Web Application Firewalls: Analysis of Detection Logic

by Vladimir Ivanov

The presentation will highlight the core of Web Application Firewall (WAF): detection logic, with an accent on regular expressions detection mechanism. The security of 6 trending opensource WAFs (OWASP CRS 2,3 - ModSecurity, Comodo WAF, PHPIDS, QuickDefense, Libinjection) will be called into question.

Static Application Security Testing (SAST) tool for Regular Expressions analysis will be released, which aims to finds security flaws in the cunning syntax of regular expressions. Using the proposed "regex security cheatsheet", rules from popular WAFs will be examined. Logical flaws in regular expressions will be demonstrated by applying author's bughunting experience and best practices. Unexpected by regexp's primary logic vectors will be discovered for Cross-Site Scripting and SQL-Injection attacks (MySQL, MSSQL, Oracle) using advanced fuzz testing techniques. Obtained from fuzz testing framework attack vectors will be clustered and represented via look-up tables. Such tables can be used by both attackers and defenders in order to understand the purpose of characters in various parts of attack vector, which are allowed by appropriate browsers or databases.

More than 15 new bypass vectors will be described, with an indication of over 300 potential weakness in regular expression detection logic of WAFs.