Monthly Archives: August 2017

Request encoding to bypass web application firewalls

I “think” I have discovered a “new” technique for bypassing external web application firewalls using request encoding. The idea is very simple, but I had not seen it used before to bypass any protection mechanism. Details of this technique have been published via NCC Group’s blog:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/

This technique was presented as one of the methods to mutate HTTP requests in:

There are loads of other anomalies in how web servers accept HTTP requests that can be used to bypass WAFs; my plan is to complete this research and publish all the results via the https://http.ninja/ website. Please feel free to contact me via Twitter (@irsdl) if you have any ideas regarding this.

The unofficial PDF version of this blog post can be downloaded from here:
https://soroush.secproject.com/downloadable/request-encoding-to-bypass-web-application-firewalls.pdf

Almost all the cloud-based WAFs that I had tested could be bypassed using this technique at the time of discovery.

When a web application SSRF causes the cloud to rain credentials & more

The following blog post was written by me and Daniele Costa:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more/

In this blog post we demonstrated an SSRF exploitation to steal AWS credentials and access Amazon S3. What made this attack special was that http://169.254.169.254/latest/meta-data/iam/ was not accessible to our users during the exploitation. Therefore, we had to use the ‘userData’ attribute of the EC2 describe-instance-attribute operation to extract the sensitive data.
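As an added defender-side example (not code from the original post or from NCC Group), the check below audits EC2 user data for embedded credentials, since anyone holding ec2:DescribeInstanceAttribute can read it even when the metadata endpoint is blocked; the FakeEC2 client, instance IDs and bootstrap scripts are constructed stand-ins, and a real boto3.client("ec2") can be passed in their place.

```python
import base64
import re

# Credential-shaped patterns; AKIA is AWS's published access-key-id prefix.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd)\s*[=:]\s*\S+"),
}

def scan_user_data(b64_value):
    """Decode the base64 'Value' from DescribeInstanceAttribute and return the
    names of the secret patterns found (empty list when there is no user data)."""
    if not b64_value:
        return []
    text = base64.b64decode(b64_value).decode("utf-8", errors="replace")
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

def audit_instances(ec2, instance_ids):
    """Return {instance_id: [pattern names]} for instances whose user data leaks."""
    findings = {}
    for iid in instance_ids:
        resp = ec2.describe_instance_attribute(InstanceId=iid, Attribute="userData")
        hits = scan_user_data(resp.get("UserData", {}).get("Value"))
        if hits:
            findings[iid] = hits
    return findings

class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") so the example runs offline."""
    def __init__(self, user_data_by_id):
        self._user_data = user_data_by_id

    def describe_instance_attribute(self, InstanceId, Attribute):
        assert Attribute == "userData"
        value = self._user_data.get(InstanceId)
        # boto3 returns an empty UserData dict when the instance has none.
        return {"InstanceId": InstanceId, "UserData": {"Value": value} if value else {}}

# Constructed sample user data: one bootstrap script embeds keys, one is clean.
LEAKY_B64 = base64.b64encode(
    b"#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
    b"export AWS_SECRET_ACCESS_KEY=constructed-placeholder-secret\n"
    b"aws s3 sync s3://example-bucket /srv/app\n").decode()
CLEAN_B64 = base64.b64encode(b"#!/bin/bash\napt-get update -y\n").decode()
SAMPLE_CLIENT = FakeEC2({"i-0constructedleaky": LEAKY_B64, "i-0constructedclean": CLEAN_B64})

if __name__ == "__main__":
    print(audit_instances(SAMPLE_CLIENT, list(SAMPLE_CLIENT._user_data)))
```

Pair this check with removing secrets from user data altogether (fetch them at boot through the instance role from a secrets store) and with restricting ec2:DescribeInstanceAttribute in IAM.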

The unofficial PDF version of this blog post can be downloaded from here:

https://soroush.secproject.com/downloadable/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more.pdf

CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers

If you do web application security assessments, you have probably seen many APIs that have no cross-site request forgery (CSRF) protection other than checking the Content-Type header.

Although this looks like a poor defence, browsers do not normally allow a page to send unusual Content-Type headers to another website (without CORS), so exploitation is nearly impossible. However, a vulnerability was found in Internet Explorer and Edge that allowed users to set these arbitrary headers (anything that JavaScript can set). This issue was patched in July 2017. More details can be seen here:

https://www.nccgroup.trust/uk/our-research/technical-advisory-cve-2017-8592-xmlhttprequest-in-ie-followed-307-redirections-with-additional-or-customised-headers/

As mentioned in the advisory above, bypassing security features via redirection is a common attack vector, and it was interesting that this issue had not been reported to Microsoft previously. A similar issue in Adobe Flash had been patched a long time ago (see https://www.whitehatsec.com/blog/flash-307-redirect-game-over/).