BishopFox/Imperva_gzip_WAF_Bypass BishopFox/Imperva_gzip_WAF_Bypass

  • Stars
    star
    154
  • Rank 240,589 (Top 5 %)
  • Language
    Python
  • Created over 2 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
BishopFox/Imperva_gzip_WAF_Bypass
github

BishopFox

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Imperva Web Application Firewall (WAF) POST Request Bypass

Imperva Cloud WAF was vulnerable to a bypass that allows attackers to evade WAF rules when sending malicious HTTP POST payloads, such as log4j exploits, SQL injection, command execution, directory traversal, XXE, etc.

Remediation

The Imperva team took this very seriously from the minute it was reported to them, and they turned around a global fix in just a few days. Kudos. All customers of Cloud WAF are automatically patched as of December 22, 2021. Imperva were great to work with and clearly have a mature, skilled, and capable security team.

To Exploit It

Add the header Content-Encoding: gzip to HTTP POST requests. Leave POST data as-is. Don't encode it. So long as the first four bytes of the Content-Encoding header are gzip, no WAF rules will be applied to POST requests.

You can do this in Burp by using the proxy's Match & Replace feature:

Add a new header like this:

That's it; you're good to go.

Running the Test Script

Run imperva_gzip.py against a URL that supports POST requests like this:

Syntax: ./imperva_gzip.py [[-t] | [-r]] URL

Guess the WAF type for a given URL:

$ ./imperva_gzip.py -t https://www.vulnerable.com/search
Imperva Incapsula
$ ./imperva_gzip.py -t https://www.wordpress-user.com/login
WordFence
$ ./imperva_gzip.py -t https://www.cloudflare-customer.com
Cloudflare

Check to see if the WAF is vulnerable to the gzip bypass:

$ ./imperva_gzip.py https://www.vulnerable.com/search
[+] Can we make POST requests to https://www.vulnerable.com/search?
[+] Checking for Imperva WAF...
[+] Attempting gzip bypass for UNIX trigger...
[+] Vulnerable! HTTP response code: 200
[+] Attempting gzip bypass for Windows trigger...
[+] Vulnerable! HTTP response code: 200

If you get this error:

$ ./imperva_gzip.py https://www.vulnerable.com/search
[+] Can we make POST requests to https://www.vulnerable.com/search?
[!] Can't POST to https://www.vulnerable.com/search. Try -r if 30x redirects are allowed. HTTP response code: 302

then try passing -r on the command line to enable relaxed mode. Relaxed mode is off by default, which means a POST request is expected to elicit an HTTP 200 response from the server. -r expands the acceptable responses to HTTP 2xx, 3xx.

Scripting

The exit codes for imperva_gzip.py are as follows:

0: Returned after getting WAF type.
1: Command-line was invalid.
2: There was an error connecting. Could be DNS error, timeout, etc.
3: No WAF was detected; malicious UNIX/Windows payloads weren't blocked.
4: A WAF was detected, but it wasn't Imperva.
5: The server responded to a test POST request with something other than HTTP 200.
128: There is an Imperva WAF, but it is not vulnerable to the gzip bypass.
129: The bypass was effective for the UNIX payload, but not the Windows one.
130: The bypass was effective for the Windows payload, but not the UNIX one.
131: The bypass was effective against both Windows and UNIX payloads.

Process to Manually Test for Vulnerability

Send three POST requests:

  1. Establish a baseline POST request/response with a valid but harmless POST request
  2. Trigger the Imperva WAF using the same POST request, but with extra β€œmalicious” data such as &test=../../../../../../../etc/shadow in the body to verify that Imperva blocks it
  3. Add the header Content-Encoding: gzip to the same malicious request and verify that Imperva doesn't block it

Other Encodings

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding, there are four valid values for the Content-Encoding header:

  • compress
  • deflate
  • gzip
  • br

In testing, only gzip worked as a bypass.

Affected Versions

Imperva Cloud WAF

Cloud WAF is managed by Imperva. As as result, updates to Cloud WAF affect almost all customers at almost the same time. It is patched for all customers as of December 22, 2021.

SecureSphere

The gzip bypass bug has been remediated in a separate Imperva product called SecureSphere. The release notes for v12.6 of SecureSphere contain this paragraph:

SPHR-58185: When SecureSphere failed to decompress POST body in requests with "Content-Encoding: gzip/deflate" header, it issued no alert and let the request through.

I'm pretty sure this is the same bug, perhaps with the same code heritage as Cloud WAF... it's a pretty specific bug to be in two products. The issue was resolved for SecureSphere in February 2021, but we don't know when it was introduced. It's possible that the vulnerability has been there for years!

Contact

Bishop Fox

Imperva

Imperva Customer Support: https://www.imperva.com/support/technical-support/

References

More Repositories

1

sliver

Adversary Emulation Framework
Go
8,155
star
2

unredacter

Never ever ever use pixelation as a redaction technique
TypeScript
7,687
star
3

cloudfox

Automating situational awareness for cloud penetration tests.
Go
1,867
star
4

GitGot

Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
Python
1,412
star
5

jsluice

Extract URLs, paths, secrets, and other interesting bits from JavaScript
Go
1,311
star
6

eyeballer

Convolutional neural network for analyzing pentest screenshots
Python
1,017
star
7

spoofcheck

Simple script that checks a domain for email protections
Python
776
star
8

h2csmuggler

HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
Python
632
star
9

bfinject

Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
Objective-C++
619
star
10

GadgetProbe

Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
Java
578
star
11

badPods

A collection of manifests that will create pods with elevated privileges.
Shell
574
star
12

iam-vulnerable

Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
HCL
457
star
13

bfdecrypt

Utility to decrypt App Store apps on jailbroken iOS 11.x
C
439
star
14

iSpy

A reverse engineering framework for iOS
Logos
438
star
15

rmiscout

RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities
Java
422
star
16

sj

A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.
Go
354
star
17

smogcloud

Find cloud assets that no one wants exposed πŸ”Ž ☁️
Go
329
star
18

cloudfoxable

Create your own vulnerable by design AWS penetration testing playground
Python
311
star
19

sliver-gui

A Sliver GUI Client
TypeScript
288
star
20

dufflebag

Search exposed EBS volumes for secrets
Go
274
star
21

zigdiggity

A ZigBee hacking toolkit by Bishop Fox
Python
258
star
22

deephack

PoC code from DEF CON 25 presentation
Python
240
star
23

rickmote

The Rickmote Controller: Hijack TVs using Google Chromecast
Python
220
star
24

CVE-2023-3519

RCE exploit for CVE-2023-3519
Python
216
star
25

json-interop-vuln-labs

Companion labs to "An Exploration of JSON Interoperability Vulnerabilities"
Python
193
star
26

pwn-pulse

Exploit for Pulse Connect Secure SSL VPN arbitrary file read vulnerability (CVE-2019-11510)
Shell
136
star
27

firecat

Firecat is a penetration testing tool that allows you to punch reverse TCP tunnels out of a compromised network.
C
126
star
28

CVE-2023-27997-check

Safely detect whether a FortiGate SSL VPN instance is vulnerable to CVE-2023-27997 based on response timing
Python
124
star
29

asminject

Heavily-modified fork of David Buchanan's dlinject project. Injects arbitrary assembly (or precompiled binary) payloads directly into x86-64, x86, and ARM32 Linux processes without the use of ptrace by accessing /proc/<pid>/mem. Useful for certain post-exploitation scenarios, recovering content from process memory, etc..
Python
112
star
30

cve-2024-21762-check

Safely detect whether a FortiGate SSL VPN is vulnerable to CVE-2024-21762
Python
93
star
31

anti-anti-automation

Anti-Anti-Automation Framework
Python
92
star
32

mellon

OSDP attack tool (and the Elvish word for friend)
HTML
87
star
33

forticrack

Decrypt encrypted Fortienet FortiOS firmware images
Python
83
star
34

cyberdic

An auxiliary spellcheck dictionary that corresponds with the Bishop Fox Cybersecurity Style Guide
83
star
35

llm-testing-findings

LLM Testing Findings Templates
HTML
65
star
36

bigip-scanner

Determine the running software version of a remote F5 BIG-IP management interface.
Python
61
star
37

IDontSpeakSSL-deprecated

Simple tool based on sslyze to scan large scope and provide SSL/TLS vulnerabilities
Python
51
star
38

spfmap

A program to map out SPF and DKIM records for a large number of domains
Go
37
star
39

CVE-2021-35211

Python
36
star
40

SpoofcheckSelfTest

Web application that lets you test if your domain is vulnerable to email spoofing
Python
33
star
41

ca-clone

Scripts to clone CA certificates for use in HTTPS client attacks.
Shell
33
star
42

ProxyListReliabilityCheck

Perl script to test the reliability of a list of open web proxies.
Perl
27
star
43

ispy-shell

C
24
star
44

coldfusion-10-11-xss

Proof of Concept code for CVE-2015-0345 (APSB15-07)
22
star
45

CVE-2022-22274_CVE-2023-0656

Python
18
star
46

awsservicemap

Go module that returns supported regions for a service or supported services for a region
Go
14
star
47

wordlist-sanitizer

Remove Offensive and Profane Words from Wordlists
Go
12
star
48

sliver-overlord

Go
9
star
49

burpcage

Kotlin
7
star
50

guardian-ci

Shell
4
star
51

You-re-Doing-IoT-RNG

Results and device code from the DEF CON 29 presentation "You're Doing IoT RNG"
C
4
star
52

VulnerableGWTApp

An intentionally-vulnerable GWT-based web application to test tooling and techniques
Java
3
star
53

.github

Bishop Fox Engineering
2
star
54

knownawsaccountslookup

Go module that provides two lookup functions for the data in https://github.com/fwdcloudsec/known_aws_accounts
Go
1
star