Select Page

Web applications suffer continuously evolving attacks, where a web application firewall (WAF) is the first line of defense and a necessary part of organisations’ cybersecurity strategies.

WAFs are getting more sophisticated all the time, but as its core protection starts with efficient pattern matching, typically using Regular Expressions, and classifying malicious traffic to block cyber attacks.

Evading pattern matching

However, unfortunately, this technique is no silver bullet against determined attackers. Once it’s known that there is a protection layer enabled, malicious actors find ways to bypass it, and most of the time, they even succeed.

It usually can be achieved when the same attacking payload, blocked by WAF, can be disguised to make it ‘invisible’ to the pattern matching mechanism to evade security.

Context-Specific Obfuscation

The web uses many technologies, and they all have different rules for what comprises valid syntax in their grammar, e.g., the browser itself has (at least) 3 different grammars – HTML, CSS, and JavaScript.

Depending on the context where the attack is targeted, payloads using mixed case, whitespace, comments work in the same way as the original payload.

Encodings

There are numerous ways to encode the requests sent, including standard encodings like URL, Hex, Base64, character encoding, etc. The parameter/payload can be encoded multiple times with any combination of encodings allowing the encoded attack payload to slip through.​

images from Hacker News