Bypassing Modern Web Application Firewall

June 6, 2018 by Oliver Sild

A web application firewall, or WAF for short, is becoming an essential part of any website, whether your own or a client's. It is important that your WAF is kept up to date with the latest cyber threats and methods, as new ones come out on a daily basis.

Websites are prime targets for cyber attacks, and a single overlooked issue can ruin a business and its reputation.

WAFs fall into three operation models:

  • Whitelist (accept known good)
  • Blacklist (reject known bad)
  • Hybrid (combination of whitelist and blacklist)

Brute forcing

Throwing a bunch of malicious payloads at the firewall and hoping that one of them will work. Most WAFs prevent this by limiting the number of requests per time unit. For this method, you can use different active scanning tools or develop your own. Some of the tools that can be useful in the mix with the active scanner:

Another way around

Bypassing a DNS-based firewall can sometimes be very simple. Often there are subdomains that are not routed through the firewall because of a DNS misconfiguration, and these can expose the server's IP address. Traffic sent directly to that IP is not protected, because a DNS-based firewall only sees requests that resolve through it.

Browser bugs

By exploiting known browser bugs we can craft a special payload that will bypass the WAF and work in the affected web browser – this is most suitable for client-side attacks such as cross-site scripting. An example of this would be bypassing Internet Explorer and Edge with double encoding.

Regular Expression reversing

This method is the most accurate but requires a great deal of independent research and study into how the firewall works: which operation model it uses, which URLs may be whitelisted, which special characters are not blacklisted, and so on. You can try some of the payloads we found useful:

| Payload | Goal | Solution |
|---|---|---|
| <sCRipT>alert(1)</sCRiPt> | Check if the firewall is blocking only lowercase. | Make sure your firewall is blocking both uppercase and lowercase. |
|  | Try to break the firewall regex with a new line (\r\n). | Make sure firewall rules are adjusted to check for newlines. |
| <svg><script>alert&DiacriticalGrave;1&DiacriticalGrave;</p> | Try to bypass the firewall using an ECMAScript6 variation. | Check for ECMAScript6 XSS payloads. |
| <svg><script>alert`1` | Try to bypass the firewall using an ECMAScript6 variation. | Check for ECMAScript6 XSS payloads. |
| <scr<script>ipt>alert(1);</scr</script>ipt> | Testing for recursive filters: if the firewall removes the text in red, we will have a clear payload. | Try to block the request completely rather than removing what's bad. |
| <a/href=”j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;”> | Injecting an anchor tag without whitespace. | Do not allow the anchor tag. |
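
The "Solution" column above, as an added example (not code from the original article or from any WAF product): a case-sensitive, strip-once filter next to a rule that normalises the input and rejects on match. The function names and regular expressions are assumptions for illustration; the sample inputs are copied from the table, apart from one constructed benign string.

```python
import html
import re

# Weak "before" rule from the table: case-sensitive, and it deletes the match
# in a single pass instead of rejecting the request.
NAIVE = re.compile(r"<script>|</script>")

# Hardened rule (assumed patterns): case-insensitive, applied after
# normalisation, and used only to reject, never to rewrite the input.
BLOCK = re.compile(r"<\s*/?\s*script\b|javascript:|<\s*a[\s/>]", re.IGNORECASE)

def naive_filter(value: str) -> str:
    """Return the input with lowercase <script> tags stripped once."""
    return NAIVE.sub("", value)

def normalise(value: str) -> str:
    """Decode HTML entities until stable, then drop tab, CR and LF."""
    for _ in range(3):  # bounded number of decoding rounds
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"[\t\r\n]", "", value)

def is_blocked(value: str) -> bool:
    """True when the normalised input matches the block rule."""
    return BLOCK.search(normalise(value)) is not None

# Inputs copied from the table above, plus one constructed benign string.
MIXED_CASE = "<sCRipT>alert(1)</sCRiPt>"
NESTED = "<scr<script>ipt>alert(1);</scr</script>ipt>"
ENTITY_TABS = "<a/href=”j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;”>"
BENIGN = "A forum post about JavaScript and anchor tags."  # constructed

if __name__ == "__main__":
    for sample in (MIXED_CASE, NESTED, ENTITY_TABS, BENIGN):
        print(repr(naive_filter(sample)), "blocked:", is_blocked(sample))
```

The nested input leaves the naive filter as an intact script element, which is why the table recommends blocking the request rather than removing what is bad.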

