Proxy / WAF Protections Bypass

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Bypass Nginx ACL Rules with Pathname Manipulation

Nginx rule example:

location = /admin {
    deny all;
}

location = /admin/ {
    deny all;
}

In order to prevent bypasses Nginx performs path normalization before checking it. However, if the backend server performs a different normalization (removing characters that nginx doesn't remove) it might be possible to bypass this defense.

NodeJS - Express

Nginx Version	Node.js Bypass Characters
1.22.0	`\xA0`
1.21.6	`\xA0`
1.20.2	`\xA0`, `\x09`, `\x0C`
1.18.0	`\xA0`, `\x09`, `\x0C`
1.16.1	`\xA0`, `\x09`, `\x0C`

Flask

Nginx Version	Flask Bypass Characters
1.22.0	`\x85`, `\xA0`
1.21.6	`\x85`, `\xA0`
1.20.2	`\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B`
1.18.0	`\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B`
1.16.1	`\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B`

Spring Boot

Nginx Version	Spring Boot Bypass Characters
1.22.0	`;`
1.21.6	`;`
1.20.2	`\x09`, `;`
1.18.0	`\x09`, `;`
1.16.1	`\x09`, `;`

PHP-FPM

Nginx FPM configuration:

location = /admin.php {
    deny all;
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}

Nginx is configured to block access to /admin.php but it's possible to bypass this by accessing /admin.php/index.php.

How to prevent

location ~* ^/admin {
    deny all;
}

Bypass Mod Security Rules

Path Confusion

In this post is explained that ModSecurity v3 (until 3.0.12), improperly implemented the REQUEST_FILENAME variable which was supposed to contain the accessed path (until the start of the parameters). This is because it performed an URL decode to get the path. Therefore, a request like http://example.com/foo%3f';alert(1);foo= in mod security will suppose that the path is just /foo because %3f is transformed into ? ending the URL path, but actually the path that a server will receive will be /foo%3f';alert(1);foo=.

The variables REQUEST_BASENAME and PATH_INFO were also affected by this bug.

Something similar ocurred in version 2 of Mod Security that allowed to bypass a protection that prevented user accessing files with specific extensions related to backup files (such as .bak) simply by sending the dot URL encoded in %2e, for example: https://example.com/backup%2ebak.

Bypass AWS WAF ACL

Malformed Header

This research mentions that it was possible to bypass AWS WAF rules applied over HTTP headers by sending a "malformed" header that wasn't properly parsed by AWS but it was by the backend server.

For example, sending the following request with a SQL injection in the header X-Query:

GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n

It was possible to bypass AWS WAF because it wouldn't understand that the next line is part of the value of the header while the NODEJS server did (this was fixed).

References

Websec | Uw Cybersecurity Specialist

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousSteal postmessage modifying iframe location NextRace Condition

Last updated 19 days ago