Waf Bypass Techniques

Null Character Injection

Inject  in parameter before malicious input. WAFs will commonly ignore everything after the null but pass the entire string to web server where it is processed.

Mixed Case

Change case of malicious input triggering WAF protections. <script> may become <sCRiPt> If the WAF is using a case sensitive blacklist, changing case may bypass that filter.

Inline Comments

Insert comments in middle of attack strings. For instance, /*!SELECT*/ might be overlooked by the WAF but passed on to the target application and processed by a mysql database.

Chunked Requests

Use chunked encoding in HTTP request to split up malicious requests over multiple HTTP requests

Ephemeral Mode SSL (DHE/EDH)

Abuse perfect forward secrecy. Since the WAF cannot subvert the key exchange, it can't decrypt the traffic if a DHE/EDH based session is negotiated between client and server. Testing of the top 50 or so sites on Alexa showed roughly 50% of sites support these modes. If SSL is terminated on the WAF however, or in the case of an embedded WAF, traffic is decrypted for WAF inspection.

Buffer Overflow

WAF's are, afterall, applications and vulnerable to the same software flaws as any other application. If a buffer overflow condition can create a crash, even if it does not result in code execution, this may result in a WAF failing open. In other words, a bypass.

HTTP Parameter Pollution

Supply multiple parameter= value sets of the same name to confuse the WAF. Given the example http://example.com?id=1&?id=' or '1'='1' -- ' in some circumstances such as with Apache/PHP, the application will only parse the last (second) instance of id= while the WAF only parses the first. It appears to be a legitimate request but the application still receives and process malicious input. Most WAF's today are not vulnerable to HTTP Parameter Pollution (HPP) but it is still worth a try when building bypasses.

URL encoding (hex)

Use the hex equivalent for certain characters such as %27 for ' or %3c for <. This alone may not be sufficient for many modern WAF's but frequently works for application black-list filters as they may not be canonicalized before evaluation. Like many other techniques here, when combined with other methods is more effective.

Keyword Splitting

(Insert special characters that will be removed by WAF) - SELECT may become SEL<ECT which would be passed on as SELECT once the offending character is removed

Replaced Keywords

Similar to Keyword Splitting by wrapping a keyword around itself. For instance SELSELECTECT becomes SELECT once the inner SELECT is removed.

Ignoring Cookies

Ignore tracking cookies WAF sets to flag you as a "Bad User". This can easily be configured using a regex match in Burp to ignore those cookies.

WAF Auto-Learning

Many WAF have a threshold whereby if they see n number of violations from different IP addresses within a specified window, it "un-learns" that rule and effectively disables it.

Using Data URIs

Offending strings can be encoded as data URIs which are interpreted by the browser but may not be properly normalized by the WAF. This is very useful for client side attacks like XSS

IPv6

Most IP based reputation filters do not include IPv6 addresses. Using IPv6 may provide significant advantage in evading those kinds of filters.

You may also be able to initiate a connection with IPv4 and send malicious strings using an already established session over IPv6 and the WAF may either not be able to associate the 2 IP addresses as the same client or it may ignore the IPv6 payload altogether