Friday, October 12, 2007

Calling "User Agent Blocking" BLUFF

Bypassing a Web App firewall which has blocked Paros

There are clients who have internal security teams, and these guys obviously know their stuff: recently we came across a client who had actually done his homework and blocked Paros. The first question is how you can block someone from using software installed on their own hard drive. The only way is if that software sends out some unique piece of information about itself that the remote IPS or web application firewall can identify. We broke our heads for quite some time trying to figure out why Paros wouldn't work at all while direct connections, and connections through Burp, Achilles and the rest, worked fine. Very strangely, the first request seemed to get sent okay, but after that, nothing. This meant Paros was sending out something in its first request that the destination was catching.

Then Jaideep came up with the theory of User-Agent blocking, which made sense. As we confirmed, Paros appends the string "Paros/3.2.13" to the end of the User-Agent header of every request before sending it, so something on the client's side is pattern matching on "Paros/3.2.13" and dropping any request that contains it. Since we were using Paros as our browser proxy, every request went through Paros, every request had Paros appended to its User-Agent string, and every request was blocked at the destination.

So what's the solution? I somehow WANT to use Paros. Paros was already configured as the browser proxy, so every request went through it, and every request was going to be blocked. We used the proxy chaining feature and configured Paros to forward its requests to Burp running on another machine, so the flow of traffic became Paros -> Burp -> destination server. The final request now reaches the server from Burp instead of from Paros, and Burp does not add anything to the end of the User-Agent field, so the Paros token is gone by the time the firewall sees it. (A quick way to confirm you are dealing with a User-Agent rule before building the chain: send the same request from a raw client twice, once with "Paros/3.2.13" on the end of the User-Agent and once without, and see which one gets a response.) So we did manage to use Paros; to be fair we might as well have just used Burp, but the challenge for a techie is finding new ways of doing old things, so we're happy for now.
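To make the mechanism concrete, here is an added example (my own code, not something from the post, from Paros or from Burp) that models both halves of the story: a hypothetical firewall rule that matches a Paros product token anywhere in the User-Agent, and the header rewrite that the downstream hop (Burp in the chain above, or a filter inside the proxy) has to perform so the token never reaches the target. The sample requests, the host name and the full User-Agent values are constructed; the post only tells us that "Paros/3.2.13" is appended to the end of the header.

```python
import re

# Constructed sample: what the target sees when the browser is proxied through
# Paros, which appends its own product token to the outgoing User-Agent.
# (Exact browser UA is made up; only the trailing "Paros/3.2.13" is from the post.)
REQUEST_VIA_PAROS = (
    "GET /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.7 Paros/3.2.13\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

# Constructed sample: the same request sent straight from the browser.
REQUEST_DIRECT = (
    "GET /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.7\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

# Hypothetical firewall rule: a product token of the form Paros/<version>,
# anywhere in the User-Agent, matched case-insensitively. A real rule might be
# the literal "Paros/3.2.13"; matching any version is the more robust choice.
BLOCKED_UA_PATTERNS = [re.compile(r"\bParos/\d+(?:\.\d+)*", re.IGNORECASE)]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, [(name, value), ...], body).

    Header order is preserved so the rewritten request can be re-emitted faithfully.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def is_blocked(raw):
    """Emulate the target-side User-Agent blocklist: True if the request would be dropped."""
    _, headers, _ = parse_request(raw)
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    return any(p.search(ua) for p in BLOCKED_UA_PATTERNS)


def strip_tool_signature(raw):
    """What the last hop before the target must do: remove the proxy's product token.

    Only the matching token is removed; the browser's own User-Agent is left intact
    so the request still looks like ordinary browser traffic.
    """
    request_line, headers, body = parse_request(raw)
    cleaned = []
    for name, value in headers:
        if name.lower() == "user-agent":
            for p in BLOCKED_UA_PATTERNS:
                value = p.sub("", value)
            value = " ".join(value.split())  # collapse the whitespace left behind
        cleaned.append((name, value))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in cleaned])
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print("via Paros, unmodified :", "BLOCKED" if is_blocked(REQUEST_VIA_PAROS) else "allowed")
    print("direct from browser   :", "BLOCKED" if is_blocked(REQUEST_DIRECT) else "allowed")
    rewritten = strip_tool_signature(REQUEST_VIA_PAROS)
    print("via Paros, after strip:", "BLOCKED" if is_blocked(rewritten) else "allowed")
```

The point the chain in the post relies on is visible in the last line: the firewall never sees the token because the hop closest to the target does not carry it forward. Any hop that re-adds its own token after the rewrite would put you right back where you started.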

Next step: this seemed to work only when Burp and Paros were on different machines. If both were on the same machine the packets didn't even leave the network card, for some reason. It was the same in the initial case: with just Paros, no packet after the first ever left the network card. Why? We'll let you know when we find out.

2 comments:

Abhishek said...

Arvind, did you try the filter option provided in Paros to remove the User-Agent field? It might work! You can change HTTP request headers, body, user agents etc. using the filter option available under the Tools menu. Do let us know whether it works.

Arvind said...

I haven't used the "Filter" option in this case, but I did use it as part of another application security test and it worked, so I'm pretty sure it will work here as well. Another update when I actually try it out and it works.