How to hack and bypass a web application firewall WAF during penetrating testing
The term web application firewall (WAF) refers to a set of monitoring tools and filters designed to detect and block network attacks against a specific web application. According to pentesting experts at the International Institute of Cyber Security (IICS), these are security tools that, in real time, decide whether to allow or deny access to an online deployment.
Like any other security solution, a WAF is only a complementary solution for a comprehensive security environment, so it must be implemented along with other elements such as incident monitoring tools or anti-fraud systems.
A pentesting process against a WAF allows researchers to determine the real IP address of the target and, at later stages, try to evade this protection mechanism. The WAF compromise allows researchers (and also hackers) to know what’s behind these implementations.
Pentesting experts consider that nearly 50% of WAF implementations are vulnerable to one or more evasion methods, as hackers have made great strides in attack variants to these solutions, primarily by delivering malicious payloads disguised as legitimate software.
On this occasion, we will show you some techniques and tools to analyze a WAF and evade these security measures. As usual we remind you that this article was prepared for informational purposes only, so IICS is not responsible for the misuse that may be given to the information contained herein.
HOW TO DETECT A WAF?
There is a general process for finding the actual IP of a target website:
- Employ shodan.io or censys.io
- Search SPF records and TXT records
- SPF and TXT records can be the IP address of the entry point without CloudFlare
- You can also view securitytrails.com in historical data that can show the original IP in old records
To check if a WAF is configured correctly, pentesting experts recommend relying on the following indicators:
- A WAF uses standard ports 80, 443, 8000, 8008, 8080, and 8088
- A WAF sets its own cookies on requests
- A WAF is associated with individual headers
- A WAF responds with unique response codes to malicious requests
To verify the proper configuration of these devices, experts can:
- Send a standard GET request from the browser, intercept and write the response headers
- Send a request from the command line (such as cURL) and then verify the content and headers of the response
- Send GET requests to random open ports and search for banners that can reveal the WAF provider
- Try some SQL injection payloads like: “o1 =1 — to try to log in
- Use XSS payloads such as <script>confirm() </script>in some input fields
- Add .. /.. /.. /etc/passwd to the random parameter in the URL
- Add some payload like ‘OR SLEEP(5)OR’ to the end of URLs for any random parameters
- Send GET requests with legacy protocols such as HTTP/0.9 (HTTP/0.9 does not support POST requests)
- Check the server header to see the different types of interactions
- Send the raw generated FIN &RST packet to the server and define the response
WAF HACKING TOOLS
Most hackers use automated tools to speed up web application firewall evasion processes. Below is a small list of the most popular tools for these activities; its use is only the first step in verifying how much information an attacker will be able to access.
- w3af: A framework for auditing and attacking web applications
- wafw00f: Tool to find digital logging and WAF authentication
- BypassWAF: Used to evade these security mechanisms using DNS history. this tool will search for old dns records and check if the server is responding for this domain
- CloudFail: A tactical recognition tool that attempts to find the original IP address behind Cloudflare’s WAF
There are many other tools, but pentesting experts claim that these are the most popular.
Below we will review some of the best known WAF bypassing techniques.
Case switch technique
It consists of the combination of uppercase and lowercase characters.
Basic request payload:
SELECT * FROM * WHERE OWNER = 'NAME_OF_DB'
sELeCt *fRoM*wHerE OWNER='NAME_OF_DB'
Example in URL:
http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4
URL encoding technique
Pentesting experts can also modify a normal payload with %encoding/ URL. For this technique you can use Burp Suite, which has a built-in coding and decoding tool.
Example in URL:
ASCII characters provide us with excellent solutions to evade a WAF. Encode the entire payload or just one fragment for satisfactory results.
/?redir=http://google。 com (Unicode)
According to pentesting experts, web applications encode special characters in HTML; encoding and rendering, respectively basic cross-sectional cases with numeric and general HTML encoding.
"><img src=x onerror=confirm()>
Mixed coding techniques
These rules tend to filter a particular type of encoding. These filters can be omitted using the combined encoding payload, using new lines and tabs and increased obfuscation.
Sometimes hackers often hide standard payload vectors in code comments, pentesting experts mention. Different payloads have different obfuscation methods.
Attackers can also insert comments in the middle of the lines of attack. For example, / *! SELECT * / can be ignored by the WAF implementation, but passed to the target application and processed by the MySQL database.
Example in URL:
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#
Example in URL:
index.php?page_id=-1 /*! UNION*/ /*! SELECT*/ 1,2,3
Double encoding method
WAF filters typically encode characters to protect a web application. Poorly designed filters can be evaded with relative ease using double coding, say pentesting experts.
Several command-line utilities use templates to work with multiple files globally. We can change these templates to run system commands.
Dynamic loading technique
Programming languages have different templates and syntax for concatenation. According to pentesting experts, this allows you to create payloads that can evade various filters and rules.
Bash allows the concatenation of paths for execution.
Junk character technique
These are simple payloads easily filtered by WAF. In some cases, adding some unwanted characters helps avoid detection, allowing pentesting experts to obfuscat regular expression firewalls.
Line break technique
Much regular expression filtering WAF effectively blocks multiple attempts. The line break technique (CR and LF) can break the firewall’s regular expression to bypass security measures.
Invalid uninitialized variable technique
Regular expression filters can be omitted by using uninitialized bash variables. This value is zero and acts as empty strings. Bash and Perl allow such interpretations.
Tabs and line break
Tabs are often used to bypass firewalls, especially those based on regular expressions. Tabs can help break a WAF regular expression when the regular expression expects spaces instead of tabs.
http://test.com/test?id=1 union select 1,2,3
Token attacks are based on trying to break the logic of splitting a request into tokens using means of token protection, pentesting experts say. Token breakers are tokens that allow you to influence the correspondence between a string element and a specific token. Our request must remain valid when using token crackers.
?id='-sqlite_version() UNION SELECT passwords FROM users -
Example: unknown context for the pentester.
?id=12);D ROP TABLE users -
?id=133) INTO OUTFILE 'xxx' -
Obfuscation technique in other formats
Many web applications support different types of encoding and can interpret it. We will always need to obfuscat the payload in a non-WAF-compliant format, but the server can forward our payload.
IIS 6, 7.5, 8, and 10 can be interpreted as IBM037.
Send parameters encoded with:
POST /example.aspx?id7=sometext HTTP/1.1 HOST: target.org Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Length: 27 id2='union all select * from users-POST /example.aspx?%89%84%F7=%A2%95%94%86%A3%88%89%95%87 HTTP/1.1 HOST: target.org Content-Type: application/x-www-form-urlencoded; charset=ibm037 Content-Length: 127 %89%84%F2=%7D%A4%95%89%97%95%40%81%93%94%40%A2%85%93%85%84%A3%40%5C%40%86%99
Finally, pentesting experts have a number of useful tips during these safety tests:
- Always try to address the problem as comprehensively as possible
- Try different coding techniques. Depending on the case, some might work better than after
- Take the time to verify your DNS records, as only then will you be able to find errors successfully
- Don’t forget that any protection on web resources can be bypassed and WAF is not a panacea for all the problems faced by an online application
- Hackers don’t rest and are always looking for new methods to take control of affected resources, so the cybersecurity community can’t rest either
For further reports on vulnerabilities, pentesting, exploits, malware variants, cybersecurity risks and information security courses fell free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.
Originally published at https://www.securitynewspaper.com on September 16, 2021.