By: Babak Esmaeili
December 28, 2016
Chapter 5 - Practical Web Application Penetration Testing Series - Bypass Web Applications Firewalls
By: Babak Esmaeili
December 28, 2016
Chapter 5 - practical web pentesting - Bypass Web Applications Firewalls
As it is illegal to test a website without permission, and I could not find a test site with WAF(web application firewall) enabled I decided to carry on this section theoretically. A WAF filters all web application accesses, inspecting both the traffic towards the web application and the response traffic from the application. By securing both the application infrastructure as well as the application user, a WAF complements traditional network firewalls, which are not designed to protect at this level.A WAF can be either network-based or host-based and is typically deployed through a proxy and placed in front of one or more Web applications. When pen testing web applications in the real world, we should consider if the website has WAF and ask ourselves what kind of WAF we are dealing with in this website?
I usually use a handy script in Kali Linux called wafw00f (pre-installed in Kali Linux) to detect the kind of WAF before starting Blackbox web pen testing.
The usage instruction is very easy. Just copy the URL of the target website and paste it in front of the command, then press "enter":chapter 3a of this series we saw how to set and config Bypass WAF plugin for burp suite.now it’s time to use it. If you want more information on how this plugin works in the background take a look at this link:
We are going to rescan http://testsparker.com/ website with Bypass WAF plugin enabled in Burpsuite.
Open up Burp and set your browser to use it as its proxy. Now browse the site and capture the request. Forward the request in Burp and click the target menu. In the left pane, right click on http://testsparker.com/ and click on "Add to scope".
We have this:
Everything is ready now for bypassing WAF and automated testing.We can now test website for vulnerabilities with WAF bypassing. Right click on http://testsparker.com/ in target menu ->site map and click on Actively scan this host to start scanning.That was it.
Now let’s talk about Sqlmap and bypassing WAF when injecting the payloads.
You may know about tamper parameter in sqlmap.we can use custom python script for many aims with --tamper parameter. One of the uses is WAF bypassing. We can simply use these kinds of scripts with tamper parameter:To use tamper script on sqlmap, you use --tamper flag.To test mysql, you can use all tamper below or just one of them alone :
# no spaces should be between the commas/words. The spaces below were added for the formatting purposes of this article.
tamper=between, bluecoat, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2hash, space2morehash, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords, xforwardedfor
To test mssql, you can use all tamper below or just one of them alone :
Below is tamper list that support both mssql and mysql:tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
tamper=between, charencode, charunicodeencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, sp_password, space2comment, space2dash, space2mssqlblank, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes
Examples :1. Use just one tamper script
Thanks for reading.
Read the other parts of this series -