This blog post covers a Web Application Firewall (WAF) bypass affecting F5 WAFs and reverse proxies. F5 is a well-known vendor of security solutions, including WAFs that help protect web applications from attacks such as Cross-Site Scripting (XSS). According to the analysis, the F5 WAF inspects certain headers, such as 'supportid', to verify requests. Unlike Cloudflare's free WAF plan, which does not have a built-in XSS firewall, the F5 WAF does provide XSS protection. However, the blog highlights that the F5 WAF is commonly bypassed by manipulating headers, specifically by using certain bypass headers. The weakness arises because the F5 WAF reverse proxy setup sometimes processes traffic in a way that lets attackers craft requests with specific headers that bypass the WAF's protections. The blog explains how attackers can exploit this behavior to evade detection and suggests that F5's XSS protections can be circumvented by sending malicious payloads in headers that are not properly inspected or filtered. This serves as a warning to users of F5 WAFs to be aware of this bypass technique and to implement additional security controls or patches where possible.
Original tweet: https://twitter.com/bl4ckh4ck5/status/1950164895317541302