WAF Bypass: How to Bypass a Firewall?

As web application firewalls (WAFs) become more common, penetration tests are getting harder. WAFs are generally deployed to protect web apps from application-layer attacks such as cookie poisoning, SQL injection, and cross-site scripting. In other words, WAF protection measures help you keep your valuable data safe.

Before exploring this in more detail, let's first understand what a WAF is and how it works.

What Is a Web Application Firewall, and How Does It Work?

A WAF uses a set of filters and monitors to protect your web apps, blocking even the most minor network attacks. It also prevents unauthorized data from leaving the app. Note that a WAF is different from a network firewall. A WAF follows a set of policies that help it distinguish malicious traffic from safe traffic.

WAFs come in different forms: an appliance, software, or a service. Policies and procedures are defined according to your web server's security setup and are mainly customized to its needs. You may need to update the policies regularly to detect new vulnerabilities and check them with penetration testing. In some cases, though, WAFs are updated automatically with the help of machine learning technologies.

Let’s see some of the main features of WAF:

  • Adding a security layer to protect the web application.
  • Determining malicious requests and blocking them.
  • Standing between web layers and users.
  • Understanding HTTP parameters and traffic better than traditional web firewalls.

How to Bypass WAF? Tools and Deployment Modes

You can use the main WAF bypass tools to verify what kind of information, and how much of it, an attacker may be able to access. Some of them are listed below:

  1. CloudFail – A tactical reconnaissance tool that tries to find the original IP address behind the Cloudflare WAF.
  2. w3af – The framework's primary functions are audit and attack.
  3. BypassWAF – Searches outdated DNS records and checks whether the server is still responding for the domain.

There are also other tools and WAF signatures you can use for detection: Nmap, wafw00f, checking the response body, checking the Server header, sending a random parameter, etc.

Deployment Modes of WAF

You can deploy a WAF in several ways, depending on different factors. The main considerations are which services you need, how you would like to manage them, and the level of performance you require.

Here are some options:

  1. Cloud-based + Fully-Managed. This option is right for you if you want the fastest and most efficient WAF for your web applications.
  2. Cloud-based + Self-Managed. With this type of deployment, you get the security policy portability of the cloud and keep control of traffic management.
  3. On-Premises Advanced WAF. It combines performance, flexibility, and more advanced security measures.

Techniques for Bypassing WAF

No single bypass technique works against every type of WAF. That's because modern WAFs are trained and can observe user behavior, relying on a set of rules. However, many WAFs are not very sophisticated and run a basic configuration. Such WAFs can be dealt with through the techniques and methods listed below.

Various Types of Encoding

Encoding types differ in what supports them: the web app, the application server, or the database server.

When a user sends a request, it passes through various applications and layers before reaching the final database. That's why the useful encodings are those the database server does not support but an application in front of it does: the application decodes your input and passes it on to the database server. This environment and behavior are sometimes the best for bypassing a WAF.

The basic encodings used for bypasses are URL encoding, Unicode, binary, and hex. These kinds of encoding let you generate several bypasses and payloads.

Double Encoding

This bypass method encodes user request parameters twice in hexadecimal format before they reach the database. The purpose is to encode characters so that they exploit the application's decoding behavior and bypass security controls.

With double-encoded parameters, it's possible to bypass security systems and authentication schemes whose poorly developed filters decode user input only once.
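
The decode-once weakness described above, seen from the filter's side, as an added example that is not part of the original article. The deny-list, the sample values, and the function names are constructed for illustration; the hardened filter decodes to a fixed point and treats more than one encoding layer as suspicious.

```python
from urllib.parse import unquote

MAX_ROUNDS = 5                 # assumption: reject anything still changing after this
BLOCKED = ("<script", "../")   # toy deny-list, constructed for this example

# Constructed sample inputs.
SINGLE = "%3Cscript%3E"        # one layer of percent-encoding
DOUBLE = "%253Cscript%253E"    # the same value encoded twice
BENIGN = "hello%20world"


def naive_filter(value: str) -> bool:
    """Decode once, then inspect: the poorly developed filter."""
    decoded = unquote(value).lower()
    return any(token in decoded for token in BLOCKED)


def canonicalize(value: str) -> tuple[str, int]:
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            return value, rounds
        value = decoded
        rounds += 1
    raise ValueError("input reached the decoding limit")


def strict_filter(value: str) -> bool:
    """Inspect the canonical form and flag multi-layer encoding."""
    try:
        canonical, rounds = canonicalize(value)
    except ValueError:
        return True            # too many layers: block
    if rounds > 1:
        return True            # legitimate clients encode once
    return any(token in canonical.lower() for token in BLOCKED)


if __name__ == "__main__":
    for sample in (SINGLE, DOUBLE, BENIGN):
        print(sample, naive_filter(sample), strict_filter(sample))
```

Blocking every value with more than one encoding layer is a policy choice; a deployment that must accept such input can inspect the canonical form instead.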

SQLI: SQL Injection Vulnerabilities

SQL injection (SQLi) is one of the principal web application vulnerabilities.

The attack inserts a SQL query through the input data provided by the client. A successful SQL injection can execute administration operations and even issue system commands. It can also read and modify the database data by deleting, recovering, or updating multiple files.

There are several types of SQL Injection:

  • SQL Comment: Comments /**/ help you bypass many filters and WAFs and obfuscate standard payload vectors.
  • Dynamic Payload Generation Method: As programming languages come in different patterns, this technique allows you to create payloads and avoid their filters.
  • HTTP Parameter Pollution: HPP is an evasion technique. It is used to craft an HTTP request that manipulates hidden information. With the help of this technique, an attacker can bypass input validation or modify internal variables.
  • Mixed Encoding: Mixed-encoding payloads bypass WAF types that can detect only one encoding technique.
  • Token Breakers Method: The primary purpose of token breakers is to affect the correspondence between an unknown token and an element of a string.
  • Line Breaks Method: Many modern apps use regex-based firewalls to block malicious attempts. That’s why the Line Breaks technique is essential. It can break firewall regex and avoid detection.
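
How a regex rule ends up missing the Line Breaks and HTTP Parameter Pollution cases from the list above, and what the inspection has to do instead, as an added example that is not from the original article. The single rule, the query strings (keyword fragments only), and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed one-rule "signature set". Without re.S, '.' never matches '\n'.
RULE = re.compile(r"union.+select", re.I)

# Constructed query strings.
PLAIN = "q=union+select"
LINE_BREAK = "q=union%0Aselect"        # keywords separated by a newline
POLLUTED = "id=1&id=union%0Aselect"    # same parameter name sent twice
BENIGN = "q=reunion+photos&page=2"


def normalize(value: str) -> str:
    """Collapse every whitespace run, newlines included, to one space."""
    return re.sub(r"\s+", " ", value)


def weak_inspect(query: str) -> bool:
    """Raw regex on the first occurrence of each parameter only."""
    first = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        first.setdefault(name, value)
    return any(RULE.search(v) for v in first.values())


def full_inspect(query: str) -> dict:
    """Normalize, check every occurrence, and report repeated names."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return {
        # Repeated names are worth logging: back ends disagree on which one wins.
        "duplicates": sorted(n for n, vs in grouped.items() if len(vs) > 1),
        "rule_hits": sorted(
            n for n, vs in grouped.items()
            if any(RULE.search(normalize(v)) for v in vs)
        ),
    }


if __name__ == "__main__":
    for q in (PLAIN, LINE_BREAK, POLLUTED, BENIGN):
        print(repr(q), weak_inspect(q), full_inspect(q))
```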


We can see that a WAF is not a full-fledged security measure but one part of the application's entire security structure. However, as the number of hackers and attackers increases daily, protection policies and rules are becoming stricter. Therefore, bypassing a WAF requires exploring and trying different methods, because there is always a strong possibility of additional protection layers and mechanisms.