SQL injection: 9 ways to bypass Web Application Firewall
A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.__Wiki
How WAF work?
- Exception Detection Protocol: Denies requests that do not meet HTTP standards
- Enhanced input validation: Proxy and server-side validation, not just client-side validation
- WhiteList & Blacklist
- Rule-based and exception-based protection: more black-based mechanisms based on rules, more flexible based on exceptions
- State management: focus on session protectionThere are also: Cookies protection, anti-intrusion avoidance technology, response monitoring and information disclosure protection.
How to bypass WAF
- Mixed CaseChange case of malicious input triggering WAF protections. union may become uNIoN, If the WAF is using a case sensitive blacklist, changing case may bypass that filter.
- Replace the keyword(Insert special characters that will be removed by WAF) – SELECT may become SEL<ECT which would be passed on as SELECT once the offending character is removed.
+ URL encode
- Use comments
Insert comments in middle of attack strings. For instance, /*!SELECT*/ might be overlooked by the WAF but passed on to the target application and processed by a mysql database.
- Equivalent functions and commands
Some functions or commands can not be used because this keywords are detected, but in many cases we can be used with equivalent or similar code of them.
- Special symbolsHere I have non-alphanumeric characters in the special symbols of a class, special symbols have a special meaning and usage.
+ ` symbol: select `version()`;
+ +- :select+id-1+1.from users;
+ @:select@^1.from users;
+Mysql function() as zzz
- HTTP parameter controlSupply multiple parameter= value sets of the same name to confuse the WAF. Given the example http://example.com?id=1&?id=’ or ‘1’=’1′ — ‘ in some circumstances such as with Apache/PHP, the application will only parse the last (second) instance of id= while the WAF only parses the first. It appears to be a legitimate request but the application still receives and process malicious input. Most WAF’s today are not vulnerable to HTTP Parameter Pollution (HPP) but it is still worth a try when building bypasses.
+ HPP (HTTP Parameter Polution)
HPP is also known as repeated parameter contamination, the simplest is: uid = 1 & uid = 2 & uid = 3, for this case, different Web server processing as follows:
+HPF (HTTP Parameter Fragment)
This method is HTTP segmentation injection, similar to CRLF (using control characters% 0a,% 0d, etc. to perform line breaks)
+HPC (HTTP Parameter Contamination)
RFC2396 defines the following characters:
Different Web server processing processes have different logic when constructing special requests:
In the case of the magic character %, Asp / Asp.net will be affected
- Buffer overflowWAF’s are, afterall, applications and vulnerable to the same software flaws as any other application. If a buffer overflow condition can create a crash, even if it does not result in code execution, this may result in a WAF failing open. In other words, a bypass.
- IntegrationIntegration means the use of a variety of bypass technology, a single technology may not be able to bypass the filtering mechanism, but the use of a variety of technologies with the possibility of success will increase a lot.