
libinjection bypasses

Status: Open. attackercan opened this issue 9 years ago · 4 comments

Hello Nick,

I'm terribly sorry for not contacting you directly before my Blackhat talk came out.

I was introducing a SQL fuzzer, which (among other things) allows one to easily find libinjection bypasses. Please check out the BH slides and my GitHub for more info:

https://www.blackhat.com/docs/us-16/materials/us-16-Ivanov-Web-Application-Firewalls-Analysis-Of-Detection-Logic.pdf

As a result, you may want to update fingerprints.txt with new tokens, or even change the tokenizer mechanism a bit (symbols such as *, !, < and some others are parsed and treated wrongly).

attackercan, Aug 18 '16 02:08

Hello @attackercan

Oh no problem.. I heard there was a talk at BH. Too bad we didn't meet up.

A SQL Fuzzer? Fantastic! I've been waiting for someone to write one :-)

I'll take a look at your talks shortly,

regards,

n

client9, Aug 18 '16 09:08

Nice work @attackercan! By the way, did you look at my new regexps in CRS 3? ;) (scared now) I did a complete rewrite of the PHP/RCE rules and always love more expert review.

I've coordinated that we'll try to do a new ModSecurity 2.9 release around the time that CRS 3.0 will be released (probably October) to update our bundled libinjection. So this is a good time to make a step forward on both fronts :)

lifeforms, Aug 18 '16 09:08

@client9 I was PoCing for BH, don't expect much from it (yet). I'm currently working on improvements. @lifeforms, I will aim to do that next week. I've heard @csanders-git embedded my regexp-based PoC into modsec's SDLC, though don't expect any new findings from me :)

attackercan, Aug 18 '16 12:08

https://twitter.com/NGalbreath/status/766294673837006848

client9, Aug 18 '16 15:08