Hacking Book | Free Online Hacking Learning


third issue of weekly technology sharing

Posted by bassolino at 2020-02-25

On Wednesday, April 19, 2017, many schools in the South held their own sports meeting on this day. Today, for the people in our secwiki team, one of them, Xiaobian 504, is a dedicated and enthusiastic person for WAF. Today, we share some knowledge about deploying WAF and defense bypassing, which benefits us a lot, no matter the big bull or the small bull, or the new white.


Let's review the history of the era of Web 1.0, when there was no WAF, and with the increasing development of Web 2.0 technology, there are endless attacks. For example, SQL injection, XSS, file inclusion and other web vulnerabilities in the application layer. Because the traditional firewall is placed in the gateway, it can not defend this vulnerability well, so WAF came into being. WAF is deployed in the front end of the web server cluster to protect the web server.

So what is WAF

WAF is based on the two-way decoding analysis of HTTP / HTTPS traffic, to deal with various security threats in http / HTTPS applications, such as SQL injection, XSS, directory traversal, command execution, etc.

Classification of WAF

Some rules of WAF

Some rules are used to protect attacks based on vulnerability types, as shown in the figure below.

Configuration and analysis of WAF

Here we use modsecirity and nginx + Lua for analysis. ModSecurity is an open source web application security program (or web application firewall) that integrates intrusion detection and defense engine functions. It runs as a module of Apache Web server. The goal is to enhance the security of web applications and prevent web applications from being attacked by known or unknown attacks. Nginx is no stranger to you. It is a high-performance HTTP and reverse proxy server. The last Lua, which is a lightweight and small script language, is written in standard C language and open in the form of source code. Its design purpose is to embed in the application program, so as to provide flexible expansion and customization functions for the application program.

Steps and precautions

Here we use Ubuntu 14.04.3 to install ModSecurity

Update source before installing software

apt-get install update

Install apache2

apt-get install apache2

Install ModSecurity

apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache2-modsecurity

Use the following command to view the ModSecurity version

dpkg -s libapache2-modsecurity | grep Version

Reload profile

service apache2 reload

Configure ModSecurity and enable interception mode

~# cd /etc/modsecurity/

:/etc/modsecurity# mv modsecurity.conf-recommended modsecurity.conf

:/etc/modsecurity# vim modsecurity.conf 

Change secruleengine off to secruleengine on to set to intercept mode.

Using the ModSecurity core ruleset

The directory where the rule set is placed is ` / usr / share / ModSecurity CRS / activated_`

Select enable base rule set

You can see the rule set file in its directory

~# cd /usr/share/modsecurity-crs/activated_rules/

:/usr/share/modsecurity-crs/activated_rules# for f in $(ls ../base_rules/); do ln -s ../base_rules/$f; done

The multi rule file loads the ModSecurity CRS number by file name. As shown in the picture:

Modify Apache 2 module configuration and enable rule set (version 2.7)

VIM / etc / apache2 / mods-available / security2.conf add the corresponding configuration file, as shown in the figure:

Enable ModSecurity module

a2enmod headersa2enmod security2

service apache2 restart

Need attention

IP access issues

After configuration, through access IP discovery, 403 is displayed.

The reason is that in order to consider completeness, there is a rule that forbids IP access to websites.

We can see from the log (the interception log is in / var / log / apache2 / modsec_audit. Log)

vim /var/log/apache2/modsec_audit.log 

The access is blocked by 2960017 in the rule file / usr / share / ModSecurity CRS / activated \ rules / ModSecurity \ CRS \ 21 \ protocol \ anomalies.conf, as shown in the figure:


During the test, you only need to add the "ා" symbol in front of the corresponding rule secrule in the file to comment out the rule, and then you can use IP to access the website.

ModSecurity processing phase

ModSecurity 2. X allows rules to be placed in one of five phases:

Request? Headers

Request body

Response & headers

Response? Body


WAF defense

Phpcms v9.6.0 as an example

Fill in the following information on the website registration page

Burpseuite grabs packets and writes them to payload. According to echo, 403 intercepts can be seen.

Here we take a look at the interception log and see the rule ID of the defense, as well as the parameter and attack load.

Specific rules of defense. As can be seen from the figure below, the corresponding regular matching attack load.

Rule considerations are not all bypassed

Sometimes the scenarios considered by the rules of WAF are not comprehensive. In the face of specific program business, some regular matching problems may be bypassed.

By bypassing the WAF, we can construct the payloads that WAF can't match, but it can execute the successful attack load in the application.

For example, for the following problem, the business program itself has filtered the "=" sign, but the WAF rule may only match the < script >. So when you enter < s = = RI = = Pt > on this business website, WAF cannot be matched. But after WAF, the hardware or software that processes application layer data behind it has "=" filtered and executed for < script >.

The above is only a specific business situation to bypass. To find out the characteristics of the hardware / software that processes the application layer packets behind the WAF device, use these characteristics to construct the WAF miss, but the application can execute the successful load, bypass the WAF. These features need to be studied by all major security enthusiasts.

Rule compilation

Format: rule variables operator [actions]

Variables: mainly matching variables, args, args get, args post, matched VaR, request cookies, etc.

Operator: mainly some operations, such as regular, or starting with those variables.

Actions: describes what to do when an operation successfully matches a variable. Specify what action to perform if variable is in accordance with the operator, such as the simplest one is to give interception or warning.

A small example. According to s2-045, the analysis of the loopholes. It's easy to write rules like this.

SecRule REQUEST_HEADERS:Content-Type "%\{.+\}?|\$\{.+\}?"  "id:123456,block"

Ubuntu 16.04 lts configure nginx + Lua WAF

Because of the high performance of nginx, many Internet companies will use nginx + Lua to research WAF, and then mainly deploy nginx + Lua WAF.

Download the required installation package

Download nginx, PCRE, luajit, NGX devel kit, Lua nginx module in directory / usr / local / SRC

Subsequent commands:

/usr/local/src# wget http://nginx.org/download/nginx-1.9.4.tar.gz

/usr/local/src#wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.39.tar.gz

/usr/local/src# wget 


/usr/local/src# wget  https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz

 /usr/local/src# wget https://github.com/openresty/lua-nginx-module/archive/v0.9.16.tar.gz

Create a normal user running nginx

[email protected]:/usr/local/src# useradd -s /sbin/nologin -M www

Unzip NDK and Lua nginx module

[email protected]:/usr/local/src# tar zxvf v0.2.19.tar.gz

[email protected]:/usr/local/src# tar zxvf v0.9.16.tar.gz

Installing luajit luajit is the Lua instant compiler

[email protected]:/usr/local/src# tar zxvf LuaJIT-2.0.4.tar.gz

[email protected]:/usr/local/src# cd LuaJIT-2.0.4

[email protected]:/usr/local/src/LuaJIT-2.0.4# make && make install

Install PCRE

[email protected]:/usr/local/src# tar zxvf pcre-8.39.tar.gz

[email protected]:/usr/local/src# cd pcre-8.39

[email protected]:/usr/local/src/pcre-8.39# ./configure

[email protected]:/usr/local/src/pcre-8.39# make && make install

Install libssl dev

[email protected]:/usr/local/src# apt-get install libssl-dev

Compile nginx

[email protected]:/usr/local/src# tar zxvf nginx-1.9.4.tar.gz

[email protected]:/usr/local/src# cd nginx-1.9.4

[email protected]:/usr/local/src/nginx-1.9.4# export LUAJIT_LIB=/usr/local/lib

[email protected]:/usr/local/src/nginx-1.9.4#export LUAJIT_INC=/usr/local/include/luajit-2.0

[email protected]:/usr/local/src/nginx-1.9.4# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-file-aio --with-http_dav_module --add-module=/usr/local/src/ngx_devel_kit-0.2.19/ --add-module=/usr/local/src/lua-nginx-module-0.9.16/ --with-pcre=/usr/local/src/pcre-8.39

[email protected]:/usr/local/src/nginx-1.9.4# make -j2 && make install

[email protected]:/usr/local/src/nginx-1.9.4#  ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

Start server:

[email protected]:~#  /usr/local/nginx/sbin/nginx -t

[email protected]:~#  /usr/local/nginx/sbin/nginx 

After installation and startup, the first configuration:

In the configuration file, write the following information to test

[email protected]:~# vim /usr/local/nginx/conf/nginx.conf 

Let's visit now and see that the nginx + Lua environment has been configured.

Configure WAF

Download the WAF to nginx installation path written by loveshell from GitHub / usr / local / nginx / conf /:

 [email protected]:/usr/local/nginx/conf# git clone https://github.com/loveshell/ngx_lua_waf.git

And name the download file WAF

[email protected]:/usr/local/nginx/conf# mv ngx_lua_waf/ waf/

Add in HTTP section of nginx.conf

lua_package_path "/usr/local/nginx/conf/waf/?.lua";

lua_shared_dict limit 10m;

init_by_lua_file  /usr/local/nginx/conf/waf/init.lua;

access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Configure WAF rule files

configuration file

[email protected]:/usr/local/nginx/conf/waf/config.lua 

Here we need to create a log storage directory, and we need the writable permission of nginx user.

[email protected]:/usr/local/nginx/conf/waf# chown www.www /usr/local/nginx/logs/hack/

[email protected]:/usr/local/nginx/conf/waf# /usr/local/nginx/sbin/nginx -s reload

Test defense

The interception is shown in the figure:

view log file

[email protected]:/usr/local/nginx/logs/hack# ls


Create rules

Under wafconf, the filter rules can be adjusted according to the needs. Each rule needs to be wrapped or separated with |.

The rule get parameter in args is filtered.

URLs are rules that filter only the URLs of get requests.

Post is a rule that filters only in post requests.

Whitelist is a white list. The URLs in it are not filtered if they match.

User agent is the filter rule of user agent.


This sharing is mainly based on the open source WAF to explain its simple deployment and defense, to analyze the defense of WAF against web vulnerabilities. But WAF has many shortcomings, most of which are based on regular WAF. In order to protect the normal operation of business without false positives, and with the extremely flexible language syntax, sometimes it is easy to bypass. In addition, WAF lacks defense against 0day vulnerabilities and basic business defense capabilities. For example, the last week's logical vulnerabilities in technology sharing, WAF is in short supply of defense. For the application of semantic analysis and machine learning in WAF new technology, we will wait and see.

Reference resources