From ce6d289546220dd7efac6e1973bf003f8699f886 Mon Sep 17 00:00:00 2001 From: Pinaki <0xinfection@gmail.com> Date: Sat, 12 Mar 2022 10:22:44 +0530 Subject: [PATCH] Added new technique to bypass wafs --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 325ce22..9b8485d 100644 --- a/README.md +++ b/README.md @@ -3191,6 +3191,17 @@ CLI tools like cURL can come very handy for PoCs: curl --ciphers -G -d ``` +### Abuse WAF limit on HTTP Responses +#### Method +- Many a times, WAFs have a limit on _how much_ of the HTTP request they are meant to handle. +- By sending a HTTP request with a size __greater than the limit__, we can fully evade WAFs. + +#### Technique +- Use a hit and trial approach to find out how much of the HTTP request is being inspected by the WAF (usually in multiples of 4 kB). +- Once done, attach your payload to the request after filling the limit with garbage. + +> A similar technique was used to [bypass Google Cloud Platform WAF](https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf). + ### Abusing DNS History: - Often old historical DNS records provide information about the location of the site behind the WAF. - The target is to get the location of the site, so that we can route our requests directly to the site and not through the WAF. @@ -3209,6 +3220,7 @@ bash bypass-firewalls-by-DNS-history.sh -d --checkall #### Technique: - Using the whitelist string as a parameter in GET/POST/PUT/DELETE requests smuggles our payload through the WAF. - Usually some `*-sync-request` keywords or a shared token value is used as the secret. +- Often adding specific headers may trigger a similar whitelist behaviour. Now when making a request to the server, you can append it as a parameter: ```