Sahil Saini

Bypassing Modern WAFs: Techniques for Penetration Testers

by

sahil
in

Web Application Firewalls (WAFs) are like bouncers at a club—they’re there to keep the riff-raff out. But just like a determined partygoer, a skilled attacker can find ways to slip past the velvet rope. Whether it’s through obfuscation, encoding, or sheer creativity, bypassing WAFs is a critical skill for any penetration tester.

As someone who’s spent [a decent number of] hours poking and prodding at WAFs, I can tell you that they’re not as impenetrable as they seem. In fact, with the right techniques, you can often waltz right past them like you own the place.

In this guide, we’ll dive into the art of WAF bypassing. We’ll cover everything from basic obfuscation techniques to advanced methods like timing attacks and protocol-level evasion in this no-fluff how-to. Whether you’re a WAF whisperer or a newbie looking to up your game, this article some knowledge to bypass even the most stubborn WAFs. (say CloudFlare? :D)

Bypassing WAF’s

Grab your favorite proxy tool, fire up your terminal, and let’s get started. By the end of this, you’ll be bypassing WAFs like a pro.

1. Obfuscation: Hiding in Plain Sight

What it is: Modifying payloads to evade detection by WAF rules.
Why it works: WAFs often rely on pattern matching, and obfuscation can make your payloads unrecognizable.

How to exploit it:

  • Use encoding: Encode payloads using Base64, URL encoding, or hexadecimal to evade detection.
  • Add junk characters: Insert random characters or comments into your payloads to break up recognizable patterns.
  • Change case: Mix uppercase and lowercase letters to bypass case-sensitive WAF rules.

Examples:

  1. Base64 Encoding: Encode a SQL injection payload in Base64 to evade detection.
  2. Adding Junk Characters: Insert random comments (/*random*/) into your payload to break up patterns.

Tools to use:

  • Burp Suite: For encoding and modifying payloads.
  • CyberChef: For quick encoding/decoding operations.

How to defend: Use behavioral analysis and machine learning to detect obfuscated payloads.

2. Encoding: The Art of Deception

What it is: Using encoding techniques to disguise malicious payloads.
Why it works: Encoding can make payloads look benign to WAFs while still being interpreted correctly by the server.

How to exploit it:

  • Double encoding: Encode payloads twice to bypass WAFs that decode input only once.
  • Unicode encoding: Use Unicode characters to represent parts of your payload.
  • HTML encoding: Encode payloads using HTML entities to evade detection.

Examples:

  1. Double Encoding: Encode a payload in URL encoding twice (%2520 instead of %20).
  2. Unicode Encoding: Use Unicode characters (%u2215 for /) to bypass WAF rules.

Tools to use:

  • Burp Suite: For encoding and testing payloads.
  • OWASP ZAP: For automated encoding and fuzzing.

How to defend: Implement multi-layer decoding and validation to detect encoded payloads.

3. Timing Attacks: Playing the Long Game

What it is: Using slow or delayed requests to evade WAF detection.
Why it works: WAFs often have timeouts or rate limits, and timing attacks can exploit these limitations.

How to exploit it:

  • Slowloris: Send partial HTTP requests to keep the connection open and exhaust server resources.
  • Time-based SQL injection: Use time delays in SQL queries to extract data without triggering WAF rules.
  • Rate limiting evasion: Send requests at a slow, steady pace to avoid triggering rate limits.

Examples:

  1. Slowloris Attack: Use Slowloris to keep connections open and exhaust server resources.
  2. Time-Based SQL Injection: Use SLEEP() or WAITFOR DELAY in SQL queries to extract data.

Tools to use:

  • Slowloris: For performing slow HTTP attacks.
  • sqlmap: For automating time-based SQL injection attacks.

How to defend: Implement connection timeouts and rate limiting to mitigate timing attacks.

4. Protocol-Level Evasion: Breaking the Rules

What it is: Exploiting inconsistencies in how WAFs and servers interpret HTTP requests.
Why it works: WAFs and servers may interpret requests differently, allowing attackers to bypass WAF rules.

How to exploit it:

  • HTTP Parameter Pollution (HPP): Send multiple parameters with the same name to confuse the WAF.
  • Chunked encoding: Use chunked transfer encoding to split payloads into smaller chunks.
  • Header manipulation: Modify HTTP headers to bypass WAF rules (e.g., changing Content-Type).

Examples:

  1. HTTP Parameter Pollution: Send ?id=1&id=2 to confuse the WAF and server.
  2. Chunked Encoding: Split a payload into smaller chunks to evade detection.

Tools to use:

  • Burp Suite: For manipulating HTTP requests and headers.
  • OWASP ZAP: For automated protocol-level testing.

How to defend: Normalize and validate all incoming requests to detect protocol-level anomalies.

5. Advanced Techniques: Thinking Outside the Box

What it is: Using creative and unconventional methods to bypass WAFs.
Why it works: WAFs are designed to detect known attack patterns, and advanced techniques can exploit blind spots.

How to exploit it:

  • Polyglot payloads: Create payloads that are valid in multiple contexts (e.g., SQL and JavaScript).
  • WAF fingerprinting: Identify the WAF in use and tailor your payloads to its specific weaknesses.
  • Edge case exploitation: Exploit edge cases in WAF rules, such as handling of null bytes or unusual characters.

Examples:

  1. Polyglot Payloads: Create a payload that works as both SQL and JavaScript (1' OR '1'='1'; alert('XSS')).
  2. WAF Fingerprinting: Use tools like WAFW00F to identify the WAF and tailor your payloads.

Tools to use:

  • WAFW00F: For identifying the WAF in use.
  • Burp Suite: For crafting and testing advanced payloads.

How to defend: Regularly update WAF rules and use behavioral analysis to detect advanced techniques.

Conclusion

Bypassing WAFs is equal parts art and science. By understanding how WAFs work and using creative techniques to evade detection, you can uncover vulnerabilities that might otherwise go unnoticed. Remember, the goal isn’t just to break in—it’s to help organizations strengthen their defenses.

TL;DR

  • Obfuscation: Hide payloads using encoding, junk characters, or case changes.
  • Encoding: Use Base64, Unicode, or double encoding to disguise payloads.
  • Timing Attacks: Exploit timeouts or rate limits with slow requests or time-based SQL injection.
  • Protocol-Level Evasion: Manipulate HTTP requests to confuse WAFs.
  • Advanced Techniques: Use polyglot payloads, WAF fingerprinting, or edge case exploitation.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *