{"id":20976,"date":"2021-04-11T16:21:18","date_gmt":"2021-04-11T10:51:18","guid":{"rendered":"https:\/\/valeurbit.com\/blog\/?p=20976"},"modified":"2021-04-11T16:21:20","modified_gmt":"2021-04-11T10:51:20","slug":"how-to-bypass-bitrix-waf-web-application-firewall","status":"publish","type":"post","link":"https:\/\/valeurbit.com\/blog\/how-to-bypass-bitrix-waf-web-application-firewall\/","title":{"rendered":"How to bypass Bitrix WAF (Web Application Firewall)"},
"content":{"rendered":"\n<p>With reflected XSS it sometimes happens that a parameter lands directly inside the body of a script tag. Exploitation is then usually trivial: encoded parentheses do not get in the way, and many firewalls do not interfere either, including the now defunct Chrome XSS Auditor. For this case, however, CMS Bitrix has its own built-in proactive filter (WAF) whose XSS protection works on the same principle as the XSS Auditor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>WAF bypass<\/strong><\/h2>\n\n\n\n<p>When fuzzing the Mail.ru service as part of the Bug Bounty, I encountered an entry point where the GET parameter fell into the body of the <em>&lt;script&gt; &#8230; &lt;\/script&gt;<\/em> tag. But it was not possible to make a simple PoC, since the application was built using Bitrix, and the WAF module was activated.<\/p>\n\n\n\n<p>Any attempt to insert some interesting code ended with the entire script being replaced by the stub <em>&lt;!-- deleted by Bitrix WAF --&gt;<\/em>.<\/p>\n\n\n\n<p>It turned out that to neutralize this protection it is enough to pass a <em>null byte<\/em> (%00) in the vulnerable parameter.<\/p>\n\n\n\n<p>For demonstration, we will deploy a test application on CMS Bitrix with the WAF module activated and add the following code to one of the pages (\/waf-bypass.php):<\/p>\n\n\n\n<p>If you pass a quote (closing the string) and a call to <em>alert<\/em> (or any other function) in the vulnerable <em>page<\/em> parameter, the WAF cuts out the entire script:<\/p>\n\n\n\n<p>During fuzzing it turned out that the protection is very easy to bypass: put a null byte (<em>%00<\/em>) before the closing quotation mark and the WAF lets the code through.<\/p>\n\n\n\n<p>Altogether this gives a complete exploitation vector:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/waf-bypass.php?page=BYPASS%00&quot;)});alert(1);$(document).ready(function%20(){%2f%2f<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Cause<\/strong><\/h2>\n\n\n\n<p>The error lies in the post-filtering module for XSS protection. The module works similarly to the XSS Auditor: it tries to find script tags in the body of the page whose active content was passed in user parameters.<\/p>\n\n\n\n<p>At the same time, for some reason, the zero byte is cut out of the parameter values, so in our case the comparison of the page body with the parameters finds no occurrence (after all, \\x00 is present in the body but not in the parameters).<\/p>\n\n\n\n<p>The vulnerable line is in <em>.\/bitrix\/modules\/security\/classes\/general\/post_filter.php<\/em>, where the <em>chr(0)<\/em> null byte is stripped in the <em>addVariable<\/em> method:<\/p>\n\n\n\n<p>The search for user data in the script body itself happens in the <em>isDangerBody<\/em> function, and it is here that the untouched $body value and the array of parameters, from which the zero byte has been stripped, are passed to the <em>findInArray<\/em> function:<\/p>\n\n\n\n<p>Remember that WAFs can almost always be bypassed and may contain bugs of their own. Do not rely on firewalls alone: build a secure development process and conduct application penetration tests regularly.<\/p>\n\n\n\n<p>In this particular case, the error in the WAF itself can be fixed by removing the str_replace call from the addVariable function. At the same time, it is worth adding a check for the presence of a zero byte in the content, since the Bitrix developers presumably added that str_replace call for a reason.<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[]}