This tweet highlights an effective technique for bypassing Web Application Firewalls (WAFs) that can be necessary when other methods fail: mixing several different encodings within the payload sent to the WAF. Different WAFs parse encoded data differently, and by mixing encodings an attacker can confuse or overwhelm the WAF's detection logic. This disrupts the WAF's ability to inspect and block malicious input properly, allowing simple attack payloads, such as those used for Cross-Site Scripting (XSS), SQL Injection (SQLi), or Remote Code Execution (RCE), to pass the filter.

The tweet does not name a specific vendor, and the technique applies to a range of WAF products. For instance, some WAFs decode URL encoding (% encoding), HTML entity encoding, Unicode encoding, or Base64 at different stages, or do not handle multiple layers of encoding consistently. Attackers exploit this inconsistency by combining several encodings so that the payload the WAF inspects is not the payload the backend application ultimately decodes and executes.

For security teams, the lesson is that a WAF must normalize and decode input consistently, and to the same depth the protected application does, before inspection. Doing so prevents attackers from manipulating encoding formats to slip past security controls.

In summary, mixing encodings is a simple yet powerful bypass method that targets the way WAFs handle input decoding, and it can greatly improve the success of attack payloads in evading detection.
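The following is an added example, not code from the tweet or from any WAF vendor, showing the defensive point in the summary above: an inspector that decodes only one URL-encoding layer beside one that normalizes input to a fixed point (URL, HTML entity and `\uXXXX` decoding, repeated until nothing changes, with a depth cap that fails closed). The two signature patterns, the depth limit, and the sample inputs are all constructed for the demonstration and are assumptions, not anyone's production rule set.

```python
import html
import re
from urllib.parse import quote, unquote

# Assumed depth cap: a request that still changes after this many decode passes
# is treated as suspicious rather than decoded further (fail closed).
MAX_DECODE_DEPTH = 5

# Constructed, deliberately minimal signatures; a real rule set is far larger.
SIGNATURES = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
]


def decode_once(s: str) -> str:
    """Apply one pass of each decoder the page names (URL, HTML entity, \\uXXXX)."""
    s = unquote(s)                      # %3C -> <
    s = html.unescape(s)                # &lt; or &#x3c; -> <
    s = re.sub(r"\\u([0-9a-fA-F]{4})",  # \u003c -> <
               lambda m: chr(int(m.group(1), 16)), s)
    return s


def normalize(s: str):
    """Decode until a fixed point. Returns (canonical, layers_removed, hit_limit)."""
    layers = 0
    while True:
        nxt = decode_once(s)
        if nxt == s:
            return s, layers, False
        if layers >= MAX_DECODE_DEPTH:
            return nxt, layers, True
        s = nxt
        layers += 1


def inspect_naive(raw: str) -> bool:
    """Models a WAF that strips exactly one URL-encoding layer, then matches."""
    return any(p.search(unquote(raw)) for p in SIGNATURES)


def inspect_normalized(raw: str) -> dict:
    """Canonicalize first, then match; an excessive encoding depth is itself a block reason."""
    canonical, layers, hit_limit = normalize(raw)
    if hit_limit:
        return {"blocked": True, "reason": "decode depth exceeded",
                "layers": layers, "canonical": canonical}
    matched = any(p.search(canonical) for p in SIGNATURES)
    return {"blocked": matched,
            "reason": "signature match" if matched else "clean",
            "layers": layers, "canonical": canonical}


def encode_layers(s: str, n: int) -> str:
    """Helper for the demo: wrap a string in n layers of URL encoding."""
    for _ in range(n):
        s = quote(s)
    return s


# Constructed sample inputs: the same tag under single, double, mixed and unicode encodings.
SAMPLES = {
    "single url": "%3Cscript%3E",
    "double url": "%253Cscript%253E",
    "html entity": "&lt;script&gt;",
    "url over html entity": "%26lt%3Bscript%26gt%3B",
    "unicode escape": "\\u003cscript\\u003e",
    "six url layers": encode_layers("<script>", 6),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = inspect_normalized(raw)
        print(f"{name:22} naive={inspect_naive(raw)!s:5} "
              f"normalized={result['blocked']!s:5} layers={result['layers']} "
              f"reason={result['reason']}")
```

The `layers` value is worth logging even when the canonical form matches nothing: legitimate clients rarely send input that is encoded more than once, so depth alone is a useful anomaly signal for detection engineering.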
For more details, check out the original tweet here: https://twitter.com/0DG_Gh05t5h311/status/2032574453650174134