WAFs & IPS: A Deep Dive into Advanced Bypass Techniques
Introduction: What is a WAF and IPS?
A Web Application Firewall (WAF) is a security system designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. Unlike traditional firewalls, which focus on network traffic, WAFs operate at the application layer, inspecting requests and responses for malicious behavior, such as SQL injection, cross-site scripting (XSS), and other attacks as outlined by the OWASP Top 10 vulnerabilities.
An Intrusion Prevention System (IPS), on the other hand, sits inline with network traffic and monitors for suspicious activity that could indicate an attack. While WAFs are designed specifically for web applications, IPS can be broader, protecting networks by blocking malicious traffic. IPS systems can detect and prevent exploits, malware, and denial-of-service (DoS) attacks.
How Attackers Identify the Presence of a WAF or IPS
Before attempting to bypass a WAF or IPS, attackers often probe the target to detect the presence of these security measures. There are several ways attackers can identify whether a WAF or IPS is in place:
- Unusual Error Messages: If an attacker sends a request that includes special characters (e.g., single quotes
'
, backslashes\
, or specific keywords likeUNION
), a WAF may block the request and return a generic error message (e.g., 403 Forbidden or 500 Internal Server Error). Attackers can use these error messages to determine the presence of a WAF. - Blocked or Altered Responses: WAFs may block or alter responses containing sensitive information. Attackers can attempt common payloads and see if certain responses (e.g., SQL errors) are missing or altered.
- Behavioral Anomalies: Attackers may detect WAFs or IPS by sending harmless payloads that mimic the structure of common attacks. For instance, an HTTP request containing a potential SQL injection may be allowed, but a slightly modified version (with additional SQL keywords) might be blocked. This can reveal the presence of a WAF that is inspecting for SQL signatures.
Once an attacker confirms the presence of a WAF or IPS, they can use advanced techniques to bypass these defenses. Let’s explore some of these sophisticated methods.
1. Advanced HTTP Parameter Pollution (HPP) with Mutation
HTTP Parameter Pollution (HPP) occurs when attackers send multiple parameters with the same name to a web server. An advanced version of this technique, HPP with Mutation, involves mutating the values through encoding or adding special characters to further evade detection.
Example:
Consider the following SQL injection payload:
username=admin' --
To bypass detection, the attacker could split and mutate the payload:
username=%61%64%6d%69%6e%27%20--%20
By sending multiple parameters like username=admin
and username=%61%64%6d%69%6e%27
, the WAF may fail to detect the attack. Additionally, depending on how the server handles repeated parameters, it may concatenate or prioritize one over the other, allowing the injection to bypass the WAF.
Mitigation:
WAFs must normalize all incoming parameters to a single format before analyzing them, and developers should ensure input validation happens consistently across all fields.
2. WAF Detection via Error Messages
Once an attacker knows a WAF is in place, they will attempt to map its detection rules. This is often done through WAF error probing — sending inputs that are syntactically valid but could trigger WAF block rules.
Example:
The attacker might try:
username=admin' AND '1'='1
If this triggers an error or block, but the variant:
username=admin' AND '1'='2
If the first is blocked or triggers a WAF-specific error page, but the second passes through or returns a standard application error, it confirms the presence of a WAF.
Mitigation:
Security teams should configure their WAFs to provide minimal information in error responses and ensure that all error handling is generic and does not disclose information about the security infrastructure.
3. Layered Encoding and Obfuscation
Attackers can use multiple layers of encoding to obscure payloads from WAF inspection. This involves encoding the payload in several formats (e.g., base64, hexadecimal) or nesting encodings like double URL encoding.
Example:
A SQL injection payload like:
admin' OR 1=1 --
Could be encoded as:
%61%64%6d%69%6e%27%20%4f%52%201%3d1%20--%20
The WAF might not decode this payload correctly, allowing it to pass undetected.
Mitigation:
To counter this, WAFs must be configured to decode multiple layers of encoding before analyzing the payload. Additionally, limiting or restricting unnecessary encoding mechanisms can prevent such attacks.
4. Bypassing via TLS Encryption (SSL)
When traffic is encrypted using SSL/TLS, WAFs that don’t terminate SSL connections are unable to inspect the content of the traffic, which provides an easy bypass for attackers.
Technique:
An attacker might send a malicious payload over HTTPS:
POST /login HTTP/1.1
Host: vulnerable.com
Content-Type: application/x-www-form-urlencoded
username=admin' AND '1'='1
Without SSL termination, the WAF won’t be able to inspect the payload, allowing the attack to go through.
Mitigation:
Organizations can mitigate this by terminating SSL/TLS traffic at the WAF or a proxy layer so the traffic can be inspected in its decrypted form before it is sent to the application server.
5. Cross-Site Scripting (XSS) Payload Bypassing
WAFs often block common XSS attack vectors such as <script>
tags, but attackers can use non-standard HTML elements or event-driven JavaScript to bypass these filters.
Example:
An attacker can use the following payload to evade <script>
tag detection:
<svg onload=alert(1)>
or use event attributes like onmouseover
:
<a href="#" onmouseover="alert('XSS')">Hover me!</a>
These types of payloads can slip past basic signature-based WAFs.
Mitigation:
WAFs should analyze the entire DOM and parse JavaScript execution to detect behavior-based XSS attacks. Enforcing Content Security Policies (CSPs) can also mitigate XSS attacks.
6. WAF Signature Evasion with Polymorphic Attacks
Polymorphic attacks involve altering the structure of malicious payloads in such a way that they no longer match the known signatures that WAFs look for.
Example:
An attacker might change a SQL injection query:
UNION SELECT username, password FROM users
to:
UNION SELECT 'user' || 'name', 'pass' || 'word' FROM users
This breaks the signature pattern the WAF is looking for, allowing the payload to bypass the filter.
Mitigation:
WAFs should incorporate anomaly-based detection techniques, such as machine learning, which can identify abnormal patterns in queries even if the payload structure has been altered.
Conclusion
Bypassing WAFs and IPS requires attackers to exploit the limitations of these systems through advanced techniques like encoding, parameter fragmentation, and encrypted traffic. To effectively guard against these evolving threats, organizations need to implement multi-layered security approaches that combine robust WAF configuration, SSL termination, advanced anomaly detection, and secure application design.
For further reading on WAFs, IPS, and advanced bypass techniques, check out resources from OWASP, Splunk, and other leading cybersecurity platforms.