This bypass technique exploits multibyte character encodings, specifically GBK and other East Asian encodings, to evade Web Application Firewalls (WAFs). The payload "%df%27" URL-decodes to the byte 0xDF followed by a single quote (0x27). On its own 0xDF is an incomplete GBK character: it is a valid lead byte waiting for a trail byte. When the application escapes the quote by prepending a backslash (0x5C), as addslashes() or a non-charset-aware mysql_real_escape_string() does, the bytes become 0xDF 0x5C 0x27. A parser that reads the query as GBK consumes 0xDF 0x5C as one two-byte character and the quote that follows is left unescaped. The WAF, which sees the raw request before any escaping happens and typically inspects it byte-by-byte or as UTF-8, has no view of how the application's escaping and the database's charset handling will recombine those bytes, so the quote looks harmless (or already escaped) to it while the server-side parser sees a live string terminator.
GBK is a multibyte encoding for Simplified Chinese, an extension of GB2312: ASCII stays single-byte, and every other character is a two-byte sequence with a lead byte in 0x81 to 0xFE and a trail byte in 0x40 to 0xFE (0x7F excluded). Because 0x5C, the ASCII backslash, is a legal trail byte, any escaping scheme that prepends a backslash to a quote without knowing the connection charset can be defeated by placing a lead byte in front of the quote. A WAF or validation routine built around ASCII or single-byte inspection does not reconstruct the multibyte sequence the way the backend does, and so the server interprets the payload as a valid query while the WAF does not detect it as malicious.
The canonical case is SQL injection against MySQL when the connection character set is GBK (for example after SET NAMES gbk) and escaping is done on bytes rather than characters; this is the "wide byte injection" pattern. The same decoding mismatch can also be used against filters that guard other sinks, including cross-site scripting (XSS) and remote code execution (RCE), depending on how the server-side application decodes and handles the payload, but each of those requires the backend to decode the bytes under the multibyte charset while the filter does not.
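The following is an added, stand-alone example, not code from the original page or the linked tweet. It simulates the byte-level mechanism offline: URL-decode the payload, apply a reimplementation of PHP's addslashes() to the raw bytes, then decode the result as the database would under a given connection charset, and scan the way a SQL lexer does for a quote that is no longer escaped. No database or WAF is involved; the query template, the sample payload and the helper names are assumptions made for the illustration. The charset-aware escaper at the end shows the fix that mysqli_set_charset() plus mysql_real_escape_string() (or better, parameterized queries) provide: escape characters after decoding in the connection charset, not raw bytes.

```python
# Added example (not from the original page): byte-level simulation of why
# %df%27 defeats byte-oriented escaping when the server reads GBK.
from urllib.parse import unquote_to_bytes


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP addslashes():
    prefix ' " \\ and NUL with a backslash, one byte at a time,
    with no knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_bare_quote(sql_fragment: str) -> bool:
    """Scan like a MySQL string lexer: a backslash consumes the character
    after it, so only an unescaped single quote counts as bare."""
    i = 0
    while i < len(sql_fragment):
        ch = sql_fragment[i]
        if ch == "\\":
            i += 2          # escaped character, skip it
            continue
        if ch == "'":
            return True     # string literal terminated early
        i += 1
    return False


def escaped_fragment(url_payload: str, connection_charset: str) -> str:
    """URL-decode -> addslashes() on raw bytes -> decode the finished bytes
    as the database does under the connection charset (errors='replace'
    mirrors a lenient decoder: an invalid byte becomes U+FFFD)."""
    raw = unquote_to_bytes(url_payload)
    return addslashes(raw).decode(connection_charset, errors="replace")


def injection_reaches_parser(url_payload: str, connection_charset: str) -> bool:
    """True when the quote survives escaping and reaches the SQL parser bare."""
    return has_bare_quote(escaped_fragment(url_payload, connection_charset))


def build_query(url_payload: str, connection_charset: str) -> str:
    """Hypothetical vulnerable query template, for display only."""
    fragment = escaped_fragment(url_payload, connection_charset)
    return "SELECT * FROM users WHERE name = '" + fragment + "'"


_ESCAPES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}


def charset_aware_escape(raw: bytes, connection_charset: str) -> str:
    """The fix at the escaping layer: decode in the connection charset first,
    then escape characters. A lone 0xDF followed by 0x27 is not a valid GBK
    pair (0x27 is below the trail-byte range), so it can no longer swallow
    the backslash that is added afterwards."""
    text = raw.decode(connection_charset, errors="replace")
    return "".join(_ESCAPES.get(c, c) for c in text)


if __name__ == "__main__":
    payload = "%df%27 OR 1=1 -- "   # constructed sample payload
    for cs in ("gbk", "utf-8", "latin-1"):
        print(f"{cs:8} bare quote reaches parser: "
              f"{injection_reaches_parser(payload, cs)}")
        print("         ", build_query(payload, cs))
    print("charset-aware escape (gbk):",
          repr(charset_aware_escape(unquote_to_bytes(payload), "gbk")))
```

Under a GBK connection the 0xDF 0x5C pair decodes to a single CJK character and the quote comes out bare; under UTF-8 or Latin-1 the backslash is still a separate character in front of the quote and the escaping holds. The same mismatch is why the real remediation is to set the connection charset through the driver (mysqli_set_charset() or the charset in a PDO DSN, not SET NAMES) and to use parameterized queries, so that no byte-oriented escaping sits between the input and the parser.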
In summary, multibyte/GBK encoding attacks are an effective way to bypass WAF filters and escaping routines that are not robust against multibyte character sets. Developers and security teams should make sure the WAF normalizes input under the same charset the backend actually uses, set the database connection charset through the driver rather than with SET NAMES so that escaping functions know the charset (or switch to utf8mb4, where 0x5C is never a trail byte), and use parameterized queries so that no byte-oriented escaping stands between untrusted input and the query parser.
For more details, check out the original tweet here: https://twitter.com/_0b1d1/status/1948422555372519891