Another Brick Off the Wall: Deconstructing Web Application Firewalls Using Automata Learning

Presented at Black Hat Europe 2016, Nov. 3, 2016, 2:30 p.m. (60 minutes).

Web Application Firewalls (WAFs) are fundamental building blocks of modern application security. For example, the PCI standard for organizations handling credit card transactions dictates that any application facing the internet should either be protected by a WAF or successfully pass a code review process. Nevertheless, despite their popularity and importance, auditing web application firewalls remains a challenging and complex task. Finding attacks that bypass the firewall usually requires expert domain knowledge of a specific vulnerability class. Penetration testers without this knowledge are thus left with publicly available lists of attack strings, like the XSS Cheat Sheet, which are usually insufficient for thoroughly evaluating the security of a WAF product.

In this presentation we introduce a novel, efficient approach for bypassing WAFs using automata learning algorithms. We show that automata learning algorithms can be used to obtain useful models of WAFs. Given such a model, we show how to construct, either manually or automatically, a grammar describing the set of possible attacks, which is then tested against the obtained model of the firewall. Moreover, if our system fails to find an attack, a regular expression model of the firewall is generated for further analysis. Using this technique we found over 10 previously unknown vulnerabilities in popular WAFs such as Mod-Security, PHPIDS and Expose, allowing us to mount SQL Injection and XSS attacks that bypass the firewalls. Finally, we present LightBulb, an open source Python framework for auditing web application firewalls using the techniques described above. In the release we include the set of grammars used to find the vulnerabilities presented.
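The workflow the abstract describes has two stages: learn an automaton model of a black-box filter from membership queries (does the filter block this string?), then check a grammar of inputs the filter is supposed to block against that model offline instead of against the live firewall. The following added example, which is not part of the talk or of LightBulb, illustrates both stages on a constructed toy. It implements Angluin-style L* with Maler-Pnueli counterexample handling over a three-letter alphabet, uses a bounded exhaustive comparison as the equivalence oracle (a real audit would use conformance testing against the live system), and then runs a constructed "policy grammar" through the learned model to find inputs the filter fails to block. The filter `toy_filter`, the alphabet and the grammar are all constructed for the example; the point for a defender is that the learned model lets you enumerate coverage gaps in your own filter without querying it once per candidate.

```python
"""Learn a DFA model of a black-box filter with L*, then audit it offline.

Added example, not the talk's or LightBulb's code. The filter, alphabet and
policy grammar are constructed; the learner itself is the textbook algorithm.
"""
from itertools import product

ALPHABET = "abc"  # constructed toy alphabet


def toy_filter(s: str) -> bool:
    """Constructed black-box filter: blocks iff the literal 'ab' occurs.
    The intended policy is stricter: 'a', any number of 'c', then 'b'."""
    return "ab" in s


def all_strings(max_len):
    """Every string over ALPHABET up to max_len, shortest first."""
    for n in range(max_len + 1):
        for tup in product(ALPHABET, repeat=n):
            yield "".join(tup)


class DFA:
    def __init__(self, states, start, accepting, delta):
        self.states, self.start, self.accepting, self.delta = states, start, accepting, delta

    def accepts(self, s: str) -> bool:
        q = self.start
        for ch in s:
            q = self.delta[(q, ch)]
        return q in self.accepting


def lstar(member, equiv):
    """Angluin's L* with Maler-Pnueli counterexample handling.

    member(s) answers a membership query (True = filter blocks s);
    equiv(dfa) returns a counterexample string or None if the model is good.
    Returns the learned DFA and the number of membership queries issued.
    """
    S, E = [""], [""]          # prefixes (states) and distinguishing suffixes
    table = {}                 # (prefix, suffix) -> member(prefix + suffix)

    def fill():
        for s in S + [s + a for s in S for a in ALPHABET]:
            for e in E:
                if (s, e) not in table:
                    table[(s, e)] = member(s + e)

    def row(s):
        return tuple(table[(s, e)] for e in E)

    while True:
        fill()
        # Close the table: every one-letter extension must match some row in S.
        while True:
            rows_s = {row(s) for s in S}
            missing = next((s + a for s in S for a in ALPHABET
                            if row(s + a) not in rows_s), None)
            if missing is None:
                break
            S.append(missing)
            fill()
        # Build the hypothesis: states are the distinct rows of S.
        delta = {(row(s), a): row(s + a) for s in S for a in ALPHABET}
        accepting = {row(s) for s in S if table[(s, "")]}
        hyp = DFA(sorted({row(s) for s in S}), row(""), accepting, delta)
        ce = equiv(hyp)
        if ce is None:
            return hyp, len(table)
        # Maler-Pnueli: add every suffix of the counterexample to E.
        for i in range(len(ce) + 1):
            if ce[i:] not in E:
                E.append(ce[i:])


def bounded_equiv(member, max_len):
    """Equivalence oracle by exhaustive comparison up to max_len (toy only)."""
    def equiv(hyp):
        for s in all_strings(max_len):
            if hyp.accepts(s) != member(s):
                return s
        return None
    return equiv


def policy_grammar(max_c):
    """Constructed policy: strings the filter *should* block, a c^k b for k <= max_c."""
    return ["a" + "c" * k + "b" for k in range(max_c + 1)]


def find_gaps(model, candidates):
    """Grammar strings the learned model does not block (checked offline)."""
    return [s for s in candidates if not model.accepts(s)]


def audit():
    model, queries = lstar(toy_filter, bounded_equiv(toy_filter, 6))
    gaps = find_gaps(model, policy_grammar(3))
    return len(model.states), queries, gaps


if __name__ == "__main__":
    n_states, n_queries, gaps = audit()
    print(f"learned {n_states}-state model with {n_queries} membership queries")
    print("policy strings the filter does not block:", gaps)
```

On this toy the learner recovers the filter's 3-state automaton with 30 membership queries, and the offline check immediately reports that `acb`, `accb` and `acccb` pass the filter even though the policy says they must be blocked; the same split between expensive live queries (membership, equivalence) and cheap model-side checks is what makes the grammar stage in the talk practical against a real WAF.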


Presenters:

  • George Argyros - Security Researcher, Columbia University
    George Argyros is a security researcher currently pursuing a PhD at Columbia University in NYC. His research revolves around the development of machine learning algorithms for analyzing complex software, debugging tools for machine learning models and making symbolic execution practical for interpreted languages. In the past, George worked in the area of location privacy, where he developed a number of new attacks for precisely pinpointing the location of users in popular social services such as Facebook Nearby Friends and Foursquare. Moreover, George worked in the area of applied cryptography, where he developed a suite of tools for exploiting weak randomness vulnerabilities in web applications and uncovered a large number of vulnerabilities in popular software packages such as MediaWiki, Joomla and several others. Beyond research, George also worked as a security consultant in various organizations, where he was responsible for code auditing, cryptographic protocol auditing and penetration testing.
  • Ioannis Stais - Security Researcher, Census S.A.
    Ioannis Stais is an IT security researcher at CENSUS S.A., a company that builds on strong research foundations to offer specialized IT security services to customers worldwide. Ioannis has participated in more than 50 security assessment projects, including the assessment of communication protocols, web and mobile banking services, NFC payment systems, ATMs/POS, critical medical appliances and MDM solutions. He holds a Master's degree in Computer Systems Technology from the University of Athens. His research currently focuses on the development of machine learning algorithms for improving vulnerability research, the enhancement of fuzzing frameworks and the exploration of current threats in mobile and web applications.
