WAF Exploitation
Techniques to exploit WAF
Encoding
URL Encoding:
/ ⇒ %2fHex-Encoding:
_ ⇒ \x5f, 0x5fUnicode-Encoding:
% ⇒ \u0025
For example: if we have a payload for LFI and want to test a payload as follows
The above will get flagged by the WAF but to bypass it we can use encoding as follows.
Mixed Case formats
Can be used for different payloads especially SQLi and XSS because they are not case-sensitive.
Obfuscation using White space and delimiters
WAF often checks incoming requests for known attack patterns and signatures but we can evade the WAF by using white-spaces and delimiters as shown below:
Exploiting SSTI Vulnerability
Consider we have the following payload for command execution on a website that used the Jinja2 template engine
But it gets flagged by the WAF as malicious. Next, we can use the following modified payload.
Here we modified the payload into a dictionary-style payload but it still got flagged. Maybe it's because the WAF is blocking the payload based on certain keywords used.
But to evade that, we can use encoding as shown below
Here we have hex-encoded the payload.
HTML Entity Encoding
In the above payload we have encoded the a character in alert(1).
We can do the same with Unicode escape sequences.
Mixed Encoding
Using multiple encoding formats in a payload.
Above we have used both unicode escape sequences and HTML Entity encoding.
Using alternative commands for command injection
WAFs have blocklists containing a set of keywords that will be blocked in an incoming request. Often, there are instances where there are alternative commands that provide the same functionality but are not blocked by the WAF. Some examples are shown below:
Consider the target is running Linux and you have to perform command injection. You want to read the contents of a file hence you use the cat command as follows.
But cat is a keyword blocked by WAF hence you can't use that command. But, you can still read files using alternative commands such as:
Now the last payload is a little interesting. Here, the ? is a wildcard and the command is executed as soon as the wildcard matches a valid character. Hence cat will be executed.
Content Truncation Bypass
WAFs sometimes only check the first 50 or any number of characters of a request in order to improve performance. This gives us another method to execute malicious payloads by putting our payload out of the range.
For example, consider a WAF that only checks the first 50 characters.
Here we have put our malicious content after the 50 characters which will be undetected by the WAF.
The same can be done for path-traversal and SQLi payloads.
HTTP Method filtering
Sometimes WAF might have differences in checking POST and GET requests. The engine might be extremely strict in going through POST requests but might be very lenient in checking GET requests for malicious content. Hence we can accordingly change HTTP methods to send malicious payloads.
Here is a POST request that gets flagged by the WAF.
But if we send the same content via GET.
Then it won't be detected as malicious.
Rate limit bypass
WAF rate-limits an IP address when it detects multiple consecutive requests from it. This can lead to the IP getting temporarily or permanently banned. Hence to avoid that we can use spoofing.
In the above payload we are using a basic for loop to spoof 20 different IP addresses and send requests from each of them in the X-Forwarded-For header in order to avoid getting flagged by the WAF. This technique is useful to carry out brute-force attacks.
Common Alternative Methods
HEAD: Returns only headers (like GET but without body)
OPTIONS: Returns allowed methods and CORS configuration
PUT: Often used by REST APIs to update resources
PATCH: Similar to PUT, for partial updates
DELETE: Used to delete resources
TRACE: Echoes back the request (often disabled)
Last updated