Forem: Michael Buckbee

One simple trick to stop bots

Michael Buckbee — Tue, 31 Oct 2023 13:08:32 +0000

What’s even more suspicious than detecting a bot user agent?

No user agent.

Vulnerability-scanning scripts will suppress passing the user agent to sneak past filters. Requiring a UA is an easy way to keep some malicious bots out of your system.

Poll Results

Michael Buckbee — Thu, 26 Oct 2023 13:13:50 +0000

“Devs should stop being lazy and taking security for granted” is a response I’ve seen a couple times to the poll we ran earlier (screenshot).

The problem is that those people don’t realize just how weirdly tricky it is to:

See what IPs are making requests and how many
Block obviously bad IPs and bot
Rate limit requests

Frameworks don’t ship with these tools, the organizations that do have them have cobbled them together by pumping logs into ElasticSearch and some handwritten reports, but they aren’t available to most of the team, etc.

All problems we’re trying to change with Wafris as we make it dead easy to put a WAF in every web app.

Botnets are equal opportunity attackers

Michael Buckbee — Mon, 23 Oct 2023 13:12:20 +0000

🤖 It’s an easy mistake to dismiss bots as “dumb” because they’re probing for some technology you don’t use and would never be on your site.

🛡 But they’re equal-opportunity attackers; here’s a bot we identified with Wafris that was probing for:

YII PHP Web Framework admin
VS Code FTP Credentials
Microsoft Exchange Backups
Git Credentials
Python Drupal Configs
Mac .DS_Store files
Laravel Telescope requests viewer

🕵‍♂️ Botnets are often rented out or repurposed for other attacks. Blocking their IPs or networks is a way to cut them off at the knees.

Are Apple App Association Files Risky?

Michael Buckbee — Fri, 20 Oct 2023 11:56:57 +0000

How do attackers choose which sites to hit?

They typically don’t. They use automated scanning tools to rip through a giant list of domains and do “subdomain enumeration” to find your servers and launch attacks against them.

One way they do this is to look for Apple App Association files, which are files. Hosted on your website that indicates where/how deep linking into iOS apps is allowed or should happen.

We found this in a Wafris report as the business operated only in the midwest but was repeatedly scanned by a 🇳🇱 Dutch server.

Can you tell what this bot is doing?

Michael Buckbee — Thu, 19 Oct 2023 13:08:37 +0000

Look at the timing, IPs, and paths in the above list of web requests to this site (domain changed for privacy).

Answer: it’s a bot using 🇨🇳 Chinese proxy servers, probing for compressed, manually backed-up copies of the site that are kept on the server.

Backups that might have API keys, ENV files, or other high-value targets.

We discovered this with Wafris, as the site doesn’t have an API, so the User-Agent was unusual.

Risky Click Text Editor Edition

Michael Buckbee — Tue, 17 Oct 2023 16:39:37 +0000

🔍 Is this risky? Most devs are great at knowing what parts of their apps are easier or harder to implement but don’t have a great sense of which are more or less of a security risk.

✏️ Embedded document editing is surprisingly risky. A good example is the UEditor JS, which was shipped with multiple Java and .NET CMS projects, had over 6k stars on GitHub, and had a vulnerability that allowed for unrestricted file uploads to the server.

🛡️Web Application Firewalls are great at helping with issues like this via “virtual patching.”

There’s no actual underlying code fix for this
There’s a clear exploit pattern
You add a firewall rule like “Block Path: /Ueditor”
You’re “virtually patched”