WAF Evasion
In this section I will explain techniques to found the original IP of the hosted webapp.
Last updated
Was this helpful?
In this section I will explain techniques to found the original IP of the hosted webapp.
Last updated
Was this helpful?
First we need to look inside the SSL Certificate of the webapp in order to find the fingerprint (SHA256)
With censys you can search different hosted webpages with the same SSL fingerprint, so these are from the same company.
Once you obtained the different domains or IPs that have the same fingerprint try to discover the IPs and play with the Host HTTP header.
It's common that the companies buys a range of IPs, so you should need to check more parent IPs.
Some times the companies put a WAF on a web application, but they don't configure it properly and any source IP instead of only the WAF can request the server.
So we can check the DNS history with viewdnsinfo
to search the old IP.
Finally with suip.biz
we can check which apps are hosted on a server.
The whitelisting mode is prone to false positives, which is the reason it is very common to find WAFs deployed in blacklisting mode rather than whitelisting mode.
The blacklisting mode is a collection of well-known attacks. WAF producers put together a list of rules to protect a web application against various attack vectors that are used to exploit the most common vulnerabilities.
So we can use different payloads to bypass some filters.
Instead of using alert('xss')
or alert(1)
we can choose a better option:
Instead of using alert(document.cookie)
we can use:
Instead of using <img src=x onerror=alert(1);>
we can use:
Instead of javascript:alert(document.cookie)
we can use:
Instead of using ' or 1=1
we can use:
Instead of UNION SELECT
we can use:
Instead of using /etc/passwd
we can use:
Instead of using c99.php
, r57.php
, shell.aspx
, cmd.jsp
, CmdAsp.asp
we can use:
WAF systems leave several footprints of their presence, which allow us to detect which WAF is in place.
wafw00f
is a tool that can detect up to 20 different WAF products.
Also it can be possible to detect the WAF vendor with a nmap script.
Some WAF systems reveal their presence through cookies.
Citrix Netscaler
n_saf, citrix_ns_id or NSC_
F5 BIG-IP ASM
^TS[a-zA-Z0-9]{3,6}
Barracuda
barra_counter_session and BNI__BARRACUDA_LB_COOKIE
Some WAFs rewrite the HTTP headers. Usually modify the Server
header.
Original Request
Modified Request