From: Erin Carroll (amoeba@amoebazone.com)
Date: Fri Aug 11 2006 - 00:18:49 EDT
Tim,
Some comments inline below:
> One mistake in the network design appears to be the placement
> of the IPS. Wouldn't we normally want that positioned
Actually this type of network design is very common for larger networks with
multiple webserver farms or netblocks within a DMZ. Placing the IPS behind
the FW in the DMZ and ahead of the load balancers allows for multiple
webserver clusters on different networks in the DMZ to all be "protected" by
a single[1] device.
> between the load balancers and the webserver? Presumably the
> load balancers could terminate SSL connections and allow the
> IPS a full view of upper-layer attacks. So, attacking the
> web application over SSL is my first choice.
While some IPS/IDS do have the ability to do teardown/rebuild to analyze
encrypted protocols provided they have the keys/certs, it's usually not done
due to the resource overhead and cost (I don't know offhand of an IPS vendor
that uses ettercap-like MITM captures of key/cert exchanges to sniff the
traffic in the clear).
Attacking the web app over SSL is in most cases one of the most likely
successful attack vectors I've seen due to IPS/IDS's not doing
decrypt/analyze/re-encrypt of packets. Even in cases where it is set up, it
won't stop "legit" traffic over 80/443 as there is no way to reliably create
or implement signatures which would know that a HTTP POST with your example
of inject myFunc('Nancy\\'); alert('xss'); ('s', 'hamster') is a bad thing.
> However, if you're still wanting to hit the lower layers,
> then I would try find a way to differentiate between requests
> that are blocked at the firewall, and ones that are blocked
> by the IPS. This would then allow me to probe the policy on
> the firewall alone, possibly using idle scans to conduct
> spoofed scans from more trusted 3rd party servers.
What about fragmentation to bypass IPS and FW rules to get firewalk or
similar tools to enumerate attack vectors? I love me some nmap -f or --mtu
action. The hard part is getting the right offset to balance speed vs
stealth. In a lot of cases a 16-byte fragment setting will get through and
reduce the # of fragments you have to send as opposed to the default 8-byte.
> Oh, finally, if the load balancers operate more as reverse
> HTTP proxies than lower-layer TCP/SSL accelerators, then I'd
> look into HTTP request smuggling as well.
I'll have to confess that my question was based on a real-life scenario I
dealt with recently. The network infrastructure was as I described. The hard
part was that of the 12 webservers in the WebLogic cluster, only 1 had a
vulnerable weblogic install. Trying to get the fragmentation and evasion to
work *and* hit the right box to inject the remote exploit was a royal pain
in the ass. I was hoping someone might be able to illustrate another way to
accomplish it.
[1] Where single=active-active HA installs to keep up with traffic demands
of course :)
-- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball" -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.405 / Virus Database: 268.10.8/415 - Release Date: 8/9/2006 ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com for details. ------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:40 EDT