Models
Let's examine the scenario in which we have two saved learned WAF models, or two known WAF filters, and we want to either merge them or compare them for differences.
For instance, we may have a WAF ruleset from PHPIDS and a similar WAF ruleset from MODSECURITY, and we may want to compare them in order to find which inputs one blocks and the other doesn't. Since this is not a blackbox pentest and we do have the rulesets, we can compare them directly using automata operations.
Using the "modules" command in lightbulb we can see the "models_op" module, which performs such operations.
(lightbulb) modules
Avaliable Modules:
+----------------------+-----------------------------------------------------------------------------------------+
| Name                 | Value                                                                                   |
+----------------------+-----------------------------------------------------------------------------------------+
| difftest_browser_waf | Generates a large number of mutations in an input string and tests browser and WAF      |
| distinguish_waf      | Identifies a WAF filter using a distinguish tree                                        |
| gen_waf_tree         | Generates a distinguish tree for a list of WAF filters                                  |
| models_op            | Perform automata operations on learned models or flex files                             |
| test_browser         | Learns a Browser parser using a file containing regular expressions or grammar as input |
| verify_waf_tree      | Verifies a distinguish tree for a list of WAF filters                                   |
+----------------------+-----------------------------------------------------------------------------------------+
First, enter the module using the "use" command and list the available parameters using the "options" command:
(lightbulb) use models_op as letsdiff
models_op letsdiff
Entering module models_op
(lightbulb) options
+-------------+--------+----------+-----------------------------------------------------------------+
| Name        | Value  | Required | Description                                                     |
+-------------+--------+----------+-----------------------------------------------------------------+
| FILE_A      | None   | True     | Model A                                                         |
| FILE_TYPE_A | FST    | True     | Possible values: FST, FLEX                                      |
| FILE_B      | None   | False    | Model B                                                         |
| FILE_TYPE_B | FST    | False    | Possible values: FST, FLEX                                      |
| OPERATION   | None   | False    | Possible values: INTERSECT, UNION, DIFFERENCE, COMPLEMENT, None |
| ALPHABET    | 10-126 | False    | File containing the alphabet                                    |
| RESULT      | None   | False    | Possible values: STRING, REGEX, or a file path to save model    |
+-------------+--------+----------+-----------------------------------------------------------------+
Now define the two input rulesets that you want to compare (both are FLEX rule files here, so FILE_TYPE_A and FILE_TYPE_B should be set to FLEX rather than the default FST):
define FILE_A {library}/regex/PHPIDS070/12.y
define FILE_B {library}/regex/SOMEOTHERWAF/test.y
Then define the operation:
define OPERATION DIFFERENCE
Finally define the output. A file path saves the resulting model; RESULT can instead be set to STRING or REGEX to print a witness string or a regular expression for the result:
define RESULT /tmp/lala.y
And start the execution:
start letsdiff
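The operations models_op applies are the standard product constructions on deterministic automata. The following is an added Python example, not LightBulb's own code (LightBulb reads learned FST models or FLEX .y rulesets; this builds its own toy filters from constructed substring signatures). It runs INTERSECT, UNION, DIFFERENCE and COMPLEMENT over two such filters and asks each result for its shortest accepted string, so the DIFFERENCE witnesses are exactly the "inputs one filter blocks and the other doesn't" described above. FILTER_A, FILTER_B, their signatures and the 32-126 alphabet are assumptions chosen for illustration.

```python
"""Added example (not LightBulb's code): DFA product operations of the kind
models_op performs, over two constructed 'WAF filters'.  Each filter blocks
any input containing one of its signature substrings.  The signatures, the
filters and the alphabet below are assumptions made for this illustration."""
from collections import deque
from typing import Callable, Dict, Hashable, Set, Tuple

# Printable ASCII; the page's default ALPHABET is 10-126, narrowed here for brevity.
ALPHABET = [chr(c) for c in range(32, 127)]


class Dfa:
    """Complete DFA: every state has a transition on every alphabet symbol."""

    def __init__(self, start: Hashable, accept: Set[Hashable],
                 delta: Dict[Tuple[Hashable, str], Hashable]):
        self.start, self.accept, self.delta = start, accept, delta

    def step(self, state: Hashable, sym: str) -> Hashable:
        return self.delta[(state, sym)]

    def accepts(self, s: str) -> bool:
        q = self.start
        for ch in s:
            q = self.step(q, ch)
        return q in self.accept

    def shortest_witness(self):
        """BFS for the shortest accepted string; None if the language is empty."""
        seen, queue = {self.start}, deque([(self.start, "")])
        while queue:
            q, path = queue.popleft()
            if q in self.accept:
                return path
            for ch in ALPHABET:
                nxt = self.step(q, ch)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + ch))
        return None


def contains(word: str) -> Dfa:
    """DFA accepting every string containing `word` (KMP-style matcher).
    State q = number of characters of `word` matched so far; state len(word)
    is absorbing, so once a signature has been seen the input stays blocked."""
    n, delta = len(word), {}
    for q in range(n + 1):
        for ch in ALPHABET:
            if q == n:
                delta[(q, ch)] = n
                continue
            seen = word[:q] + ch
            k = min(q + 1, n)  # longest prefix of word that is a suffix of `seen`
            while k > 0 and not seen.endswith(word[:k]):
                k -= 1
            delta[(q, ch)] = k
    return Dfa(0, {n}, delta)


def product(a: Dfa, b: Dfa, keep: Callable[[bool, bool], bool]) -> Dfa:
    """Lazy product construction: only states reachable from (a.start, b.start)
    are materialised; `keep` decides acceptance from the two components."""
    start = (a.start, b.start)
    delta, accept, seen, todo = {}, set(), {start}, [start]
    while todo:
        p, q = todo.pop()
        if keep(p in a.accept, q in b.accept):
            accept.add((p, q))
        for ch in ALPHABET:
            nxt = (a.step(p, ch), b.step(q, ch))
            delta[((p, q), ch)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return Dfa(start, accept, delta)


def intersect(a: Dfa, b: Dfa) -> Dfa:  # blocked by both
    return product(a, b, lambda x, y: x and y)

def union(a: Dfa, b: Dfa) -> Dfa:  # blocked by either (merging two rulesets)
    return product(a, b, lambda x, y: x or y)

def difference(a: Dfa, b: Dfa) -> Dfa:  # blocked by A but let through by B
    return product(a, b, lambda x, y: x and not y)

def complement(a: Dfa) -> Dfa:  # everything A lets through
    states = {s for (s, _) in a.delta}
    return Dfa(a.start, states - a.accept, a.delta)


def signature_filter(signatures) -> Dfa:
    """A filter that blocks any input containing at least one signature."""
    dfa = contains(signatures[0])
    for sig in signatures[1:]:
        dfa = union(dfa, contains(sig))
    return dfa


# Constructed toy rulesets standing in for two real WAF filters.
FILTER_A = signature_filter(["<script", "onerror="])
FILTER_B = signature_filter(["<script", "javascript:"])


def compare(a: Dfa, b: Dfa):
    """Shortest input blocked by A but not B, and by B but not A (None if none)."""
    return difference(a, b).shortest_witness(), difference(b, a).shortest_witness()


if __name__ == "__main__":
    only_a, only_b = compare(FILTER_A, FILTER_B)
    print("blocked only by A:", repr(only_a))
    print("blocked only by B:", repr(only_b))
```

The DIFFERENCE direction matters: A minus B reports what A blocks and B misses, while B minus A reports the reverse, so a ruleset comparison normally runs both. RESULT set to STRING in models_op corresponds to the `shortest_witness` query here; saving the model instead keeps the whole automaton for further operations.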