WAF Bypass

Brief

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

It typically protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among others.

A WAF is a layer 7 (application layer, in the OSI model) defense and is not designed to defend against all types of attacks. This form of attack mitigation is usually one part of a suite of tools which together create a holistic defense against a range of attack vectors.

Popular WAF vendors

Identify the WAF

WAFs use standard ports: 80, 443, 8000, 8008, 8080, and 8088.

Bypass techniques

Case Toggling

Mix upper- and lower-case characters in a payload; a filter that matches a keyword in a fixed case misses it.

Examples

URL Encoding

  • Encode the payload, or parts of it, with percent (URL) encoding.

  • Burp Suite has an encoder/decoder tool for this.

Examples

Unicode

  • Representing ASCII characters in Unicode encoding yields many variants of the same payload that a WAF may not recognise.

  • Encode the entire payload or only part of it, depending on what gets results.

Examples

HTML Representation

  • Web applications encode special characters as HTML entities and render them accordingly.

  • Basic bypass cases use numeric and named (generic) HTML entity encoding.

Examples

Mixed Encoding

  • WAF rules often filter out only one specific type of encoding.

  • Such filters can be bypassed by mixing several encodings within one payload.

  • Newlines and tabs add further obfuscation.

Examples

Using comments

  • Comments obfuscate standard payload vectors.

  • Different payload types have different comment syntaxes, and therefore different ways of obfuscating.

Examples

Double Encoding

  • Web application firewall filters tend to encode characters to protect the web app.

  • Poorly developed filters (those that do not decode recursively) can be bypassed with double encoding.
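As an added defensive example (not from the original page), this Python normalizer shows why a rule engine must case-fold and decode URL encoding and HTML entities repeatedly before matching: a naive single-pass check misses the case toggling, HTML entity, mixed encoding and double encoding variants described above, while the normalized check catches all of them. The rule pattern, the round cap and the sample inputs are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed rule for this example: flag input that decodes to an opening
# <script tag, one of the XSS patterns a WAF signature typically carries.
RULE = re.compile(r"<script", re.IGNORECASE)

MAX_DECODE_ROUNDS = 5  # bound the loop so hostile input cannot spin it forever


def normalize(value: str) -> str:
    """Decode percent-encoding and HTML entities repeatedly until the string
    stops changing (or the round cap is hit), strip newline/tab padding and
    fold case, so toggling and layered encodings no longer hide a keyword."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    current = re.sub(r"[\r\n\t]", "", current)
    return current.lower()


def naive_match(value: str) -> bool:
    """What a weak filter does: one URL-decode pass, then a case-sensitive
    substring test. Misses case toggling, entities and double encoding."""
    return "<script" in unquote(value)


def normalized_match(value: str) -> bool:
    return RULE.search(normalize(value)) is not None


# Constructed sample inputs, one per technique described on this page.
SAMPLES = {
    "plain": "<script",
    "case_toggling": "<ScRiPt",
    "url_encoding": "%3Cscript",
    "double_encoding": "%253Cscript",
    "html_entity": "&lt;script",
    "mixed_encoding": "%26lt;scr%0Aipt",  # entity inside URL encoding, plus a newline
}


def compare() -> dict:
    """Return {sample name: (naive result, normalized result)} for every sample."""
    return {name: (naive_match(v), normalized_match(v)) for name, v in SAMPLES.items()}
```

Normalize only as deeply as the protected application itself decodes; decoding further than the backend does trades bypasses for false positives.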

Wildcard Obfuscation

  • Glob patterns (wildcards) are used by various command-line utilities to work with multiple files.

  • They can be used to obfuscate system commands.

Examples

Junk Characters

  • Simple payloads are easily filtered out by a WAF.

  • Adding some junk characters helps avoid detection (only in specific cases).

  • This technique often confuses regex-based firewalls.

Examples

More

More | WAF Bypass Techniques
PortSwigger | WAF Bypass with BApp
YesWeHack | WAF Bypass
