Automate WAF Bypass with Burp
I read an article from a Fortify security researcher earlier this week that describes a very simple and effective way to bypass some Web Application Firewalls (WAFs). The article can be found here. After reading it, I updated my Burp configuration to take advantage of this design flaw automatically, and I thought I would share the simple approach with my readers (if you have been using Burp for a while, you will likely already know how to do this).
The bypass relies on adding HTTP headers to each request we make to the application, which some WAFs trust as the client's source address. In Burp this can be done simply by adding a few rules in the proxy options. First, navigate to the “Proxy” tab, and then click on the “Options” tab. If you scroll down, you will see the “Match and Replace” section. Click on the “Add” button:
Now, all you have to do is define the match. The “Type” field should be “Request Header,” since you want to add a header. If you leave the “Match” field blank, then instead of looking for a match Burp will add the header you enter in the “Replace” field to every request. In the “Replace” field, type in one of the headers that can be used to bypass the WAF.
The list of headers includes, but is probably not limited to:
- x-originating-IP: 127.0.0.1
- x-forwarded-for: 127.0.0.1
- x-remote-IP: 127.0.0.1
- x-remote-addr: 127.0.0.1
Add each of these as matches, and check the box as shown in the image above when you want them enabled and sent in each request. An example is provided below:
That’s it! Crazy simple huh?
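Seen from the defending side, the reason this works is that the WAF (or application) reads the client address out of one of the headers listed above instead of from the TCP connection. The following is an added example, not code from the original post, that puts a naive header-trusting check beside a hardened one; the allow-listed address (127.0.0.1), the trusted proxy address (10.0.0.5) and the request values are constructed assumptions.

```python
# Added example (not from the original post): an allow-list keyed on
# client-supplied IP headers is spoofable; only trust X-Forwarded-For when
# the TCP peer is a known proxy. Header dict keys are assumed lowercased.
import ipaddress

# The header names the post lists; a naive check reads any of them.
CLIENT_IP_HEADERS = ("x-originating-ip", "x-forwarded-for",
                     "x-remote-ip", "x-remote-addr")

# Constructed assumptions: loopback is allow-listed, and the only
# reverse proxy allowed to set X-Forwarded-For sits at 10.0.0.5.
ALLOWED_SOURCES = {ipaddress.ip_network("127.0.0.1/32")}
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(headers, peer_addr):
    """Vulnerable: believes whatever address the client put in a header."""
    for name in CLIENT_IP_HEADERS:
        value = headers.get(name)
        if value:
            return ipaddress.ip_address(value.split(",")[0].strip())
    return ipaddress.ip_address(peer_addr)


def hardened_client_ip(headers, peer_addr):
    """Honours X-Forwarded-For only when the TCP peer is a trusted proxy,
    and then takes the rightmost hop (the one that proxy appended)."""
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct client: headers are untrusted input, ignore them
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
            if h.strip()]
    if not hops:
        return peer
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return peer  # malformed header: fall back to the proxy address


def is_allowed(client_ip):
    return any(client_ip in net for net in ALLOWED_SOURCES)


# Constructed request: an external client at 203.0.113.7 sends the spoofed header.
SPOOFED = {"x-forwarded-for": "127.0.0.1"}
naive_allows = is_allowed(naive_client_ip(SPOOFED, "203.0.113.7"))        # True
hardened_allows = is_allowed(hardened_client_ip(SPOOFED, "203.0.113.7"))  # False
```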