A tool for testing if Web application firewalls (WAFs) are vulnerable to around 150 protocol-level evasion techniques was released at the Black Hat USA 2012 security conference on Wednesday.
The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.
Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.
However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.
The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it’s reasonable to assume that other WAFs are vulnerable to some of them as well.
In fact, Ristic said he shared a few of the techniques with others during the research stage and that they had tested them successfully against some commercial WAF products.
Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic’s presentation that the evasion methods are a problem for the industry.
The question is will this public release of research kick-start a discussion as Mr. Ristic hopes?
- Vulnerabilities in open source WAF ModSecurity (net-security.org)
- Protocol-Level Evasion of Web Application Firewalls (community.qualys.com)
- Web Application Firewalls and the False Sense of Security They can Create (acunetix.com)
Have to worry about the Romanian hackers too.
Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.
“TinKode,” a Romanian hacker who previously found holes in NASA‘s Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. “With this vulnerability I can see/extract all things from databases,” he blogged.
What’s with the weak security?
TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site’s name.
“Four-character passwords that are the same name as the database table names are inexcusable,” says Robert “RSnake” Hansen, founder of SecTheory.
Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. “[This is] a good example of how terrible our security posture is, and he didn’t even have to do anything tricky to find the exploit,” he says.
Considering SQL injection is a common vulnerability exploit this re-enforces the need to test systems regularly.
TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker “unu” demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.
SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.
“Every organization has these problems,” Hansen says. “They may not realize it, but they’re just waiting for a smart kid to come along and copy off every critical piece of information they have.” (Source: Dark Reading)
Of course common sense needs to be used when it comes to passwords as well. Storing in clear text?? Using four character passwords that are the name of the database?? Come on.
Related articles by Zemanta
- Web site scripting flaws are common and slow to be fixed (infoworld.com)
- Web application security is growing problem for enterprises (infoworld.com)
- RockYou Hack: From Bad To Worse (techcrunch.com)
- Useful SQL Injection Info (arnoldit.com)