Chapter 5 – Practical Web Application Penetration Testing Series – Bypass Web Applications Firewalls

December 28, 2016 | Views: 7192



As it is illegal to test a website without permission, and I could not find a test site with a WAF (web application firewall) enabled, I decided to cover this section theoretically. A WAF filters all access to a web application, inspecting both the traffic towards the application and the response traffic coming back from it. By securing both the application infrastructure and the application user, a WAF complements traditional network firewalls, which are not designed to protect at this layer. A WAF can be either network-based or host-based; it is typically deployed as a proxy placed in front of one or more web applications. When pen testing web applications in the real world, we should first check whether the website sits behind a WAF and, if so, which WAF we are dealing with.

I usually use a handy script called wafw00f (pre-installed in Kali Linux) to detect the kind of WAF before starting black-box web pen testing.

[Screenshot 1]

Usage is very easy: pass the URL of the target website as the argument to the wafw00f command and press Enter:

[Screenshot 2]

Wafw00f tries to detect the web application firewall and gives us useful information about it. In chapter 3a of this series we saw how to install and configure the Bypass WAF plugin for Burp Suite; now it is time to use it. If you want more information on how this plugin works in the background, take a look at this link:

https://portswigger.net/bappstore/ShowBappDetails.aspx?uuid=ae2611da3bbc4687953a1f4ba6a4e04c

We are going to rescan the http://testsparker.com/ website with the Bypass WAF plugin enabled in Burp Suite.

Open up Burp and set your browser to use it as its proxy. Now browse the site and capture the request. Forward the request in Burp and click the Target tab. In the left pane, right-click on http://testsparker.com/ and click “Add to scope”.

We have this:

[Screenshot 3]

Everything is now ready for WAF bypassing and automated testing, so we can test the website for vulnerabilities with the bypass in place. Right-click on http://testsparker.com/ in Target -> Site map and click “Actively scan this host” to start scanning. That was it.

Now let’s talk about Sqlmap and bypassing WAF when injecting the payloads.

You may know about the tamper option in sqlmap: with the --tamper flag we can plug in custom Python scripts for many purposes, and one of those purposes is WAF bypassing. We simply pass these kinds of scripts with the --tamper flag.

To test MySQL, you can use all of the tamper scripts below, or just one of them on its own:

# Note: there must be no spaces between the commas and the script names. The spaces in the lists below were added only for the formatting of this article.

--tamper=between, bluecoat, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2hash, space2morehash, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords, xforwardedfor

 

To test MSSQL, you can use all of the tamper scripts below, or just one of them on its own:

--tamper=between, charencode, charunicodeencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, sp_password, space2comment, space2dash, space2mssqlblank, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes

Below is the list of tamper scripts that support both MSSQL and MySQL:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

Examples:

1. Use just one tamper script:

[Screenshot 4]

2. Use multiple tamper scripts to bypass the WAF:

[Screenshot 5]

Or

[Screenshot 6]
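The tamper scripts listed above all work the same way: they rewrite one SQL payload into a form that a literal signature no longer recognises. The Python example below is added here for illustration and is neither sqlmap code nor part of the original article; it shows the defender's side of that picture. It applies a naive keyword signature to a handful of constructed inputs shaped like the output of space2comment, randomcase, charencode and multiplespaces, then applies the same signature after a normalization step (percent-decoding, comment stripping, whitespace collapsing, case folding). The sample strings, the SAMPLES names and the normalize function are my own assumptions about what such obfuscations and a WAF's canonicalisation layer look like.

```python
import re
import urllib.parse

# Constructed sample inputs (not sqlmap output): one SQL-injection-shaped
# probe written plainly, then hand-rewritten the way the named tamper
# scripts would reshape it, plus one benign string for a false-positive check.
SAMPLES = {
    "plain":          "1 UNION SELECT username, password FROM users",
    "space2comment":  "1/**/UNION/**/SELECT/**/username,/**/password/**/FROM/**/users",
    "randomcase":     "1 uNiOn SeLeCt username, password FrOm users",
    "charencode":     "1%20UNION%20SELECT%20username%2C%20password%20FROM%20users",
    "multiplespaces": "1     UNION      SELECT username, password FROM users",
    "benign":         "search for union jack flags",
}

# A literal signature of the kind a simplistic WAF rule might use.
SIGNATURE = re.compile(r"\bUNION\s+SELECT\b")


def naive_match(value: str) -> bool:
    """Apply the signature to the raw parameter value, exactly as received."""
    return bool(SIGNATURE.search(value))


def normalize(value: str, max_decode_rounds: int = 3) -> str:
    """Canonicalise a parameter value before signature matching.

    The steps mirror what a WAF's normalization layer is assumed to do here:
    1. percent-decode, repeating a bounded number of times so that double
       encoding (%2520) is unwrapped as well;
    2. replace inline /* ... */ comments with a space, since MySQL treats
       them as whitespace;
    3. collapse runs of whitespace and fold case.
    """
    for _ in range(max_decode_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value).strip()
    return value.upper()


def normalized_match(value: str) -> bool:
    """Apply the same signature after normalization."""
    return bool(SIGNATURE.search(normalize(value)))


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (raw_signature_hit, normalized_hit)} for every sample."""
    return {name: (naive_match(v), normalized_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in evaluate().items():
        print(f"{name:15s} raw-signature={raw_hit!s:5s} normalized={norm_hit}")
```

Running it prints one row per sample: the raw signature catches only the plain and multiple-space forms, while the normalized signature catches every obfuscated form and still leaves the benign string alone. The limits matter as much as the result: decoding and whitespace handling can be undone, but scripts such as between (which rewrites > as NOT BETWEEN 0 AND) or equaltolike (which rewrites = as LIKE) substitute semantically equivalent SQL that no amount of normalization reverses. That is why a WAF is a compensating control in front of the application, and the fix that actually holds is parameterized queries in the application code itself.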

 

Thanks for reading.


Read the other parts of this series –

Chapter 4: Practical Web Application Pentesting Series

Chapter 3b: Practical Web Application Pentesting Series

Chapter 3a: Practical Web Application Pentesting Series

Chapter 2: Practical Web Application Pentesting Series

Chapter 1: Practical Web Application Pentesting Series

4 Comments
  1. Thank you for sharing 🙂

  2. Don't you think it will generate a lot of suspicious traffic?
