exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Fortinet FortiWeb WAF Policy Bypass

Fortinet FortiWeb WAF Policy Bypass
Posted May 3, 2012
Authored by Geffrey Velasquez

Fortinet FortiWeb Web Application Firewall suffers from a policy bypass vulnerability.

tags | exploit, web, bypass
SHA-256 | 60186187c821f558019ba5b5ceedf1e0f5b2e5baf6fe5eec6c095e67cd012577

Fortinet FortiWeb WAF Policy Bypass

Change Mirror Download
BINAR10 Report on Fortinet Fortiweb Findings 02/05/2012
- Fortinet FortiWeb Web Application Firewall Policy Bypass -
============================================================

1) Affected Product

Fabricant: Fortinet

Product name: FortiWeb

Version: Latest update to Tue, 2 May 2012

Type: Web Application Firewall

Product URL:
http://www.fortinet.com/products/fortiweb/index.html

2) Description of the Findings

BINAR10 has found a policy bypass occurrence when large size data is sent in
POST (data) or GET request.

3) Technical Details

3.1. POST Request Example

When is appended to a POST request any padding data that surpasses 2399 bytes,
the WAF do not inspect the data sent and the request hits directly the
application. This should occur when the product is not configured to block
malformed requests, but this feature also check the POST size limit, blocking
the request if it surpass a fixed limit, therefore is likely that is being
disabled due to application requirements in medium size forms.
The response is also not verified by the WAF and information disclosure occurs
with details of the infrastructure.
This bypass could be used to inject different types of vectors, as is shown in
the example only is needed to append a new variable at the end of the POST
data filled with arbitrary data that exceeds 2399 bytes.

---POST example
POST /<path>/login-app.aspx HTTP/1.1
Host: <host>
User-Agent: <any valid user agent string>
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: <the content length must be at least 2399 bytes>

var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>

3.2. GET Requests

The same issue with POST Request but it could be done through the sending
arbitrary data at the end of the URL.

--GET example
http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>

4. Validation Required
It requires the validation of other researchers who have access to product.

5. Time Table
04/27/2012 - Vendor notified.
04/27/2012 - Vendor response, requiring some tests.
05/02/2012 - Vendor indicates that this is a configuration problem and not
a product vulnerability.

6. Credits
Geffrey Velasquez <geffrey at gmail.com> at BINAR10 S.A.C.
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close