Book Title: Web Application Obfuscation
Subtitle: ‘-/WAFs..Evasion..Filters//alert(/Obfuscation/)-‘
Authors: Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay
Publisher: Syngress
Date of Publishing: Dec 2010
ISBN(13): 9781597496049
Price (UK&US price – full price, not discounted price): £30.99, $49.95
URL of Publisher Site: Syngress
URL of Amazon UK web page: Web Application Obfuscation: ‘-/WAFs..Evasion..Filters//alert(/Obfuscation/)-‘
URL of Amazon US web page: Amazon.com
When I started to review this book I really didn’t have a clue as to its subject matter. As with many others in the InfoSec profession I understand code obfuscation, but I asked myself, what has obfuscation to do with web applications? Within the first few pages it was made clear, and in fact, I was reasonably familiar with the subject (at least the basics of it). Many years ago I had a client in the UK whose website kept crashing, basically because our single sign-on IIS plugin kept memory faulting. After a lot of investigation we established that an attacker from China was sending malformed URL requests into the client’s website. Our plugin couldn’t quite handle these strange requests. The solution was to install a relativity new Microsoft tool at that time, called urlscan. This dropped unusual HTTP requests before they went into the core IIS engine – problem solved! That is the basis of this book. It describes how an attacker can obfuscate code or markup languages to do nasty things to browsers or web servers. To obfuscate code such that security filters, web application firewalls (WAFS) and network or host-based IDS systems do not detect or prevent the attack. This is a very frightening book!Web Application Obfuscation is 275 pages long and consists of 10 chapters. Chapter one introduces the subject and provides a good introduction to regular expressions. This is necessary because most filters use regular expressions to detect “bad stuff”. Chapter two goes on to provide an overview and history of HTML and then describes how to obfuscate markup languages. Chapter three delves into JavaScript and VBScript, providing a number of ways to obfuscate code and show how cross-site scripting attacks could be launched by bypassing a WAF or IDS. Chapter four looks at non-alphanumeric JavaScript; how to write the most obscure and obfuscated JavaScript possible. This chapter really blew my mind. If your WAF works just on searching for text strings then JavaScript written in this way will go straight through the filter. Chapter five goes on to examine CSS (cascading style sheets). You may ask what attack vectors are possible using CSS… but it is entirely possible and this chapter explain exactly how it’s done. Chapter six examines PHP and describes how to perform string obfuscation. Chapter seven goes on to look at SQL and demonstrates obfuscation techniques and how they could be used in database injection attacks. Chapter eight discusses WAFS and client-side filters (or rather, how they can be bypassed) as well as looking at IE8 XSS filters and how they can be bypassed. Finally, in chapter 9 the authors describe how some of the attacks can be protected against (note the use of the word ‘some’). Worryingly, this is quite a small chapter. Chapter 10 concludes this amazing book by analyzing future developments and discusses HTML5 and a number of browser plugins.
This is a deep technical read and anyone buying it should have a solid understanding of web technologies and some experience of web programming. I would say it is targeted at penetration testers and security architects, but to the security generalist it also opens up new frontiers when it comes to designing for security.
This is a very frightening book and I would advise any security architect to purchase a copy. It’s aimed at the bleeding edge of the technical security market, however, it really does hammer home how difficult security can become when faced with complex applications and protocols. The techniques used in the book are not trivial, but they do show us that the age of the firewall and the IDS may well be over, and the age of security by design has only just begun.
Marks: 5 out of 5
*****
You don`t have permission to comment here!