Evasion techniques for WAFs
It can be difficult to predict how a WAF will inspect traffic because WAF rules and methods are not standardized and work so high up the stack. Basically, you are looking for weaknesses in detection and/or to make it as difficult as possible for a WAF to properly interpret the communication sent to the target.
Some techniques that can be used:
- mixed case in attack strings (used to bypass WAF regex configurations)
- random comments in SQL commands
- URI encoding
- packet fragmentation
In one simple home-grown WAF system I tested, I defeated the SQL injection protection by switching from
' OR 1=1 --
to
' OR foo=foo --
On the topic of tools, SQLMap and Havij are well-known. The SQLMap evasion scripts may also provide deeper insight into specific WAF evasion techniques.
Any IPS evasion technique can also be potentially applied to WAF.
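As an added illustration (not code from any answer above), a small Python script that shows why a literal-signature check of the sort described fails against the transformations listed in that answer (mixed case, inline SQL comments, URI encoding, swapping 1=1 for foo=foo) and what the detection side has to do instead: normalize the value before any rule runs, then match the shape of a tautology rather than one specific literal. The regexes and sample payloads are constructed for the example and are not from any real WAF.

```python
import re
from urllib.parse import unquote

# Constructed example: the kind of literal signature a simple home-grown
# WAF might ship. Case-sensitive, exact string, no decoding.
NAIVE_SIGNATURE = re.compile(r"'\s+OR\s+1=1")

def naive_waf_blocks(payload: str) -> bool:
    return bool(NAIVE_SIGNATURE.search(payload))

def normalize(payload: str) -> str:
    """Canonicalise the request value before any rule runs."""
    s = payload
    prev = None
    while s != prev:          # repeat so double-encoding (%2527) is undone too
        prev = s
        s = unquote(s)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # drop inline SQL comments
    s = re.sub(r"\s+", " ", s)                       # collapse whitespace
    return s.strip().lower()                         # mixed case no longer matters

# Match the *shape* of a tautology (OR x=x), not a specific literal like 1=1.
TAUTOLOGY = re.compile(r"'\s*or\s+(\w+)\s*=\s*\1\b")

def hardened_waf_blocks(payload: str) -> bool:
    return bool(TAUTOLOGY.search(normalize(payload)))

# Constructed sample values: one per technique named in the answer, plus benign input.
SAMPLES = {
    "literal":        "' OR 1=1 --",
    "mixed_case":     "' oR 1=1 --",
    "comments":       "'/**/OR/**/1=1 --",
    "url_encoded":    "%27%20OR%201%3D1%20--",
    "double_encoded": "%2527%2520OR%25201%253D1%2520--",
    "foo_eq_foo":     "' OR foo=foo --",
    "benign_name":    "O'Reilly",
    "benign_query":   "search=shoes or boots",
}

def evaluate(samples=SAMPLES):
    """Return {name: (naive_blocked, hardened_blocked)} for each sample."""
    return {k: (naive_waf_blocks(v), hardened_waf_blocks(v)) for k, v in samples.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:15} naive={naive!s:5} hardened={hardened}")
```

The benign samples are there to show that normalizing first does not by itself turn every apostrophe or every "or" into a block; the rule still needs a recognisable injection shape.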
Check out Ivan Ristić's research. Snippets below from his post on the Qualys blog:
Today at Black Hat [2012] we are announcing a new research project on protocol-level evasion of web application firewalls. This type of evasion focuses on the low level operation of WAFs, aiming to exploit little differences in how WAFs see traffic and how backend web servers and applications see it. If you get the WAF to see something different from what the backend is seeing, you have an evasion opportunity that could possibly be used to execute any attack type, without detection.
[...]
Attached to this post is our research paper that focuses on request path, parameter, and multipart/form-data evasion. Also attached are the Black Hat talk slides that introduce the research. The testing suite (a sort of a research toolkit) is in the IronBee WAF Research repository on GitHub.
Protocol-Level Evasion of Web Application Firewalls v1.1 (18 July 2012).pdf
Protocol-Level Evasion of Web Application Firewalls (Ivan Ristic, Qualys, Black Hat USA 2012) SLIDES.pdf
You could play with sqlmap:
Bypassing Web Application Firewalls with SQLMap Tamper Scripts