In this blog, we will unravel all the concepts related to the security of WAF (Web Application Firewall). We will also know about how to bypass firewalls so that you can be prepared for most malicious threats and vulnerabilities.
WAF bypass is one of the most talked about concepts as the advanced threats are targeting web applications to gain a lot of data nowadays.
Let us get to know everything about Web application firewalls right here.
A Web Application Firewall (WAF) is a security tool that provides protection for web applications against a variety of attacks, such as SQL injection, cross-site scripting, and other common vulnerabilities.
WAFs are deployed in front of web servers or applications, analyzing all incoming HTTP/HTTPS traffic and blocking any requests that match predefined security rules.
They can be configured to allow only specific types of traffic to reach the web application, based on various criteria such as IP address, user agent, and other request attributes.
WAFs use a variety of techniques to detect and prevent attacks, such as signature-based detection, anomaly detection, and behavioral analysis.
They can also provide additional security features, such as encryption and authentication. WAFs are an important tool for protecting web applications, but they are not a complete solution and should be used in conjunction with other security measures such as secure coding practices, regular vulnerability scanning, and penetration testing.
Web Application Firewalls (WAFs) work by inspecting incoming web traffic to a web application, analyzing the requests, and blocking any malicious or suspicious requests according to a set of predefined security rules. The following are the basic steps of how WAF works:
In addition to these basic steps, WAFs can use various advanced techniques such as machine learning and behavioral analysis to detect and prevent zero-day attacks and other emerging threats.
Overall, WAFs provide an essential layer of security for web applications and can help organizations protect against a wide range of attacks.
There are three configurable types of firewall models based on the kind of security operation you require.
While each has its own set of advantages and disadvantages, it is a piece of good advice to understand each type before deciding which one is perfect for your requirement.
This approach blocks access to resources based on a predefined list of known malicious actors, IP addresses, or domain names. This approach can be effective against known threats but may not protect against new or unknown threats.
This approach only allows access to resources for a predefined list of approved users, IP addresses, or domain names. This approach can be more secure as it only allows access to approved entities but can be more difficult to manage as it requires frequent updates to the list.
This approach combines both the blocklist and allowlist approaches to provide a comprehensive approach to access control. By using both approaches, organizations can prevent known malicious actors from accessing resources while allowing access to approved entities.
Overall, the choice of approach depends on the specific needs and security requirements of the organization.
In combination with WAFs, blocklist, allowlist, and hybrid approaches can be used to enhance security by providing additional layers of protection against web application threats.
Your WAF implementation must suit your organizational needs to keep you protected. We have broken down the three types of WAF implementation strategies for you to gauge the ideal solution for your needs better.
This deployment option involves installing the WAF software directly on the web server. The WAF operates as a module within the operating system or as an extension to the web server software.
Host-based WAFs are typically software-based WAFs and can provide granular control over web traffic to the server, but may have limited scalability and require more resources to maintain.
This deployment option involves deploying the WAF (Web Application Firewall) as a service in the cloud. Cloud-based WAFs are typically offered by third-party providers, such as Amazon Web Services (AWS) or Microsoft Azure.
Cloud-based WAFs can provide high scalability, flexibility, and reduced maintenance, but may have higher costs and require more trust in the third-party provider.
This deployment option involves placing the WAF between the client and the server and monitoring all traffic between them.
Network-based WAFs can be hardware-based or software-based and can provide comprehensive protection against web application threats. However, they may have higher latency and require more complex network infrastructure.
Overall, the choice of WAF deployment option depends on the organization’s specific needs and security requirements, as well as factors such as budget, existing infrastructure, and staff resources.
Here are some techniques you can follow to bypass WAF for ethical reasons to ensure that you have a plan of action when the threat uncovers.
A few Web application firewalls are inadequate and only filter certain scenarios. To optimize the creation of payloads, it’s possible to use a combination of both uppercase and lowercase characters.
Standard: <script>alert()</script>
Bypassed: <ScRipT>alert()</sCRipT
To transform regular payloads, you can use encoding methods such as % encoding or URL encoding. Online tools are available for this purpose. Burp comes equipped with an encoder/decoder built-in feature.
Blocked: <svG/x=”>”/oNloaD=confirm()//
Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F
This technique can be used on the majority of modern web applications, which typically use UTF-8 encoding and are therefore susceptible.
Unicode-encoded ASCII characters can provide useful alternatives for bypassing security measures. You can encode either the complete or partial payload to achieve the desired outcome.
Standard: prompt()
Obfuscated: \u0070r\u06f\u006dpt()
Frequently, web applications transform special characters into HTML-encoded formats and display them appropriately.
This can result in fundamental bypass scenarios involving HTML encoding, either through generic or numeric methods.
Standard: “><img src=x onerror=confirm()>
Encoded: "><img src=x onerror=confirm()> (General form)
Encoded: "><img src=x onerror=confirm()>(Numeric reference)
Web Application Firewall (WAF) rules frequently target a particular type of encoding. However, this type of filter can be evaded by utilizing mixed encoding payloads, which combine multiple encoding techniques. Additionally, using tabs and newlines can contribute to the obfuscation of the payload.
Obfuscated:
<A HREF=”h
tt p://6 6.000146.0×7.147/”>XSS</A>
Comments can conceal standard payload vectors, and distinct types of payloads may require different approaches to obfuscation.
Blocked: <script>alert()</script>
Bypassed: <!–><script>alert/**/()/**/</script>
Double encoding is a technique used to bypass Web Application Firewalls (WAFs) by encoding characters twice. For instance, if a WAF is designed to block the % character, which is used in URL encoding, then an attacker could double encode the character as %25 to bypass the WAF.
Wildcard obfuscation is a technique used to bypass Web Application Firewalls (WAFs) by using wildcard characters.
The technique involves encoding the payload in a way that the WAF cannot recognize it. Here is a code snippet that demonstrates how wildcard obfuscation can be used:
Input:
SELECT * FROM users WHERE username = ‘admin’ AND password = ‘password’
Encoded Payload:
SELEC%2A%2AFROM%2A%2Ausers%2A%2AWHERE%2A%2Ausername%2A%2A%3D%2A%2A’admin’%2A%2AAND%2A%2Apassword%2A%2A%3D%2A%2A’password’
Decoded Payload:
SELECT**FROM**users**WHERE**username**=**’admin’**AND**password**=**’password’
In this example, the asterisk (*) is used as a wildcard character to replace spaces in the original SQL query.
The WAF will not recognize the encoded payload as a SQL query and will allow it to pass through.
By using this technique, attackers can evade WAFs that are designed to block certain characters or keywords.
The junk character technique is a method used to bypass Web Application Firewalls (WAFs) by inserting random or meaningless characters into the payload. Here is a code snippet that demonstrates how junk characters can be used to evade WAFs:
Basic Request: <script>confirm()</script>
Obfuscate Payload: <script>+-+-1-+-+confirm()</script>
The line break technique is a method used to bypass Web Application Firewalls (WAFs) by inserting line breaks into the payload.
The technique involves breaking up the payload into multiple lines and inserting line breaks (newlines) to conceal the malicious code. Here is an example of the line break technique:
Basic Request: <iframe src=javascript:confirm(hacker)”>
Obfuscate Payload: <iframe src=”%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(hacker)”>
SecureLayer7 is a comprehensive cybersecurity solutions provider that offers a wide range of services to help organizations secure their applications, systems, and networks.
Our Firewall Configuration Review service is designed to help organizations identify and fix vulnerabilities in their firewall configurations, ensuring that their networks are secure against cyber threats.
Our team of cybersecurity experts will review your firewall configuration to identify any weaknesses, misconfigurations, or gaps in security.
We will then provide a detailed report of our findings, along with recommendations for improving your firewall configuration. Our team will work closely with you to implement these recommendations, ensuring that your firewall is configured correctly and optimized for maximum security.
With SecureLayer7’s Firewall Configuration Review service, you can rest assured that your organization’s network is protected against cyber threats.
Contact us today to learn more about our Firewall Configuration Review service and how we can help you fortify your organization’s cybersecurity defenses.
