Detecting & Bypassing Web Application Firewalls (part 1)

When we hear the term firewall, most people think of the network filtering solution. But have you heard about the web application firewall (WAF)?

Web applications have some serious vulnerabilities, and WAF provides a very important extra protection layer to the web solution. Hackers can find access points through errors in code, and we find that having a WAF in front of our web application is very important for security.

WAF acts as a special mechanism governing the interaction between the server and client while processing the HTTP-packets. It also provides a way to monitor the data as it is received from the outside. The solution is based on a set of rules that exposes if there is an attack targeting the server. Usually, the web application firewall aims to protect large websites like banks, online retailers, social networks, large companies… But now anyone can use it now that we have some open-source solutions available.

WAF can be implemented in two ways, via hardware or software, and in three forms:

1. Implemented as a reverse proxy server.
2. Implemented in routing mode / bridge.
3. Integrated in the Web application.

The first form can be as mod_security , Barracuda , nevisProxy . These types of WAF Automatically block or redirect the request to the web server without any changes or editing data.

The second category consists mainly of hardware WAF. For example, Impreva SecureSphere ( These solutions require additional configuration on the internal network, but eventually the option gains in productivity.

And finally, the third type implies the existence in the Web application like integrating the WAF in the CMS.
WAF rules contain a Blacklist (compared with a list of unacceptable actions) and Whitelist (accepted and permitted actions), for example we can find in the black list strings like: «UNION SELECT», «< script>», «/ etc / passwd» while whitelist rules may contain a number parameters value (from0 to 65535).

We will now look at how pentesting can detect the WAF server, and more importantly how to bypass it.
Each firewall has a special method in responding that helps in identifying the type of WAF implemented (fingerprint) for example:

• HTTP-response cookies parameters.
• Modifying HTTP-headers to mask the server
• The way of responding to a special data and queries
• The way in closing connection under not authorized actions.

For example, when we launch an attack on mod_security we get 501 error code; WebKnight – the code 999; Barracuda on cookie-parameter barra_counter_session.

This can certainly help in identifying the WAF, and there are some scanners that can automate the operation so you will be able to get the information like w3af a framework plug-in WAF_fingerprint and wafw00f. These tools are important for the pentesting operation.

Next part will be looking at different technics to bypass web application firewall and exploit most popular vulnerabilities.

make sure you subscribe to my RSS feed!