Added new technique to bypass WAFs

Pinaki 2022-03-12 10:22:44 +05:30 committed by GitHub
parent 88fd889e28
commit ce6d289546
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -3191,6 +3191,17 @@ CLI tools like cURL can come very handy for PoCs:
curl --ciphers <cipher> -G <test site> -d <payload with parameter> curl --ciphers <cipher> -G <test site> -d <payload with parameter>
``` ```
### Abuse WAF limit on HTTP Responses
#### Method
- Many a times, WAFs have a limit on _how much_ of the HTTP request they are meant to handle.
- By sending a HTTP request with a size __greater than the limit__, we can fully evade WAFs.
#### Technique
- Use a hit and trial approach to find out how much of the HTTP request is being inspected by the WAF (usually in multiples of 4 kB).
- Once done, attach your payload to the request after filling the limit with garbage.
> A similar technique was used to [bypass Google Cloud Platform WAF](https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf).
### Abusing DNS History: ### Abusing DNS History:
- Often old historical DNS records provide information about the location of the site behind the WAF. - Often old historical DNS records provide information about the location of the site behind the WAF.
- The target is to get the location of the site, so that we can route our requests directly to the site and not through the WAF. - The target is to get the location of the site, so that we can route our requests directly to the site and not through the WAF.
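Review bot: the new heading "### Abuse WAF limit on HTTP Responses" contradicts the bullets under it, which describe a limit on how much of the HTTP *request* the WAF inspects; rename it to "### Abuse WAF limit on HTTP Requests" so it matches the Method and Technique text and the linked Cloud Armor write-up. Two grammar fixes in the same hunk: "Many a times" should be "Many times", and "a HTTP request" should be "an HTTP request"; "hit and trial" is more naturally "trial and error". The surrounding section headings end with a colon ("### Abusing DNS History:", "#### Technique:"), so the new "### Abuse WAF limit ..." / "#### Method" / "#### Technique" headings break that convention. Finally, the other sections in this file pair a bypass with its defensive note; consider adding one line that the mitigation is to configure the WAF to reject (fail closed) or at least log requests that exceed its inspection limit rather than forwarding them uninspected.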
@ -3209,6 +3220,7 @@ bash bypass-firewalls-by-DNS-history.sh -d <target> --checkall
#### Technique: #### Technique:
- Using the whitelist string as a parameter in GET/POST/PUT/DELETE requests smuggles our payload through the WAF. - Using the whitelist string as a parameter in GET/POST/PUT/DELETE requests smuggles our payload through the WAF.
- Usually some `*-sync-request` keywords or a shared token value is used as the secret. - Usually some `*-sync-request` keywords or a shared token value is used as the secret.
- Often adding specific headers may trigger a similar whitelist behaviour.
Now when making a request to the server, you can append it as a parameter: Now when making a request to the server, you can append it as a parameter:
``` ```
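Review bot: the added bullet "Often adding specific headers may trigger a similar whitelist behaviour." is unsupported as written; unlike the neighbouring bullets it names no example header pattern and cites no reference, so a reader cannot tell whether it is the same shared-secret mechanism described in "- Usually some `*-sync-request` keywords or a shared token value is used as the secret." or a separate observation. Either add a link to the source this was taken from, or reword it to say explicitly that the same whitelist secret can also be honoured when supplied in a request header, and put that note under the "Technique" sub-heading alongside a mention that defenders should scope any such allow-list to authenticated sources rather than to a static string.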