A WAF, or Web Application Firewall, is a security solution designed to protect web applications from a variety of attacks. It sits between the client and the web server and monitors, filters, and blocks data packets as they travel to and from the web application.
Specifically, it can help mitigate attacks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other types of attacks aimed at web applications. WAFs can be configured to allow, block, or monitor web traffic based on various rules and security policies.
They can operate in two modes: a detect mode, where the WAF only observes and logs potentially malicious activity, and a block mode, where it actively blocks potentially malicious traffic. Some advanced WAFs also use machine learning to detect and block sophisticated attacks.
Bypassing a Web Application Firewall (WAF) can be challenging, as they are designed to block certain types of malicious HTTP requests. However, there are tools and techniques that can help you in this process:
- Bypass Tools: Some tools are specifically designed to help you bypass WAFs. These include SQLMap, XSStrike, and WFuzz, among others. They provide methods to evade and exploit common WAF rules.
- WAF Identification: There are tools to help you identify the type of WAF in use, such as WAFW00F. This can give you insights into the WAF’s rule set and help you craft your bypass techniques accordingly.
- Find Collaborators via WebSockets: If the WAF is not configured to inspect WebSocket messaging, you can use this channel to find collaborators without the need for encoding.
- Use Multiple Cookies: If the WAF rules are based on cookie values, you can try sending the request with multiple cookies.
- Use Custom Headers: Some WAFs may not inspect all custom headers. By including your malicious payload in a custom header, you can bypass the WAF.
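The last two bullets, and the detect/block modes described above, come down to what the inspection engine actually looks at. The following is an added example, not code from the original page or from any of the tools it names: a minimal rule engine with a weak configuration (first cookie only, a short list of known headers) beside the corrected one (every cookie value and every header), run over constructed requests; the signature set and request layout are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed signature set; a real WAF ruleset is far larger and more precise.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+'?\d")),
    ("xss", re.compile(r"(?i)<\s*script|javascript:")),
]
KNOWN_HEADERS = {"user-agent", "referer"}  # the narrow set a weak config inspects

def normalize(value):
    """Undo URL encoding twice so a double-encoded value is seen in plain form."""
    return unquote_plus(unquote_plus(value))

def request_fields(req, inspect_all):
    """Yield (location, value) pairs to inspect. inspect_all=False models a
    weak config: first cookie only, and only a short list of known headers."""
    yield "path", req["path"]
    for key, val in req.get("query", []):
        yield f"query:{key}", val
    yield "body", req.get("body", "")
    for name, value in req["headers"]:
        lname = name.lower()
        if lname == "cookie":
            pairs = [p.strip() for p in value.split(";") if p.strip()]
            for pair in (pairs if inspect_all else pairs[:1]):
                key, _, val = pair.partition("=")
                yield f"cookie:{key}", val
        elif inspect_all or lname in KNOWN_HEADERS:
            yield f"header:{name}", value

def inspect(req, mode="block", inspect_all=True):
    """Return (action, findings). In detect mode findings are only logged."""
    findings = [(rule, loc) for loc, raw in request_fields(req, inspect_all)
                for rule, pat in SIGNATURES if pat.search(normalize(raw))]
    action = "block" if findings and mode == "block" else "allow"
    return action, findings

# Constructed requests: a marker in a custom header, and one in a repeated cookie.
HEADER_REQ = {"path": "/search", "query": [("q", "shoes")], "body": "",
              "headers": [("Host", "shop.example"), ("Cookie", "session=abc123"),
                          ("X-Debug", "<script>")]}
COOKIE_REQ = {"path": "/account", "headers": [("Host", "shop.example"),
              ("Cookie", "session=abc123; session=%27%20or%201%3D1")]}

if __name__ == "__main__":
    for req in (HEADER_REQ, COOKIE_REQ):
        print("weak  :", inspect(req, inspect_all=False))  # misses both markers
        print("full  :", inspect(req, inspect_all=True))   # blocks both
        print("detect:", inspect(req, mode="detect"))      # allows, but logs findings
```

The weak configuration returns "allow" for both requests even in block mode, which is exactly the gap the cookie and custom-header bullets rely on; logging the findings from detect mode is how a team checks a new rule before switching it to block.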
Automation
- Running an Nmap scan
- WAFW00F
- WhatWaf
More Reading
- https://hacken.io/discover/how-to-bypass-waf-hackenproof-cheat-sheet/
- https://jlajara.gitlab.io/Bypass_WAF_Unicode
- https://blog.yeswehack.com/yeswerhackers/web-application-firewall-bypass/
- https://www.sisainfosec.com/blogs/identifying-web-application-firewall-in-a-network/
- https://owasp.org/www-pdf-archive/OWASP_Stammtisch_Frankfurt_WAF_Profiling_and_Evasion.pdf