
How To Bypass Web Application Firewall?

Updated: January 14, 2020 by Oliver Sild

This blog post explains how web application firewalls are bypassed, so that you understand what kinds of payloads are used to get at your site. See the payload examples below.

A web application firewall, or WAF for short, is becoming an essential part of protecting your own or your client's website.

It is important that your WAF is kept up to date with the latest cyber threats and methods, as new ones come out on a daily basis.

Websites are prime targets for cyber attacks, and a single overlooked issue can ruin a business and its reputation.

WAFs can be categorized into three operation models:

  • Whitelist (accepts known good)
  • Blacklist (rejects known bad)
  • Hybrid (a combination of whitelist and blacklist)

Brute forcing to bypass web application firewall

This means sending a large number of malicious payloads and hoping that one of them gets through. Most WAFs prevent this with rate limiting, capping the number of requests per time unit.

For this method, you can use various active scanning tools or develop your own. Some tools that can be useful alongside an active scanner:

Another way around

Bypassing a DNS-based firewall can sometimes be very simple. Such a firewall only sees traffic that DNS routes through it, so a subdomain left pointing directly at the server because of a DNS misconfiguration exposes the origin server's IP address, and requests sent straight to that IP are not protected at all.

Browser bugs to bypass web application firewall

By exploiting known browser bugs, an attacker can craft a special payload that passes the WAF but is still executed by the affected web browser.

This is most suitable for client-side attacks such as cross-site scripting. An example is using double encoding against Internet Explorer and Edge.

Regular Expression reversing

This method is the most accurate, but it requires a great deal of independent research into how the firewall works.

You will need to understand which operation model it uses, enumerate possible whitelisted URLs, enumerate special characters that are not blacklisted, and so on.

Some of the payloads we found useful, with the check each one performs and the corresponding mitigation:

| Payload | What it tests | Mitigation |
| --- | --- | --- |
| <sCRipT>alert(1)</sCRiPt> | Checks whether the firewall blocks only lowercase tags. | Make sure your firewall matches case-insensitively, blocking both uppercase and lowercase variants. |
| (no specific payload given) | Tries to break the firewall's regex with a newline (\r\n). | Make sure firewall rules are adjusted to also match across newlines. |
| <svg><script>alert&DiacriticalGrave;1&DiacriticalGrave;</p> | Tries to bypass the firewall using an ECMAScript 6 variation (backticks written as HTML entities). | Check for ECMAScript 6 XSS payloads. |
| <svg><script>alert`1` | Tries to bypass the firewall using an ECMAScript 6 variation (backticks instead of parentheses). | Check for ECMAScript 6 XSS payloads. |
| <scr<script>ipt>alert(1);</scr</script>ipt> | Tests for recursive filters: if the firewall strips the inner <script> and </script> tags (shown in red in the original), a clean payload remains. | Block the request completely rather than removing what is bad. |
| <a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;"> | Injects an anchor tag without whitespace, splitting the scheme with &Tab; entities. | Do not allow anchor tags. |

Frequently Asked Questions About Bypassing a Web Application Firewall

Why would anyone want to bypass a firewall?

– Attempting to bypass a web application firewall is an important part of a penetration test.
– A hacker may try to bypass your web application firewall (WAF) in order to reach your website directly.

What is a web application firewall (WAF)?

A web application firewall (WAF) is an application firewall for HTTP applications.

It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. While proxies generally protect clients, WAFs protect servers (source: OWASP.org).

What is an endpoint web application firewall (endpoint WAF)?

– Endpoint web application firewall (Endpoint WAF) runs within the application itself.
– It’s aware of the software used inside the website and understands how it’s built.
– An endpoint firewall understands how the software inside the website works and knows who the visitors are: what permissions they have and whether they are authenticated.

