This blog post will explain how to bypass a web application firewall so that you will understand what kind of payloads are used to get access to your site. See the payload examples below.

A web application firewall, or WAF for short, is becoming an essential part of your personal or client’s website.

It is important that your WAF is up to date with the latest cyber threats and methods, as new methods and threats come out on a daily basis.

Websites are prime targets in cyber attacks, and one overlooked issue can ruin the business and its reputation.

WAF operation models fall into three categories:

Whitelist (accepts known good)

Blacklist (reject known bad)

Hybrid (a combination of whitelist and blacklist)

Brute forcing to bypass web application firewall

This means throwing a bunch of malicious payloads at the site and hoping that one of them will work. Most WAFs prevent this by limiting the number of requests per time unit.

For this method, you can use different active scanning tools or develop your own. Some of the tools that can be useful in the mix with the active scanner:

Another way around

Bypassing a DNS-based firewall can sometimes be very simple. Often there are subdomains that are not protected by the firewall because of DNS misconfiguration. Such a subdomain can expose the server IP, which is not protected by the firewall due to the nature of DNS-based firewalls.
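
As an added example (not part of the original post), a site owner can audit an export of their own DNS zone for hostnames that resolve outside the WAF provider's address ranges. The zone records, hostnames and ranges below are constructed sample data, and the function names are illustrative.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, hypothetical hostnames.
WAF_RANGES = ["203.0.113.0/24"]          # assumed edge ranges published by the WAF provider
ZONE = [                                  # (name, type, value) as exported from your own DNS zone
    ("www.example.com", "CNAME", "edge.waf-provider.example"),
    ("edge.waf-provider.example", "A", "203.0.113.10"),
    ("example.com", "A", "203.0.113.11"),
    ("dev.example.com", "A", "198.51.100.7"),
    ("mail.example.com", "CNAME", "dev.example.com"),
    ("old.example.com", "CNAME", "gone.example.net"),
]

def resolve(name, zone, depth=0):
    """Follow CNAMEs inside the exported zone and return the set of A-record IPs."""
    if depth > 8:                         # guard against CNAME loops
        return set()
    ips = set()
    for rname, rtype, value in zone:
        if rname.lower() != name.lower():
            continue
        if rtype == "A":
            ips.add(value)
        elif rtype == "CNAME":
            ips |= resolve(value, zone, depth + 1)
    return ips

def audit(zone, waf_ranges, suffix):
    """Map each hostname under `suffix` to 'protected', 'exposed' or 'unresolved'."""
    nets = [ipaddress.ip_network(r) for r in waf_ranges]
    report = {}
    for name in sorted({r[0].lower() for r in zone}):
        if not (name == suffix or name.endswith("." + suffix)):
            continue
        ips = resolve(name, zone)
        if not ips:
            report[name] = ("unresolved", [])
            continue
        outside = sorted(ip for ip in ips
                         if not any(ipaddress.ip_address(ip) in n for n in nets))
        report[name] = ("exposed" if outside else "protected", outside)
    return report

if __name__ == "__main__":
    for host, (status, ips) in audit(ZONE, WAF_RANGES, "example.com").items():
        print(f"{host:20} {status:11} {' '.join(ips)}")
```

Hostnames reported as exposed should be moved behind the WAF, and the origin's own network firewall should accept web traffic only from the WAF's ranges. Unresolved names are stale records worth removing.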

Browser bugs to bypass web application firewall

By exploiting known browser bugs we can craft a special payload that will bypass the WAF and work in the affected web browser.

This is most suitable for client-side attacks such as cross-site scripting. An example of this would be bypassing Internet Explorer and Edge with double encoding.

Regular Expression reversing

This method is the most accurate but requires a great deal of independent research and study on how the firewall works.

You will need to understand which operation model it is using, enumerate possible whitelisted URLs, enumerate special characters that are not blacklisted, etc.

You can try some of the payloads we found useful: