Bypass Web Application Firewalls

Web application firewalls are designed to protect web applications from known attacks, such as SQL injection, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload. Today we demonstrate some tricks used to bypass a web application firewall (WAF).

SQLi: union all select 1,2,3,4,5-- -

Bypassed SQLi: /*!UNION*/+/*!ALL*/+/*!SELECT*/+1,2,3,4,5-- -

By Function Capitalization:-
Some web application firewalls filter only lowercase keywords, so the filter can be bypassed simply by changing the case; the database itself parses keywords case-insensitively.

Actual query: UNION SELECT 1,2,3,4,5-- -

Query to bypass the WAF: uniOn SeLeCt 1,2,3,4,5-- -

By Replaced Keywords:-

Some WAFs strip certain keywords such as UNION, SELECT, ORDER BY, etc. from the request. When the keyword is removed in a single pass, this can be turned to advantage by nesting the filtered word inside a copy of itself, as in the query below: once the inner word is stripped, the outer one is reassembled.

Actual query: UNION SELECT 1,2,3,4,5-- -

Query to bypass the WAF: UNIunionON SEselectLECT 1,2,3,4,5-- -
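A small Python illustration, added here and not part of the original post, of why the two tricks above work against a filter that strips keywords once and case-sensitively, beside a rejecting check that normalizes the request first. The names KEYWORDS, naive_strip, normalize, is_suspicious and hardened_filter are hypothetical; the sample payloads are the post's own.

```python
import re

# Keywords that, per the post, some WAFs strip or block (illustrative subset).
KEYWORDS = ("union", "select", "order by")

def naive_strip(payload: str) -> str:
    """Weak WAF behaviour the post exploits: lowercase-only, single-pass removal."""
    for kw in KEYWORDS:
        payload = payload.replace(kw, "")
    return payload

def normalize(payload: str) -> str:
    """Canonicalise the input the way the backend will see it before matching."""
    s = payload.lower()                       # defeats uniOn SeLeCt
    s = s.replace("+", " ")                   # form-encoded space
    s = re.sub(r"/\*!?(.*?)\*/", r" \1 ", s)  # /*!UNION*/ -> union (comment contents kept visible)
    return re.sub(r"\s+", " ", s).strip()

KEYWORD_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYWORDS) + r")\b")
STRIP_RE = re.compile("|".join(re.escape(k) for k in KEYWORDS))

def is_suspicious(payload: str) -> bool:
    """True if a keyword appears as a token, or is hidden inside another (UNIunionON)."""
    s = normalize(payload)
    if KEYWORD_RE.search(s):
        return True
    # Strip to a fixed point: if anything came off, a keyword was nested in the input.
    # Substring matching over-flags words like "selection"; tune KEYWORDS for production.
    prev = None
    while prev != s:
        prev, s = s, STRIP_RE.sub("", s)
    return s != normalize(payload)

def hardened_filter(payload: str):
    """Reject instead of sanitise: never forward a rewritten string to the backend."""
    return None if is_suspicious(payload) else payload
```

The rejecting check is a detection aid only; parameterized queries on the application side remain the actual fix for the injection itself.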

We can also detect and fingerprint a web application firewall (WAF) with Nmap's NSE scripts:

Detecting a WAF using Nmap
nmap -p80 --script http-waf-detect <host>

Fingerprinting a WAF using Nmap
nmap -p80 --script http-waf-fingerprint <host>

Bypass Web Application Firewalls and XSS Filters

A series of Python scripts for generating unusual character combinations and wordlists for Burp Suite Pro, used to bypass web application firewalls (WAF) and XSS filters. The scripts were written to fuzz combinations of:

  • URL Escape Characters
  • HTML Escape Characters
  • Binary Characters


These scripts were created during an assessment, while trying to bypass a Web Application Firewall (WAF) in order to exploit an XSS vulnerability. Different web servers and browsers interpret URL and strange characters differently, which could lead to the bypassing of security controls. When I tried to send a > or < character the WAF would block the request.

The following URL escapes I have noticed are translated to < > ' by Apache2 based web servers:

%(N%(n%)S%)U%)^%)s%)u%*C%*E%*c%*e%,.%.#%1N%1n%2S%2U%2^%2s%2u%3C%3E%3c%3e%5.%7#%:C%:E %:c%:e%HN%Hn%IS%IU%I^%Is%Iu%JC%JE%Jc%Je%L.%N#%XN%Xn%YS%YU%Y^%Ys%Yu%ZC%ZE%Zc%Ze%.%^# %hN%hn%iS%iU%i^%is%iu%jC%jE%jc%je%l.%n#%xN%xn%yS%yU%y^%ys%yu%zC%zE%zc%ze%|.
