In this blog, we will unravel the concepts related to the security of Web Application Firewalls (WAFs). We will also cover how attackers bypass firewalls, so that you can be prepared for most malicious threats and vulnerabilities.
WAF bypass is one of the most talked-about concepts, as advanced threats now target web applications to gain access to large amounts of data.
Let us get to know everything about Web application firewalls right here.
What is a Web Application Firewall?
A Web Application Firewall (WAF) is a security tool that provides protection for web applications against a variety of attacks, such as SQL injection, cross-site scripting, and other common vulnerabilities.
WAFs are deployed in front of web servers or applications, analyzing all incoming HTTP/HTTPS traffic and blocking any requests that match predefined security rules.
They can be configured to allow only specific types of traffic to reach the web application, based on various criteria such as IP address, user agent, and other request attributes.
WAFs use a variety of techniques to detect and prevent attacks, such as signature-based detection, anomaly detection, and behavioral analysis.
They can also provide additional security features, such as encryption and authentication. WAFs are an important tool for protecting web applications, but they are not a complete solution and should be used in conjunction with other security measures such as secure coding practices, regular vulnerability scanning, and penetration testing.
How does a WAF work?
Web Application Firewalls (WAFs) work by inspecting incoming web traffic to a web application, analyzing the requests, and blocking any malicious or suspicious requests according to a set of predefined security rules. The following are the basic steps of how a WAF works:
Traffic interception: The WAF sits between the internet and the web server/application, intercepting all HTTP/HTTPS requests.
Traffic analysis: The WAF analyzes the request headers and body, looking for known patterns and signatures of attacks, such as SQL injection, cross-site scripting, and other vulnerabilities.
Rule matching: The WAF checks the request against a set of predefined security rules that define what is allowed or blocked. The rules can be configured to match specific patterns, such as a certain type of SQL injection or a particular user agent.
Decision making: If the request matches one of the security rules, the WAF blocks the request and sends an error message to the client, or takes other action as defined by the security policy. If the request does not match any rules, it is allowed to pass through to the web server/application.
Logging and reporting: The WAF logs all traffic and security events, allowing administrators to monitor and analyze traffic and security incidents.
In addition to these basic steps, WAFs can use various advanced techniques such as machine learning and behavioral analysis to detect and prevent zero-day attacks and other emerging threats.
Overall, WAFs provide an essential layer of security for web applications and can help organizations protect against a wide range of attacks.
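The five steps above, as an added illustration written for this article (not code from the original post or from any WAF product). It walks one constructed request through interception, analysis, rule matching, decision and logging; the rule ids, patterns and sample requests are invented for the example, and a production rule set such as the OWASP Core Rule Set is far larger and tuned per application.

```python
"""Minimal rule-matching WAF pipeline (added illustration, not a real product).

Walks the five steps: intercept a request, analyse its parts, match rules,
decide, and log the event. Rules and sample traffic are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """The parts of an HTTP request the WAF intercepts (step 1)."""
    method: str
    path: str
    query: str
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    targets: Tuple[str, ...]  # which request parts this rule inspects


# Constructed rules. "headers:Name" inspects one header; other targets
# name a Request field. Real rule sets are much larger than this.
RULES: List[Rule] = [
    Rule("R001", "SQL injection: tautology or UNION SELECT",
         re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
         ("query", "body")),
    Rule("R002", "XSS: script tag",
         re.compile(r"(?i)<\s*script\b"), ("query", "body")),
    Rule("R003", "Known scanner user agent",
         re.compile(r"(?i)^sqlmap"), ("headers:User-Agent",)),
]


def _request_part(req: Request, target: str) -> str:
    if target.startswith("headers:"):
        return req.headers.get(target.split(":", 1)[1], "")
    return getattr(req, target)


def inspect(req: Request, rules: List[Rule] = RULES,
            log: Optional[List[dict]] = None) -> Tuple[str, Optional[str]]:
    """Steps 2-5: analyse the request parts, match rules, decide, log.

    Returns ("block", rule_id) on the first matching rule, else ("allow", None).
    Every decision is appended to `log` (step 5), so allowed traffic can be
    reviewed later as well as blocked traffic.
    """
    decision, matched = "allow", None
    for rule in rules:                      # step 3: rule matching
        for target in rule.targets:         # step 2: analyse query/body/headers
            if rule.pattern.search(_request_part(req, target)):
                decision, matched = "block", rule.rule_id   # step 4: decide
                break
        if matched:
            break
    if log is not None:                     # step 5: logging and reporting
        log.append({"method": req.method, "path": req.path,
                    "decision": decision, "rule": matched})
    return decision, matched


if __name__ == "__main__":
    events: List[dict] = []
    # Constructed sample traffic: one benign request, two malicious ones.
    samples = [
        Request("GET", "/search", "q=laptops", {"User-Agent": "Mozilla/5.0"}),
        Request("GET", "/login", "user=admin' OR '1'='1", {"User-Agent": "Mozilla/5.0"}),
        Request("POST", "/comment", "", {"User-Agent": "sqlmap/1.7"}, body="hello"),
    ]
    for s in samples:
        print(s.path, inspect(s, log=events))
    print(len(events), "events logged")
```

Note that the pipeline stops at the first matching rule; a real WAF usually evaluates every rule and scores the request so that the log shows all the reasons a request was blocked, not just the first.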
Types of Web Application Firewalls
There are three configurable firewall models, based on the kind of security operation you require.
Each has its own advantages and disadvantages, so it is good advice to understand each type before deciding which one is right for your requirements.
Blocklist/ Blacklist
This approach blocks access to resources based on a predefined list of known malicious actors, IP addresses, or domain names. This approach can be effective against known threats but may not protect against new or unknown threats.
Allowlist/ Whitelist
This approach only allows access to resources for a predefined list of approved users, IP addresses, or domain names. This approach can be more secure as it only allows access to approved entities but can be more difficult to manage as it requires frequent updates to the list.
Hybrid
This approach combines both the blocklist and allowlist approaches to provide a comprehensive approach to access control. By using both approaches, organizations can prevent known malicious actors from accessing resources while allowing access to approved entities.
Overall, the choice of approach depends on the specific needs and security requirements of the organization.
In combination with WAFs, blocklist, allowlist, and hybrid approaches can be used to enhance security by providing additional layers of protection against web application threats.
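The three access-control models above, as an added example written for this article (not code from the original post or from any product). The CIDR ranges are constructed values, and the precedence used in "hybrid" mode is an assumption of this example: a blocklist hit always denies, an allowlist hit is admitted, and everything else falls through to the WAF's signature rules.

```python
"""Blocklist, allowlist and hybrid decisions for a WAF's access-control layer.

Added illustration, not code from the original post or any product.
Lists hold CIDR strings (constructed values). Hybrid precedence is an
assumption: blocklist beats allowlist, unknown clients are "inspect"ed.
"""
import ipaddress
from typing import Iterable


def _in_any(ip, networks: Iterable[str]) -> bool:
    """True if ip falls inside any of the given CIDR ranges."""
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def decide(client_ip: str, mode: str,
           blocklist: Iterable[str] = (), allowlist: Iterable[str] = ()) -> str:
    """Return "allow", "deny" or "inspect" for client_ip under the chosen mode."""
    ip = ipaddress.ip_address(client_ip)
    blocked, approved = _in_any(ip, blocklist), _in_any(ip, allowlist)
    if mode == "blocklist":
        # Default allow: only listed actors are stopped, so a new or unknown
        # attacker passes until the list is updated.
        return "deny" if blocked else "allow"
    if mode == "allowlist":
        # Default deny: anything not pre-approved is refused, which is why the
        # list needs frequent maintenance.
        return "allow" if approved else "deny"
    if mode == "hybrid":
        if blocked:
            return "deny"        # known bad wins even inside an approved range
        if approved:
            return "allow"
        return "inspect"         # unknown client: hand to signature/anomaly rules
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed lists using RFC 5737 documentation ranges.
    block = ["203.0.113.0/24", "198.51.100.9/32"]
    allow = ["198.51.100.0/24"]
    for ip in ("203.0.113.7", "198.51.100.9", "198.51.100.10", "192.0.2.1"):
        print(ip, decide(ip, "hybrid", block, allow))
```

The "allow" outcome of the hybrid mode only means the client has cleared the access-control layer; whether allowlisted ranges also skip signature inspection is a separate policy decision, and skipping it means a compromised host inside an approved range is never inspected.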
Types of WAF implementation
Your WAF implementation must suit your organizational needs to keep you protected. We have broken down the three WAF implementation strategies so that you can better gauge the ideal solution for your needs.
Host-based WAF
This deployment option involves installing the WAF software directly on the web server. The WAF operates as a module within the operating system or as an extension to the web server software.
Host-based WAFs are typically software-based WAFs and can provide granular control over web traffic to the server, but may have limited scalability and require more resources to maintain.
Cloud-based WAF
This deployment option involves deploying the WAF as a service in the cloud. Cloud-based WAFs are typically offered by third-party providers, such as Amazon Web Services (AWS) or Microsoft Azure.
Cloud-based WAFs can provide high scalability, flexibility, and reduced maintenance, but may have higher costs and require more trust in the third-party provider.
Network-based WAF
This deployment option involves placing the WAF between the client and the server and monitoring all traffic between them.
Network-based WAFs can be hardware-based or software-based and can provide comprehensive protection against web application threats. However, they may have higher latency and require more complex network infrastructure.
Overall, the choice of WAF deployment option depends on the organization’s specific needs and security requirements, as well as factors such as budget, existing infrastructure, and staff resources.
Here is your WAF bypass cheatsheet
Here are some techniques used to bypass WAFs, listed for ethical purposes so that you can test your own rules and have a plan of action when such a threat surfaces.
Case Toggling
Some web application firewalls are inadequate and filter only certain exact patterns. When crafting payloads, it is possible to use a combination of uppercase and lowercase characters to slip past such filters.
Standard: <script>alert()</script>
Bypassed: <ScRipT>alert()</sCRipT>
URL encoding
To transform regular payloads, you can use encoding methods such as percent encoding (URL encoding). Online tools are available for this purpose, and Burp Suite has a built-in encoder/decoder.
This technique can be used on the majority of modern web applications, which typically use UTF-8 encoding and are therefore susceptible.
Unicode-encoded ASCII characters can provide useful alternatives for bypassing security measures. You can encode either the complete or partial payload to achieve the desired outcome.
Standard: prompt()
Obfuscated: \u0070r\u006f\u006dpt()
HTML encoding
Frequently, web applications transform special characters into HTML-encoded formats and display them appropriately.
This can result in fundamental bypass scenarios involving HTML encoding, either through generic or numeric methods.
Web Application Firewall (WAF) rules frequently target a particular type of encoding. However, this type of filter can be evaded by utilizing mixed encoding payloads, which combine multiple encoding techniques. Additionally, using tabs and newlines can contribute to the obfuscation of the payload.
Obfuscated:
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
Using comments
Comments can conceal standard payload vectors, and distinct types of payloads may require different approaches to obfuscation.
Blocked: <script>alert()</script>
Bypassed: <!--><script>alert/**/()/**/</script>
Double encoding
Double encoding is a technique used to bypass Web Application Firewalls (WAFs) by encoding characters twice. For instance, if a WAF is designed to block the % character, which is used in URL encoding, then an attacker could double encode the character as %25 to bypass the WAF.
Wildcard Obfuscation Technique
Wildcard obfuscation is a technique used to bypass Web Application Firewalls (WAFs) by using wildcard characters.
The technique involves encoding the payload in a way that the WAF cannot recognize it. Here is a code snippet that demonstrates how wildcard obfuscation can be used:
Input:
SELECT * FROM users WHERE username = 'admin' AND password = 'password'
In this example, the asterisk (*) is used as a wildcard character to replace spaces in the original SQL query.
The WAF will not recognize the encoded payload as a SQL query and will allow it to pass through.
By using this technique, attackers can evade WAFs that are designed to block certain characters or keywords.
Junk Characters Technique
The junk character technique is a method used to bypass Web Application Firewalls (WAFs) by inserting random or meaningless characters into the payload. Here is a code snippet that demonstrates how junk characters can be used to evade WAFs:
Line Break Technique
The line break technique is a method used to bypass Web Application Firewalls (WAFs) by inserting line breaks into the payload.
The technique involves breaking up the payload into multiple lines and inserting line breaks (newlines) to conceal the malicious code. Here is an example of the line break technique:
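Every technique in the cheatsheet above (case toggling, URL and \u encoding, HTML encoding, comments, double encoding, and tabs, junk whitespace and line breaks) defeats a WAF that matches signatures against the raw request. The defender-side answer is to canonicalise the input first and match afterwards. The example below is added for this article and is not code from the original post or from any WAF product: it normalises a request field the way a browser or database would interpret it, then runs a few constructed signatures over the result, using the cheatsheet's own payloads as test inputs. The signature names, the decode-round limit and the four-part-only `canonical_ip` helper (which resolves the mixed octal/hex host literal from the HTML-encoding example the way `inet_aton` does) are assumptions of this example.

```python
"""Normalise a request field before signature matching (added illustration).

Canonicalises the evasions listed in the cheatsheet so that one plain-text
signature catches all of them. Signatures and sample inputs are constructed.
"""
import html
import re
from typing import List, Optional
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bounded: defeats double/triple encoding without looping forever

# Constructed signatures, applied to the normalised text only.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<script"),
    "xss-js-call": re.compile(r"\b(alert|prompt|confirm)\("),
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
}
_JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
_COMMENTS = re.compile(r"<!--.*?-->|<!-+>|/\*.*?\*/", re.S)
_URL_HOST = re.compile(r"https?://([^/\s\"'>]+)")
_HEX = re.compile(r"^0x[0-9a-f]+$")


def normalize(text: str) -> str:
    s = text
    # 1. URL-decode repeatedly until stable: %253C -> %3C -> <  (double encoding)
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # 2. JavaScript \uXXXX escapes: \u0070r\u006f\u006dpt -> prompt
    s = _JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)
    # 3. HTML entities, named and numeric: &lt;script&gt; -> <script>
    s = html.unescape(s)
    # 4. Drop HTML and /* */ comments used as filler
    s = _COMMENTS.sub("", s)
    # 5. Browsers ignore tab/CR/LF inside attributes and URLs: remove them,
    #    then collapse the remaining whitespace runs (junk) to one space
    s = re.sub(r"[\t\r\n]", "", s)
    s = re.sub(r"\s+", " ", s)
    # 6. Case-fold so <ScRipT> and <script> compare equal
    return s.lower()


def canonical_ip(host: str) -> Optional[str]:
    """Resolve a four-part dotted literal with decimal, octal (leading 0) and
    hex (0x) parts the way inet_aton does: 66.000146.0x7.147 -> 66.102.7.147.
    Returns None when host is not such a literal (assumption: 4 parts only)."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    out = []
    for p in parts:
        try:
            if _HEX.match(p):
                v = int(p, 16)
            elif len(p) > 1 and p.startswith("0"):
                v = int(p, 8)
            else:
                v = int(p, 10)
        except ValueError:
            return None
        if not 0 <= v <= 255:
            return None
        out.append(str(v))
    return ".".join(out)


def match_signatures(text: str) -> List[str]:
    """Normalise, then report every signature (and obfuscated URL host) that fires."""
    norm = normalize(text)
    hits = [name for name, pat in SIGNATURES.items() if pat.search(norm)]
    for host in _URL_HOST.findall(norm):
        canon = canonical_ip(host)
        if canon is not None and canon != host:
            hits.append("url-obfuscated-ip")  # host literal written to hide its real value
    return hits


if __name__ == "__main__":
    # The cheatsheet's own payloads (tabs/newlines inserted in the href one).
    samples = [
        "<ScRipT>alert()</sCRipT>",
        r"\u0070r\u006f\u006dpt()",
        "<!--><script>alert/**/()/**/</script>",
        "%253Cscript%253Ealert(1)%253C%2Fscript%253E",
        '<A HREF="h\ntt\tp://6\t6.000146.0x7.147/">XSS</A>',
        "SELECT name FROM users WHERE id = 42",
    ]
    for s in samples:
        print(repr(s), "->", repr(normalize(s)), match_signatures(s))
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service vector, and the normalised form should be logged next to the raw request so analysts can see both what arrived and what the rule actually matched.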
Review your firewall configuration with SecureLayer7
SecureLayer7 is a comprehensive cybersecurity solutions provider that offers a wide range of services to help organizations secure their applications, systems, and networks.
Our Firewall Configuration Review service is designed to help organizations identify and fix vulnerabilities in their firewall configurations, ensuring that their networks are secure against cyber threats.
Our team of cybersecurity experts will review your firewall configuration to identify any weaknesses, misconfigurations, or gaps in security.
We will then provide a detailed report of our findings, along with recommendations for improving your firewall configuration. Our team will work closely with you to implement these recommendations, ensuring that your firewall is configured correctly and optimized for maximum security.
With SecureLayer7’s Firewall Configuration Review service, you can rest assured that your organization’s network is protected against cyber threats.
Contact us today to learn more about our Firewall Configuration Review service and how we can help you fortify your organization’s cybersecurity defenses.