Fingerprinting WAF Rules with Timing Based Side Channel Attacks

Side Channel Attacks?

Web Application Firewalls

Why Fingerprint ’em Rules?

Understanding The Setup

Conventional Methods of WAF Fingerprinting

Some examples of WAF block-pages
Secure Entry WAF cloaking the server’s stack traces

The Main Drawback

Why Timing Attacks?

Idea of the Attack

Principle

The Approach

Attack Approach Analysis of our Methodology

Performing the Experiment

The Setup

The Learning Phase

Examples of blocked and passed requests

The Attack Phase

Comparison of how normal and polymorphic payloads look
Results Visualized for Attack Phase on Reverse Proxy Topology
Results Visualized for Attack Phase on Server Resident Topology
Final Results in a Nutshell

Downsides of the Method

Dealing with It

Amplifying the Attack

1. Choosing a Longer URL Path

2. Denial of Service Attacks

3. Cross Site Rule Fingerprinting

<html>
<body>
<img id="test" style="display: none">
<script>
  // Hidden image element used as the carrier for the cross-site request
  var test = document.getElementById('test');
  // Timestamp taken just before the request is issued
  var start = new Date();
  // The response is not a valid image, so onerror fires once it arrives;
  // the difference approximates the round-trip time of that request
  test.onerror = function() {
    var end = new Date();
    alert("Total time: " + (end - start));
  };
  // 'parameter' and 'payload' are assumed to be defined elsewhere on the page
  test.src = "http://sitename.tld/path?" + parameter + "=" + payload;
</script>
</body>
</html>

Conclusion
