QCon New York 2020 has been canceled. You are viewing content from a past QCon.

Presentation: Modern WAF Bypass Scripting Techniques for Autonomous Attacks

Track: Trust, Safety, & Security

Location: Soho Complex, 7th fl.

Duration: 2:55pm - 3:45pm

Day of week: Tuesday


This presentation is now available to view on InfoQ.com


What You’ll Learn

  1. Hear which techniques people are using in automated attacks.
  2. Find out some of the ways people circumvent website protections.


Scripting and automation are absolutely critical to many aspects of an attacker's effectiveness, whether you're scraping data from a competitor's website or arbitraging March Madness bets. Modern WAFs and "bot detections" often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and to shut the bot or botnet down. This presentation is a mini-tutorial on how the various forms of "bot detection" out there work, and on the philosophies behind modifying or spoofing the necessary client environments to bypass nearly all of them, using anything from Python and JavaScript to Selenium, Puppeteer and beyond.


Is this a workshop? A code walkthrough?


I do teach it as a workshop, but we don't have time for the full four to eight hours it requires. This is that workshop distilled into a run-through of all of the most effective techniques out there for bypassing not only the WAFs that exist but also automation detection, which is becoming a huge thing these days, because WAFs for the most part operate on a really archaic 1990s methodology of IP reputation and HTTP header inspection, all of which is easy to spoof, to bypass, or to fake. That's generated a need for new technologies to come forth to defend against these attacks that are coming in, and that's become this automation detection field, which has become very large, because when you're dealing with the economies of scale of attacking, you're never going to be able to stop an intelligent human attacker who's really dedicated, who really wants to get in. For the most part they're eventually going to find their way.

We all know how effective phishing is. That's the primary attack vector being used these days because it just works. Once we eliminate the individual human manually doing things, 99.9% of the attacks are still left, and those are all being automated. We're not just talking about botnets here, completely autonomous, nebulous things that exist on their own and operate on their own. We're talking about automation toolkits; we're talking about simple scripting.

Let's say I wanted to do an account takeover attack, where I have my word list of usernames and passwords that I want to try against your website. I'm not going to sit here and enter these in one by one. I could, and that could be extremely difficult to detect, especially if I'm able to rotate my IP address and my browser configuration with every request, which I could also do manually. But that's going to take me such a long time that it's not worth my time, regardless of the payoff. So I'm going to write a script that's going to automate that. That script is going to be able to do all of that much faster than any human could. It's still going to rotate IP addresses, it's still going to change the HTTP headers, but because it's using an automated framework, and that framework can literally just be JavaScript or just Python, we're able to detect that now with these automation detection systems that are out there, and determine whether you are automating this login or not. So it's this Occam's razor scenario of: we don't care what the type of attack is. I don't care if you're scraping my website, I don't care if you're doing an account takeover, I don't care if you're testing credit card validity. Is it automated? That's what I'm looking for. Is it automated? And because you're dealing with this purely binary scenario, is it or is it not automated, and if it is automated I don't want it here as a website owner, get rid of it, it makes it a lot easier to fend off. Like I said, it's 99.9% of these attacks.

What I'm discussing in this presentation is ways to bypass the methods of automation detection most commonly used in these defensive mechanisms. Unfortunately, a lot of them still use arcane means of inspection and fingerprinting that are either easily spoofed, or they're using means of implementing the system that are easily bypassed entirely, so you can get around the detection process completely and still go about what we're trying to do. And so that's what I'm discussing in this presentation here.


Is this talk solely going to be on the offensive, or, once you go through the offensive side, will you also talk about how to actually catch all of this?


This talk will solely be on the offensive. However, by the nature of how I'm presenting it, anybody who develops in-house defensive systems against what we're doing here, against the offensive attacks, is going to be able to see how the attacks work and go, oh, I should also be looking for this, I should also be looking for that. I should look for HTTP header rotation, and my inspections should care about the case of the HTTP headers, and I should stop caring about IP reputation because new IPs are easy to get. Things like that. So it's going to be very easily translatable to the defensive side.
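The two answers above describe the same mechanism from both sides: a script that rotates its HTTP headers and IP address per request, and an inspection that, as the speaker puts it, should care about the case of the HTTP headers rather than just their values. The following is an added example, not code from the talk, from Kasada, or from any product, showing both halves in Python: a rotator that emits a complete, browser-consistent header set per request, and a detector that compares the exact case, presence and order of the header names against the profile of the browser the User-Agent claims. The browser header profiles, User-Agent strings and scripting-library defaults are constructed approximations (assumptions for illustration), not captured traffic.

```python
from itertools import cycle

# Constructed header profiles (assumptions, not captured traffic): ordered
# (name, value) pairs approximating what each browser sends on an HTTP/1.1
# navigation, including header name case and order.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"

BROWSER_PROFILES = {
    "chrome": [
        ("Connection", "keep-alive"),
        ("Upgrade-Insecure-Requests", "1"),
        ("User-Agent", CHROME_UA),
        ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
        ("Accept-Encoding", "gzip, deflate, br"),
        ("Accept-Language", "en-US,en;q=0.9"),
    ],
    "firefox": [
        ("User-Agent", FIREFOX_UA),
        ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
        ("Accept-Language", "en-US,en;q=0.5"),
        ("Accept-Encoding", "gzip, deflate, br"),
        ("Connection", "keep-alive"),
        ("Upgrade-Insecure-Requests", "1"),
    ],
}

# Constructed: the shape of a bare scripting library's default headers.
REQUESTS_DEFAULT = [
    ("User-Agent", "python-requests/2.22.0"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Accept", "*/*"),
    ("Connection", "keep-alive"),
]

# Constructed sloppy spoof: a Chrome User-Agent swapped in, but the library's
# lowercase names, order and header set kept.
SLOPPY_SPOOF = [
    ("user-agent", CHROME_UA),
    ("accept-encoding", "gzip, deflate"),
    ("accept", "*/*"),
    ("connection", "keep-alive"),
]


def header_rotator(profiles=BROWSER_PROFILES):
    """Attacker side: yield one complete, browser-consistent header list per
    request, cycling through the profiles so consecutive requests differ."""
    for name in cycle(profiles):
        yield list(profiles[name])


def claimed_browser(headers):
    """Which browser the User-Agent claims to be, or None for an unknown client."""
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua:
        return "chrome"
    return None


def inspect_headers(headers):
    """Defender side: compare the shape of the header names (exact case,
    presence, order) with the profile of the claimed browser.
    Returns a list of findings; an empty list means the shape is consistent."""
    findings = []
    browser = claimed_browser(headers)
    if browser is None:
        return ["user-agent does not claim a known browser"]
    expected = [n for n, _ in BROWSER_PROFILES[browser]]
    sent = [n for n, _ in headers]
    expected_lower = {e.lower(): e for e in expected}
    sent_lower = {s.lower() for s in sent}
    # 1. exact-case check: a name that only matches case-insensitively was not
    #    produced by that browser's HTTP stack
    for name in sent:
        canonical = expected_lower.get(name.lower())
        if canonical is not None and canonical != name:
            findings.append(f"case mismatch: sent {name!r}, {browser} sends {canonical!r}")
    # 2. presence check: headers the browser always sends but the client omitted
    missing = [e for e in expected if e.lower() not in sent_lower]
    if missing:
        findings.append(f"missing headers {browser} always sends: {missing}")
    # 3. order check over the headers both sides have, compared case-insensitively
    sent_order = [s.lower() for s in sent if s.lower() in expected_lower]
    expected_order = [e.lower() for e in expected if e.lower() in sent_lower]
    if sent_order != expected_order:
        findings.append(f"header order differs from {browser}")
    return findings


def demo():
    """Run the detector over a bare script, a sloppy spoof and two rotated requests."""
    rotator = header_rotator()
    return {
        "bare_script": inspect_headers(REQUESTS_DEFAULT),
        "sloppy_spoof": inspect_headers(SLOPPY_SPOOF),
        "rotated_1": inspect_headers(next(rotator)),
        "rotated_2": inspect_headers(next(rotator)),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "consistent with claimed browser")
```

The bare library and the sloppy spoof are both flagged, while every request the rotator emits passes, which is the speaker's point: header inspection is the archaic layer, and a script that sends a coherent browser profile walks straight through it, so a defender has to move on to the client-environment checks the talk covers. One caveat for anyone porting the detector: HTTP/2 lowercases all header names on the wire, so the case check only carries signal on HTTP/1.1 connections; presence and order checks still apply to both.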


Who are you targeting in this talk?


The target audience for this is interestingly diverse. The obvious first answer is your penetration testers, people who perform security testing to make sure that your defenses are in fact up to snuff. But there's a secondary audience here that I've discovered, which I colloquially refer to as corporate espionage, but there are a lot of legitimate uses for this. It's people who write scripts which attempt to, let's say, scrape data from other sources. There are a lot of companies out there that like to keep an eye on competitors' pricing, and they task internal developers with writing scripts to be able to do that. Say, if you work for hotel chain A and you want to keep an eye on what hotel chains B and C are doing as far as pricing goes, to have a human being go and check that every four hours when the prices change is ridiculous. So of course you're going to script that. But hotel chains B and C are going to be using automation defense technologies to prevent you from doing that. So we're showing you ways of getting around that, so you can literally just do the job you were tasked with. That's just one example for this.


What do you want someone to leave the talk with?


I want them to leave the talk with actionable information they can take to work on Monday when they get back, and be able to pull open their code and start adding the things that I discussed right into their script, because it's going to be very direct information. It's not going to be philosophies that they're going to have to go back and think about, and look at their code and go, what would I do in this case? It's going to be very concise, direct, actionable information that they can take to work, and that's what I always try to do with my presentations.


What technologies do you want to use: Python, JavaScript, Puppeteer?


You just listed all three.

Speaker: Johnny Xmas

Blade Runner & Director of Field Engineering (NA / EU) @kasada_io

Johnny Xmas is a prominent personality in the Information Security community, most well-known for his work on the TSA Master Key leaks between 2014 and 2018. Currently working with the Australian firm Kasada to defend against the automated abuse of web infrastructure, he was previously the lead consultant on Uptake's Industrial Cybersecurity Platform. Prior to this, he spent many years in the field as a penetration tester, focusing heavily on both the IT and physical security of financial and medical facilities, as a security engineer for a global Fortune 500 retail corporation, and as a mainframe auditor and systems engineer for several IT asset recovery firms.
