By: Babak Esmaeili
December 28, 2016

Chapter 5 - Practical Web Application Penetration Testing Series - Bypass Web Applications Firewalls

As it is illegal to test a website without permission, and I could not find a test site with a WAF (web application firewall) enabled, I decided to cover this section theoretically.

A WAF filters all access to a web application, inspecting both the traffic towards the application and the response traffic coming back from it. By protecting both the application infrastructure and the application's users, a WAF complements traditional network firewalls, which are not designed to protect at this level. A WAF can be either network-based or host-based and is typically deployed as a proxy placed in front of one or more web applications.

When pen testing web applications in the real world, we should consider whether the website has a WAF and ask ourselves what kind of WAF we are dealing with.

I usually use a handy script called wafw00f (pre-installed in Kali Linux) to detect the kind of WAF before starting black-box web pen testing.

[Screenshot 1]

The usage is very simple: copy the URL of the target website, paste it after the command and press Enter:

[Screenshot 2]

Wafw00f tries to detect the web application firewall and gives us useful information about it. In chapter 3a of this series we saw how to install and configure the Bypass WAF plugin for Burp Suite; now it is time to use it. If you want more information on how this plugin works in the background, take a look at this link:

https://portswigger.net/bappstore/ShowBappDetails.aspx?uuid=ae2611da3bbc4687953a1f4ba6a4e04c

We are going to rescan the http://testsparker.com/ website with the Bypass WAF plugin enabled in Burp Suite.

Open up Burp and set your browser to use it as its proxy. Now browse the site and capture the request. Forward the request in Burp and click the target menu. In the left pane, right click on http://testsparker.com/ and click on "Add to scope".

We have this:

[Screenshot 3]

Everything is now ready for WAF bypassing and automated testing, so we can test the website for vulnerabilities with the bypass in place. Right click on http://testsparker.com/ in the Target menu -> Site map and click "Actively scan this host" to start scanning. That was it.

Now let’s talk about Sqlmap and bypassing WAF when injecting the payloads.

You may know about the tamper option in sqlmap. With the --tamper option we can run custom Python scripts for many purposes; one of them is WAF bypassing. To use a tamper script in sqlmap, pass its name to the --tamper flag. To test MySQL, you can use all of the tamper scripts below or just one of them alone:

# no spaces should be between the commas/words. The spaces below were added for the formatting purposes of this article.

--tamper=between, bluecoat, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2hash, space2morehash, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords, xforwardedfor

 

To test MSSQL, you can use all of the tamper scripts below or just one of them alone:

--tamper=between, charencode, charunicodeencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, sp_password, space2comment, space2dash, space2mssqlblank, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes

Below is the tamper list that supports both MSSQL and MySQL:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
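As an added, defender-side illustration (not part of the original article and not sqlmap's own code), the Python below shows why the tamper scripts listed above defeat a naive keyword signature, and how a canonicalisation step placed in front of the signature recovers detection. The decode steps are my own approximations of what the named tamper families produce (space2comment, charencode/chardoubleencode, charunicodeencode, space2plus, randomcase, multiplespaces, and the MySQL versioned comments used by modsecurityversioned); the inputs are constructed samples, not captured traffic.

```python
import re
from urllib.parse import unquote

# A naive WAF rule: literal, case-sensitive keyword match on the raw parameter.
NAIVE_SIGNATURE = re.compile(r"UNION\s+SELECT")

# The same intent, applied to the canonical (decoded, lower-cased) form.
CANONICAL_SIGNATURE = re.compile(r"\bunion\s+(?:all\s+)?select\b")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Undo the obfuscations the tamper families above introduce.

    Each step is an approximation of one tamper family (assumption, not
    sqlmap's exact behaviour). Decoding loops a few rounds so that double
    encoding (chardoubleencode) is unwrapped as well.
    """
    text = value
    for _ in range(max_rounds):
        previous = text
        # charunicodeencode: %uXXXX escapes -> the character they encode
        text = re.sub(r"%u([0-9a-fA-F]{4})",
                      lambda m: chr(int(m.group(1), 16)), text)
        # charencode / chardoubleencode: percent-decode once per round
        text = unquote(text)
        if text == previous:
            break
    # modsecurityversioned: MySQL executes the body of /*!NNNNN ... */,
    # so keep the body and drop only the comment markers
    text = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", text, flags=re.DOTALL)
    # space2comment: ordinary inline comments used as whitespace
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    # space2plus: '+' as a space in form-encoded data
    text = text.replace("+", " ")
    # space2randomblank / multiplespaces: collapse any run of blanks
    text = re.sub(r"\s+", " ", text)
    # randomcase: compare case-insensitively
    return text.strip().lower()


def is_flagged(value: str, naive: bool = False) -> bool:
    """True if the rule fires; naive=True uses the raw-match rule."""
    if naive:
        return NAIVE_SIGNATURE.search(value) is not None
    return CANONICAL_SIGNATURE.search(canonicalize(value)) is not None


# Constructed samples mirroring the tamper families named in the article.
SAMPLES = {
    "plain": "1 UNION SELECT 1,2",
    "space2comment": "1/**/UNION/**/SELECT/**/1,2",
    "charencode": "1%20UNION%20SELECT%201,2",
    "randomcase": "1 uNiOn sElEcT 1,2",
    "double+unicode": "1%2520UNION%u0020SELECT%25201,2",
    "versioned": "1/*!50000UNION*//*!50000SELECT*/1",
    "benign": "union station select committee",
}


def evaluate(samples=SAMPLES):
    """Return {name: (naive_hit, canonical_hit)} for every sample."""
    return {name: (is_flagged(v, naive=True), is_flagged(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive_hit, canon_hit) in evaluate().items():
        print(f"{name:15s} naive={naive_hit!s:5s} canonical={canon_hit}")
```

The point for a defender is that every tamper family on the lists above targets the gap between what the WAF matches and what the database parser accepts; canonicalisation has to mirror the backend's actual decoding (for example keeping the body of MySQL's versioned comments rather than discarding it), and over-decoding (treating '+' as a space in a parameter that legitimately contains one) trades false negatives for false positives. Keyword matching on a canonical form remains a heuristic layer; parameterised queries in the application are the fix that no tamper script routes around.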

Examples:

1. Use just one tamper script:

[Screenshot 4]

2. Use multiple tamper scripts to bypass the WAF:

[Screenshot 5]

Or:

[Screenshot 6]

Thanks for reading.


Read the other parts of this series -

Chapter 4: Practical Web Application Pentesting Series

Chapter 3b: Practical Web Application Pentesting Series

Chapter 3a: Practical Web Application Pentesting Series

Chapter 2: Practical Web Application Pentesting Series

Chapter 1: Practical Web Application Pentesting Series
