Blue Arachnid

Penetration Tester and Security Reseracher

Attack & DefenseRed Team

WAF Evasion Techniques for Red Teams

by Mohamed Munazzir

Introduction:

Web Application Firewalls (WAFs) are designed to protect web applications from various cyber attacks by monitoring and filtering incoming HTTP traffic. WAFs are often deployed by organizations to add an extra layer of security to their web applications. However, as a Red Teamer, your job is to bypass these security measures and gain unauthorized access to your target network. In this blog post, we will explore some common WAF Evasion Techniques that Red Teams can use to bypass WAFs and achieve their objectives.

WAF Evasion Techniques:

  1. HTTP Parameter Pollution:

HTTP Parameter Pollution (HPP) is a technique that involves modifying the parameters of a request to bypass the WAF. HPP can be used to evade WAFs that are configured to block specific parameters or patterns. By adding additional parameters to the request, Red Teams can bypass the WAF and deliver their payload to the target system.

  • Bypassing Authentication

Let’s assume that a web application is using a “username” and “password” parameter for user authentication. The WAF is configured to block the “username” parameter, which is vulnerable to SQL injection attacks.

To bypass the WAF, the attacker can use HTTP Parameter Pollution by adding another “username” parameter with a different value to the same request. This will confuse the WAF and allow the SQL injection to bypass the security check.

  • Evasion of Parameter Validation

Assume that a web application uses the “id” parameter to display a user’s information. The WAF is configured to block the “id” parameter, which is vulnerable to Cross-Site Scripting (XSS) attacks.

To bypass the WAF, the attacker can use HTTP Parameter Pollution by adding another “id” parameter with a different value to the same request. This will confuse the WAF and allow the XSS payload to bypass the security check.

  • Bypassing SQL Injection Filters

Let’s say a web application is using a “search” parameter to query a database. The WAF is configured to block certain SQL keywords such as “OR” and “UNION”, which are commonly used in SQL injection attacks.

To bypass the WAF, the attacker can use HTTP Parameter Pollution by adding another “search” parameter with a different value to the same request. This will confuse the WAF and allow the SQL injection payload to bypass the security check.

In all of these examples, HTTP Parameter Pollution is used to bypass the WAF by adding another parameter with a different value to the same request. By doing so, the attacker can confuse the WAF and bypass security checks, allowing them to exploit vulnerabilities in the web application. It’s important for web application developers to be aware of these types of attacks and implement appropriate security measures to protect against them.

  1. Unicode and Character Encoding:

Unicode and character encoding techniques can be used to bypass WAFs that are configured to block specific characters or patterns. By encoding characters, Red Teams can bypass the WAF and deliver their payload to the target system. For example, using Unicode encoding, the character ‘a’ can be encoded as %u0061, which can bypass a WAF that is configured to block the character ‘a’.

  • SQL Injection Bypass using Unicode

Consider a web application that uses a WAF to filter out SQL injection attacks. The WAF blocks any requests that contain SQL keywords such as “OR”, “SELECT”, and “UNION”. However, an attacker can bypass this protection by using Unicode encoding.

For example, the Unicode character for the letter “O” is “\u004f”. By encoding the SQL keyword “OR” with Unicode, an attacker can evade the WAF’s detection. The encoded SQL injection payload would look like this: “\u004fR 1=1”. When this request is sent to the web application, the WAF will not detect the SQL injection because it is hidden behind the Unicode encoding.

  • Cross-Site Scripting (XSS) Bypass using Character Encoding

Let’s say a web application uses a WAF to filter out XSS attacks. The WAF is configured to block certain characters such as “<” and “>” that are commonly used in XSS payloads. However, an attacker can bypass this protection by using character encoding.

For instance, the character “<” can be encoded as “%3c”. By encoding the XSS payload with character encoding, an attacker can evade the WAF’s detection. The encoded XSS payload would look like this: “%3cscript%3ealert(‘XSS Attack’)%3c/script%3e”. When this request is sent to the web application, the WAF will not detect the XSS because it is hidden behind the character encoding.

  • Directory Traversal Bypass using Double Encoding

Assume that a web application is vulnerable to directory traversal attacks. The WAF is configured to block directory traversal payloads such as “../” that are used to navigate up the directory tree. However, an attacker can bypass this protection by using double encoding.

For example, the “../” payload can be encoded as “%2e%2e%2f”. By encoding the directory traversal payload with double encoding, an attacker can evade the WAF’s detection. The encoded payload would look like this: “%252e%252e%252f”. When this request is sent to the web application, the WAF will not detect the directory traversal because it is hidden behind the double encoding.

In summary, attackers can use Unicode and character encoding to bypass WAF protections by hiding malicious payloads behind encoding. Web application developers must take these types of attacks into consideration when designing their security measures to protect against them.

  1. HTTP Method Tampering:

HTTP Method Tampering is a technique that involves modifying the HTTP method of a request to bypass the WAF. WAFs are designed to block specific HTTP methods, such as PUT, DELETE, or TRACE, which are often used in cyber attacks. By modifying the HTTP method, Red Teams can bypass the WAF and deliver their payload to the target system.

  • GET to POST Request Tampering

Assume a web application that is using a WAF to block certain HTTP methods such as PUT and DELETE. The attacker can bypass the WAF by tampering the HTTP request method from GET to POST using various methods such as Burp Suite, cURL or even JavaScript.

For instance, the attacker can use a tool such as Burp Suite to intercept and modify a GET request by changing the request method to POST. The modified request would contain the payload that the attacker wants to send to the web server, but the WAF will not block the request because it is being sent as a POST request.

  • POST to GET Request Tampering

Assume another scenario where the web application is configured to allow only GET requests to a particular endpoint. The attacker can bypass the WAF by tampering the HTTP request method from POST to GET.

For example, the attacker can use a tool such as cURL to send a POST request with the payload that he wants to inject. The attacker then intercepts the request using a tool like Burp Suite, modifies the request method to GET and forwards the request to the web server. The WAF will not block this request because it is being sent as a GET request.

  • HTTP Method Override

Another technique that attackers use to bypass WAFs is by using the HTTP method override feature. This feature allows a client to send an HTTP request with an override header that specifies the HTTP method to use, even if the original method is not allowed by the server.

For instance, the attacker can send a POST request to the web server with the “X-HTTP-Method-Override” header set to PUT. The web server will treat the request as a PUT request and execute it accordingly. The WAF will not block this request because it is being sent as a POST request.

In summary, attackers can use HTTP method tampering to bypass WAF protections by modifying the HTTP request method or by using HTTP method override. Web application developers must take these types of attacks into consideration when designing their security measures to protect against them. WAFs can be configured to block requests that use invalid or unusual HTTP methods or to prevent HTTP method override.

  1. Fragmentation Attacks:

Fragmentation attacks involve splitting packets into smaller fragments to bypass WAFs that are configured to block specific packet sizes or patterns. By fragmenting packets, Red Teams can bypass the WAF and deliver their payload to the target system.

  • HTTP Request Fragmentation

In this type of attack, the attacker can split the HTTP request into multiple smaller packets and send them individually to the web server. This can be done using various techniques, such as using the “Content-Length” header to specify the length of the request or using “Transfer-Encoding: chunked” to indicate that the request is being sent in chunks.

The attacker can then use a tool like Burp Suite to intercept the packets and modify them to inject malicious code or payloads. Since the packets are sent in fragments, the WAF may not be able to detect the malicious code or payloads and may allow them to pass through to the web server.

  • HTTP Response Fragmentation

In this type of attack, the attacker can split the HTTP response into multiple smaller packets and send them individually to the client. The attacker can use this technique to hide malicious payloads or to bypass WAFs that are unable to reassemble the packets.

For instance, the attacker can use a tool like cURL to send a request to the web server and intercept the response using Burp Suite. The attacker can then split the response into smaller packets and modify them to inject malicious payloads. Since the packets are sent in fragments, the WAF may not be able to detect the malicious code or payloads and may allow them to pass through to the client.

  • TCP/IP Fragmentation

In this type of attack, the attacker can exploit the TCP/IP protocol by splitting the malicious payload across multiple packets and sending them in different IP fragments. This can be done using various tools and techniques, such as using Scapy or hping3 to send fragmented packets.

The attacker can then use a tool like Wireshark to intercept the packets and modify them to inject malicious code or payloads. Since the packets are sent in fragments, the WAF may not be able to detect the malicious code or payloads and may allow them to pass through to the web server.

In summary, fragmentation attacks are a powerful technique that can be used by attackers to bypass WAF protections. Web application developers must ensure that their WAFs are able to handle fragmented requests and responses and can reassemble them properly to prevent these types of attacks.

Conclusion:

WAFs are an essential component of any web application security strategy, and Red Teams must be able to bypass them to achieve their objectives. By using techniques such as HTTP parameter pollution, Unicode and character encoding, HTTP method tampering and fragmentation attacks, Red Teams can bypass WAFs and gain unauthorized access to their target network. However, it’s important to note that these techniques can also be used by malicious actors, and organizations should take proactive steps to protect their web applications against these threats. As a Red Teamer, it’s important to stay up to date with the latest WAF Evasion Techniques and stay one step ahead of the defenders.

Share this post

Related posts

Introduction to Malware Analysis: A Blue Team Perspective

Google Dorking

Using Sysmon to Block Files and sending alert to slack using webhook