This post is part 2 of a series aimed at bug hunters focusing on bypassing Web Application Firewalls (WAFs). The example given shows that the straightforward command 'cat /etc/hosts' triggers the WAF, indicating that the system is monitoring for simple command injection attempts that use common file-reading commands.

To bypass this, alternative commands are used that perform the same function, reading the '/etc/hosts' file, but avoid detection by the WAF's pattern matching. These commands include:
– Using 'xxd' to convert the file to a hexadecimal dump and then back again
– Using 'xargs' with 'echo' to print the contents
– Using 'perl' to process the file with an empty program
– Using 'sed' with an empty program
– Using 'awk' to print each line
– Using 'dd' to read the file while suppressing errors

These bypasses work because they avoid the typical 'cat' command pattern that the WAF blocks, showing how attackers can use alternative shell commands and techniques to evade command filters.

This technique is general rather than tied to a specific vulnerability class such as XSS or SQLi, because it targets the detection mechanism itself; it can be used against any WAF that relies on signature-based blocking of common attack commands.
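The defensive lesson of the post is that matching a command name is the weakest possible signal. The following is an added illustration, not code from the original tweet or from any WAF product: it runs a `cat`-only signature and a structure-based rule (shell control characters plus a sensitive absolute path, both required) over constructed sample parameter values that take the shape the post describes. The sample strings, the regular expressions and the sensitive-directory list are all assumptions chosen for the example; a real deployment would tune them to its own application. Whether an input "blocks" is the return value of the rule functions, so the comparison can be checked programmatically.

```python
"""Compare a command-name signature with a structure-based detection rule.

Added example for this post; the samples and rules are constructed here
and are not taken from the original tweet or from any WAF product.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample parameter values (not from the original post).  The
# first is the plain `cat` form the post says the WAF blocks; the next six
# are the alternative file-reading commands the post lists, written as a
# tester would submit them; the last two are benign values that carry only
# one of the two structural signals each.
SAMPLES = {
    "cat":              "; cat /etc/hosts",
    "xxd":              "; xxd -p /etc/hosts | xxd -r -p",
    "xargs":            "; xargs echo < /etc/hosts",
    "perl":             "; perl -pe '' /etc/hosts",
    "sed":              "; sed '' /etc/hosts",
    "awk":              "; awk '{print}' /etc/hosts",
    "dd":               "; dd if=/etc/hosts 2>/dev/null",
    "benign-path":      "see /etc/hosts for the mapping",
    "benign-semicolon": "red; green; blue",
}

# The kind of signature the post describes: the literal command name only.
CAT_SIGNATURE = re.compile(r"\bcat\b")

# Shell control operators and redirections that let an injected string start
# a new command or redirect file contents (assumed set, not exhaustive).
SHELL_METACHARS = re.compile(r"[;|&`<>]|\$\(|\n")

# Absolute paths into directories an application parameter rarely needs
# (assumed list for the example).
SENSITIVE_PATH = re.compile(r"/(?:etc|proc|root|home|var/log)/[\w./-]*")


def normalize(value: str) -> str:
    """Decode URL encoding twice (covers double encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded).strip()


def keyword_rule(value: str) -> bool:
    """Signature-style check: blocks only when the literal word `cat` appears."""
    return bool(CAT_SIGNATURE.search(normalize(value)))


def structural_signals(value: str) -> list:
    """Return the structural indicators present, independent of any command name."""
    v = normalize(value)
    signals = []
    if SHELL_METACHARS.search(v):
        signals.append("shell-metachar")
    if SENSITIVE_PATH.search(v):
        signals.append("sensitive-path")
    return signals


def structural_rule(value: str) -> bool:
    """Block when a shell control character and a sensitive path co-occur.

    Requiring both keeps a bare path in a help text, or a bare semicolon in a
    list, from being blocked on its own.
    """
    return len(structural_signals(value)) >= 2


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample label to (keyword_rule verdict, structural_rule verdict)."""
    return {label: (keyword_rule(v), structural_rule(v)) for label, v in samples.items()}


if __name__ == "__main__":
    for label, (kw, st) in evaluate().items():
        print(f"{label:18} keyword={'BLOCK' if kw else 'pass '}  "
              f"structural={'BLOCK' if st else 'pass '}")
```

Running it shows the `cat` signature blocking exactly one of the seven command samples while the structural rule blocks all seven and passes both benign values. The rule is deliberately not a complete WAF policy; its point is that the signal should be the structure of an injection (a control character plus a file it should never touch) rather than a list of utility names, since the list of utilities that can read a file is effectively unbounded. The stronger fix sits in the application itself: never hand user input to a shell, and invoke programs with an argument list against an allowlist.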

Bug hunters and security testers can use these examples to test if a WAF can be bypassed by command injection payloads that substitute common commands with less obvious equivalents.
For more insights, check out the original tweet here: https://twitter.com/akaclandestine/status/1954740657450352774. And don’t forget to follow @akaclandestine for more exciting updates in the world of cybersecurity.