 利用分块编码传输绕过 | 该方法可绕安全狗防火墙

绕过技巧 - HTTP协议层 - ModSecurity绕过

绕过技巧 - HTTP协议层 - 协议未覆盖绕过 | 可绕过安全狗

POST /sqlinject.php HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0(Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101
Firefox/65.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer:http://127.0.0.1/sqlinject.php?id=1
Content-Type: multipart/form-data;boundary=69
Content-Length: 69
Connection: close
Upgrade-Insecure-Requests: 1

--69
Content-Disposition: form-data; name="id"

1 and 1=1
--69--

(不可绕过安全狗)


POST /sqlinject.php HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0(Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101
Firefox/65.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer:http://127.0.0.1/sqlinject.php?id=1
Content-Type: multipart/form-data;boundary=69
Content-Length: 70
Connection: close
Upgrade-Insecure-Requests: 1

--69
Content-Disposition: form-data; name="id"

1.and 1=1
--69--
View Code

绕过技巧 - HTTP协议层 - 分块编码和协议未覆盖组合绕过

绕过技巧 - HTTP协议层 - 利用数据溢出绕过

绕过技巧 - HTTP协议层 - Content-Encoding绕过

绕过技巧 - HTTP协议层 - Content-Type绕过

绕过技巧 - HTTP协议层 - Charset绕过

转载于:https://www.cnblogs.com/AtesetEnginner/p/10997768.html

  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

表情包
插入表情
评论将由博主筛选后显示,对所有人可见 | 还能输入1000个字符
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值