WAF bypass some of the summary and thinking, WAF how to prevent bypass. 01/15 Update SLTechnology News&Howtos

WAF bypass some of the summary and thinking, WAF how to prevent bypass.

2025-01-15 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

WAF classification:

1. Network layer class

two。 The most common and easy to deploy application layer class (deployed before APAC++HE, after APAC++HE)

Application layer WAF-take advantage of WAF's own defects and MYSQL syntax features and combine with actual bypass:

The most common WAF detection method: keyword detection, for example, if a SQL statement such as [space] union [space] appears, it is regarded as a malicious request. The packet is discarded, and the XSS code is the same.

Common bypass types:

Type 1:

Packet-> WAF (use string to store request parameters and detect after decoding)-> APAC++HE

C++ language and others use string and other storage structures to store requests. When decoding, they will become NULL and truncate the next request content.

So for example, id=1%20and%201=1 becomes id=1, thus bypassing WAF detection

Type 2:

Packet-> WAF-> APAC++HE

Bypass logic:

Special release of some User-Agent by WAF (such as UA of Baidu spider)

WAF releases some POST packages specially (file upload packages)

Type 3:

Packet-> WAF-> APAC++HE

Bypass by making use of the syntax characteristics of mysql, the special writing mode of html code and the rendering mode of the browser. Since the actual detection logic of WAF is not clear during the actual testing, using fuzz is the best method, which is also the most common bypass method for WAF.

FUZZ Dictionary:

% a0union%a0 (the regular expression\ s in WAF does not match% a0 but MYSQL sees it as a space)

% 0aunion%0a

Union (the regular expression\ s\ t in WAF does not recognize a match)

% 09union%09

/ * / union/**/

% 0dunion%0d

/ *% e4*/union/*%e4*/ (any match character (.) in half a Chinese regular expression in UTF8 Cannot match this content)

`version` () (MYSQL syntax feature function can be written as `function name` ())

/ *! union*/

8E0union (grammatical feature of MYSQL. The context ends when it is detected as a floating-point number, which is regarded as a space, the same as in the following 2)

8.0union

\ Nunion

.1union / * .1 * /

...

A fuzz instance of the XSS class:

"Fuzz

To detect what characters can be seamlessly connected before onerror. "

The code for fuzzz.php and fuzz.php is as follows

Fuzzz.php:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.