OWASP CRS 3 AND COMODO WAF PATCH RULES

26 May 2017 . Umar Farook . / Waf

In this blog, we will see how to identify flaws in WAF and write our custom waf rules to block new attacks against our vulnerable application.

How to write Custom WAF rule to block new attacks on web application?

  1. At first, try to identify the security issue i.e payload or process which normally WAF failed to detect.
  2. Based on that develope regex pattern to match that payload.
  3. Follow the modsecurity syntax to write a new rule.
  4. Save the rule as .conf and include in the default rules directory.
  5. Restart the Apache server and start testing the WAF rules.

Security Issue Overview:

When i started testing normal injection technique on both OWASP CRS 3 & Comodo WAF Ruleset configured separately with vulnerable app i.e SQLI-LABS, WAF works well. But when I tried injection payloads with different encoding techniques i.e Base64,urlencoded (any other encoding method that support on application back-end), it failed to detect which lead to all possible injection attack.

Demo WAF Rule Writing

  1. Start testing the WAF rule i.e Comodo free WAF rules or OWASP CRS rules with vulnerable web application and identifying the security issue in their rules.

  2. While testing the OWASP CRS 3 & Comodo WAF rules, I have found some loop hole which allow user to bypass sql injection rules. i.e OWASP CRS & Comodo Rules failed to detect base64 encoded payload or anyother encoding method that works on the application back-end.

  3. These are the following payload which OWASP CRS 3 && comodo WAF rules failed to detected while testing.

    Normal Payload in base64 encoding:

     admin’) order by 3# :- YWRtaW4nKSBvcmRlciBieSAzIw==
 -admin’) union select 1,2,3# :- LWFkbWluJykgdW5pb24gc2VsZWN0IDEsMiwzIw==
 -admin’) union select 1,database(),3# :-
 LWFkbWluJykgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKSwzIwo=
 -admin’) union select 1,group_concat(username),group_concat(password) from users# :-
 LWFkbWluJykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSxncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gdXNlcnMj

  4. Start writing regex to match the payload 6.Fixing the identified security issue bywriting custom WAF rule.

To have clear understading, check below demo video.

Demo Video: Testing OWASP CRS 3 & Comodo WAF rules


Demo Video :Writing custom rule to block above mentioned payloads using regex expression

Reference:

  1. Modsecurity
  2. Kali
  3. Debuggex
  4. OWASP Mutillidae Vulnerable App
  5. SQLi LABS

Tags: