What is WAF (Web Application Firewall), And How Do You Bypass It?

Black Box Penetration Testing
A Brief Guide to Black Box Penetration Testing 
July 25, 2024
Gray Box Penetration Testing
Gray Box Penetration Testing: The Essential Guide
July 30, 2024

July 25, 2024

A Web Application Firewall (WAF) is a security tool designed to protect web applications from various attacks, including cross-site scripting (XSS), SQL injection, and cookie poisoning. These attacks are a major cause of data breaches, often targeting valuable data through vulnerabilities in web applications. A WAF is placed in front of web servers or applications to analyze all incoming HTTP/HTTPS traffic, blocking requests that match predefined security rules.

WAFs can be configured to allow only specific types of traffic based on criteria such as IP address, user agent, and other request attributes. They employ techniques like signature-based detection, anomaly detection, and behavioral analysis to identify and prevent attacks. Additionally, WAFs may offer extra security features such as encryption and authentication.

While WAFs are crucial for web application security, they are not a standalone solution. They should be used alongside other security measures like secure coding practices, regular vulnerability scanning, and penetration testing.

How does a WAF work?

Web Application Firewalls (WAFs) work by inspecting incoming web traffic to a web application, analyzing the requests, and blocking any malicious or suspicious requests according to a set of predefined security rules. The following are the basic steps of how WAF works:

Key Functions of a WAF: 

  • Traffic Interception: WAF sits between the internet and the web server/application, intercepting all HTTP/HTTPS requests.
  • Traffic analysis: WAF analyzes the request headers and body, looking for known patterns and signatures of attacks, such as SQL injection, cross-site scripting, and other vulnerabilities.
  • Rule Matching: WAF checks the request against a set of predefined security rules that define what is allowed or blocked. The rules can be configured to match specific patterns, such as a certain type of SQL injection or a particular user agent.
  • Decision Making: If the request matches one of the security rules, WAF blocks the request and sends an error message to the client or takes other action as defined by the security policy. If the request does not match any rules, it is allowed to pass through to the web server/application.
  • Logging and Reporting: WAF logs all traffic and security events, allowing administrators to monitor and analyze traffic and security incidents.

In addition to these basic steps, WAFs can use various advanced techniques, such as machine learning and behavioural analysis, to detect and prevent zero-day attacks and other emerging threats.

Additional Features and Benefits:

  • Forms and Delivery: WAFs can be implemented as software, appliances, or delivered as a service.
  • Policy Management: While many WAFs require regular updates to their policies, advances in machine learning allow some WAFs to update automatically, addressing new vulnerabilities more effectively.
  • Reverse Proxy Caching: As a reverse proxy, a WAF can also cache responses from backend servers. This caching improves web application performance by reducing response times and easing the load on backend servers, leading to better scalability and resource utilization.

Overall, WAFs provide essential protection for web applications and enhance performance, safeguarding against a wide range of attacks while improving efficiency through caching.

Types of Web Application Firewalls

There are three configurable types of firewall models based on the kind of security operation you require.

While each has its own set of advantages and disadvantages, it is a piece of good advice to understand each type before deciding which one is perfect for your requirement.

Types of Web Application Firewalls

Blocklist/ Blacklist

This approach blocks access to resources based on a predefined list of known malicious actors, IP addresses, or domain names. This approach can be effective against known threats but may not protect against new or unknown threats.

Allowlist/ Whitelist

This approach only allows access to resources for a predefined list of approved users, IP addresses, or domain names. This approach can be more secure as it only allows access to approved entities but can be more difficult to manage as it requires frequent updates to the list.

Hybrid

This approach combines both the blocklist and allowlist approaches to provide a comprehensive approach to access control. By using both approaches, organizations can prevent known malicious actors from accessing resources while allowing access to approved entities.

Overall, the choice of approach depends on the specific needs and security requirements of the organization. 

In combination with WAFs, blocklist, allowlist, and hybrid approaches can be used to enhance security by providing additional layers of protection against web application threats.

Types of Web Application Firewall Implementation

Your WAF implementation must suit your organizational needs to keep you protected. We have broken down the three types of WAF implementation strategies for you to gauge the ideal solution for your needs better.

Network-based WAF:

A network-based WAF involves placing the WAF between the client and the server to monitor all traffic. This type is generally hardware-based and installed locally, which minimizes latency and provides comprehensive protection against web application threats. However, network-based WAFs are the most expensive option and require the storage and maintenance of physical equipment. Additionally, they may introduce higher latency and necessitate a more complex network infrastructure.

Hosted-based WAF:

A host-based WAF involves installing the WAF software directly on the web server, where it operates as a module within the operating system or as an extension to the web server software. This approach offers more customizability and granular control over web traffic to the server and is less expensive than network-based WAFs. However, host-based WAFs consume local server resources, have limited scalability, and involve implementation complexity. They also require significant maintenance and engineering time.

Cloud-based WAF:

A cloud-based WAF is deployed as a service in the cloud, typically offered by third-party providers such as Amazon Web Services (AWS) or Microsoft Azure. Cloud-based WAFs provide high scalability, flexibility, and reduced maintenance. They are affordable with minimal upfront costs and easy to implement, often requiring just a DNS change. These WAFs are also regularly updated to protect against new threats without additional work or cost. The main drawbacks are higher ongoing costs, reliance on the third-party provider, and potentially limited visibility into the WAF’s operations, as it may function as a “black box.”

Choosing the right WAF implementation depends on the organization’s specific needs and security requirements, as well as factors such as budget, existing infrastructure, and staff resources. Each type of WAF offers unique advantages and trade-offs, so understanding these can help in selecting the most suitable solution.

WAF Bypass Cheat Sheet ?

Here are some techniques you can follow to bypass WAF for ethical reasons to ensure that you have a plan of action when the threat uncovers.

Case Toggling

A few Web application firewalls are inadequate and only filter certain scenarios. To optimize the creation of payloads, it’s possible to use a combination of both uppercase and lowercase characters.

Standard: <script>alert()</script>

Bypassed: <ScRipT>alert()</sCRipT

URL encoding

To transform regular payloads, you can use encoding methods such as % encoding or URL encoding. Online tools are available for this purpose. Burp comes equipped with an encoder/decoder built-in feature.

Blocked: <svG/x=”>”/oNloaD=confirm()//

Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

Unicode encoding

This technique can be used on the majority of modern web applications, which typically use UTF-8 encoding and are therefore susceptible.

Unicode-encoded ASCII characters can provide useful alternatives for bypassing security measures. You can encode either the complete or partial payload to achieve the desired outcome.

Standard: prompt()

Obfuscated: \u0070r\u06f\u006dpt()

HTML encoding

Frequently, web applications transform special characters into HTML-encoded formats and display them appropriately.

This can result in fundamental bypass scenarios involving HTML encoding, either through generic or numeric methods.

Standard: “><img src=x onerror=confirm()>

Encoded: &quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt; (General form)

Encoded: &#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62;(Numeric reference)

Mixed encoding

Web Application Firewall (WAF) rules frequently target a particular type of encoding. However, this type of filter can be evaded by utilizing mixed encoding payloads, which combine multiple encoding techniques. Additionally, using tabs and newlines can contribute to the obfuscation of the payload.

Obfuscated:

<A HREF=”h

tt  p://6   6.000146.0×7.147/”>XSS</A>

Using  comments

Comments can conceal standard payload vectors, and distinct types of payloads may require different approaches to obfuscation.

Blocked: <script>alert()</script>

Bypassed: <!–><script>alert/**/()/**/</script>

Double encoding

Double encoding is a technique used to bypass Web Application Firewalls (WAFs) by encoding characters twice. For instance, if a WAF is designed to block the % character, which is used in URL encoding, then an attacker could double encode the character as %25 to bypass the WAF.

Wildcard Obfuscation Technique

Wildcard obfuscation is a technique used to bypass Web Application Firewalls (WAFs) by using wildcard characters.

The technique involves encoding the payload in a way that the WAF cannot recognize it. Here is a code snippet that demonstrates how wildcard obfuscation can be used:

Input:

SELECT * FROM users WHERE username = ‘admin’ AND password = ‘password’

Encoded Payload:

SELEC%2A%2AFROM%2A%2Ausers%2A%2AWHERE%2A%2Ausername%2A%2A%3D%2A%2A’admin’%2A%2AAND%2A%2Apassword%2A%2A%3D%2A%2A’password’

Decoded Payload:

SELECT**FROM**users**WHERE**username**=**’admin’**AND**password**=**’password’

In this example, the asterisk (*) is used as a wildcard character to replace spaces in the original SQL query.

The WAF will not recognize the encoded payload as a SQL query and will allow it to pass through.

By using this technique, attackers can evade WAFs that are designed to block certain characters or keywords.

Junk Characters Technique

The junk character technique is a method used to bypass Web Application Firewalls (WAFs) by inserting random or meaningless characters into the payload. Here is a code snippet that demonstrates how junk characters can be used to evade WAFs:

Basic Request: <script>confirm()</script>

Obfuscate Payload: <script>+-+-1-+-+confirm()</script>

Line Breaks Technique

The line break technique is a method used to bypass Web Application Firewalls (WAFs) by inserting line breaks into the payload.

The technique involves breaking up the payload into multiple lines and inserting line breaks (newlines) to conceal the malicious code. Here is an example of the line break technique:

Basic Request: <iframe src=javascript:confirm(hacker)”>

Obfuscate Payload: <iframe src=”%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(hacker)”>

Review your firewall configuration with SecureLayer7

SecureLayer7 is a comprehensive cybersecurity solutions provider that offers a wide range of services to help organizations secure their applications, systems, and networks.

Our Firewall Configuration Review service is designed to help organizations identify and fix vulnerabilities in their firewall configurations, ensuring that their networks are secure against cyber threats.

Our team of cybersecurity experts will review your firewall configuration to identify any weaknesses, misconfigurations, or gaps in security.

We will then provide a detailed report of our findings, along with recommendations for improving your firewall configuration. Our team will work closely with you to implement these recommendations, ensuring that your firewall is configured correctly and optimized for maximum security.

With SecureLayer7’s Firewall Configuration Review service, you can rest assured that your organization’s network is protected against cyber threats.

Contact us today to learn more about our Firewall Configuration Review service and how we can help you fortify your organization’s cybersecurity defenses.

Discover more from SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Subscribe now to keep reading and get access to the full archive.

Continue reading

Enable Notifications OK No thanks