Common WAF Bypass Techniques and Principles

Bypass WAF
Introduction
Let's discuss evading a WAF during file upload. In a nutshell, a WAF (Web Application Firewall) is a product that protects web applications by enforcing a set of HTTP/HTTPS security rules. Upload bypass is not a single technology; it is a matter of getting past what is often called "unknown" protection, whose rules the attacker cannot see.
WAFs, of course, present certain challenges to hackers and pentesters. A WAF makes finding and exploiting vulnerabilities more time-consuming (unless the attacker knows an effective 0day bypass for the specific WAF). When it comes to assessing WAF-protected web apps, automatic scanners are basically useless. A WAF is a solid defense against "script-kiddies." An expert hacker or a researcher without enough motivation, on the other hand, will not want to waste time figuring out how to get around it. It's worth noting that the more complicated a web app is, the larger its attack surface becomes, and the easier it is to find a way around the WAF.
General developer defense strategy
- JavaScript validation on the client side (generally only the suffix name is verified).
- Verification on the server:
- Verification of the content-type field in the file header (image/gif).
- Verification of file content headers (GIF89a).
- Verification of the suffix name blacklist.
- Whitelist verification for suffix names.
- Periodic custom verification.
- Verification of WAF devices (depending on different WAF products).
Bypass
- Some WAFs do not block files with an asp/php/jsp suffix outright, but they inspect the content of such files. First upload a file with a txt suffix whose content is the Trojan horse: the WAF only looks at the suffix and does not inspect the content of a .txt file.
- Then upload a .php file whose content is one of the include statements below. The php file pulls in the content of the uploaded txt (text) file, thereby bypassing the verification. Syntax by language:
PHP: <?php include("Uploaded txt file path"); ?>
ASP: <!--#include file="Uploaded txt file path" -->
JSP: <jsp:include page="Uploaded txt file path"/> or <%@ include file="Uploaded txt file path" %>
Access shell.php to run the php code. Also check whether a compressed file with its suffix changed to zip, phar, or rar is accepted, which it is.
WTS-WAF Bypass
Content-Disposition: form-data; name="up_picture"; filename="xss.php"
Cloud Bypass
This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.
int(request.headers["content-length"])>=8192
Cloud WAFs are a lot easier to bypass: detecting php based on the file name alone, with case-sensitive matching, is insufficient.
Content-Disposition: form-data; name="img_crop_file"; filename="1.php"
Note: correct, deleting the Content-Type: image/jpeg line bypasses it.
Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png"
Content-Type: image/png
Bypass
Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png
Cloud Lock Bypass
Content-Disposition: form-data; name="up_picture"; filename="xss.php"
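As an added detection-side example (not code from the original post), the following Python scans the part headers of constructed multipart/form-data requests for the patterns quoted in the bypass sections above: a script extension in the filename, case variation in that extension, a file part whose Content-Type line has been removed, and an unterminated filename quote. The boundary, the sample bodies and the extension list are assumptions made for this example.

```python
import re

# Extensions a public image-upload endpoint should never accept (assumed list for this example).
SCRIPT_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar", "asp", "aspx", "jsp", "jspx"}

# filename="..."; the closing quote is captured separately so its absence can be flagged.
FILENAME_RE = re.compile(r'filename=(?P<q>")?(?P<name>[^";\r\n]*)(?P<close>")?', re.I)

BOUNDARY = "----FormBoundaryEXAMPLE"  # constructed boundary


def _build_body(parts):
    """Assemble a multipart/form-data body from (header_lines, payload) pairs (constructed data)."""
    body = ""
    for header_lines, payload in parts:
        body += "--" + BOUNDARY + "\r\n" + "\r\n".join(header_lines) + "\r\n\r\n" + payload + "\r\n"
    return body + "--" + BOUNDARY + "--\r\n"


# Constructed sample requests mirroring the part headers quoted in the post.
SAMPLE_REQUESTS = {
    "benign": _build_body([
        (['Content-Disposition: form-data; name="image"; filename="cat.png"',
          "Content-Type: image/png"], "CONSTRUCTED PNG BYTES"),
    ]),
    "script_suffix": _build_body([
        (['Content-Disposition: form-data; name="up_picture"; filename="xss.php"',
          "Content-Type: image/jpeg"], "CONSTRUCTED PAYLOAD"),
    ]),
    "mixed_case": _build_body([
        (['Content-Disposition: form-data; name="img_crop_file"; filename="1.pHp"',
          "Content-Type: image/jpeg"], "CONSTRUCTED PAYLOAD"),
    ]),
    "no_content_type": _build_body([
        (['Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png"'],
         "CONSTRUCTED PAYLOAD"),
    ]),
    "unterminated_quote": _build_body([
        (['Content-Disposition: form-data; name="image"; filename="085733uykwusqcs8vw8wky.png',
          "Content-Type: image/png"], "CONSTRUCTED PAYLOAD"),
    ]),
}


def split_parts(body, boundary):
    """Split a multipart body into (header_text, payload) tuples."""
    parts = []
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":  # leading empty chunk / closing delimiter
            continue
        header_text, _, payload = chunk.partition("\r\n\r\n")
        parts.append((header_text, payload))
    return parts


def inspect_part(header_text):
    """Return the findings for one part's headers; an empty list means nothing suspicious."""
    findings = []
    m = FILENAME_RE.search(header_text)
    if not m:
        return findings  # plain form field, not a file
    if m.group("q") and not m.group("close"):
        findings.append("malformed header: unterminated filename quote")
    name = m.group("name")
    raw_ext = name.rsplit(".", 1)[-1] if "." in name else ""
    ext = raw_ext.lower()  # compare case-insensitively so 1.pHp is still php
    if ext in SCRIPT_EXTENSIONS:
        findings.append("script extension ." + ext)
        if raw_ext != ext:
            findings.append("case-varied extension (." + raw_ext + ")")
    header_lines = header_text.split("\r\n")
    if not any(line.lower().startswith("content-type:") for line in header_lines):
        findings.append("file part without Content-Type")
    return findings


def scan_request(body, boundary=BOUNDARY):
    """Map each flagged filename to its findings."""
    report = {}
    for header_text, _payload in split_parts(body, boundary):
        findings = inspect_part(header_text)
        if findings:
            report[FILENAME_RE.search(header_text).group("name")] = findings
    return report


if __name__ == "__main__":
    for label, body in SAMPLE_REQUESTS.items():
        print(label, scan_request(body))
```

Each rule flags a header shape rather than a payload signature, so it keeps working when the payload itself is encoded or split across the txt/include trick described earlier; the findings are meant to feed an alert or a hard reject in the upload handler, not to replace content validation.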
Defense
Let's talk about the defense mechanisms against the bypass types above in detail; other defense mechanisms can be studied by yourself.
The directory is set as non-executable:
As long as the web container cannot parse the files in this directory, even if the attacker uploads the script file, the server itself will not be affected, so this point is very important.
Determine the file type:
When judging the file type, it is recommended to use the whitelist method in combination with MIME-Type, suffix check, and other methods.
Rename the file with a random name:
For uploaded code to be executed, the user needs to be able to reach the file by its path. If the stored name is random and never disclosed, or the environment lets users upload but not access the file, the uploaded script cannot be invoked.
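The defenses above combined into one server-side handler, as an added Python example that is not the post's own code: a case-insensitive extension whitelist, the declared MIME type and the file's magic bytes matched against that whitelist, a random stored name, a size cap, and a fixed storage directory that the web server is configured not to execute from. The allowed-type table, the 8 KB cap (taken from the limit cited above) and the function names are assumptions for this example. A payload that starts with GIF89a still passes the content check, which is exactly why the non-executable directory is the decisive control.

```python
import os
import secrets
import tempfile

# Whitelisted extensions mapped to the magic bytes and MIME type they must carry.
# Assumed table for this example; extend it to the types the application actually needs.
ALLOWED_TYPES = {
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
}
MAX_UPLOAD_BYTES = 8192  # example cap, matching the 8 KB body-inspection limit cited above


def validate_upload(filename, declared_type, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (accepted, reason, extension). Every check is a whitelist check."""
    if len(data) > max_bytes:
        return False, "body exceeds size limit", None
    # Keep only the last path component; the client-supplied directory part is never trusted.
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or "." not in base:
        return False, "missing extension or null byte in name", None
    ext = base.rsplit(".", 1)[1].lower()  # case-insensitive: 1.Php is still php
    if ext not in ALLOWED_TYPES:
        return False, "extension ." + ext + " not in whitelist", None
    magics, mime = ALLOWED_TYPES[ext]
    if declared_type.lower() != mime:
        return False, "declared Content-Type does not match ." + ext, None
    if not any(data.startswith(m) for m in magics):
        return False, "content does not start with a valid " + mime + " header", None
    return True, "ok", ext


def storage_name(ext):
    """Random, non-guessable stored name; the client-supplied name is never reused."""
    return secrets.token_hex(16) + "." + ext


def save_upload(filename, declared_type, data, upload_dir):
    """Validate, then write under a fixed directory the web server must be configured not to execute from."""
    ok, reason, ext = validate_upload(filename, declared_type, data)
    if not ok:
        raise ValueError(reason)
    name = storage_name(ext)
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name  # the application maps this name to the user; the path is never echoed back


if __name__ == "__main__":
    # Constructed sample inputs.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("cat.png", "image/png", png))
    print(validate_upload("shell.php", "image/jpeg", b"CONSTRUCTED"))
    print(validate_upload("x.gif", "image/gif", b"GIF89a" + b"CONSTRUCTED NON-IMAGE BYTES"))
    with tempfile.TemporaryDirectory() as d:
        print(save_upload("cat.png", "image/png", png, d))
```

The order of the checks matters: the size cap runs first so nothing oversized reaches the content parser, and the extension check runs before the magic-byte check so a file like shell.php is rejected by name even when its body carries a valid image header.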
Summary
The goal of researching WAF bypass methods is to strengthen one's own defense capability. Don't simply stop at regular expressions and basic vulnerability principles while investigating breakthroughs; explore deeper into topics like understanding the HTTP protocol, how PHP and Tomcat parse HTTP in their source code, MySQL logic analysis, and fuzzing ideas, among others. There will be a lot of fun and the opportunity to improve in many areas during this process.