
Our presentation at OWASP Europe in Krakow on Web Application Firewall shortcomings was featured on Darkreading, and Wendel was quoted in the article. Other sites and blogs (such as Heise) also mentioned the presentation. Imperva’s blog (Imperva happens to be a WAF vendor) commented on the presentation as well, and in this post I hope to answer some of its claims.
“What Wendel (TrustWave) and Sandro (EnabledSecurity) basically showed is that they can figure out if a WAF is deployed to protect a web application and two techniques that can allegedly “bypass” WAFs.”
Unfortunately we had a couple of technical issues, which meant that our presentation did not start on time and some of the live demos could not be shown. We had just 30 minutes to present, which was not enough. We did perform the demos the next day anyway for a number of people, who had some interesting feedback (more on that later). Either way, we mentioned more than two techniques that can lead to a bypass in some Web Application Firewalls.
“The two speakers described WAFs basically as a combination of black lists and white lists while missing the entire point in WAFs that learn the web application interfaces and usage patterns using dynamic profiling mechanisms and express complex security rules through advanced correlation engines. Actually, WAFs were developed to overcome the disadvantages in purely signature based products like IDSs.”
I do not currently have access to Imperva’s SecureSphere, but aren’t “dynamic profiling” and “express complex security rules” there to automatically create whitelists? That is what the SecureSphere datasheet and the specifications page imply. If not, can you explain how this works (and also what “express complex security rules” means)?
Most WAFs support the blacklist approach by default, and on large, complex sites the positive model is not easy to set up or maintain. Making use of the learning features of various WAF products is definitely going to help, but it does not solve issues such as maintenance. A good question is: what sort of traffic do you use to train your WAF? A large number of WAFs are configured to use the blacklist approach most of the time, even though the positive / whitelist model is supported by the product.
“Presenting the ability to detect WAFs deployed in front of a web application as a major security risk is just biased”
Detection of the WAF is not a major security issue in itself, but it is just another step in the reconnaissance stage of an attack.
As for the feedback that we received at OWASP, many of the participants who had first-hand experience with Web Application Firewalls agreed that positive-model Web Application Firewalls are a pain to maintain. Everyone came to the conclusion that you need dedicated personnel to maintain a large web application protected by a WAF. That is hardly something that the vendors want you to know.
Filed under: rant | Leave a Comment
Tags: appseceu09, imperva, owasp, sandro, securesphere, waf security, wendel
So OWASP at Krakow (which was a great experience!) came to an end. The conference was a mixture of technical and non-technical presentations; I liked the w3af presentation and thought it was well delivered, and I heard that the “HTTP Parameter Pollution” talk was particularly interesting. It seems that the Web Application Firewalls talk that we gave caught the attention of various organizations, media (DarkReading) and people (Twitter). The presentation went a bit bonkers and Murphy’s Law kicked in. However, we got the chance to demonstrate the missed content after the conference to an audience that provided a lot of good feedback.
I’ll also be presenting a session on VoIP scanning on the Internet at CONFidence tomorrow. Most other presentations and research seem to focus on VoIP (in)security plus layer 2 issues, such as sniffing clear-text VoIP. In contrast, my session will focus more on what attackers coming from the Internet can do to your SIP PBX and endpoints. The focus is on demonstrating, using both live demos and recorded videos, and describing some interesting (rather new) attacks that apply to VoIP on the Internet.
Filed under: Site news | Leave a Comment
Tags: confidence, darkreading, krakow, voip, waf, web application firewall
Back from Troopers09 in Munich after presenting our (Wendel Guglielmetti Henrique from Trustwave and yours truly) research on Web Application Firewalls. Troopers was great and the organizers (Enno Rey and co) did a great job with the conference. Kudos to them! During the presentation we demonstrated some tools that will help security analysts and penetration testers identify WAFs and fingerprint their rules. We hope to release these tools soon; meanwhile, if you would like to beta test, please send me a note.
Last week Bryan Miller from Syrinx Technologies interviewed me on Web Application Security and WAFs. You may listen to the podcast here, where I gave my views on web application security and an introduction to the presentation for Troopers. If you would like to keep up to date with this podcast, you may subscribe using the RSS feed.
Filed under: Site news | Leave a Comment
Tags: interview, podcast, syrinx, troopers09, trustwave, web application firewall, web application security
Announcing the VOIPPACK April edition, which supports IAX2 and can now scan Asterisk servers. Because the feedback for sipautohack was great, we included a similar tool for the Asterisk protocol (IAX2), called iax2autohack, in the April edition of VOIPPACK. The following are the new tools available in this update:
- iax2enumerate, which, like sipenumerate, tries to guess the extensions present on the Asterisk box and reports whether each extension has a password set
- iax2cracker, which, given a known extension on the Asterisk box, attempts to recover the password through an online brute-force attack
- iax2autohack, which finds any Asterisk servers on the network, enumerates their extensions and launches a password cracking attack on each extension
The following demo shows iax2autohack in action:
For more information about VOIPPACK and our other offerings check out the products page.
Additionally, we confirmed a few phones that are vulnerable to the SIP Digest Leak vulnerability (tools included in VOIPPACK), including the Cisco 7940, Grandstream, Fritzbox and more, thanks to Sjur and another unnamed entity ;-) I will be working on further research and releasing a paper after Troopers09, where Wendel G Henrique and I will be presenting our Web Application Firewall research and releasing new tools.
Watch twitter if you’re interested in what’s happening ;-)
Filed under: Site news | Leave a Comment
Tags: asterisk security, canvas, iax2 security, iax2autohack, sipautohack, voip security, voippack
One of the projects that we’ve been busy with is VOIPSCANNER.com. I am now pleased to announce that it is in (semi-)public beta. During the beta stage the service will be free, but we shall be approving each application individually. Apply for a beta code now.
What is VOIPSCANNER.com?
VOIPSCANNER.COM makes scanning your public-facing IP PBX for security holes easier than ever. There is no need for desktop applications or any software installation: just enter the IP address of your IP PBX and you will receive a report of what attackers out there might find out about your IP PBX.
Filed under: Site news | Leave a Comment
Tags: sipautohack, sipvicious, voipscanner
A paper on the subject is coming up, because there has been quite some buzz about this on Twitter and some VoIP security blogs. The VOIPSA post explains that this is available to CANVAS users. Check out the VOIPPACK page for more information. Sjur’s blog also attracted quite some attention with the title “Get the password from ANY SIP device?!?! It is fully possible!”.
Meanwhile, we’re having a tutorial rush over here: the second tutorial related to VoIP and VOIPPACK has been published here. By following the steps outlined in the document, you’ll be able to do the following:
- Understand how the SIP Digest Leak attack works
- Get an IP Phone to ring
- Get the IP Phone to leak the challenge response
- Recover the password
Abstract:
The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows leakage of the Digest authentication response, which is computed from the password. An offline password attack is then possible, which can recover most passwords from the challenge response.
Oh, and just in case you’re wondering... nope, this is not an April Fools’ joke. This IETF document describes a similar issue. Hang on for the paper on the topic.
Filed under: Site news | Leave a Comment
Which means that if you are running OpenX, make sure to update to the latest version which was issued just now. The latest download can be found here.
We posted an advisory detailing some well-hidden SQL injection vulnerabilities as well as XSS, the possibility of arbitrary file deletion and CRLF injection. Additionally, we made available a video (below) on your favorite video sharing site explaining how we were able to identify the flaws by making use of Acunetix AcuSensor (not much skill involved there), analyze the flaws and eventually develop some code to exploit one of the blind SQL injection vulnerabilities. This exploit is not publicly available, but interested organizations can contact info@enablesecurity.com for further details.
Filed under: Research, Site news | Leave a Comment
Tags: blind sql, openx, sql injection, sqli, web application security
Just published a tutorial called “How to set up a VoIP lab”, which provides easy step-by-step instructions on how to get a VoIP lab up and running. Abstract:
Have you been wondering about what sort of security vulnerabilities apply to the VoIP network that’s coming up in your next assignment but have no equipment to test on yet?
The truth is that most of the time there is no need for a lot of expensive hardware to set up a basic lab for testing VoIP security.
Filed under: Site news | 2 Comments
Tags: asterisk, security lab, voip lab, voip security
Just released an update for VOIPPACK which includes the “SIP Digest Leak” tool and “Ghostcall”.
What does the SIP Digest Leak tool do?
The SIP Digest Leak is a vulnerability that affects a number of IP Phones that use SIP. Many VoIP phones will respond to an authentication challenge even when the challenge does not come from an authorized party. This causes these VoIP phones to leak the digest authentication details that are used to access PBX servers. Attackers can then launch an offline password attack to recover the original password from the details obtained through this attack. This tool automates the whole process.
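As an added example (not part of the original post, the tutorial abstract above, or VOIPPACK), the following Python checks a captured SIP exchange for the behaviour described here and in the SIP Digest Leak abstract: a phone answering a Digest challenge that did not come from its PBX. The PBX address, the header fields and the sample capture are constructed assumptions for illustration.

```python
import re
from ipaddress import ip_address, ip_network
# Assumption: only the PBX at 192.0.2.10 is entitled to challenge the phones.
TRUSTED_PBX = [ip_network("192.0.2.10/32")]
HDR_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
def parse_sip(raw):
    # Returns the request/status line and a dict keyed by lower-cased header name.
    lines = raw.split("\r\n")
    headers = {m.group(1).lower(): m.group(2)
               for m in map(HDR_RE.match, lines[1:]) if m}
    return lines[0], headers
def digest_params(value):
    # 'Digest realm="asterisk", nonce="4a9b2"' -> {'realm': 'asterisk', 'nonce': '4a9b2'}
    return dict(re.findall(r'(\w+)="([^"]*)"', value))
def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_PBX)
def digest_leak_alerts(capture):
    # capture: (src_ip, dst_ip, raw_message) tuples in arrival order.
    # Emits one alert per Digest response a phone sent back to a challenger that is not the PBX.
    pending = {}  # (challenger_ip, nonce) -> realm, for challenges from untrusted peers
    alerts = []
    for src, dst, raw in capture:
        first, hdr = parse_sip(raw)
        if first.startswith(("SIP/2.0 401", "SIP/2.0 407")):
            chal = hdr.get("www-authenticate") or hdr.get("proxy-authenticate")
            if chal and not is_trusted(src):
                p = digest_params(chal)
                pending[(src, p.get("nonce"))] = p.get("realm")
            continue
        auth = hdr.get("authorization") or hdr.get("proxy-authorization")
        if auth:
            p = digest_params(auth)
            key = (dst, p.get("nonce"))
            if key in pending:  # the phone answered a challenge from a non-PBX peer
                alerts.append({"phone": src, "challenger": dst,
                               "user": p.get("username"), "realm": pending[key]})
    return alerts
# Constructed sample capture (not real traffic): phone 192.0.2.20 ends a call with an
# unknown peer, the peer challenges the BYE, and the phone answers with a Digest response.
CAPTURE = [
    ("192.0.2.20", "198.51.100.7",
     "BYE sip:198.51.100.7 SIP/2.0\r\nCall-ID: c1\r\nCSeq: 2 BYE\r\n\r\n"),
    ("198.51.100.7", "192.0.2.20",
     "SIP/2.0 401 Unauthorized\r\nCall-ID: c1\r\nCSeq: 2 BYE\r\n"
     'WWW-Authenticate: Digest realm="asterisk", nonce="4a9b2"\r\n\r\n'),
    ("192.0.2.20", "198.51.100.7",
     "BYE sip:198.51.100.7 SIP/2.0\r\nCall-ID: c1\r\nCSeq: 3 BYE\r\n"
     'Authorization: Digest username="100", realm="asterisk", nonce="4a9b2", '
     'uri="sip:198.51.100.7", response="00000000000000000000000000000000"\r\n\r\n'),
]
```

Running `digest_leak_alerts(CAPTURE)` yields a single alert naming the phone, the untrusted challenger, the username and the PBX realm that was exposed; the same exchange with the real PBX as challenger yields none.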
What about Ghostcall?
When an attacker is able to contact SIP phones directly, the attacker can often get the phones to ring. This means that someone can launch a denial of service in which all phones in a network ring at the same time. Ghostcall demonstrates this issue by first determining which extensions the SIP phones ring on, and then getting them to ring simultaneously.
Other tools are Digest Cracker, SIP Get Ringers and SIP Phonecall. More information about these can be found on the product page.
Filed under: Site news | Leave a Comment
Tags: ip phone, voippack
Last month we published a video demo called “Attacking Web Applications with Broken Authentication”. It shows a simple web application that relies on a cookie called “userid” for authentication. You might think that very few sites are vulnerable to this issue, but the truth is that I came across it last year at a rather large European security conference. Some of the local ISPs also have this sort of security flaw.
What the video demonstrates is not just the flaw, but how to automate exploitation of such a flaw with a particular web application security tool. Check out the video below.
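Added example (not code from the video or the original post): the “userid” cookie scheme beside an HMAC-signed session cookie that a client cannot forge or extend. The secret, the token layout and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: server-side secret, never sent to the client

def vulnerable_current_user(cookies):
    # The scheme from the video: the server believes whatever "userid" the client presents,
    # so editing the cookie value is all it takes to act as another user.
    return cookies.get("userid")

def issue_session(user_id, now=None, ttl=3600):
    # Hardened replacement: the cookie carries user id and expiry, bound by an HMAC that
    # cannot be recomputed without SECRET. User ids must not contain "|" (the separator).
    now = time.time() if now is None else now
    payload = f"{user_id}|{int(now) + ttl}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def hardened_current_user(cookies, now=None):
    # Returns the user id only if the signature verifies and the session has not expired.
    now = time.time() if now is None else now
    token = cookies.get("session", "")
    if "." not in token:
        return None
    b64, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64.encode())
        user_id, exp = payload.decode().split("|", 1)
        exp = int(exp)
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if now >= exp:
        return None
    return user_id
```

With the vulnerable function any cookie value is accepted as an identity, whereas the hardened function rejects a token whose signature was altered, whose payload is malformed, or whose expiry has passed.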
Also, (IN)SECURE Magazine was released yesterday, so go grab it. It includes my personal views on the security incidents and events of last year; look out for “The year that Internet security failed”. Lots of articles look good, but the following caught my eye:
- Improving network discovery mechanisms
- Scott Henderson on the Chinese Underground
- Playing with Authenticode and MD5 collisions
Oh, and here’s the video:
Filed under: Site news | 2 Comments
Tags: acunetix wvs, fuzzer, insecure magazine, insecuremag, weak authentication, web application fuzzer
