Updated: January 14, 2020 by Oliver Sild
This blog post explains how web application firewalls are bypassed, so that you understand what kinds of payloads are used to get access to your site. See the payload examples below.
A web application firewall, or WAF for short, is becoming an essential part of your personal or client's website.
It is important that your WAF is up to date with the latest cyber threats and methods, as new methods and threats appear on a daily basis.
Websites are prime targets in cyber attacks, and a single overlooked issue can ruin a business and its reputation.
WAFs can be categorized into three operation models:
Throwing a bunch of malicious payloads at the target and hoping that one of them works. Most WAFs prevent this by limiting the number of requests per time unit.
For this method, you can use different active scanning tools or develop your own. Some tools that can be useful in combination with an active scanner:
Bypassing a DNS-based firewall can sometimes be very simple. Often there are subdomains that are not protected by the firewall because of a DNS misconfiguration; such a record can expose the origin server IP, and traffic sent straight to that IP is not protected at all, because a DNS-based firewall only sees what is routed through it.
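The defensive counterpart of the subdomain problem described above is a zone audit: every A/AAAA record (and every CNAME that ends in one) should land inside the WAF provider's edge ranges, with deliberate exceptions for non-web hosts such as mail. The following Python is an added example, not WebARX's code or the post's own; the edge CIDRs, the `example.com` zone and the hostnames are constructed, and a real audit would load the provider's published range list and a zone export from the DNS provider.

```python
import ipaddress

# Constructed: CIDR blocks the (hypothetical) DNS-based WAF provider publishes for its edge.
WAF_EDGE_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8:1::/48")]

# Constructed zone export as (name, type, value) tuples. "dev" is the forgotten subdomain
# the post describes: it resolves straight to the origin server, not to the WAF edge.
ZONE = [
    ("example.com",      "A",     "198.51.100.10"),
    ("example.com",      "AAAA",  "2001:db8:1::10"),
    ("www.example.com",  "CNAME", "example.com"),
    ("dev.example.com",  "A",     "203.0.113.7"),
    ("mail.example.com", "A",     "203.0.113.8"),
]


def resolve_in_zone(zone, name, depth=0):
    """Return the addresses a name ultimately points to, following CNAMEs inside this zone only."""
    if depth > 8:                                   # guard against CNAME loops
        return []
    ips = []
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype in ("A", "AAAA"):
            ips.append(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            ips.extend(resolve_in_zone(zone, value, depth + 1))
    return ips


def behind_waf(ip, ranges=WAF_EDGE_RANGES):
    """True if the address (string or ipaddress object) belongs to one of the WAF edge networks."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in ranges)       # v4 address in v6 network is simply False


def unprotected_hosts(zone, ranges=WAF_EDGE_RANGES, non_web=()):
    """Map each hostname that resolves outside the WAF edge to the exposed addresses.

    Hosts listed in non_web (mail servers and the like) are expected to bypass the
    edge and are skipped, so the result only contains records that need fixing.
    """
    findings = {}
    for name in sorted({r[0] for r in zone}):
        if name in non_web:
            continue
        exposed = [str(ip) for ip in resolve_in_zone(zone, name) if not behind_waf(ip, ranges)]
        if exposed:
            findings[name] = exposed
    return findings


if __name__ == "__main__":
    for host, ips in unprotected_hosts(ZONE, non_web={"mail.example.com"}).items():
        print(f"{host} resolves outside the WAF edge: {', '.join(ips)}")
```

Run as-is it reports only `dev.example.com`; the exposed origin address for mail is still printed if you drop the `non_web` argument, which is the right default when you are not sure which hosts legitimately sit outside the edge.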
By exploiting known browser bugs, we can craft a special payload that bypasses the WAF and still works in the affected web browser.
This is most suitable for client-side attacks such as cross-site scripting. An example would be bypassing Internet Explorer and Edge with double encoding.
This method is the most accurate but requires a great deal of independent research into how the firewall works.
You will need to understand which operation model it uses, enumerate possible whitelisted URLs, enumerate special characters that are not blacklisted, etc.
You can try some of the payloads we found useful:
| Payload | Description | Fix |
|---|---|---|
| `<sCRipT>alert(1)</sCRiPt>` | Check if the firewall is blocking only lowercase. | Make sure your firewall blocks upper-case as well as lower-case. |
|  | Try to break the firewall regex with a new line (`\r\n`). | Make sure firewall rules are adjusted to check for newlines. |
| ``<svg><script>alert`1`</p>`` | Try to bypass the firewall using an ECMAScript 6 variation. | Check for ECMAScript 6 XSS payloads. |
| ``<svg><script>alert`1` `` | Try to bypass the firewall using an ECMAScript 6 variation. | Check for ECMAScript 6 XSS payloads. |
| `<scr<script>ipt>alert(1);</scr</script>ipt>` | Testing for recursive filters: if the firewall strips the inner `<script>` and `</script>` in a single pass, what remains is the clean payload. | Block the request completely rather than removing what's bad. |
| `<a/href="j	a	v	asc	ri	pt:alert(1)">` | Injecting an anchor tag without whitespace. | Do not allow anchor tags. |
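The fixes in the right-hand column come down to two rules: normalise the request before matching (case, line breaks, encoding) and block rather than strip. The following Python is an added example, not WebARX's code or the post's own. It feeds the table's payloads through a naive rule of the kind the table shows being bypassed and through a small rule set that applies those fixes; the CRLF payload and the double-encoded payload (the browser-quirk case mentioned earlier) are my own constructed variants, since the post does not show them literally.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs. Five are the table's payloads, two are my own variants, one is benign.
SAMPLES = {
    "mixed_case":     "<sCRipT>alert(1)</sCRiPt>",
    "crlf":           "<script\r\n>alert(1)</script>",                 # constructed newline variant
    "es6_template":   "<svg><script>alert`1`</p>",
    "recursive":      "<scr<script>ipt>alert(1);</scr</script>ipt>",
    "tabbed_anchor":  '<a/href="j\ta\tv\tasc\tri\tpt:alert(1)">',
    "double_encoded": "%253Cscript%253Ealert(1)%253C/script%253E",    # constructed, %25 = encoded '%'
    "benign":         "Hello, <b>world</b> & friends",
}

# --- the kind of rule the table shows being bypassed ---------------------------------

NAIVE_RULE = re.compile(r"<script>.*alert\(")   # case-sensitive, needs a literal '(' and no line break


def naive_blocks(value: str) -> bool:
    """Single case-sensitive regex applied to the raw request value."""
    return NAIVE_RULE.search(value) is not None


def naive_sanitize(value: str) -> str:
    """One-pass strip of <script> tags; the 'recursive' row shows why stripping is the wrong response."""
    return value.replace("<script>", "").replace("</script>", "")

# --- a rule set that applies the fixes from the third column --------------------------


def normalize(value: str) -> str:
    """Canonicalise the value before matching so encoding and case tricks do not matter."""
    v = unquote(unquote(value))             # undo URL encoding twice to cover double encoding
    v = html.unescape(v)                    # undo HTML entities such as &#x6a;
    v = v.lower()                           # upper-case and lower-case are treated alike
    return re.sub(r"[\r\n\t\x00]", "", v)   # CR, LF, TAB, NUL: browsers ignore these inside tags/URIs


HARDENED_RULES = [
    re.compile(r"<\s*script"),              # opening script tag, whatever follows the tag name
    re.compile(r"<\s*svg"),                 # svg is a common carrier for inline script
    re.compile(r"<\s*a\b[^>]*href"),        # anchor with href, per the 'do not allow anchor tag' fix
    re.compile(r"javascript\s*:"),          # script URI scheme
    re.compile(r"alert\s*[(`]"),            # alert(...) and the ES6 alert`...` template form
]


def hardened_blocks(value: str) -> bool:
    """Block (never strip) when any rule matches the normalised value."""
    v = normalize(value)
    return any(r.search(v) for r in HARDENED_RULES)


def evaluate(value: str) -> dict:
    """Compare both approaches on one value; returned as a dict so callers can assert on it."""
    return {
        "naive_blocks": naive_blocks(value),
        "naive_sanitized": naive_sanitize(value),
        "hardened_blocks": hardened_blocks(value),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        r = evaluate(payload)
        print(f"{name:15} naive={r['naive_blocks']!s:5} hardened={r['hardened_blocks']!s:5} "
              f"after naive strip: {r['naive_sanitized']!r}")
```

Every table payload slips past `naive_blocks`, and `naive_sanitize` turns the recursive payload into a clean `<script>alert(1);</script>`, which is exactly the outcome the "block, don't strip" fix avoids. The hardened rules are deliberately broad (any anchor with an `href` is refused, as the table's last row advises); whether that is acceptable for a given site is a policy decision, not something a filter can decide.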
– Attempting to bypass a web application firewall is an important part of a penetration test.
– A hacker may try to bypass your web application firewall (WAF) to try to access your website directly.
A web application firewall (WAF) is an application firewall for HTTP applications.
It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. While proxies generally protect clients, WAFs protect servers (source: OWASP.org).
– An endpoint web application firewall (Endpoint WAF) runs within the application itself.
– It is aware of the software used inside the website and understands how it is built.
– An endpoint firewall understands how the software used inside the website works, and knows who the visitors are by their permissions and whether they are authenticated.