WAF Bypasses

Encoding Evasion: Use URL, Unicode, Base64, or other encodings to disguise payloads.

HTTP Parameter Pollution: Manipulate parameters to exploit the way the WAF processes multi-instance parameters. (One of my favourite techniques!)

Session Splicing: Divide the attack into multiple requests or sessions to disrupt the WAF's ability to correlate the events.

Verb Tampering: Change the HTTP method (GET, POST, HEAD, etc.) to an unconventional one that the WAF might not inspect.

Path Obfuscation: Include irrelevant path information that gets ignored by the server but confuses the WAF (like using directory traversal techniques).

Query String Manipulation: Alter the query string with special characters or payloads that might be overlooked by the WAF.

Header Manipulation: Modify HTTP headers such as User-Agent, Referer, or custom headers in ways that are not expected.

Cookie Poisoning: Inject payloads into cookie values which may not be inspected or properly sanitized by the WAF.

Content-Type Evasion: Use unusual or mismatched content-types in the HTTP header to bypass checks that are content-type specific.

Extension Manipulation: Change file extensions or use obscure ones to evade filters that inspect file names.

Protocol-Level Evasion: Utilize discrepancies in protocol implementations (like ambiguous requests) that may be differently interpreted by the WAF and the target web server.

Attack Obfuscation with Legitimate Requests: Mix in legitimate traffic with the attack traffic to reduce the anomaly score that might otherwise trigger the WAF.

Bypassing with JavaScript: Use JavaScript to construct the final payload in the client-side browser, which may not be executed or recognized by the WAF.

Using Comment Injection: Place comments within SQL statements or scripts to disrupt signature detection.

Utilizing Server-Side Request Forgery (SSRF): Exploit the server's functionality to make requests that bypass the WAF's rules.

Timing Attacks: Execute actions with delays, leveraging the fact that some WAFs have a time window for rule execution.

Ruleset Flaws: Exploit known weaknesses in the rulesets employed by popular WAFs, which are sometimes documented by security researchers.

Last updated 1 year ago