Security experts have disclosed advanced methods for bypassing Web Application Firewalls (WAFs) on a large scale, and they have also introduced a new Burp Suite plugin to facilitate this process.
Shubham Shah, a co-founder of Assetnote and an experienced bug bounty hunter, shared the results, which shed light on how WAF deployments are currently and how to bypass their protection effectively.
Shah highlighted the significant shift in WAF deployment over the past five years. Due to cost and usability concerns, WAFs were initially reserved for critical assets.
However, the landscape has changed, with mature companies deploying WAFs across their entire attack surface, sometimes covering over 20,000 assets with solutions like Akamai.
This widespread adoption necessitates new strategies for bug bounty hunters and security researchers to adapt and continue identifying vulnerabilities.
Shah suggests that instead of creating complex payloads to bypass WAFs, it’s better to keep it simple. He stressed that many modern WAFs can be bypassed without the need for complex techniques.
Instead, he proposed straightforward methods focusing on the mindset and methodology rather than altering payloads. This approach aims to demystify WAF bypass techniques and make them more accessible to the security community.
Common Flaw: Request Size Limits
One of the key vulnerabilities Shah discussed is the request size limit inherent in many WAFs. Due to performance constraints, WAFs typically inspect only a portion of the request body.
For instance, AWS WAFs inspect up to 8 KB for Application Load Balancer and AWS AppSync protections and up to 64 KB for CloudFront and API Gateway protections.
Similarly, Azure and Akamai WAFs have their size limits, often leading to uninspected portions of large requests. This flaw can be exploited by placing malicious payloads beyond the inspection limit, bypassing the WAF.
Shah introduced the nowafpls Burp Plugin to facilitate the exploitation of these request size limits. This tool simplifies the process by automatically padding out requests to exceed WAF inspection limits.
Depending on the content type, the plugin inserts junk data at the cursor’s position, making it easier to bypass WAFs without manual intervention. For example, it adds comments in XML, junk keys and values in JSON, and junk parameters in URL-encoded data.
Shah also discussed several advanced tools and techniques for bypassing WAFs:
- IP Rotate: A Burp Suite extension that routes traffic through multiple API gateways across different regions, helping to avoid rate limiting.
- Fireprox: Generates an API gateway URL for use with tools like ffuf, ensuring each request comes from a new IP.
- ShadowClone: Distributes tasks across serverless compute platforms like AWS, GCP, and Azure, providing high IP variability to bypass WAFs. This tool is particularly effective for large-scale vulnerability scanning and testing.
In addition to exploiting request size limits, Shah highlighted other innovative bypass techniques:
- Bypassing via the WAF: Utilizing shared certificates provided by WAF providers like Cloudflare to set up proxied connections to the origin IP, effectively reducing WAF settings to the lowest level.
- H2C Smuggling: Leveraging HTTP/2 Cleartext (H2C) smuggling to bypass rate limiting and WAF controls, particularly in on-premise or reverse-proxy based WAFs.
Shah’s presentation underscores the evolving nature of WAF bypass techniques and the importance of staying ahead in the cybersecurity arms race.
By simplifying the approach and leveraging tools like the nowafpls Burp Plugin, security researchers can more effectively identify and exploit vulnerabilities, ensuring robust protection against increasingly sophisticated threats.