Web Application Firewall Presentation

R3zk0n · October 2, 2025

Contents

    Resources

    • https://www.darkreading.com/cloud/transforming-sql-queries-bypasses-waf-security
    • https://www.blackhat.com/asia-22/briefings/schedule/index.html#autospear-towards-automatically-bypassing-and-inspecting-web-application-firewalls-25503
    • https://www.youtube.com/watch?v=scnCP1YLtZI
    • https://infosecwriteups.com/module-3-introduction-pentesting-bypassing-aws-azure-gcp-cloud-waf-fun-profit-6b38a836d78f
    • https://portswigger.net/daily-swig/json-syntax-hack-allowed-sql-injection-payloads-to-be-smuggled-past-wafs
    • https://www.alibabacloud.com/blog/protecting-websites-through-semantics-based-malware-detection_235116
    • https://github.com/coreruleset/coreruleset
    • https://www.securitynewspaper.com/2022/12/08/new-json-based-sql-injection-attacks-allow-bypassing-palo-alto-f5-aws-cloudflare-and-imperva-waf/

    WAFs

    • First line of defense for web applications and a fundamental web security control: it protects against common web attack techniques, for example through malware detection or by blocking injection-based attacks such as XSS and SQLi.

    Types of WAF

    • Signature-based
      • Regex-based: uses managed rules written by the WAF provider's rules team that block patterns of known attacks by recognising a distinct fingerprint of each. The weakness is that, because it employs a deny-listing strategy, attack variations (bypasses) are more frequent; fuzzing techniques are especially effective against these WAFs.
      • Semantic-analysis-based: categorises types of attacks with natural-language-style semantics, for example through tokenization, and then determines whether an input is a permutation or combination of a previously determined attack set.
      • Machine-learning-based: uses previously collected datasets to train a model that identifies variations in attack patterns.
    • Also split between traditional WAFs and WAFs as a service

    Figure: WAF classification. Source: https://www.alibabacloud.com/blog/protecting-websites-through-semantics-based-malware-detection_235116
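To make the regex-versus-semantic distinction concrete, here is an added example (not code from the original presentation or from any WAF vendor) that scores a deny-list regex rule and a small tokenizer-based rule against the same hand-labelled, constructed set of parameter values. The sample values, keyword list, regex and tokenizer are all assumptions built for this illustration; real rule sets such as the CRS are far larger and are evaluated on far larger corpora, so the counts here only demonstrate how the FP/FN trade-off is measured, not how any product performs.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed, hand-labelled parameter values: (value, is_attack).
# The benign entries include an apostrophe and English prose that
# happens to contain SQL keywords, which is what trips keyword regexes.
SAMPLES: List[Tuple[str, bool]] = [
    ("1", False),
    ("O'Brien", False),                                   # legitimate apostrophe
    ("select a union from members", False),               # prose, not SQL
    ("1' OR '1'='1", True),                               # classic tautology
    ("1 UNION SELECT user, password FROM users", True),   # classic UNION query
    ("1; DROP TABLE users", True),                        # stacked statement
]

# Signature rule in the deny-list style: any SQL keyword anywhere in the value.
SIGNATURE = re.compile(r"\b(union|select|drop|or|and)\b", re.IGNORECASE)


def regex_detect(value: str) -> bool:
    """Flag the value if the keyword signature matches anywhere."""
    return SIGNATURE.search(value) is not None


# Tokenizer for the semantic rule: quotes, numbers, identifiers, punctuation.
KEYWORDS = {"select", "union", "from", "where", "or", "and",
            "drop", "table", "insert", "delete"}
TOKEN_RE = re.compile(r"'|\d+|[A-Za-z_]\w*|[^\s\w']")


def tokenize(value: str) -> List[Tuple[str, str]]:
    """Split a parameter value into (kind, lexeme) tokens."""
    tokens = []
    for lexeme in TOKEN_RE.findall(value):
        if lexeme == "'":
            tokens.append(("QUOTE", lexeme))
        elif lexeme.isdigit():
            tokens.append(("NUM", lexeme))
        elif lexeme.lower() in KEYWORDS:
            tokens.append(("KW", lexeme.lower()))
        elif lexeme[0].isalpha() or lexeme[0] == "_":
            tokens.append(("WORD", lexeme))
        else:
            tokens.append(("PUNCT", lexeme))
    return tokens


def semantic_detect(value: str) -> bool:
    """Flag only token sequences that form SQL structure a plain value cannot:
    UNION followed by SELECT, a statement separator followed by a keyword, or a
    closing quote followed by a boolean operator."""
    toks = tokenize(value)
    for (k1, v1), (k2, v2) in zip(toks, toks[1:]):
        if k1 == "KW" and v1 == "union" and k2 == "KW" and v2 == "select":
            return True
        if k1 == "PUNCT" and v1 == ";" and k2 == "KW":
            return True
        if k1 == "QUOTE" and k2 == "KW" and v2 in ("or", "and"):
            return True
    return False


def evaluate(detector: Callable[[str], bool],
             samples: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Count true/false positives and negatives for a detector over labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for value, is_attack in samples:
        flagged = detector(value)
        if flagged and is_attack:
            counts["tp"] += 1
        elif flagged and not is_attack:
            counts["fp"] += 1
        elif not flagged and is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for name, det in (("regex", regex_detect), ("semantic", semantic_detect)):
        print(name, evaluate(det, SAMPLES))
```

On this constructed set the keyword regex catches all three attacks but also blocks the prose value (one false positive), while the tokenizer rule catches the same three with no false positive because it looks at the shape of the token sequence rather than at individual words. Tightening the regex to remove the false positive would typically cost a false negative elsewhere, which is the balance the presentation refers to.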

    Setting up a testing instance on AWS WAF

    • Use DVWA's SQL injection exercise
      • SELECT first_name, last_name FROM users WHERE user_id = '1';
    • Disadvantage of a rule-based WAF: if SQL syntax exists that the WAF's rules do not recognise, the injection reaches the origin unfiltered
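Because a rule-based WAF can only block what its rules recognise, the origin application still has to be safe on its own. The following added example (not part of the presentation or of DVWA) reproduces the DVWA-style query above against an in-memory SQLite table, once with the parameter concatenated into the query text and once as a bound parameter; the table contents and function names are constructed for the illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed table standing in for DVWA's users table.
SEED_ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """DVWA-style lookup: the request parameter is pasted into the SQL text,
    so whatever the WAF lets through becomes part of the query."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Hardened lookup: the parameter is bound, so it is only ever compared
    as a value and never parsed as SQL, regardless of what the WAF saw."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))
    print(lookup_vulnerable(db, "1' OR '1'='1"))   # returns every row
    print(lookup_fixed(db, "1' OR '1'='1"))        # returns nothing
```

The tautology value that DVWA's exercise uses returns every row through the concatenated query and no rows through the bound one; the WAF in front of the server is then a second layer rather than the only control standing between the input and the database.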

    JSON in SQL

    • JSON was added to database engines

    Web Attacks and WAF

    • Injection attacks are prevalent
    • WAF is deployed in front of the origin server
      • Also split between traditional WAFs and WAFs as a service

    WAF Bypassing Methods

    • WAFs must balance false positives (FP) against false negatives (FN)
      • Architectural Level
      • Protocol Level
      • Payload Level
        • Generating and changing payloads
    • WAFNinja - FUZZ
    • Multi-point fuzzing
    • SQLMap + tamper scripts
    • WAF-A-MoLE (Full Auto(?))
