
SQLi: WAF Bypass Techniques

During a recent pentest, I encountered a WAF (CloudFlare in this case). I learned some interesting things about how to go about bypassing various filters.

Identifying What is Blocked

  1. Find an SQL injection.
  2. Use the simplest test case you can, so that the WAF does not block your request.
  3. Use that as a base request for sqlmap (see documentation here).
  4. Proxy all sqlmap traffic through your proxy of choice (I like Burp).
  5. Start sqlmap and look at Burp to identify which requests are getting blocked.
  6. For each blocked request, compare it with the successful requests to see what differs. Very likely a small change is what the WAF is matching on. Simplify the request step by step until you have isolated which strings or patterns the WAF blocks. I use Burp Repeater for this.

Bypassing the WAF

  • There are lots of good examples of how to bypass various WAF protections in the sqlmap tamper directory. Read through the code there to get some ideas.
  • Another technique is replacing single occurrences of spaces or plus signs with two of them (e.g. + replaced with ++). A statement such as union+all, which some WAFs block, can then get past the WAF as union++all, because the signature only matches the single-delimiter form.
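
The union++all observation above is really a statement about how the WAF matches: a signature written against the raw request bytes misses any variant that decodes to the same SQL. The following Python is an added example, not code from the post or from any WAF vendor, showing why a naive literal match fails on exactly the doubled-delimiter case described and how canonicalizing the query string (URL-decoding, then collapsing whitespace runs) before matching closes that gap. The request strings and the two filter functions are constructed for illustration; the filter is a hypothetical inline check, not a real product's rule format.

```python
import re
from urllib.parse import unquote_plus

# Naive signature: matches only the literal bytes "union+all" in the raw
# query string, i.e. a single '+'-encoded space between the keywords.
NAIVE_PATTERN = re.compile(r"union\+all", re.IGNORECASE)


def naive_blocks(raw_query: str) -> bool:
    """Return True if the literal-bytes signature would block this request."""
    return NAIVE_PATTERN.search(raw_query) is not None


def canonicalize(raw_query: str) -> str:
    """Decode the query string and collapse whitespace before matching.

    unquote_plus turns '+' and %xx sequences into the characters the SQL
    engine will actually see; the regex then folds any run of whitespace
    (spaces, tabs, newlines) into a single space, so 'union++all',
    'union%20%20all' and 'union%09all' all become 'union all'.
    """
    decoded = unquote_plus(raw_query)
    return re.sub(r"\s+", " ", decoded).strip().lower()


# Signature applied to the canonical form instead of the raw bytes.
NORMALIZED_PATTERN = re.compile(r"\bunion all\b")


def normalized_blocks(raw_query: str) -> bool:
    """Return True if the canonicalizing filter would block this request."""
    return NORMALIZED_PATTERN.search(canonicalize(raw_query)) is not None


# Constructed sample query strings (not captured traffic): the first is the
# baseline the post describes as blocked, the second is its doubled-plus
# variant, the third uses a tab and percent-encoded spaces, the last is benign.
SAMPLE_QUERIES = [
    "id=1+union+all+select+1,2,3",
    "id=1+union++all+select+1,2,3",
    "id=1%20union%09all%20select%201,2,3",
    "id=1",
]


def evaluate(queries=SAMPLE_QUERIES):
    """Map each query to (naive_blocks, normalized_blocks) for comparison."""
    return {q: (naive_blocks(q), normalized_blocks(q)) for q in queries}


if __name__ == "__main__":
    for query, (naive, normalized) in evaluate().items():
        print(f"{query!r:45} naive={naive!s:5} normalized={normalized}")
```

Run as a script, the table shows the naive filter catching only the first query while the canonicalizing filter catches the first three and passes the benign one. The point for a defender is that whitespace collapsing is cheap and removes one whole class of trivial evasions, but it is a detection improvement only: the application behind the WAF still needs parameterized queries, since a WAF signature can never enumerate every encoding the database will accept.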