How the hacking community cracked Imperva's anti-bot solution

On the modern web, it's no surprise that your app can be the target of many different types of visitors, and of course not all of them are humans. There are many automated kinds out there: from benign search-engine bots to malicious ones such as scrapers, scanners, and credential-stuffing tools. To protect applications from malicious bots, anti-bot solutions come into play, and one of the most popular is the Imperva Incapsula Advanced Bot Protection solution. Imperva offers several methods, such as the cookie challenge or its variant, the JavaScript cookie challenge, to protect applications from bots that don't execute JavaScript or can't process cookies.

What is the Incapsula Crackers Project?

But there is always a big and popular question: how to get around this? Bot creators and anyone trying to run a bot are always playing cat and mouse with anti-bot solutions. Several projects set out to answer this question in general; one of the oldest is incapsula-cracker (https://github.com/ziplokk1/incapsula-cracker-py3).

At the moment incapsula-cracker is deprecated and can't keep up with all the changes in the solution, but the idea behind it and the way it works around the protection are really interesting and still the same, so it is worth looking at. In short, incapsula-cracker attempts to re-implement some of the client-side JavaScript logic provided by Incapsula's anti-bot solution, but in Python instead of a browser. For example, incapsula-cracker spoofs all the browser checks by re-implementing the JavaScript function on the Python side: it sends all the browser flags (such as "navigator.webdriver", which acts as a bot flag, or browser-specific flags like "chrome", "opera", "yandex", etc.) manually, which makes it hard for Incapsula to tell whether they were produced by a browser or by some other means. So it's easy for the cracker to pass the browser check, even though it looks really complicated. The cracker also collects all the necessary parameters and JavaScript variables from the served scripts, just to compute them and hand them over in the same way as the browser flags.


Basically the cracker can use a regular expression to pull each value out of the script and then compute it on the Python side as well. So here we have a complete re-implementation of the logic that can be handled on the client side without a browser or JavaScript engine. What's more interesting is that the community around these projects is really passionate about how to solve the problems; their discussions and thoughts on "how to solve it better" can be seen in the issues, with many technical details: https://github.com/ziplokk1/incapsula-cracker-py3/issues/4 https://github.com/ziplokk1/incapsula-cracker-py3/issues/23
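The cracker described above succeeds because it hands the anti-bot endpoint a flag set of its own making. The defender's counterpart is to check that the claimed flags are consistent with each other and with the rest of the request. The following is an added illustration from the detection side, not code from incapsula-cracker or from Imperva; the flag names, the vendor-to-User-Agent mapping and the sample submissions are all constructed assumptions.

```python
import re

# Constructed sample browser-check submissions (not captured from any real deployment).
# Each is what a client would post to a hypothetical check endpoint: the User-Agent
# header it sent plus the flags its client-side script claims to have collected.
SAMPLES = {
    "real_chrome": {
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36",
        "flags": {"webdriver": False, "chrome": True, "opera": False, "yandex": False},
    },
    "spoofed_flags": {  # hand-built flag set claims Opera and Yandex, UA says plain Chrome
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36",
        "flags": {"webdriver": False, "chrome": True, "opera": True, "yandex": True},
    },
    "automation": {  # webdriver flag left at its honest value by an automation framework
        "ua": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0 Safari/537.36",
        "flags": {"webdriver": True, "chrome": True, "opera": False, "yandex": False},
    },
    "missing_field": {  # script only partially re-implemented: fields never collected
        "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0 Safari/537.36",
        "flags": {"chrome": True},
    },
}

# Hypothetical mapping: a claimed vendor flag must be accompanied by this UA token.
VENDOR_UA_TOKENS = {"chrome": r"Chrome/", "opera": r"OPR/", "yandex": r"YaBrowser/"}
REQUIRED = ("webdriver", "chrome", "opera", "yandex")


def check_submission(sub):
    """Return the reasons a submission looks scripted; an empty list means consistent."""
    reasons = []
    flags = sub.get("flags", {})
    ua = sub.get("ua", "")
    missing = [k for k in REQUIRED if k not in flags]
    if missing:
        reasons.append("missing flags: " + ", ".join(missing))
    if flags.get("webdriver"):
        reasons.append("navigator.webdriver is true (automation framework present)")
    if "HeadlessChrome" in ua:
        reasons.append("headless browser User-Agent")
    for vendor, token in VENDOR_UA_TOKENS.items():
        claimed = bool(flags.get(vendor))
        if claimed != (re.search(token, ua) is not None):
            reasons.append(f"flag {vendor}={claimed} contradicts User-Agent")
    return reasons


def triage(samples=SAMPLES):
    """Map each sample name to True when it should be challenged or blocked."""
    return {name: bool(check_submission(sub)) for name, sub in samples.items()}
```

Such consistency checks are only one cheap signal; a cracker that copies a real browser's complete flag set passes them, which is why the page's point about obfuscation being an "extra step" rather than a silver bullet applies here too.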

It's worth noting that although all the served JavaScript is obfuscated or packed, unpacking and deobfuscating it is no big deal; it's just a matter of time (and sometimes of the size of the community and the number of people interested). So obfuscation is by no means a silver bullet in terms of protecting the logic, but it can be an "extra step on the way to the solution" for the bot creator.

The other incapsula-bypass community project

Another bypass example is provided by the Incapsula-Bypass project (https://github.com/Imbuedhush/Incapsula-Bypass), which uses an additional local JavaScript server so that parts of the served scripts can be executed more naturally. But the idea is still the same: collect some scripts and values from Incapsula's response, send them to our evaluation helper to solve and create the required cookie, and after that we're all set up and ready to send the original request.

How many times was Imperva's defense bypassed in 2020-21?

Bot makers bypassed Imperva a total of 30 times in 2020-21.

Regular expressions, cross-site scripting (XSS), i.e. JavaScript injection, SQL injection (SQLi), and remote code execution were the most common methods used in these attacks. Let's look at some examples of successful attacks that could bypass Imperva's defenses.

In March 2021, 0xInfection used an XSS payload that bypassed Imperva's defenses and worked very well against its security.

Dawood Iklaq found a way to bypass Imperva's security measures and use the "sleep" keyword (which the application otherwise blocks). SQL injection of the following string helped it succeed: `sle%p('0x12'+1) => sleep('0x12' + 1)`

Spyerror, another cybersecurity enthusiast and full-stack developer, launched an XSS attack to bypass Imperva with the following code:

A web application security researcher with the username BoOoM tested an SQL injection bypass of the Incapsula WAF by uploading a web shell and was able to bypass the security implementation.

The code used during this bypass is: `' IN OUTFILE '/var/www/html/x.php ' FIELDS ENDING WITH '`

What drives the community?

What's more interesting here is the general motivation and community interest in breaking this. It's not about Imperva at all, it's about the process. Many discussions about a re-implementation can be seen in the issues, and many improvements or alternative solutions have been suggested by the community. Even now, when some solutions no longer work or are not updated, you can still see that the interest has not waned. But for now, unfortunately, it's becoming more commercial and less open source than before: solutions with improvements and fixes can now be found on marketplaces (e.g. https://bhf.im/threads/609788/).

Basically, some of them are modified versions of the original GitHub open source solutions, but with some new features and additions.

Conclusion

In conclusion, it must be said that this type of challenge is present in most anti-bot solutions; the only difference is the answer to the question: "How complicated and difficult would it be to bypass it?"