Hello Ken,
Thank you for the details. If the request is not getting modified by the browser then it should block. I quickly tested in my lab by sending the same request, and it's getting blocked by the WAF.

It is better to take a pcap (trace) on the WAF on the incoming interface while performing the test and check the HTTP request; that will be clearer.
------------------------------
Syed Noor Fazal
Product Support Engineer
------------------------------
Original Message:
Sent: 10-18-2022 06:06
From: Ken Chau
Subject: Directory traversal attempts not blocked
Hi Syed,
Thanks for your reply.
Our server group is in active mode and it is blocking other malicious traffic. We found the attack string in the URI from the web server access log, so they should not be altered by the browser. Specifically for the previously attached request traffic, the attacker was using an OpenVAS Scanner 9 user agent to send out the request. We just wonder why these are not blocked.
------------------------------
Ken Chau
IT Manager
Original Message:
Sent: 10-18-2022 05:38
From: Syed Noor Fazal
Subject: Directory traversal attempts not blocked
Hello Ken,
Thank you for your post. I hope the service group is in active mode for blocking. Second, in some cases Directory Traversal attacks are not blocked.

If this HTTP GET request is sent from a non-browser application, and the URL string is not altered, then the WAF triggers an Alert.
Similar attacks which are blocked
When the attacker sends a URI-encoded directory traversal such as http://my.website.com/..%2f, the browser doesn't convert it and the Web server receives the attack. In this case, the WAF decodes the request and triggers the URL Traversal policies. This specific example triggers the alert: URL is Above Root Directory.
------------------------------
Syed Noor Fazal
Product Support Engineer
Original Message:
Sent: 10-18-2022 02:59
From: Ken Chau
Subject: Directory traversal attempts not blocked
Dear all,
Recently we found from our web server access log that the attached directory traversal attempts had not been blocked by the WAF.
Our WAF gateway is deployed in bridge mode and we see a "Connections using unsupported ciphers" error in the Setup > Gateways screen. However, we are not able to find SSL Untraceable Connection alert(s) at the time stamps when the directory traversal requests were being sent to the web server. So, I'm not sure if the attempts not being blocked is really due to the unsupported cipher issue. Any advice or suggestion?
Thank you.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Ken Chau
IT Manager
------------------------------
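
The check discussed in this thread (decode the request URI, then test whether the path climbs above the root directory) can be reproduced against a web server access log to list the requests that reached the server. The following is an added example, not part of the thread and not the WAF vendor's code; the log lines are constructed, the function names are hypothetical, and the repeated decoding of double-encoded input is this example's own choice rather than documented WAF behaviour.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2022:02:41:10 +0000] "GET /..%2f..%2fetc/passwd HTTP/1.1" 200 512 "-" "scanner"',
    '203.0.113.7 - - [18/Oct/2022:02:41:11 +0000] "GET /app/%252e%252e/%252e%252e/%252e%252e/x HTTP/1.1" 404 0 "-" "scanner"',
    '198.51.100.4 - - [18/Oct/2022:02:42:00 +0000] "GET /docs/../index.html?q=..%2f HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Oct/2022:02:42:05 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so double encoding (%252e) is also unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def climbs_above_root(raw_target):
    """True if the decoded path walks above "/" at any point."""
    # Only the path is checked; the query string is dropped before decoding.
    path = fully_decode(raw_target.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:
            return True
    return False

def flag_traversal(lines):
    """Return the raw request targets that climb above the root directory."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and climbs_above_root(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for target in flag_traversal(SAMPLE_LOG):
        print("above root:", target)
```

Comparing the timestamps of flagged lines with the WAF's alert log shows which requests passed the gateway without an alert.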