Before reading this article, we recommend reading about firewalls and how they work. We will focus on firewall evasion, but you need some fundamental firewall knowledge to understand it.
What are we trying to evade against a firewall?
Most firewalls examine network packets with a series of filters (at the network or application layer) as they attempt to enter the network. Depending on the source and destination IP addresses, protocols and ports, the firewall then decides whether each packet may enter. Some web application firewalls (WAFs) also analyze HTTP payloads for malicious code, and others add antivirus scanning, encrypted-traffic inspection and intrusion prevention systems (IPS).
Evasion methods
Although firewalls and IDSs can stop malicious packets from entering a network, an attacker can send modified packets so that they bypass the IDS/firewall. These are ten methods of evasion:
- Encrypting data: By encrypting the data being transmitted, it becomes more difficult for the firewall or intrusion detection system to detect any malicious activity.
- VPN: A virtual private network (VPN) can help bypass firewalls and intrusion detection systems by routing traffic through a secure server.
- Proxy server: A proxy server can help mask the origin of traffic, making it difficult for the firewall or intrusion detection system to trace the source of an attack.
- Tor: The Tor network can help mask the user's identity and the origin of the traffic, making it difficult for the firewall or intrusion detection system to detect any malicious activity.
- Port hopping: By constantly changing the port used to transmit data, it becomes more difficult for the firewall or intrusion detection system to detect any malicious activity.
- Steganography: By hiding data within another file or message, it is more difficult for the firewall or intrusion detection system to detect any malicious activity.
- Application layer protocols: By using application layer protocols such as HTTP or SMTP, it is more difficult for the firewall or intrusion detection system to detect any malicious activity.
- Malicious code: When using malicious code or malware, it is more difficult for the firewall or intrusion detection system to detect any malicious activity.
- Social engineering: By tricking users into divulging confidential information or performing certain actions, it is easier for an attacker to bypass the firewall or intrusion detection system.
- Physical access: By physically accessing the network or system, an attacker can bypass the firewall or intrusion detection system.
A firewall can also be bypassed because of weaknesses in how it is deployed and maintained:
- Outdated software: Firewalls rely on software to function properly, and this software must be updated periodically to keep up with the latest threats. If you do not update your firewall software, you may become vulnerable to attacks discovered since the last update.
- Weak passwords: A strong and unique password is one of the most important ways to protect your firewall against breaches. If you use a weak or easy-to-guess password, hackers can easily access your firewall and compromise your system.
- Insecure remote access: If you allow remote access to your system, it is essential to protect this access with a strong password and two-factor authentication. If these measures are not taken, hackers can potentially gain access to your firewall through remote access.
- Incorrectly configured rules: Firewalls rely on rules to determine what traffic is allowed and what is blocked. If these rules are not configured correctly, unwanted traffic may be allowed to pass through the firewall and compromise your system.
To protect your firewall against breaches, it is essential to regularly update your software, use strong passwords, protect against malware infections, protect remote access, and configure your firewall rules correctly.
Bypassing a firewall using SSL
There is a method to bypass network restrictions by encapsulating various types of traffic within an HTTPS connection on port 443. It involves setting up a reverse proxy server with an SSL certificate and using Stunnel to create an encrypted tunnel that masks SSH traffic as HTTPS. This approach allows users to circumvent firewalls that typically allow HTTPS traffic while blocking other types of traffic, effectively disguising non-web traffic as secure web browsing. The technique is particularly useful in less secure environments but may be less effective against advanced firewalls with SSL inspection capabilities.
🔥 Here is a detailed article on how to bypass a firewall using SSL.
Bypassing a firewall using the Nmap Scripting Engine
The Nmap Scripting Engine (NSE) can be particularly effective for firewall bypass by using specific scripts designed to evade detection and penetrate restricted networks. These scripts can manipulate packet structures, employ decoy scans, or spoof IP addresses to trick firewalls into allowing traffic that would otherwise be blocked. NSE scripts can also help in identifying open ports that might be overlooked by firewalls or misconfigured security rules, providing a pathway to bypass network defenses. This makes NSE a powerful tool for testing and circumventing firewall restrictions during security assessments or penetration testing.
🔥 Here is a detailed article on how to use the Nmap Scripting Engine to bypass a firewall.
How to evade a WAF
How to find the WAF provider and the real IP address
Real IP Disclosure
- Run a search on shodan.io or censys.io.
- Search the domain's SPF and TXT records: they can contain the IP address of an origin that is not behind Cloudflare.
- You can also check securitytrails.com: its historical data may hold the original IP in older DNS records.
How to test that the WAF is configured correctly:
- WAFs use standard ports 80, 443, 8000, 8008, 8080 and 8088.
- WAFs set their cookies on requests.
- WAFs add their own response headers.
- WAFs reveal themselves in the Server header.
- WAFs reveal themselves in the response content.
- WAFs respond with unique response codes to malicious requests.
- Send a standard GET request from a browser, intercept, and log response headers (specific cookies).
- Send a request from the command line (e.g., cURL) and then verify the content and headers of the response.
- Send GET requests to random open ports and verify banners that may expose the identity of WAFs.
- Test some SQL injection payloads, such as or 1 = 1, in login or password-reset forms.
- Try noisy XSS payloads in some input fields.
- Try adding ../../../etc/passwd to a random parameter in the URL.
- Add payloads such as ' OR SLEEP(5) OR ' to any random parameter at the end of URLs.
- Send GET requests with deprecated protocol versions such as HTTP/0.9 (HTTP/0.9 does not support POST requests).
- Compare the Server header across different types of requests.
- Send a raw FIN&RST packet to the server and observe whether it responds.
- Side-channel checks: examine the timing of requests and responses, and the response content.
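To check what a WAF deployment gives away in its responses (the cookie, header, Server-header and status-code traits listed above), here is an added example, not from the original article or from any of the tools named on this page, that parses constructed HTTP responses against a small signature table; the products and markers in the table are an assumption limited to a few widely documented ones, and the sample responses are constructed.

```python
# Signature table constructed for this example: a few well-known markers per product,
# matched case-insensitively. Real fingerprinting tools such as wafw00f keep far larger tables.
SIGNATURES = {
    "Cloudflare":        {"headers": ["cf-ray"],      "server": "cloudflare",        "cookies": ["__cf_bm"]},
    "Imperva Incapsula": {"headers": ["x-iinfo"],     "server": "",                  "cookies": ["incap_ses_", "visid_incap_"]},
    "Sucuri":            {"headers": ["x-sucuri-id"], "server": "sucuri/cloudproxy", "cookies": []},
    "Akamai":            {"headers": [],              "server": "akamaighost",       "cookies": []},
}

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, {lower-cased header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def fingerprint(raw: str):
    """Return (status, [(product, evidence), ...]) for everything the response discloses."""
    status, headers = parse_response(raw)
    server = " ".join(headers.get("server", [])).lower()
    cookie_names = [c.split("=", 1)[0].strip().lower() for c in headers.get("set-cookie", [])]
    findings = []
    for product, sig in SIGNATURES.items():
        findings += [(product, f"header {h}") for h in sig["headers"] if h in headers]
        if sig["server"] and sig["server"] in server:
            findings.append((product, f"Server: {server}"))
        findings += [(product, f"cookie {p}*") for p in sig["cookies"]
                     if any(c.startswith(p) for c in cookie_names)]
    return status, findings

# Constructed sample responses (not captured from any real host): a block page,
# a pass-through response, and a response from an origin with nothing to disclose.
BLOCKED = ("HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 0000000000000000-XXX\r\n"
           "Set-Cookie: __cf_bm=example; Path=/; HttpOnly\r\n\r\n<html>blocked</html>")
PASSED = ("HTTP/1.1 200 OK\r\nX-Iinfo: 0-0-0 0NNN\r\nSet-Cookie: incap_ses_1_1=example; Path=/\r\n"
          "Set-Cookie: visid_incap_1=example; Path=/\r\n\r\nok")
CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: session=example; HttpOnly\r\n\r\nok"

if __name__ == "__main__":
    for name, raw in (("BLOCKED", BLOCKED), ("PASSED", PASSED), ("CLEAN", CLEAN)):
        print(name, fingerprint(raw))
```

A 403 carrying product markers on a probe, against a 200 with none on a normal request, is exactly the unique-response-code trait from the list above.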
Tools that help with these checks:
- w3af: Web Application Attack and Audit Framework.
- wafw00f: identifies and fingerprints the web application firewall in front of a site.
- BypassWAF: bypasses WAFs by abusing DNS history; it looks for old DNS A records and checks whether the server still responds for that domain.
- CloudFail: a tactical reconnaissance tool that tries to find the original IP address behind the Cloudflare WAF.
Evading a Web Application Firewall
Various specific hacking techniques can be used to evade different types of firewalls, particularly Web Application Firewalls (WAFs), such as URL Encoding, Unicode Encoding, HTML Rendering, and Mixed Encoding, which modify or obfuscate the payloads in a way that might bypass the firewall's detection mechanisms.
The effectiveness of these techniques depends on the type of firewall being targeted. For instance, simple packet-filtering firewalls may be more susceptible to techniques that manipulate parameters. In contrast, more advanced firewalls like Next-Generation Firewalls (NGFWs) or Web Application Firewalls (WAFs) might require more sophisticated evasion strategies like Dynamic Payload Generation or Time-based SQL Injection.
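To show why a WAF's detection depends on normalising input before matching, here is an added example (not from the original article) that runs the same patterns over a request value once as received and once after undoing the URL, double-URL, %u Unicode and HTML-entity encodings named above; the patterns and sample values are constructed for the example.

```python
import re
import urllib.parse
import html

# Patterns a naive filter might look for in raw input (constructed for this example).
PATTERNS = [
    re.compile(r"<\s*script", re.I),          # script tag
    re.compile(r"\.\./"),                     # path traversal
    re.compile(r"\bor\s+sleep\s*\(", re.I),   # time-based SQL injection probe
]

def naive_matches(raw: str) -> bool:
    """Inspect the request parameter exactly as received, with no decoding."""
    return any(p.search(raw) for p in PATTERNS)

def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Repeatedly undo the encodings the article lists (URL, %u Unicode, HTML entities)
    until the value stops changing, so the filter sees what the back end will see.
    max_rounds bounds the work; deeper nesting than that is left undecoded."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)                       # %3C -> <, %253C -> %3C
        decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), decoded)  # %u003C -> <
        decoded = html.unescape(decoded)                            # &lt; / &#60; / &#x3c; -> <
        if decoded == value:
            break
        value = decoded
    return value

def hardened_matches(raw: str) -> bool:
    """Same patterns, applied to the canonical form of the parameter."""
    return any(p.search(canonicalize(raw)) for p in PATTERNS)

# Constructed sample values, one per encoding the article names, plus an unencoded one.
SAMPLES = {
    "%3Cscript%3Ealert(1)%3C/script%3E": "URL encoding",
    "%253Cscript%253E": "double URL encoding",
    "%u003Cscript%u003E": "%u Unicode encoding",
    "&lt;script&gt;": "HTML entity encoding",
    "%26lt%3Bscript%26gt%3B": "mixed: URL-encoded HTML entities",
    "..%2F..%2F..%2Fetc%2Fpasswd": "URL-encoded path traversal",
    "' OR SLEEP(5) OR '": "plain, nothing encoded",
}

def compare():
    """Map each sample to (naive_result, hardened_result)."""
    return {s: (naive_matches(s), hardened_matches(s)) for s in SAMPLES}
```

Every encoded sample passes the naive filter and is caught only after canonicalization, which is the gap the encoding techniques above exploit.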
We have prepared the following article on Web Application Firewall evasion techniques for a deeper understanding. We hope it is a practical resource for understanding and applying firewall evasion techniques in cybersecurity contexts.