From e56ee9a0c50a40311d5e6e7a0dd7346f40302e65 Mon Sep 17 00:00:00 2001 From: Adam Piper Date: Tue, 3 Jan 2017 16:05:44 +0900 Subject: [PATCH 1/7] Add BApp metadata files and Gradle build file. --- BappDescription.html | 36 ++++++++++++++++++++++++++++++++++++ BappManifest.bmf | 11 +++++++++++ build.gradle | 15 +++++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 BappDescription.html create mode 100644 BappManifest.bmf create mode 100644 build.gradle diff --git a/BappDescription.html b/BappDescription.html new file mode 100644 index 0000000..cfb19c2 --- /dev/null +++ b/BappDescription.html @@ -0,0 +1,36 @@ +

This extension add headers to all Burp requests to bypass some WAF products. +The following headers are automatically added to all requests:

+ +
+X-Originating-IP: 127.0.0.1
+X-Forwarded-For: 127.0.0.1
+X-Remote-IP: 127.0.0.1
+X-Remote-Addr: 127.0.0.1
+
+ +

Usage

+ +
    +
  1. Install the BApp
    2. +
  2. Create a session handling rule in Burp that invokes this extension
    3. +
  3. Modify the scope to include applicable tools and URLs
    4. +
  4. Configure the bypass options on the "Bypass WAF" tab
    5. +
  5. Test away
    6. +
+ +

More information can be found at: https://www.codewatch.org/blog/?p=408

+ +

Bypass WAF contains the following features:

+ +
    +
  1. Users can modify the X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr headers sent in each request. This is probably the top bypass technique i the tool. It isn't unusual for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, which is what this bypass targets.
    2. +
  2. The "Content-Type" header can remain unchanged in each request, removed from all requests, or by modified to one of the many other options for each request. Some WAFs will only decode/evaluate requests based on known content types, this feature targets that weakness.
    3. +
  3. The "Host" header can also be modified. Poorly configured WAFs might be configured to only evaluate requests based on the correct FQDN of the host found in this header, which is what this bypass targets.
    4. +
  4. The request type option allows the Burp user to only use the remaining bypass techniques on the given request method of "GET" or "POST", or to apply them on all requests.
    5. +
  5. The path injection feature can leave a request unmodified, inject random path info information (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?resetofquery). This can be used to bypass poorly written rules that rely on path information.
    6. +
  6. The path obfuscation feature modifies the last forward slash in the path to a random value, or by default does nothing. The last slash can be modified to one of many values that in many cases results in a still valid request but can bypass poorly written WAF rules that rely on path information.
    7. +
  7. The parameter obfuscation feature is language specific. PHP will discard a + at the beginning of each parameter, but a poorly written WAF rule might be written for specific parameter names, thus ignoring parameters with a + at the beginning. Similarly, ASP discards a % at the beginning of each parameter.
    8. +
  8. The "Set Configuration" button activates all the settings that you have chosen.
    9. +
+ +

All of these features can be combined to provide multiple bypass options.

diff --git a/BappManifest.bmf b/BappManifest.bmf new file mode 100644 index 0000000..c27945a --- /dev/null +++ b/BappManifest.bmf @@ -0,0 +1,11 @@ +Uuid: ae2611da3bbc4687953a1f4ba6a4e04c +ExtensionType: 1 +Name: Bypass WAF +ScreenVersion: 0.2.1 +SerialVersion: 3 +MinPlatformVersion: 0 +ProOnly: False +Author: Josh Berry +ShortDescription: Adds headers useful for bypassing some WAF devices. +EntryPoint: build/libs/bypasswaf-all.jar +BuildCommand: gradle fatJar diff --git a/build.gradle b/build.gradle new file mode 100644 index 0000000..9ac6f42 --- /dev/null +++ b/build.gradle @@ -0,0 +1,15 @@ +apply plugin: 'java' + +sourceSets { + main { + java { + srcDir 'src' + } + } +} + +task fatJar(type: Jar) { + baseName = project.name + '-all' + from { configurations.compile.collect { it.isDirectory() ? it : zipTree(it) } } + with jar +} From ff9c03fca8464699aa29f89360da5bb1ed7ec059 Mon Sep 17 00:00:00 2001 From: Adam Piper Date: Wed, 18 Jan 2017 19:59:45 +0900 Subject: [PATCH 2/7] Avoid the directory name affecting the name of the resultant jar by explicitly naming the root project. --- BappManifest.bmf | 2 +- settings.gradle | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 settings.gradle diff --git a/BappManifest.bmf b/BappManifest.bmf index c27945a..809c505 100644 --- a/BappManifest.bmf +++ b/BappManifest.bmf @@ -7,5 +7,5 @@ MinPlatformVersion: 0 ProOnly: False Author: Josh Berry ShortDescription: Adds headers useful for bypassing some WAF devices. -EntryPoint: build/libs/bypasswaf-all.jar +EntryPoint: build/libs/bypass-waf-all.jar BuildCommand: gradle fatJar diff --git a/settings.gradle b/settings.gradle new file mode 100644 index 0000000..4f4ee55 --- /dev/null +++ b/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'bypass-waf' From b6c76e246d6ace5bb547c0964352afd2820c3fc8 Mon Sep 17 00:00:00 2001 From: Adam Piper Date: Sat, 21 Jan 2017 12:47:23 +0900 Subject: [PATCH 3/7] Boost screenVersion. --- BappManifest.bmf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BappManifest.bmf b/BappManifest.bmf index 809c505..eb79689 100644 --- a/BappManifest.bmf +++ b/BappManifest.bmf @@ -1,7 +1,7 @@ Uuid: ae2611da3bbc4687953a1f4ba6a4e04c ExtensionType: 1 Name: Bypass WAF -ScreenVersion: 0.2.1 +ScreenVersion: 0.2.2 SerialVersion: 3 MinPlatformVersion: 0 ProOnly: False From 9ddf9d9222563d89d2d18d0632521fada85cc476 Mon Sep 17 00:00:00 2001 From: Mike Smith Date: Mon, 23 Jan 2017 14:31:08 +0000 Subject: [PATCH 4/7] Bump serial version after build --- BappManifest.bmf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BappManifest.bmf b/BappManifest.bmf index eb79689..315ead3 100644 --- a/BappManifest.bmf +++ b/BappManifest.bmf @@ -2,7 +2,7 @@ Uuid: ae2611da3bbc4687953a1f4ba6a4e04c ExtensionType: 1 Name: Bypass WAF ScreenVersion: 0.2.2 -SerialVersion: 3 +SerialVersion: 4 MinPlatformVersion: 0 ProOnly: False Author: Josh Berry From 80952850acb347110fa0acc37b7a15440e14c09d Mon Sep 17 00:00:00 2001 From: Adam Piper Date: Mon, 13 Feb 2017 21:30:17 +0900 Subject: [PATCH 5/7] Add RepoName to BappManifest --- BappManifest.bmf | 1 + 1 file changed, 1 insertion(+) diff --git a/BappManifest.bmf b/BappManifest.bmf index 315ead3..a6992d6 100644 --- a/BappManifest.bmf +++ b/BappManifest.bmf @@ -1,6 +1,7 @@ Uuid: ae2611da3bbc4687953a1f4ba6a4e04c ExtensionType: 1 Name: Bypass WAF +RepoName: bypass-waf ScreenVersion: 0.2.2 SerialVersion: 4 MinPlatformVersion: 0 From 27f7b5d4b43cca6f9efb46dff3acf995ba1bd7ac Mon Sep 17 00:00:00 2001 From: Adam Piper Date: Mon, 27 Mar 2017 23:01:42 +0900 Subject: [PATCH 6/7] Bump version. --- BappManifest.bmf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BappManifest.bmf b/BappManifest.bmf index a6992d6..4be84a7 100644 --- a/BappManifest.bmf +++ b/BappManifest.bmf @@ -2,7 +2,7 @@ Uuid: ae2611da3bbc4687953a1f4ba6a4e04c ExtensionType: 1 Name: Bypass WAF RepoName: bypass-waf -ScreenVersion: 0.2.2 +ScreenVersion: 0.2.3 SerialVersion: 4 MinPlatformVersion: 0 ProOnly: False From f3b3eab74b9476cdf90c54f4060e4512735dbc59 Mon Sep 17 00:00:00 2001 From: Mike Smith Date: Wed, 29 Mar 2017 08:33:02 +0100 Subject: [PATCH 7/7] Bump serial version after build --- BappManifest.bmf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BappManifest.bmf b/BappManifest.bmf index 4be84a7..dc168d7 100644 --- a/BappManifest.bmf +++ b/BappManifest.bmf @@ -3,7 +3,7 @@ ExtensionType: 1 Name: Bypass WAF RepoName: bypass-waf ScreenVersion: 0.2.3 -SerialVersion: 4 +SerialVersion: 5 MinPlatformVersion: 0 ProOnly: False Author: Josh Berry