Imunify360 evasion techniques


fmiller86


I’ve been hired by a company to pentest one of their websites. They are doing this for compliance reasons and not really because they want their website to be as secure as possible... Thing is, I don’t actually have that much experience when it comes to firewall evasion. They preferred not whitelisting my IP even though we recommended the opposite to get a clearer picture of the website's vulnerabilities (and not the efficiency of the WAF). So I was wondering if anyone could help when it comes to evading Imunify360. I’ve already thought about flipping my IP with Tor, but it will really slow down the pentest considerably and I only have 3 days to complete it.

I'm pretty new to pentesting so any help would be really appreciated :)

PS: I've already tried to upload files larger than 10MB to bypass the default "max_cloudscan_size_to_scan" but the website already limits files to max 4MB.

If they don't really care then just throw a bunch of automated stuff at it, do whatever manual stuff you can, but then make sure you stress in the report that the WAF was in place for all of the test, so you can't guarantee the results.

If a client can't be bothered then I'm not going to put any more effort in than I need to and I'll make sure I cover my arse in the report.


Yeah, I get it, that’s fair, and honestly I pretty much felt the same way when I realized what the point of this pentest was. But the truth is that I've only started pentesting recently and I thought I could at least use this as a learning experience. Might be a bit overextending myself, but I'll never go beyond junior pentesting if I don't challenge myself.

So I get it if you don’t feel like giving your time to companies that care more about checking boxes than being secure, but if you can help a new guy out, it’d be really appreciated. Even if it's just pointing me to resources you’ve used in the past that helped you up your skills, or links you think would be relevant to what I'm facing right now 😊

I don't know anything about that specific WAF so can't tell you anything definite, but what I would do would be to find a page that has some inputs and that blocks your attacks. You then play with different encodings to work out what is triggering it and what is allowed through. Once you've worked that out, you then have to try to use what you've found to get useful strings through.

To be honest though, if you are a beginner and they are an established WAF, I don't give you much chance of finding anything. All the low-hanging bypasses will have been picked off a long time ago. The things that are likely to be left are things like CVE-2023-3824, which was used against LockBit. I know that isn't a WAF bypass, but it uses the same techniques: encoding things in odd ways so one system sees them one way and the other system a different way.

There is a really good write-up for that vulnerability, but I can't find it at the moment; if I find it I'll try to remember to post it.


What you'd be better looking for is business logic flaws. Things like missing authentication or authorisation checks and direct object reference issues. A WAF can't spot those so won't be able to block them.

On any modern site they also tend to be much more common than traditional SQLi or XSS issues because the frameworks help protect the developer against those.
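To make the point about authorization flaws concrete, here is an added example (not code from this thread, from Imunify360, or from the site being tested) of a hypothetical invoice handler with an insecure direct object reference next to the same handler with an object-level ownership check. The invoice store, the user ids and the handler names are all constructed for the example. The interesting part for the discussion above is that both requests reaching these handlers are plain `GET /invoices/<id>` calls with a numeric id: nothing in the request looks malicious, so a WAF has nothing to match on, and only the application's own check can stop it.

```python
"""Insecure direct object reference (IDOR) beside its fix.

Hypothetical, constructed example: the invoice store and both handlers
stand in for a real web app's data layer and route handlers.
"""
from dataclasses import dataclass
from typing import Callable, Dict


class NotFound(Exception):
    """The requested record does not exist."""


class Forbidden(Exception):
    """The caller is authenticated but may not access this record."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: two customers (user 7 and user 8), one invoice each.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(invoice_id=1001, owner_id=7, amount_cents=12_500),
    1002: Invoice(invoice_id=1002, owner_id=8, amount_cents=98_000),
}


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable handler: it trusts the id taken from the URL and never asks
    who owns the record. Any logged-in user can read any invoice by changing
    the number. The request itself is an ordinary GET, so a WAF sees nothing
    unusual; current_user_id is accepted but never consulted."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Fixed handler: look the record up, then enforce ownership before
    returning anything. The authorization decision is made on the server
    side from the session's user id, not from anything the client sent."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    if invoice.owner_id != current_user_id:
        raise Forbidden(invoice_id)
    return invoice


def outcome(handler: Callable[[int, int], Invoice],
            current_user_id: int, invoice_id: int) -> str:
    """Run a handler and reduce the result to a short label, so the two
    versions can be compared side by side without try/except noise."""
    try:
        invoice = handler(current_user_id, invoice_id)
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"
    return f"ok:owner={invoice.owner_id}"


if __name__ == "__main__":
    # User 7 asks for their own invoice, then for user 8's invoice.
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("secure", get_invoice_secure)):
        print(name, "own:", outcome(handler, 7, 1001),
              "other:", outcome(handler, 7, 1002))
```

In the vulnerable version user 7 gets `ok:owner=8` back for invoice 1002; in the fixed version the same request yields `forbidden`. A common production refinement is to answer both the missing and the not-yours case with the same 404 so that a caller cannot learn which ids exist; the example keeps them distinct only so the two failure modes are visible.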


Thank you so much!

I will absolutely look all this over tomorrow so that I can feel ready to continue the pentest Monday. I'll keep your advice in mind and try to tackle this from a different angle.

God bless!