Technical Analysis of "Jumping to the HELL with 10 attempts to bypass DEVIL’s WAF"

Overview:
This write-up documents a series of sophisticated techniques and iterations used to bypass a Web Application Firewall (WAF) protecting DEVIL's application. It elucidates various payload crafting processes, evasion methodologies, and an exploratory approach revealing the fragile aspects of WAF rule management.

Key Technical Details:

1. Initial Reconnaissance and Identification:
2. Payload Crafting: The author began by understanding the target's WAF by sending a series of benign and malicious requests. The initial attacks using basic payloads like alert('XSS') quickly hit the WAF filters, which flagged them as malicious.

3. Behavioral Analysis: The responses from the server indicated detailed error messages that allowed the attacker to infer the type of WAF and its filtering rules over time.

4. Payload Evasion Techniques:

5. Case Fluctuation: The attacker first employed basic case manipulation techniques such as replacing alert with aLeRt, or script with ScRiPt. This approach aimed at evading case-sensitive string matching.
6. Non-Standard Encoding: An attempt was made to use URL encoding, HTML entity encoding, and their combinations. For example, transforming < to %3C or <.

7. JavaScript Obfuscations: Standard payloads were obfuscated further using string concatenations and function constructors, employing techniques such as eval('al'+'ert(1)').

8. Nested Payloads and Indirect Execution:

9. Double Encoding: Nested encoding was applied to payloads to bypass multiple layers of filters. For instance, encoding the payload twice or mixing different types of encodings within a single payload.

10. Indirect Execution: Exploitation via indirect execution methods like setTimeout or setInterval functions, which can sometimes bypass filters that specifically look for eval.

11. Less Common Attack Vectors:

12. Attribute-Based Payloads: The author utilized HTML attributes, such as <img src='x' onerror='alert(1)'>, to exploit lesser-known vectors less likely to be filtered by the WAF.

13. Event Handlers and Inline Scripts: Bypassing the WAF through event handlers embedded within attributes or inline JavaScript within HTML tags, e.g., <body onload=alert(1)>.

14. Filter Blind Spots:

15. Capitalization and Encoding Combinations: Combining different evasion techniques proved effective. For instance, alternating capitalization in conjunction with different encoding layers often slipped past filters that did not comprehensively normalize inputs before checking them.

16. Inessential Spaces: Introducing inessential spaces within identifiers and keywords was another way to evade detection, with payloads such as <img src=x on error=alert(1)>.

17. Custom Crafted Payloads:

18. Payload Chaining: The process involved chaining multiple benign scripts together that when executed in sequence, reassembled into a malicious payload. For instance, using event handlers in chained attributes or nested tags.

Key Takeaways:

• WAF Evasion Techniques: Multiple techniques can be leveraged to bypass WAFs, including case manipulation, encoding, indirect execution, nested payloads, and lesser-known vectors such as HTML attributes or event handlers.
• WAF Rule Weaknesses: The necessity for comprehensive normalization of inputs before applying WAF rules is crucial. Failing to account for multiple encoding layers or non-canonical input can leave significant blind spots.
• Importance of Multi-Layered Defense: Reliance on WAF alone is insufficient. A combination of input validation, proper encoding/escaping, content security policies (CSP), and rigorous testing can help mitigate such attack vectors.
• Exploratory Approach: Persistent and methodical testing of payloads with incremental changes based on response behavior is effective in discovering and exploiting WAF rule vulnerabilities.

Conclusion:

This write-up highlights the evolving nature of web application security, showing that even robust WAFs can be bypassed with sophisticated techniques. It underscores the importance of understanding WAF internals, tailored payload crafting, and comprehensive input normalization to shield web applications against advanced attacks.

For further insights, refer to the complete article on Medium.