This tweet discusses an approach to bypassing the F5 WAF (Web Application Firewall) with cURL. Its point is that getting past this WAF is rarely about the payload itself: the request first has to survive the WAF's client fingerprinting. That fingerprinting looks at the HTTP headers, at how cookies are handled across requests, and at the TLS handshake itself, specifically the JA3 fingerprint of the client.
JA3 fingerprints a TLS client from its ClientHello: it concatenates the advertised TLS version, the cipher suite list, the extension list, the supported elliptic curves and the EC point formats (as decimal values, in that order) and hashes the resulting string with MD5, so two clients that negotiate TLS differently get different hashes even when they send identical HTTP requests. The tweet's claim is that if these elements are not handled properly, meaning the headers still look like a script, cookies are not returned, or the ClientHello does not match a real browser's, the request is blocked "at the gate": the WAF rejects it before the request body is inspected, so the payload never matters.
To bypass F5 WAF using cURL, one needs to:
1. Spoof HTTP headers to mimic legitimate browser requests.
2. Handle cookies appropriately, as browsers do.
3. Make the TLS ClientHello match a real browser's, so the resulting JA3 hash is one the WAF associates with a browser rather than with a script.
In other words, a successful bypass is about evading the WAF's fingerprinting rather than about any specific malicious payload. One practical caveat: with stock cURL the first two steps are command-line options (-H for headers, -b and -c for a cookie file), but the ClientHello is built by cURL's TLS library rather than by cURL itself. Options such as --ciphers or --tlsv1.2 change individual fields of the fingerprint without reproducing a browser's complete ClientHello, so the third step is the one that cannot be done with flags alone. This insight is useful for security researchers and penetration testers assessing web applications protected by F5 WAF.
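To make the fingerprinting concrete, the following added example (not code from the tweet or from F5) parses a TLS ClientHello and computes its JA3 string and MD5 hash the way a WAF would, including the exclusion of GREASE values that browsers insert at random. The two ClientHellos it builds are constructed for illustration; they are not captures of cURL or of any particular browser, and the cipher, extension and group lists in them are assumptions chosen only to show how a small difference in the handshake changes the hash.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello.

Added example, not part of the original post. The ClientHellos below are
constructed for illustration and are not captured from cURL or a browser.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 because browsers randomise them.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}

SUPPORTED_GROUPS = 10   # extension carrying the elliptic curve list
EC_POINT_FORMATS = 11   # extension carrying the EC point format list


def build_client_hello(version, ciphers, extensions):
    """Serialise a minimal ClientHello (RFC 5246 section 7.4.1.2) inside a TLS record.

    extensions: list of (type, payload_bytes) in the order the client sends them.
    """
    body = struct.pack("!H", version)
    body += b"\x00" * 32                                  # client random (constant here)
    body += b"\x00"                                       # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def groups_ext(groups):
    data = b"".join(struct.pack("!H", g) for g in groups)
    return (SUPPORTED_GROUPS, struct.pack("!H", len(data)) + data)


def point_formats_ext(formats):
    return (EC_POINT_FORMATS, bytes([len(formats)]) + bytes(formats))


def ja3(client_hello):
    """Return (ja3_string, ja3_md5) for a ClientHello, with or without the record header."""
    data = client_hello
    if data[0] == 0x16:                                   # strip the 5-byte TLS record header
        data = data[5:]
    if data[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    pos = 4                                               # handshake type + 3-byte length
    version = struct.unpack_from("!H", data, pos)[0]
    pos += 2 + 32                                         # version, then client random
    pos += 1 + data[pos]                                  # session_id
    cs_len = struct.unpack_from("!H", data, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", data, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + data[pos]                                  # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(data):
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            pos += 4
            edata = data[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack_from("!H", edata, 0)[0]
                groups = [struct.unpack_from("!H", edata, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == EC_POINT_FORMATS:
                formats = list(edata[1:1 + edata[0]])
    fields = [
        str(version),
        "-".join(str(c) for c in ciphers if c not in GREASE),
        "-".join(str(t) for t in ext_types if t not in GREASE),
        "-".join(str(g) for g in groups if g not in GREASE),
        "-".join(str(f) for f in formats),
    ]
    ja3_string = ",".join(fields)
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


# Constructed, script-like hello: no GREASE, short cipher and extension lists.
# Extension payloads that JA3 ignores (server_name, extended_master_secret,
# supported_versions) are left empty; only their type numbers matter here.
CURL_LIKE_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0x1302, 0xC02B, 0xC02F],
    [(0, b""), groups_ext([0x001D, 0x0017]), point_formats_ext([0]), (23, b"")],
)

# Constructed, browser-like hello: GREASE values in the cipher, extension and
# group lists, one more cipher, one more curve, and a supported_versions extension.
BROWSER_LIKE_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    [(0x3A3A, b""), (0, b""), groups_ext([0x2A2A, 0x001D, 0x0017, 0x0018]),
     point_formats_ext([0]), (23, b""), (43, b"")],
)

if __name__ == "__main__":
    for name, hello in (("script-like", CURL_LIKE_HELLO), ("browser-like", BROWSER_LIKE_HELLO)):
        s, h = ja3(hello)
        print(f"{name}: {s}\n  md5={h}")
```

The point the two hashes make is the one the tweet makes: an extra cipher suite or extension anywhere in the ClientHello yields a different JA3 string, so a WAF keyed on known browser hashes separates cURL from a browser before it looks at a single HTTP header or byte of payload. The GREASE filtering is also why browsers get a stable hash despite randomising those placeholder values on every connection.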
For more details, check out the original tweet here: https://twitter.com/manlikecreed/status/2041684640872779820