WAF Bypass
A WAF, or web application firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
A WAF is a layer 7 (application-layer, in the OSI model) defense and is not designed to defend against all types of attacks. This form of attack mitigation is usually one part of a suite of tools that together provide a holistic defense against a range of attack vectors.
WAFs commonly listen on the standard web ports: 80, 443, 8000, 8008, 8080, and 8088.
Mixing upper- and lower-case characters in a payload (case toggling) defeats case-sensitive signatures.
Encode the payload with percent (URL) encoding.
Burp Suite includes an encoder/decoder tool for this.
Representing ASCII characters in Unicode encodings gives further variants for bypassing a WAF.
Encode the entire payload, or only part of it, and compare the results.
Web applications decode HTML-encoded (entity) characters and render them accordingly.
Basic bypass cases use HTML encoding, both numeric and named entities.
Filter rules often handle only one specific type of encoding.
Such filters can be bypassed by mixing several encodings within one payload.
Newlines and tabs add further obfuscation.
Comments obfuscate standard payload vectors.
Different payload types are obfuscated in different ways.
WAF filters typically handle encoded characters to protect the web application.
Poorly developed filters (without recursive decoding) can be bypassed with double encoding.
Glob patterns (wildcards) are used by various command-line utilities to refer to multiple files at once.
They can also be used to disguise system commands.
Simple payloads are easily filtered out by a WAF.
Adding some junk characters helps avoid detection (only in specific cases).
This technique often confuses regex-based firewalls.
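The case-toggling, URL/HTML/Unicode/mixed/double-encoding, comment and whitespace techniques listed above all succeed against a filter that matches its signatures on the raw request. The following Python script is added here as an illustration and is not part of the original page: it shows the defender-side countermeasure, a bounded, recursive normalization pass (URL and HTML-entity decoding, Unicode NFKC folding, comment stripping, whitespace collapse, case folding) applied before any rule is matched, and compares the result with a naive single-pass filter. The two rules, the sample inputs and the function names (normalize, inspect, evaded_naive) are constructed for this example and are not a real WAF rule set.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Constructed example rules. A real WAF rule set is far larger; these two are
# enough to show the effect of normalizing before matching.
RULES = {
    "xss_script_tag": re.compile(r"<script\b"),
    "sqli_union_select": re.compile(r"\bunion\s+select\b"),
}

# Bound the decode loop so a hostile input cannot make the filter spin.
MAX_DECODE_ROUNDS = 5


def decode_recursively(value: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Undo layered URL (%xx) and HTML (&#60; &lt;) encoding until the value
    stops changing. A filter that decodes exactly once is what double encoding
    slips past; doing one URL-decode and one entity-decode per round also
    handles payloads that mix the two encodings."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Canonical form of a request parameter for signature matching."""
    value = decode_recursively(value)
    # Fold Unicode variants of ASCII (fullwidth forms, compatibility chars).
    value = unicodedata.normalize("NFKC", value)
    # Replace block comments used as filler with a single space so that
    # tokens they separated stay separated.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    # Collapse newlines, tabs and runs of whitespace to one space.
    value = re.sub(r"\s+", " ", value).strip()
    # Case-fold so ScRiPt, SCRIPT and script all hit the same rule.
    return value.casefold()


def inspect(raw: str) -> dict:
    """Which rules fire on the raw value (naive filter) versus the normalized
    value (hardened filter)."""
    norm = normalize(raw)
    return {
        "normalized": norm,
        "naive_hits": sorted(n for n, r in RULES.items() if r.search(raw)),
        "normalized_hits": sorted(n for n, r in RULES.items() if r.search(norm)),
    }


def evaded_naive(samples: list) -> list:
    """Samples that the naive filter misses but the normalized filter catches."""
    return [
        s for s in samples
        if not inspect(s)["naive_hits"] and inspect(s)["normalized_hits"]
    ]


# Constructed sample parameter values, one per evasion technique from the list.
SAMPLES = [
    "<ScRiPt>alert(1)</ScRiPt>",        # case toggling
    "%3Cscript%3E",                     # URL encoding
    "%253Cscript%253E",                 # double URL encoding
    "&#60;script&#62;",                 # numeric HTML entities
    "%26%2360;script%26%2362;",         # mixed: URL-encoded HTML entities
    "\uff1cscript\uff1e",               # fullwidth Unicode '<' and '>'
    "UNION/**/SELECT",                  # comment as filler
    "UNION\n\tSELECT",                  # newline and tab as filler
    "select a book from the union catalogue",  # benign text, no hit expected
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = inspect(s)
        print(f"{s!r:45} -> {r['normalized']!r:25} "
              f"naive={r['naive_hits']} normalized={r['normalized_hits']}")
    print("evaded naive filter:", len(evaded_naive(SAMPLES)), "of", len(SAMPLES))
```

The decode loop is deliberately capped: an unbounded "decode until stable" loop is itself a denial-of-service target, and anything still encoded after the cap is better treated as suspicious than decoded further. The benign last sample shows that normalization does not by itself create false positives for a rule that requires the full `union select` token sequence.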