Why is it still necessary for application security testing in the WAF age

I'm sorry. Um can can everyone hear my voice? Yes. Okay, very nice. Um because my boss is also here. Um so today I would like to use Yeah, this session will be conducted in English. Um but yeah, if you guys have any questions, just feel free to let me know or yeah just feel free to reach out. Okay. Okay. Thank you. So um today um because um because um recently we also hear a lot of voice and keep asking why is still with still necessary to have a W in sorry why we still have to conduct a security assessment even though there's a W in place. So um I would like to talk a bit

more in this topic and then I would like to also introduce a bit um different tricks and tactics that we can use uh during the times that we doing some of the assessment or or uh penetration test against the wild applications. So um let me quickly intro um so before we start oops sorry I can move yes here you go. So before we start, let me quickly introduce myself. So I'm Kevin not, but I know um that's a mistake that was made in a in a website. That's fine. So right now I'm I'm actually a cyber security emphasis. So sometimes I will also do my own research during my free times and then currently I'm working in a virtual banks but pi

but piet um I also work in different companies um from government sectors to consultancy firm and I also work in different different spectrum in cyber securityities from blue teaming side to red teaming sides and yeah um I think my certificate also prove a little bit of that because yes I I actually different certificate from different areas like OCP and OCP from offensive security side and GCFA for for boot teaming side and also certificate for some like the security management side and yeah some and yeah in the past I also do my own research um in my university and there's a paper has been submitted so um if you guys also interested in blockching areas just you can also feel free to reach out

to me although for now I might not very um familiar with this with this topic but yeah that's pretty much

Okay, wait a minute. So, so um let's back back to our topic. So nowadays um some of you may keep if you're actually working in something like the internal security teams sometimes maybe there's some some teams member who keep asking so we already have a pace then why we have to why is this our IP then why we have to white this red team IP address or the SS IP address to just to simply let them do their own things or because while sometimes very powerful then why we still need to do something like the penetration test or application test because um with just simple W in place there's no no one can break through the

wall right but yeah okay I guess some of you if you already work in this industry you may already have a model answer uh because we have to get a multiple layer of defense we have to have it we have to have a defense in depth approach so uh we can't simply rely on one control we also have to ensure that every control has been in place and also have been configured properly but sometime but yeah um and that's another potential answer would be because penetration tests itself is more focused on your vulnerability instead of really trying to bypass the B and so that's a reason that sometimes um we we we just keep using this reason to explain to the to

the kind of like another teammate but um besides on that I think there's one more point that maybe we can work to focus on is actually the buff itself sometimes it's not very reliable. Um although in most cases it's definitely do their jobs. They it do help us to say guard our web applications but doesn't means that it's undefeated. So um but yeah sometimes we keep talking about the block if they bypass but there's no one to really mentions why why there's this chance that um someone can actually bypass bypass the bypass the buff. So um in the next sessions um I would like to briefly talk about uh why it could goes wrong and and yeah and what we could

what we could have been done better in order to safeguard our our web application and web and web servers. So um before we really jump to our next topic um so um to give you guys let me give you guys some background about how the WS work. So W is kind of like a tool or a solutions and tend to protecting your web applications and yeah usually W focus on injection kinds of attack on preventing injection kinds of attack such as S injections process scripting and sometime SSTI and XXE as well but yeah usually there are two kinds of there are two kinds of the main method to deploy your W one is the physical method you

buy you buy appliance from someone else and and deploy it in the data center and there's another way you can do is you can also leverage leveraging some sort of cloud service. So they will also so you can also build a reverse proxy and to connect your web server with with the W. So every request that come through that trying to reach out your web server will be first reach out to the bot and then the bot will help you to pass to pass it to the to your web server with with their own inspection technique. So um but how does it work? Um but yeah I this thing I'll also um discuss a bit

a bit more faster. So usually what will work in several ways um despite there's so many fancy method like AI and machine learning and usually the W focused on detecting things by regular expressions. So um it's kind of like a most common method or kind of like the foundation method that evolve is being used for so many years and even for now. So um that's basically the so that's basically the all the foundations that we need to know or the background of the W. Um so next up I would like to talk a bit more about our testing environment in order to better shows um how we can actually defeat the W or what is the

potential way that the W could goes wrong. I build a very simple instruction structures. So in here uh uh I have our own web server and it also has been establish a reverse proxy connection with a W. Then the W itself has been deployed a M securities and and it also leveraging some reverse proxy technique. So that's why every request that came from the internet internet will eventually come to the W. Then the W would do their own inspections and then pass it to to the actual web server. So So as you can see here's the pro testing website. Um if you guys if you guys have learned something like um how we how we can attack the web

applications or how we can actually do how we can actually um do some sort of secret injections and you want to find a vulnerable site to test. Usually DB.A it would be the famous one that you guys may have reached out before. Um, so so that's kind of like just a very buggy apps and with all kinds of potential vulnerabilities, but actually I didn't and actually I didn't set up any sort of ex um additional defense. I and I even didn't change the difficulties of exploiting this issues because you know this website can also allow you to switch to different difficulties to to making some attack become slightly harder and it requires some tricks but right now even

though I didn't set up any sort of the any sort of the defense difficulties um if you really trying to attack the system um it will be eventually blocked by a lot and yeah that's a that's a beautiful homepage So like that's a beautiful blocking page I have made because I run out of idea. So um this is what it is. So yeah basically that's all the setup for our for the test scenario. Let's jump to our main topic. So um we have discussed um how the typical valve has been set up and how how does it work but um after knowing that after knowing that um why it looks quite promising but how could it be goes

wrong gone wrong in some in several areas. So um firstly let's talk about something that's really hard to be addressed by everyone. Um yes I mean some of you may actually that's kind of like a look and this and hardly be addressed and and if you guys have seen the web is mainly use regular fashions to prevent any sort of incoming web attack that means there that will always going to be two ways to attack the W. One is the offication attack which is you can craft your own payload to bypass some sort of to evade some sort of the regular special detections and another way not very familiar but this actually is applicable in our W in our W solutions which is the

red dos the red dos attack um it's kind of like using the regular expressions components but before we but yeah before we start um because these two attacks are very rely eye on regular expressions. So let us have a crash course on have a crash lessons on how regular expression work. So that's a regular expressions usually looks like. Um it comes with a a expressions with a specific rules. So by leveraging this technologies it will be much easier to address or capture some verdings within a certain file or document any request. And actually that is that is also one of the core technique that has been used by rock for so many years and and even for

now. And here's one of the example um on how it works. So in here I use a I use very simple expressions um a to z from upper case to lower case and with five characters. U by using this regular expression it will be much easier to capture my name Kevin because there are five characters um A to Z from upper to lower and which which matching all the which match all the criteria in my expressions and that's how the actual R looks like. It looks a little bit clumsy because yes that's a real world and we actually trying to capture some malicious or or risky attack. So sorry. And so if I really try to do something

like a secret injection attack to again this to against this uh web web um to against this rules uh what it does is it would it were trying to inspect my URL and actually in in reality it's going to be the whole packet and it will trying to see whenever there's a malicious device being placed or is that any things that may potentially match the criteria and if it match that means we successfully do have a catch. And so um by using this method and that's how the real world looks like. Um so when I insert the malicious malicious payload into my into my buck website um it yes it's definitely going to be blocked but the story behind the scenes

is it will also generate an alert showing that which rules has been used to defense my to block or defense my malicious requests. And so that's basic that's pretty much um the basics on how the w how the buffs work and how the models even though the models laugh as well but um for using but knowing that why when we knowing that um is when we use the many lacking regular expressions to do their own tricks then what could it goes wrong so here's one of the example so actually um because that's very rely on regular sessions so That being said with a slight change it could potentially bypass the whole the W defense mechanism. So like here um in SE in SQL

grow we know or case can also equivalent to something like double uh double things like that. Um but yeah for just sometime for just the little tricks we can potentially bypass bypass a simple a single expressions. But yeah although um I can potentially bypass this expression it doesn't means that you can also bypass all expression since all since the w can also have so many expressions but it doesn't means that he's a delete undefeated. So that's one of the example that how other people's actually trying to bypass a lot with certain with different criterias and different methods. In here you can see that there's no or case here and there's no something like the very famous famous um

SQL wordings except the slack and sometime union but yeah uh usually because the W has been matched so match complex criteria or multiple criteria in order to in order to trigger an alert and block your and block your request. So sometimes um even though even though that uh different rule set looks promising but it doesn't means that it's actually undefeated and just for informations that query also has been raised to GitHub as and and yeah in the future is actually a fix for this kind of the interesting ru or or that's a fix for this kind of the interesting payload and yeah um but it for us I know it looks scary and not much to do for from

our end and but actually um there are some for different weather they do have their own um they do have their own rule set and each of them may contain so many regular expressions like cal potentially contain like 500 and a sw maybe potentially contain around 1,000 or maybe ranging around 2,000 and yeah even though for f5 and alchemize um the range the numbers was just very high. So yeah and and the example that I shows in here is just one of the it's just one of the regular expressions that has been used in different rough solutions and actually there's so many there's so many expression in place but again um even though that that would be quite hard to

to defeat but it doesn't means that it's immortal sometimes still by some simple tricks it could potentially mess up the logic and break through the And the next thing I would like to talk more is about red dos attack. Red dos attack. I'm sorry. So in here uh what we can what accurate what regular expression does is it will trying to use it trying to do some sort of the um kind of like kind of like query within the strings. So actually um for every regular expression we can change it to be something like a stage diagram but because I don't want to make it too clumsy so maybe I just break through it step by step so you guys would know what

was going on if your if your expression is mono so let's say we have two expressions so let's say we have expressions like bracket a plus and close bracket plus b with a weird input like a a so what it does is um because you'll see this string has been matched by their first terms. So because that will be a plus and there's a bracket here means that they will have they they have to form a group with that. So um so um when when this expression received this received the input uh it will trying to break through it into several parts and like a to 4 A's 2 A 3 A's and and and

for each combination they will check whenever there's a B in place. So if there's a B then it will stop it then it will stop. But what if there's no B in the strings? In that case, it would try to compare different answer or compare different groups again and again. And that's why um for just simply five input, I can I can trigger I can trigger this regular expression to execute so many times like two to power something and and actually um that is how the velocities look like looks like. um if I can just simply keep going to if I can keep the length become longer and longer. Um other yeah in the beginning

it doesn't seem scary because it's still it's it just kind of like zero second and it was and it will be turning things but if we just slightly increase a little bit for the payload like 20 something or 30 something it already it would be sky it would be reaching skyh high for the in terms of the performance per computational time. So um that's why it would be much easier to break to break the W. But some of you may ask um so if the W has been has been has been shut down or or kind of like or kind of like attacked by this kind of method what it could be. So usually in M there are two kinds of

setup. So um either it'll be focused um to design any tropics correctly um and in order to keep the in order to keep the confidentiality and integrity because sometimes the attack will be quite deadly. You can remove it can wipe off your database. Sometime you can also retrieve some confidential informations but yeah the drawback is there's no there will be no one no one can access your web applications by if your W is not is going down and yeah there's another approach is you keep your web applications still going to be accessible but yeah kind it will be sacrificing your confidentialities and integrities but yeah um sometimes very open maybe a little bit better because

um even though the W even though the W is what's going down um If your application has been set up correctly or has a power defense, um it still means that it was still not going to be impossible to be break through by secret injection or any kind of the um crazy attack. But again, neither because neither one of the ending will be a good end. So sometimes that's also one of the things that we need to care about. And so yeah that's that's the end for something that we can we could we couldn't do much about but next up I would be talk a bit more about misconfigurations and usually that would be kind of like a

common way that we can actually puzzle off because even though you're from the attacker perspective sometimes it's quite hard for you to really try to really create something like the fancy very fancy regular expressions or very fancy payload to bypass this tons of the regular expression checking. Sometimes it's not very realistic within a very short period of time but uh if there's a misconfiguration on your W um sometimes by will be the bypass will be much more easiest. So um actually there are fields method we can use um I will I will go through it one by one. So the first thing is um I think uh yes I'm sorry I didn't remove this this word but it's

fine. Um actually no need to modify but um it's one of the very classic example. So usually um every time when we go to the W it would still require to to to go through our W application first in order to be in order to be inspected and then pass it to the web app. But what if your IP address can be directly accessed from the public? So um that's so yeah I think you may already show the answer directly and yeah don't worry I think I just I just set it down but yeah sometime you're going to have to try um because technically this this vulnerability can only work on my computers but yeah um on the left hand side we can

see if we can directly if it can directly access to the W then yeah definitely he can do a decent job to prevent our to prevent our website under But um if I can directly access to your web applications um sometimes that would be quite deadly like I can just I can directly do my stuff without any issues and in fact there are several ways that we can actually look for the original IP address um you um by o technique we can also use census and show them and both to sometime it it might quite hard to work out but most of the time but for most of the time if you actually if you

actually has been has been a develop has been an attacker or has been a pen tester sometime you may know this tool is quite useful especially when you're trying to search some hidden IP address in your company sometime you can also search for you can also search some of the DNS history as well and for DNS misconfigurations because some conf some configurations in the wild would be more like um in the production server or in the load balancer they will use the dubdubdub.abc.com but at the end in the web applications they will kind of like use prop one prop 2.abc.com abc.com and the question is what can we actually directly access this back end domain domain name and the

answer is yes that's yes it just going to be fall into it just going to be fall into the same case like this because yeah I know this time I actually include my weird port numbers as well but if we if I just simply change it to be an IP address so I change it to be something like another domain it's still going to be work it's still going to works out And lastly, sometimes TLS would also include some original IP information. So that's why we have to stay stay secure and we have to aware whenever we put whenever we have put some of the unexpected informations into our TLS into our TLS certificate and but yeah it was just um the things

that I talk about just kind of like a common method that some that people already know. And the next thing I want to talk a bit more is about the by size text seat. I'm sorry. I'm sorry. So actually in one especially when you're using the cloud vendor um most of them are actually having some sort of limitations about the size about how many sides they can inspect. So even though in as other different companies, oh sorry okay in CER and other companies and they do have their own limitations. So um from the attacker perspective um if you can insert the bite um which exce that means you can actually that means you can actually

um bypass a lot without any issues. So um um wait a minute. Ah yes here's a here's some here's some of the example on what is the actual maximum request for each for each pass sorry for each um majority cloud vendors. So you can see in advance the 8 kiloby and yeah in archite it could be reaching around 8 kilobytes to 128 kilobyt and yeah and yeah for but you can see at least from different lender perspective they do have their own limitations. So um but yeah to just simply demonstrate this kind of attack um I use my own web I use my own instead because I don't want to kind of like challenge every render. So uh in this

example you can see um I just simply use I just simply set up my bite control to true 2,000 kilobyt sorry 2,000 bytes. So u for normal situations if I insert a payload like that it's not going to work. It's just not going to work because it will be blocked by my W. But if I just simply adding a bit more about my payload uh that is that just going to be possible and actually it it actually could work in other vendor. So sometimes that's also one of the reason we have to care about and at the end and that's what that's how I can break through the walls like do the like perform the SQL

like perform the C scripting on my buggy website but yeah um just for your informations actually um for most of the vendor um if your if actually there's a request that we exceed the W inspection limit what they would do is two is just kind of like two engines one is they would uh drop the package directly and say it exists a limit. And the second one would be uh we still allow we still allow the request directly can send out to the back end web server but there will be a detection in place. So um that's why um from configuration perspective sometimes you make you may differentiate what kinds of requests or what kinds of what kinds of um the

endpoint that may potentially not that dangerous to let it pull like the upload features because they us it usually contains so many bytes. So yeah, that's also one of the P points that worth to concern and lastly um there's another way we can do which is the M bypass via share TLS and some other people would say um you can actually use the you can actually use the same service to bypass the same service. So um the problems in here is because some W cloud vendors would just express would just um blindly trust um the things that in their own territories. Um so so sometimes as an attacker you can just simply registrate a service in that for this cloud render

and then you can leveraging this technique to bypass the control and access the things that you want to go. So so let's take cloud free as an example. So by default um when you're actually subscribing the free tier in cloudare what it does it will it will spin out instant for you. So actually it's not spin out instant it would it usually would be um sharing a trust certificate. So what the attacker could do is he can as he is he can registrate a custom domain on hardware and then and then uh point it to a vector IP address then it can turn off all the all the security features. So by using this by

leveraging this method uh when you when you actually trying to send requests to your c to your registrated customer domain um it will directly go through the go through the CDN which is the cloudare and cloudare was using the internal routine to pass it to to pass it to the victim server leading the needing this kind of attack is directly passed through the cere detection system. So that's why sometimes it's not a very good idea to blindly trust the W IP address. And even though we have something like the TLS configurations, we still have to be sure that we're not really we not explicitly we are not existing ex the kind of like trust relationship. So we can ensure that

every so we can ensure that all the attacks or all the requests has been come from the kind of like the trustworthy locations. And lastly um after we talk a bit more after we gone through some attacks you know spec specifically focus on the W I already talk about few more things that usually w is quite uh even for now it's quite hard to help. So um first is the IP rotations. I mean yeah I know some in some company um internal internal procedures when they receive some continuous attack by a same IP by the same IP address what they would do is they will put it in the blacklist to block it. But sometimes um

because yeah in the past it used to be a very decent method to do the job to get the job done but right now because we can leverage a different sort of the cloud vendor so that would be much more easier for us to leverageing another service. Um well um the things I would like to talk about maybe a bit more mess up a well-known cloud weather. So um today so later on I would like to show some techniques on how we can bypass the w by by some random tool. Okay so um that is the tools that I would like to talk about and yeah sorry to say that so and what it does in a

nutshell is it will try to leverage an ad a gateway mechanism. So what API gateway does behind the scenes is every time when you set up a gateway like that it will try to spin up another connections from all around the world. So by by using this mechanism uh it will allows you to keep changing keep to keep changing IP address to accessing the same website. So as a result you can do something like this. Oh sorry didn't work it didn't work out. Um so here's uh one IP address. So in the left hand side that's the IP IP address. No worry this has this has been changed so it's not a big problem but after I turn on the features

um actually you can see I can keep changing my IP address randomly but yeah all these are related to AWS IP so it's fine. So um okay and here's the how it works out in the real world. So as you can see here's the back end lock that I've seen in my in my um you might know in my web server if I really trying to do something like brute force what it does is it would trying to keep it keep constantly changing the IP address and also keep sending different payload. So by using this method I can I can do something like the brute force attack and and API abuse attack and there will be much ease and even though

you have set up the threshold about limit and like just like if there's a certain IP address that exists that exists a number of time to connecting our certain payload sorry certain endpoint is still not going to rest up because yeah my just keep changing so sometime that's that's one of the reason that we can just simply rely on IP address this information itself. Sometime they also sometimes beyond the IP address there may be several numbers or several things that we can take care of but yeah that's kind of like a mouse and cache game so it's kind of endless and lastly um because the W itself is mainly developed or mainly aims to aim

to protect something like the injection or dodgy request like if you talk like if you see something attack some attacks in secret for the scripting or yeah different kind of things they usually have a very very clear signature showing that it's very dodgy and you should definitely not avoid it but um for some attacks that related to logical fault um like I go attack which is I can I can change my ID to accessing another resources or if I access a certain endpoint without any sort of authentications sometimes um actually um by using for this kind of W can't do much because um just like in a human eyes when we see that kind of request

it's kind of like similar similar as other normal requests but what it does it just kind of like mess up the logic so uh even though so I doubt that you know in the future um like there's some other crazy method like machine learning or other stuff can it really able to could it really able to detect the scout attack and and as you can see here's actually the the latest trends about um different attacks. So yeah, thanks maybe thanks for the love um getting more and more popular and actually our developer is getting more and more aware aware on some sort of the dodgy attack. So injections is kind of like has been slowed down a little bit in the trend

but um there's another things that's coming in broken access control cryptography failure and insecurity size we're also going to be a concern. Yeah. And please knowing that in security size is now part of the important things or part of the important or critical things that should be considered in the company perspective. So at last um just want to give you some takeaways um after this presentations although this kind of like a common sense but still worth to mentions. So um first for some um issue that is hardly been to solve by the w um that's actually not much we can do unless you're very skillful to review all this regular expressions but what we could do

what we could do as a internal security guy um is we can still keep our rout up to date and yeah sometimes if you're really skillful uh or if you want to do a bit more you can also rely you can also use different tool to help you review whatever your w is actually in a good standard or in or it may still require some enhancement or uplifting. And there two there are two there two um tool that you can think of. One of the go test help you to evaluate your W and score it and the second one would be the Wii school which is a tool to detect one of a possible that's a possible regular

special in place. So there's possible regular expression that may potentially fall into red attack. Um so but yeah just keep in mind um the things work out today it doesn't means that it can also work out tomorrow. So that's why uh one of them should also be under monitoring in most cases and here and actually um I do use one of the tool to measure my B sadly because it's not very good but at least it's worked out right no worry I think if you guys have really want to have a try I can also share the domain to you so maybe I will host a bit host maybe one or two days see you whatever you guys

can actually bypass my bath okay And second thing is um for those related to configuration related issues and just keep in mind we have to ensure that our IP address uh for the original IP address don't allow everyone directly access your web server by by simply use the IP address and for byte size um just keep in mind don't directly don't blindly trust the default settings sometime you have to review and see what is possible it could be lavish to bypass to bypass the lock and break through applications And last um not a very good idea to blindly trust the W in TLS um because I know some companies actually um directly trust the W locations but sometimes still worth a

review because sometimes it could also be a lookup but at the end um for some things that will not actually really hard to be addressed by a lot um just have to I think we have to keep the things more secure. secures and yes adopt some and we also have to adopt some common common good sec some good security practice during the development stage like info validation like ensure the info validations authentications and some other security design has been in place during the development stage and yeah um I mean that's a sometime o is kind of like a buzz word in the industry but if you have adopted it would be much more easier for for the

developer to resolve if there's an issue [Music] sometimes mitigation is just kind of like lower the opportunity that your web service and attack but sometimes it's still going to be it's still going to be possible and that's why um at the end if you already have a good applications control or if you already adopt some good practice during development stage that's would already doing a great that's that's already doing a great jobs to prevent this kind of attack but of course um animal would be more will be adding additional layer to safeguard your application so that's why I want to bring this up and at the end um if you guys if you guys may heard some other

people keep asking why is this making sense to why this assess IP address and why it is still necessary to have a pentest or application test after a while and maybe that would be an answer. So that's it for today and thank you guys.