I read an article from a Fortify security researcher earlier this week that provided a very simple and effective way to bypass some Web Application Firewalls (WAFs). The article can be found here. After reading, I updated my Burp configuration to automatically take advantage of this flaw in design and thought I would share the simple approach with my readers (if you have been using Burp for a while, you will likely already know how to do this).
The flaw relies on adding HTTP headers to each request we make to the application. This can be done simply by adding some rules in the proxy options. First, navigate to the “Proxy” tab, and then click on the “Options” tab. If you scroll down, you will see the option to “Match and Replace.” Click on the add button:
Now, all you have to do is add the match. The “Type” field should be “Request Header,” as you want to add a header. If you leave the match field blank, then instead of looking for a match Burp will add the header you create in the “Replace” field. In the “Replace” field, type in one of the headers that can be used to bypass the WAF.
The list of headers includes, but is probably not limited to:
- x-originating-IP: 127.0.0.1
- x-forwarded-for: 127.0.0.1
- x-remote-IP: 127.0.0.1
- x-remote-addr: 127.0.0.1
Add each of these as matches, and check the box as shown in the image above when you want them enabled and sent in each request. An example is provided below:
That’s it! Crazy simple huh?
