This tweet discusses a simple yet surprisingly effective technique used to bypass Web Application Firewalls (WAFs) and authorization mechanisms by adding a trailing slash to URLs, including random pages and APIs. Although the WAF vendor is not specified, this method can apply to many types of WAFs and authorization systems.
Technical details:
– Many web servers and WAFs differentiate between URLs with and without a trailing slash. For instance, "example.com/api" and "example.com/api/" might be treated differently.
– Some WAFs or authorization systems may block or restrict certain URLs but overlook their trailing slash variants.
– By appending a trailing slash to a URL, an attacker or a penetration tester might access resources that should be protected, thereby bypassing the WAF or authorization checks.
Implications:
– This bypass technique can lead to unauthorized access or data leakage.
– It is prevalent and effective primarily because many systems normalize URLs inconsistently, so the control and the application do not agree on which path a request refers to.
Recommendations:
– Developers and security teams should ensure consistent URL normalization in their applications and WAFs.
– WAFs should be configured to treat URLs with and without trailing slashes equivalently or apply consistent security policies.
– Regular testing and validation of URL-based controls for such bypasses should be performed.
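As an added example, not code from the tweet or the summary above: a path canonicalization step applied before the authorization rule lookup, shown beside the naive exact-match check that a trailing slash slips past. The rule list and request paths are constructed; the normalizer goes beyond the trailing-slash case in the text and also folds duplicate slashes, dot segments and percent-encoding, which is what "consistent normalization" has to cover in practice.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample policy: these paths (and everything below them)
# require an authenticated admin. Not a real application's rule set.
PROTECTED_PATHS = ("/api/admin", "/internal/config")


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before any WAF or authz rule lookup.

    Drops the query string, percent-decodes once, forces a single leading
    slash, then lets posixpath.normpath collapse duplicate slashes, resolve
    '.'/'..' segments and strip the trailing slash (the root stays '/').
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    path = "/" + path.lstrip("/")
    return posixpath.normpath(path)


def naive_is_protected(raw_path: str) -> bool:
    """Weak rule: exact match on the raw path, so '/api/admin/' is not
    recognised as '/api/admin' and the request is never checked."""
    return raw_path in PROTECTED_PATHS


def hardened_is_protected(raw_path: str) -> bool:
    """Same policy applied to the canonical path, matching the whole subtree."""
    path = normalize_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PATHS)


def audit(paths):
    """Return (raw, naive, hardened) per path; any mismatch is a bypass to fix."""
    return [(p, naive_is_protected(p), hardened_is_protected(p)) for p in paths]


if __name__ == "__main__":
    # Constructed inputs: the trailing-slash variant plus other spellings of
    # the same resource that a consistent normalizer must fold together.
    sample = ["/api/admin", "/api/admin/", "/api//admin/", "/api/./admin",
              "/api/%61dmin", "/api/administrator"]
    for raw, naive, hardened in audit(sample):
        flag = "" if naive == hardened else "  <- rules disagree"
        print(f"{raw:22} naive={naive!s:5} hardened={hardened!s:5}{flag}")
```

Running the audit over the variants your routes accept, and comparing both columns, is the kind of regression test the last recommendation calls for.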
In summary, this technique is a reminder to security professionals that seemingly minor URL formatting differences can have a significant impact on security.
For more insights, check out the original tweet here: https://twitter.com/the_IDORminator/status/2036915440208011359