BSides Berlin 2024
Slides of my presentation
https://nzt-48.org/slides/undetectable-sql-injections.pdf
This edition of BSides was very international: all the talks were given in English, even though the conference took place in Germany.
I had the honor of meeting Dr. Mario Heiderich, whose research I've been following since 2009. He gave a great presentation about mutation XSS vectors. Mutation vectors are extremely powerful; they have been used to leverage XSS attacks against websites such as Google, Facebook, Gmail, Twitter, GitHub, Reddit, Dropbox, Yahoo Mail, other email clients and, in summary, all applications that accept certain HTML from the user.
Applications of this sort allow user input to contain HTML code; the code is parsed so that dangerous tags and dangerous attributes are removed. Filters of this type are called HTML sanitizers.
A mutation vector is markup that looks safe upon syntactic inspection, but when the web browser renders it the markup changes: the parser mutates it to conform to the HTML specification, and as a result the safe-looking markup turns into dangerous code.
More on these in the following links:
Dr. Heiderich - The innerHTML apocalypse
https://www.slideshare.net/slideshow/the-innerhtml-apocalypse/19935120
MXSS Explained by @S1r1u5_
https://x.com/S1r1u5_/status/1840755301378916612
https://x.com/S1r1u5_/status/1843615093512384666
Kévin Mizu (@kevin_mizu) research on mutation XSS, presented at GreHack 2024
https://x.com/kevin_mizu/status/1857462763653640224
Sonar research on mXSS
https://x.com/XssPayloads/status/1796027253068837022
Dr. Mario Heiderich, being an eminent expert in the field, created DOMPurify: an extremely well-designed HTML sanitizer. In his presentation he showed mutation XSS vectors (found by other researchers) that succeeded in bypassing DOMPurify. He didn't publish the slides of his presentation.
I had the chance to present my research about breaking web application firewalls (WAFs). Nowadays it is very common to find websites that are protected by a web application firewall. WAFs are used by about half the internet; they have become a very popular and trusted security solution. When there is a WAF protecting the application, vulnerability scanners don't work, and automated exploitation tools also become useless. It becomes very difficult to test the site for vulnerabilities.
I tested 17 of the most used WAFs on the internet and I bypassed all of them, except for just one brand. In this presentation I explained the process of how I broke the SQL injection rules of the biggest brands in the market:
- OWASP ModSecurity Core Rule Set
- Microsoft Azure
- Amazon AWS Cloudfront
- Oracle
- Cisco
- Cloudflare
- F5 Big-IP
- Akamai
- Fortiweb
- Fortiguard
- Radware
- Imperva Incapsula
- Barracuda
- Indusface AppTrana
- Wordfence
- Symantec (Broadcom)
As a bonus, I also included some cross-site scripting vectors.
The slides of the presentation have been published here:
https://nzt-48.org/slides/undetectable-sql-injections.pdf
There is also a blog post that thoroughly explains the bypasses exposed in the presentation:
https://nzt-48.org/breaking-the-most-popular-wafs
Overall the conference was very enjoyable and I am very grateful to have attended.
Published @ 2024-11-25 04:54