The most powerful WAF evasion techniques?


A WAF is one of the most recommended security solutions for web applications. This solution was made to stop known and unknown attacks against websites. However, cyber security researchers have discovered many techniques on how to bypass those firewalls and successfully exploit vulnerabilities. So, what are the most powerful web application firewall evasion techniques?

Here is a list of the most powerful web application firewall evasion techniques actively used by attackers:

  • Fuzzing/Bruteforcing
  • Regex Reversing
  • Obfuscation/Encoding
  • Browser Bugs
  • HTTP Header Spoofing
  • Known WAF bypasses

You should know that web application firewall evasion techniques depend on the nature of the vulnerability you want to exploit. In this blog post, I will explain some techniques that are used to bypass the WAF while exploiting some well-known vulnerabilities.

Fuzzing/Bruteforcing

The most obvious technique attackers use to bypass web application firewalls is fuzzing or brute-forcing the WAF with multiple known and tested payloads. Most web application firewalls have at some point been vulnerable to some evasion techniques, and some may still not be up to date.

In addition, when a bypass is discovered in one solution, there is a high probability that the same technique might work for the other ones.

Therefore, testing the old payloads against the firewall is the first thing that should be performed to evade the firewall. This technique could be considered as a quick win for the attacker as it doesn’t take too much time to try all the techniques.

Unfortunately, this technique is very noisy and is usually easily detected by WAFs. Therefore, an attacker who is serious about hacking the website will first test this technique against your firewall in a local or private environment. Then, when the right payload is found, it is used against the website in a single request.

Regex Reversing

The regex reversing technique can be divided into two main methods depending on the type of web application firewall. The type of the WAF is defined by the method used to block attacks. Some WAFs use blacklists and others use whitelists.

A black list technique is based on blocking the well-known dangerous patterns from reaching the app. A white list blocking technique is based on blocking all unknown patterns. Both techniques have their pros and cons.

It might look like the whitelist technique is the most powerful, as it helps to block unknown attacks. However, you should know that to use this technique, WAF vendors require a learning period which, if not performed well, might have a serious impact on the app.

The regex reversing technique is based on actively interacting with the WAF to detect which method it uses, and then either not sending the known malicious pattern or sending the exact whitelisted pattern.

Obfuscation/Encoding

Obfuscation and encoding are some of the most used techniques to bypass web application firewalls. They are increasingly detected by web application firewalls. However, these two techniques might still work against some old WAFs and in some scenarios.

The main idea behind this technique is to change the structure and the syntax of the malicious code sent to exploit the vulnerability without semantically changing that code. Most black list-based web application firewalls can be bypassed using this technique if a normalization step is not well performed in the detection process of the WAF.

Here is a list of some well-known obfuscation techniques that still work today:

  • Case Toggling
  • URL Encoding
  • Wildcards
  • Comments
  • Dynamic Payload Generation

Most of the previously listed obfuscation and encoding techniques can be used when exploiting any type of vulnerability. However, the wildcards technique is specific to exploiting a command injection vulnerability, as the wildcards can only be understood by a Linux system.
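
The normalization step mentioned above, seen from the defender's side, as an added example (not code from the original post or from any WAF product). The signature, the sample inputs and all function names are constructed for illustration; it compares a blacklist rule applied to the raw value with the same rule applied after normalization.

```python
import re
from urllib.parse import unquote_plus

# Constructed blacklist signature, for illustration only.
SIGNATURE = re.compile(r"\bunion\s+select\b")

def normalize(value, max_rounds=3):
    """Canonicalize a parameter value before signature matching."""
    # URL-decode until the value stops changing, so nested encoding is undone.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    else:
        # Still changing after max_rounds: refuse rather than match a half-decoded value.
        raise ValueError("too many encoding layers")
    # Replace inline /* ... */ comments with a space so they cannot stand in for whitespace.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # Fold case and collapse whitespace runs.
    return re.sub(r"\s+", " ", value.lower()).strip()

def naive_match(value):
    """Signature applied to the raw value: what a rule without normalization sees."""
    return bool(SIGNATURE.search(value))

def normalized_match(value):
    """Signature applied after normalization; fails closed on excessive encoding."""
    try:
        return bool(SIGNATURE.search(normalize(value)))
    except ValueError:
        return True

# Constructed sample inputs covering the variants listed above.
SAMPLES = [
    "id=1 union select 1",              # plain
    "id=1 UnIoN SeLeCt 1",              # case toggling
    "id=1%2520union%2520select%25201",  # double URL encoding
    "id=1 union/**/select 1",           # comment in place of whitespace
    "q=student union selection panel",  # benign text, must not match
]

def compare(samples=SAMPLES):
    """Return (sample, naive result, normalized result) for each input."""
    return [(s, naive_match(s), normalized_match(s)) for s in samples]

if __name__ == "__main__":
    for sample, raw, norm in compare():
        print(f"{sample!r:40} naive={raw} normalized={norm}")
```

Only the plain variant matches the raw rule, while all four variants match after normalization and the benign text matches neither.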

Browser Bugs

This technique is based on exploiting a known bug in the victim's browser to bypass the WAF. This technique is the most dangerous among all the others, as it is very difficult for the WAF support team to discover. Here are some examples of well-known bugs that were exploited by attackers to bypass WAF protections:

  • Charset Bugs
  • Null Bytes
  • Parsing Bugs
  • Unicode Separators

What makes this technique even more dangerous is the fact that some bugs are not known by the browser vendor itself and are being exploited in the wild by attackers. This is known as a zero-day attack, and it is the most dangerous type of cyberattack.

HTTP Header Spoofing

The HTTP header spoofing technique is a very simple and efficient technique used by attackers to bypass the WAFs. Usually, a web application firewall might be configured to allow some type of queries and syntax to pass through the firewall if it comes from an internal address.

This is in some cases performed to allow some quick application debugging if the same WAF protects the test environment.

Therefore, the attacker in this technique tries to fool the WAF into thinking that the request is coming from an inside network by sending some tricky headers.

Here is what such tricky headers may look like:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
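
The corresponding check on the defending side, as an added example (not code from the original post or from any WAF product): the source address is taken from the TCP peer, and X-Forwarded-For is read only when that peer is a known reverse proxy. The proxy range, the internal ranges and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions (constructed values): the reverse proxies allowed to append to
# X-Forwarded-For, and the ranges the relaxed "internal" policy applies to.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("10.0.0.0/8")]

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def effective_client_ip(peer_ip, headers):
    """Return the address to base policy on, or None if the chain is malformed."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        # Direct connection from an untrusted peer: every forwarding header
        # (X-Forwarded-For, X-Originating-IP, ...) is client-supplied. Ignore them.
        return peer
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    client = peer
    # Walk right to left: only entries appended by our own proxies are reliable,
    # so stop at the first address that is not one of them.
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            client = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        if not _in_any(client, TRUSTED_PROXIES):
            break
    return client

def is_internal(peer_ip, headers):
    """True only when the effective client address is in an internal range."""
    client = effective_client_ip(peer_ip, headers)
    return client is not None and _in_any(client, INTERNAL_NETS)

if __name__ == "__main__":
    spoofed = {"X-Originating-IP": "127.0.0.1", "X-Forwarded-For": "127.0.0.1"}
    print(is_internal("203.0.113.7", spoofed))  # external peer, headers ignored
    print(is_internal("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}))
    print(is_internal("10.0.0.5", {"X-Forwarded-For": "10.1.2.3"}))
```

X-Originating-IP is never consulted here, since nothing in the assumed proxy chain sets it.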

Known WAF bypasses

Web application firewalls are becoming more and more secure and intelligent in terms of detecting attacks and bypass techniques. However, that does not mean that they are not vulnerable or that their detection algorithms and code are flawless. All WAFs were at some point in their life cycle vulnerable to some kind of bypass technique.

Cyber security researchers are trying each day to find new ways to bypass those firewalls, and they have been successful many times. In some cases, researchers even publish their work. Therefore, attackers could look for those techniques and test them first before even trying to understand the web application firewall logic.

Conclusion

You need to understand that any web application firewall can be vulnerable at some point to some evasion technique. However, what makes one firewall better than another is the time needed to fix the issue so that the evasion technique starts getting blocked.

I have personally seen how fast some web application firewall vendors are when dealing with such problems, and here is the best web application firewall that I recommend depending on the size of the website.

Written by: Z. Oualid

About the author
Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certified Ethical hacker (CEH). I hope you enjoy my articles :).

