December 10, 2024

Bypassing Web Application Firewalls (WAFs): A Beginner’s Guide

Web Application Firewalls (WAFs) are essential security mechanisms designed to protect web applications from various online threats. They filter, monitor, and block incoming traffic to prevent attacks such as SQL injections, cross-site scripting (XSS), and file inclusion exploits. However, while WAFs provide a layer of defense, they are not foolproof. For ethical hackers and bug bounty hunters, learning how to bypass these defenses and exploit complex bugs is crucial for finding vulnerabilities.

In this blog, we will break down the concept of WAF bypass and the process of exploiting complex vulnerabilities in an easy-to-understand manner, suitable for beginners.


Understanding Web Application Firewalls (WAFs)

Before diving into bypassing WAFs, let’s first understand how they work. A WAF sits between a web server and the user, analyzing HTTP/HTTPS traffic. It scans incoming requests for patterns that resemble known attack types (e.g., SQL injection or XSS). If it detects suspicious patterns, it blocks the request, preventing the attack from reaching the web application.

WAFs use different techniques to protect applications:

  1. Signature-based detection: This method compares incoming requests with a list of known attack signatures.
  2. Behavioral-based detection: This method looks for abnormal traffic patterns, such as unusual request rates or suspicious payloads.
  3. Anomaly-based detection: This detects deviations from a baseline of normal traffic patterns.

While effective in many cases, WAFs can be bypassed using various techniques. This is where the knowledge of exploiting complex bugs comes in.


How to Bypass WAFs: Techniques and Methods

1. Encoding Payloads

WAFs often rely on pattern matching to identify malicious inputs. One way to evade detection is by encoding or obfuscating your payloads. Encoding transforms the payload into a format that looks different to the WAF but can still be interpreted by the web application.

  • URL Encoding: Special characters like ?, =, and & can be encoded into percent-encoded representations (e.g., %3D for =).
  • Double URL Encoding: Some WAFs might decode an encoded payload once, but not twice. By encoding the payload twice, you might bypass this decoding mechanism.

Example:
If a payload like test=1' OR '1'='1 is blocked, encoding it as test=1%27%20OR%20%271%27%3D%271 might help you bypass the WAF.

2. Using HTTP Methods Other Than GET

WAFs typically focus on filtering common HTTP methods like GET and POST, which are the most used for attacks. However, WAFs might not properly inspect other HTTP methods such as PUT, DELETE, or OPTIONS.

For example:

  • OPTIONS Method: You can use the OPTIONS method to probe the server for allowed HTTP methods, potentially discovering endpoints that are not protected by the WAF.

By sending an OPTIONS request, you can see which HTTP methods are supported and may bypass WAF restrictions by using less common methods.

3. Case Manipulation

Some WAFs are case-sensitive when matching attack patterns. By changing the case of characters in the payload, you can evade detection.

For instance:

  • Instead of sending OR 1=1, you can try Or 1=1 or or 1=1. This simple case manipulation may be enough to bypass certain WAF filters.

4. SQL Injection with WAF Evasion

SQL injection (SQLi) is one of the most common web vulnerabilities. WAFs are usually equipped with filters to block SQLi patterns, but there are methods to evade these filters:

  • Using Comments: SQLi payloads often include -- for comments, but WAFs may block this. Instead, use other comment styles like /* or #.
  • Union-based SQLi: You can attempt union-based SQL injection to retrieve data from other tables or perform other malicious actions, sometimes bypassing WAF detection by altering the query structure.

Example: ' UNION SELECT null, username, password FROM users --


Exploiting Complex Bugs in Web Applications

Now that we understand how to bypass WAFs, let’s explore how complex bugs, such as Prototype Pollution or Server-Side Request Forgery (SSRF), can be exploited in web applications.

1. Prototype Pollution

Prototype Pollution occurs when an attacker is able to manipulate an object’s prototype in JavaScript, leading to unexpected behavior in the application. This vulnerability can lead to denial of service (DoS) or other malicious actions, depending on the application’s use of the polluted objects.

To exploit this vulnerability:

  • Target vulnerable libraries: Many JavaScript libraries are vulnerable to prototype pollution. Identify the version of the libraries the application uses and look for known prototype pollution vulnerabilities in them.
  • Manipulate JSON objects: In a web app, JSON data is often used to store user input. If an attacker can modify the prototype of the object, it can lead to catastrophic consequences for the app.

Example:

{
"__proto__": {
"isUserAdmin": "true"
}
}

In this example, the attacker tries to set the isUserAdmin field by manipulating the prototype, which could lead to unauthorized access.

2. Server-Side Request Forgery (SSRF)

SSRF allows attackers to make requests to internal resources from the server, often leading to the exposure of sensitive information. Web applications that accept URLs as user input are particularly vulnerable to SSRF.

To exploit SSRF:

  • Identify endpoint vulnerabilities: Look for forms or endpoints that accept URLs (e.g., image URL upload, URL validation) and test them by inputting internal resources like localhost or 127.0.0.1.
  • Test internal services: Once you identify a vulnerable endpoint, try accessing internal services such as metadata APIs on cloud services (e.g., AWS or Google Cloud) that can reveal sensitive server information.

Example:

http://localhost:9200/_cat/indices?v

In this case, the attacker could gain access to the Elasticsearch service running internally on the server.


Best Practices for Bypassing WAFs and Exploiting Bugs Responsibly

While learning how to bypass WAFs and exploit complex bugs is essential for bug bounty hunters and penetration testers, it’s crucial to approach these activities ethically and responsibly:

  1. Get Permission: Only test websites and applications with explicit permission from the owner, such as through bug bounty programs or penetration testing contracts.
  2. Respect Legal Boundaries: Ensure your actions comply with local laws and regulations. Unauthorized access or damage to web applications is illegal.
  3. Report Vulnerabilities: When you discover vulnerabilities, report them responsibly to the affected parties. Avoid exploiting them for malicious purposes.

Conclusion

Bypassing WAFs and exploiting complex bugs like SSRF and Prototype Pollution are advanced techniques used by ethical hackers to discover vulnerabilities in web applications. For beginners, understanding these concepts is an essential part of the learning journey in cybersecurity and bug bounty hunting.

As you progress in your bug bounty career, it’s important to build a deep understanding of how web security works and the tools available to identify and exploit vulnerabilities. Start small, practice responsibly, and continue learning as you tackle more complex challenges in the field of cybersecurity.

Stay curious, stay ethical, and always prioritize security!

Comments from Facebook
Share