WAFFle: Fingerprinting Filter Rules of Web Application Firewalls

Open access to the papers is sponsored by USENIX.

Web Application Firewalls (WAFs) are used to detect and block attacks against vulnerable web applications. They distinguish benign requests from rogue requests using a set of filter rules. We present a new timing side channel attack that an attacker can use to remotely distinguish passed requests from requests that the WAF blocked. The attack works also for transparent WAFs that do not leave any trace in responses. The attacker can either conduct our attack directly or indirectly by using Cross Site Request Forgeries (CSRF). The latter allows the attacker to get the results of the attack while hiding his identity and to circumvent any practical brute-force prevention mechanism in the WAF. By learning which requests the WAF blocks and which it passes to the application, the attacker can craft targeted attacks that use any existing loopholes in the WAF’s filter rule set. We implemented this attack in the WAFFle tool and ran tests over the Internet against ModSecurity and PHPIDS. The results show that WAFFle correctly distinguished passed requests from blocked requests in more than 95 % of all requests just by measuring a single request.

Authors: 

 Isabell Schmitt and Sebastian Schinzel, University of Erlangen-Nuremberg

Open Access Content

Papers are restricted to registered attendees until the event begins. Once the event begins, the content becomes free and open to everyone. Journal articles are open to everyone upon publication. If available, video, audio, and/or slides of this presentation will be posted here after the event.

Schmitt.pdf
View the slides
BibTeX
Text of BibTeX entry: 
@inproceedings {179507, title = {WAFFle: Fingerprinting Filter Rules of Web Application Firewalls}, booktitle = {Presented as part of the 6th USENIX Workshop on Offensive Technologies}, year = {2012}, location = {Bellevue, WA}, url = {https://www.usenix.org/conference/woot12/workshop-program/presentation/Schmitt}, publisher = {USENIX}, address = {Berkeley, CA} } <br><a href="/biblio/export/bibtex/179507">Download</a>
Abstract: 

Web Application Firewalls (WAFs) are used to detect and block attacks against vulnerable web applications. They distinguish benign requests from rogue requests using a set of filter rules. We present a new timing side channel attack that an attacker can use to remotely distinguish passed requests from requests that the WAF blocked. The attack works also for transparent WAFs that do not leave any trace in responses. The attacker can either conduct our attack directly or indirectly by using Cross Site Request Forgeries (CSRF). The latter allows the attacker to get the results of the attack while hiding his identity and to circumvent any practical brute-force prevention mechanism in the WAF. By learning which requests the WAF blocks and which it passes to the application, the attacker can craft targeted attacks that use any existing loopholes in the WAF’s filter rule set. We implemented this attack in the WAFFle tool and ran tests over the Internet against ModSecurity and PHPIDS. The results show that WAFFle correctly distinguished passed requests from blocked requests in more than 95 % of all requests just by measuring a single request.

presentation video

Download Video

presentation audio