WAF on SYM01 https://sym01.com/tags/waf/ Recent content in WAF on SYM01 Hugo -- 0.145.0 zh-CN Mon, 02 Aug 2021 02:28:33 +0800 利用 multipart boundary 绕过 WAF https://sym01.com/posts/2021/bypass-waf-via-boundary-confusion/ Mon, 02 Aug 2021 02:28:33 +0800 https://sym01.com/posts/2021/bypass-waf-via-boundary-confusion/ <h2 id="0x00-前言">0x00 前言</h2> <p>WAF(Web Application Firewall)是很常见的 Web 安全基础设施,许多云厂商、大厂、乙方安全公司均有相应的产品。然而,不得不承认,WAF 只能<strong>有限</strong>提升安全防护能力,不能拦截一些稍微复杂的攻击。正常业务不应当过度依赖 WAF,况且 WAF 还存在误拦截正常业务流量的可能。</p> <p>目前已知的一些绕过 WAF 的手段包括但不限于:</p> <ul> <li>Chunked encoding 绕过</li> <li>IBM037 等罕见编码绕过</li> </ul> <blockquote> <p>多嘴一句:最早提出 IBM037 编码绕过 WAF 的应该是 Soroush Dalili 在 <a href="https://www.slideshare.net/SoroushDalili/a-forgotten-http-invisibility-cloak">SteelCon 2017 上的议题</a>,然而国内众多相关文章,基本没有标记出处,很奇怪。</p></blockquote> <p>笔者最近在分析 Go 语言的 HTTP 协议解析实现的时候,发现了一种能够利用 multipart boundary 绕过 WAF 的方法,在 Python 的一些 Web 框架上也适用,因而将其分享出来。</p> <h2 id="0x01-绕过">0x01 绕过</h2> <p><code>multipart/form-data</code> 是一种非常常见的 HTML 表单编码方式,绝大部分的 Web 服务器、框架实现,均支持此编码。其编码后的请求大致如下所示,表单数据通过<code>boundary</code>分割。</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-http" data-lang="http"><span style="display:flex;"><span><span style="color:#a6e22e">POST</span> /test <span style="color:#66d9ef">HTTP</span><span style="color:#f92672">/</span><span style="color:#ae81ff">1.1</span> </span></span><span style="display:flex;"><span>Host<span style="color:#f92672">:</span> <span style="color:#ae81ff">example.com</span> </span></span><span style="display:flex;"><span>Content-Type<span style="color:#f92672">:</span> <span style="color:#ae81ff">multipart/form-data; boundary=“boundary”</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>—boundary </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=“field1” </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>value1 </span></span><span style="display:flex;"><span>—boundary </span></span><span style="display:flex;"><span>Content-Disposition: form-data; name=“field2”; filename=“example.txt” </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>value2 </span></span><span style="display:flex;"><span>—boundary— </span></span></code></pre></div><p>那么只要满足上述协议要求,服务端就可以正常获取到字段内容了,如下图所示。 <picture> <source srcset="https://sym01.com/posts/2021/bypass-waf-via-boundary-confusion/980F2804-97C8-43C8-A106-1238BA2EF1DE_hu_797e72a1f53eb970.webp" type="image/webp" /> <img src="./980F2804-97C8-43C8-A106-1238BA2EF1DE.png" loading="lazy" decoding="async" /> </picture></p>