ModSecurity SVM Bypass Charity Challenge
I am happy to announce the ModSecurity SVM Bypass Charity Challenge. This is a SQL Injection, XSS and Path Traversal Filter Evasion Challenge. Similar to the Trustwave ModSecurity SQLi Challenge, I set up ModSecurity to proxy to the following four commercial vulnerability scanner demo sites:
As these are third-party web apps, please test your payloads below first to ensure that they bypass the filter before automating attacks against the vulnerable web apps.
Participant Goals
To successfully execute SQLi, XSS or Path Traversal against the scanning vendor demo websites.
SQLi Challenge. The demo used in the challenge relied on the OWASP Core Rule Set (CRS) to classify attacks. The CRS is basically a sophisticated regular expression that returns a binary result: the attack payload either matches the regexes or it does not. While this approach can provide a base level of protection, the speed with which the SQLi Challenge was solved highlighted the weakness of relying on it alone. Ryan Barnett proposed several solutions to this problem. One approach was to leverage Bayesian analysis to identify attacks that successfully bypass the CRS rules. While I was initially excited about the concept, the more I tested it, the more apparent it became that even with significant training the false negative rate was too high for production use.
After researching and heavily testing other machine learning algorithms, Support Vector Machines (SVMs) appeared to be a great fit for classifying web application attack payloads, specifically SVMs based on 2-gram models. An SVM takes a given input and makes a prediction based on pre-calculated classification models. While some SVM tools support multi-class classification, I found that a one-vs-one (as opposed to one-vs-all) approach provided the most accurate results (based on k-fold cross-validation with k = 10) when classifying HTTP attack payloads. Another lesson I learned was that the SVM classification code worked well on medium to long payloads but failed miserably with short payloads. With this in hand, I used liblinear and the Lua API to add SVM support to ModSecurity while relying on the CRS to classify short attack payloads.
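As an added illustration (not the challenge's ModSecurity/Lua module and not liblinear), the following Python sketch shows the three ideas above working together: character 2-gram features, one-vs-one voting between pairwise linear models, and routing payloads below a length threshold to a CRS-style regex fallback. The training corpus, the fallback regexes, the 12-character threshold and the perceptron update rule standing in for liblinear's SVM solver are all assumptions made for the example.

```python
import re
from collections import Counter
from itertools import combinations

MIN_SVM_LEN = 12  # hypothetical threshold: shorter payloads go to the regex fallback

# Constructed training corpus (not the challenge's data): label -> example payloads
TRAIN = {
    "benign": ["john.doe@example.com", "search for cheap flights", "page=2&sort=name",
               "hello world this is a comment", "order number 12345 shipped"],
    "sqli": ["' OR 1=1 --", "1 UNION SELECT username, password FROM users",
             "admin'-- ", "1; DROP TABLE users", "' or ''='"],
    "xss": ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>",
            "javascript:alert(document.cookie)", "<svg onload=alert(1)>",
            "\"><iframe src=javascript:alert(1)>"],
}
# Stand-in for the CRS: regexes consulted only when the payload is too short for the model
FALLBACK = [("sqli", re.compile(r"(?i)('\s*or\s*|union\s+select|--\s*$)")),
            ("xss", re.compile(r"(?i)(<script|onerror=|javascript:)"))]

def bigrams(s):
    """Character 2-gram counts of the lowercased payload (the model's features)."""
    s = s.lower()
    return Counter(s[i:i + 2] for i in range(len(s) - 1))

def train_pair(pos, neg, epochs=500):
    """Linear separator between pos and neg, trained with the perceptron rule."""
    w, b = Counter(), 0.0
    data = [(bigrams(x), 1) for x in pos] + [(bigrams(x), -1) for x in neg]
    for _ in range(epochs):
        mistakes = 0
        for feats, y in data:
            score = sum(w[g] * c for g, c in feats.items()) + b
            if y * score <= 0:          # misclassified: move the boundary
                for g, c in feats.items():
                    w[g] += y * c
                b += y
                mistakes += 1
        if mistakes == 0:               # separable data: converged
            break
    return w, b

# One model per unordered pair of classes (one-vs-one)
MODELS = {(a, c): train_pair(TRAIN[a], TRAIN[c]) for a, c in combinations(TRAIN, 2)}

def svm_vote(payload):
    """Each pairwise model votes for one of its two classes; majority wins."""
    feats, votes = bigrams(payload), Counter()
    for (a, c), (w, b) in MODELS.items():
        score = sum(w[g] * n for g, n in feats.items()) + b
        votes[a if score > 0 else c] += 1
    return votes.most_common(1)[0][0]

def classify(payload):
    """Short payloads go to the regex fallback, longer ones to the 2-gram model."""
    if len(payload) < MIN_SVM_LEN:
        return next((label for label, rx in FALLBACK if rx.search(payload)), "benign")
    return svm_vote(payload)
```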
To successfully complete the challenge, participants must:
Challenge Results
When a payload is identified as malicious, the following warning is prepended to the response (note that if the response is a 302 redirect, you will see the warning in a proxy but not in your browser):
Please submit any successful bypasses to: jzlatin at purehacking dot com. The first person to successfully bypass the SVM filter will receive a free ticket to AppSecUSA, a $995 value (thanks Tom!). In addition, during the month of June, I will donate $100 from my personal funds for each of the first five bypasses received to charity.
Acknowledgements
A special thanks to Christian Bockermann for his constant support with my machine learning queries and Ryan Barnett for his invaluable feedback while developing the ModSecurity SVM module.