nemesida-waf/waf-bypass

UWA/26.json is not a valid HTTP payload

Closed this issue · 1 comment

The portion of URLs after # is for client-side processing and does not get sent to the server in HTTP requests. Therefore, there is no way for a WAF to block this request, as it would only receive /do.php instead of the full /do.php#.png.

/do.php is not malicious in and of itself and therefore the UWA/26.json payload should not be expected to be blocked by a WAF.

After taking a closer look, while what I originally said is true, it is possible to craft a GET request etc. to /do.php#.png via other means.

My issue is that my WAF is specifically using Flask/Werkzeug which abstracts the requests enough to where the #.png is dropped from the request even when inspecting via @app.before_request, so although my WAF is unable to block it, it's inherently following the URI RFC and thus removing the "malicious part" before I even have a chance to inspect it.

I'm going to close the issue since it is a valid payload to inspect.
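The situation described in this thread, as an added example (not code from the nemesida-waf/waf-bypass project or from the issue author): a WSGI middleware that inspects the request-target before Werkzeug/Flask parses it, so a `#` that was actually sent on the wire is still visible to the check. It assumes the WSGI server exposes the unparsed request line as `RAW_URI` or `REQUEST_URI` (Werkzeug's dev server and gunicorn do; not every server does); `FragmentGuard`, `make_environ`, `hello` and `run` are hypothetical names, and `make_environ` builds a constructed environ rather than a real server's.

```python
# Added example, not code from the nemesida-waf/waf-bypass project.
# Assumption: the server exposes the raw request line as RAW_URI or REQUEST_URI
# (Werkzeug's dev server and gunicorn do; not every WSGI server does).
from urllib.parse import urlsplit


def raw_target(environ):
    # The request-target exactly as received, before any URL parsing.
    return environ.get("RAW_URI") or environ.get("REQUEST_URI")


def fragment_in_request(environ):
    # Browsers never send the fragment, so a '#' on the wire means the
    # request was hand-crafted (a script, curl, a replayed capture).
    target = raw_target(environ)
    return target is not None and "#" in target


class FragmentGuard:
    # WSGI middleware: runs before Flask/Werkzeug builds its Request object,
    # which is where the fragment would otherwise be silently dropped.
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if fragment_in_request(environ):
            body = b"Forbidden: fragment in request-target\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [body]
        return self.app(environ, start_response)


def make_environ(request_target):
    # Constructed environ mimicking a dev server parsing 'GET <target> HTTP/1.1':
    # PATH_INFO has the fragment stripped, RAW_URI keeps the original line.
    parts = urlsplit(request_target)
    return {"REQUEST_METHOD": "GET", "PATH_INFO": parts.path,
            "QUERY_STRING": parts.query, "RAW_URI": request_target}


def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def run(app, request_target):
    # Drive a WSGI app once with a constructed request; return (status, body).
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app(make_environ(request_target), start_response))
    return seen["status"], body
```

Without the guard, `run(hello, "/do.php#.png")` succeeds because `PATH_INFO` is already just `/do.php`, which is exactly the stripping the thread describes.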