Breaking the most popular Web Application Firewalls in the market

This is a walk-through that shows how to bypass the SQL injection and cross-site scripting rules of the following Web Application Firewalls:

By seeing the process of how I broke the rules of these WAFs, you'll gain the necessary skills to evaluate the security of the rules of any WAF/IDS.

In this post you'll find 4 types of bypasses for each WAF:

  • Detection phase (vectors to see if the page is vulnerable to SQL injection)
    • Boolean-based injections
    • Blind time-based injections for MySQL, PostgreSQL and MSSQL
  • Exploitation phase
    • UNION-based injections
    • Blind boolean-based injections

Sometimes there are cross-site scripting vectors as well.

At the very end of the post, there is a pseudo-universal SQL injection bypass that works against a large number of WAFs.

If you're having trouble bypassing a firewall (or want to be updated on further posts), reach out to me on X at @ruben_v_pina or at ruben@nzt-48.org and I'll see if I can break it.
