WAF 101: Bypassing the Shield

Introduction: What is a WAF?

A Web Application Firewall (WAF) is a security solution designed to protect web applications from malicious requests and common cyber attacks. Acting as a gatekeeper between the internet and your application, a WAF analyzes incoming traffic, filters out harmful payloads like SQL Injection (SQLi) or Cross-Site Scripting (XSS), and only forwards legitimate requests to the server.

2025-06-30 07:02:44 - Venom

WAFs come in three primary types:

Regardless of the type, the basic principle remains the same: inspect traffic, block malicious requests, and allow legitimate ones to pass.

WAF Operating Modes

Most WAFs operate in one of the following modes:

  1. Skip Mode: The WAF allows all traffic — both malicious and legitimate — to pass through to the server without filtering.
  2. Block Mode: Only legitimate traffic is forwarded to the server. Malicious requests are blocked at the WAF level.
  3. Log Mode: All traffic is forwarded to the server, but malicious requests are logged for monitoring and analysis. Organizations often use this mode during the initial deployment phase to avoid accidentally blocking legitimate traffic.

Can WAFs Be Bypassed?

Absolutely!

While WAFs add a crucial layer of defense, they are not foolproof. With the right techniques and understanding of how they function, attackers (or security researchers) can find ways to bypass them.

In this blog, we’ll explore one common WAF bypass technique known as Request Body Introspection Bypass, with real-world examples. Other methods will be covered in upcoming blogs.

WAFs inspect various parts of an HTTP request:

✅ Request URL

✅ Request Headers

✅ Request Body

However, inspecting large request bodies consumes server resources. To prevent resource exhaustion, WAFs impose introspection limits, which define the maximum size of the request body that will be inspected. Anything beyond this limit may pass through unfiltered.

Popular WAF Introspection Limits

Akamai: 64 KB

GoDaddy/Sucuri: 128 KB – 256 KB

AWS WAF: 8 KB

Cloudflare: 128 KB

Note: These values are based on public information. Always refer to official WAF documentation for the latest specifications.

The Bypass in Action

Bypassing GoDaddy/Sucuri WAF

During one of my pentests, I discovered a SQL Injection vulnerability on a website protected by GoDaddy/Sucuri WAF. Here’s the initial request:

As expected, the WAF detected and blocked the malicious request.

The Trick:

I simply padded the request body with empty spaces or + characters to exceed the WAF’s introspection limit. After surpassing the inspection threshold, I appended my payload.

Result: WAF bypassed successfully!

Bypassing AWS WAF

In another engagement, I attempted to upload a web shell to a site protected by AWS WAF. My initial request was blocked:

Knowing AWS WAF’s introspection limit is just 8 KB, I modified the request by inserting HTML comments (<!----!>) to increase the payload size beyond 8 KB.

Outcome:

The WAF no longer inspected the actual payload after the size limit was exceeded, allowing the malicious request to slip through.
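The two engagements above, and the introspection-limit discussion before them, come down to one design decision: what a WAF does with the part of a body it never reads. The Python below is an added illustration written for this post; it is not the author's code and not any vendor's implementation. It models a filter that silently stops reading at its limit (the weak behaviour), the fail-closed alternative that rejects any body larger than it can inspect, and a log-side heuristic that flags the padding pattern described above. The 8 KB limit mirrors the figure quoted for AWS WAF, the sample bodies are constructed, and MALICIOUS_MARKER is a stand-in for whatever a real rule set would match.

```python
"""Defensive model of WAF request-body introspection limits.

Hypothetical example: not from the blog post and not vendor code.
Shows (1) why stopping inspection at a size limit must fail closed and
(2) how a proxy or log pipeline can flag the padding pattern the post describes.
"""
import re

INSPECT_LIMIT = 8 * 1024  # constructed: mirrors the 8 KB figure quoted in the post

# Toy "rule set": a single marker stands in for real signatures.
SIGNATURES = [re.compile(rb"MALICIOUS_MARKER")]

# Bytes that carry no meaning in a form body and are typical filler:
# whitespace, '+' (URL-encoded space) and HTML comments.
PADDING_RE = re.compile(rb"(?:[\s+]+|<!--.*?-->)+", re.DOTALL)


def inspect_prefix(body: bytes, limit: int = INSPECT_LIMIT) -> bool:
    """True if a signature matches inside the inspected window only.

    This mimics a WAF that stops reading at `limit` (the weak behaviour).
    """
    window = body[:limit]
    return any(sig.search(window) for sig in SIGNATURES)


def decide_fail_open(body: bytes, limit: int = INSPECT_LIMIT) -> str:
    """Weak policy: anything past the limit is never seen."""
    return "block" if inspect_prefix(body, limit) else "allow"


def decide_fail_closed(body: bytes, limit: int = INSPECT_LIMIT) -> str:
    """Hardened policy: a body larger than what can be inspected is rejected."""
    if len(body) > limit:
        return "block_oversize"
    return "block" if inspect_prefix(body, limit) else "allow"


def padding_ratio(body: bytes, limit: int = INSPECT_LIMIT) -> float:
    """Fraction of the inspected window that is filler."""
    window = body[:limit]
    if not window:
        return 0.0
    filler = sum(len(m.group(0)) for m in PADDING_RE.finditer(window))
    return filler / len(window)


def flag_for_review(body: bytes, limit: int = INSPECT_LIMIT, threshold: float = 0.9) -> bool:
    """Detection signal for logs in Log Mode or behind a fail-open filter.

    Fires when the body crosses the limit, the inspected part is almost all
    filler, and non-filler content exists only beyond the boundary.
    """
    if len(body) <= limit:
        return False
    tail = PADDING_RE.sub(b"", body[limit:])
    return padding_ratio(body, limit) >= threshold and len(tail) > 0


# Constructed samples: a normal form post and a padded body whose
# meaningful content starts only after the inspection boundary.
NORMAL = b"user=alice&comment=hello+world"
PADDED = b"comment=" + b"+" * (INSPECT_LIMIT + 16) + b"MALICIOUS_MARKER"

if __name__ == "__main__":
    for name, body in (("normal", NORMAL), ("padded", PADDED)):
        print(name, len(body), decide_fail_open(body),
              decide_fail_closed(body), flag_for_review(body))
```

Running it shows the padded body passing the fail-open policy as "allow" while the fail-closed policy returns "block_oversize" and the heuristic flags it for review. The mitigation on a real deployment is the same shape: configure the product to treat over-limit bodies as a match or a reject rather than a pass (AWS WAF, for example, exposes an oversize-handling setting for body inspection), and cap accepted body sizes at the origin so that the application never trusts bytes the WAF did not read.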

Conclusion

Request Body Introspection Bypass is a practical and often overlooked technique for bypassing WAF protections. By understanding how WAFs operate and exploiting their limitations, attackers can slip past defenses unnoticed.

But remember — this knowledge is meant to strengthen defenses, not to misuse.

I’ll be covering more WAF bypass methods like HTTP parameter pollution, header manipulation, and encoding tricks in upcoming blogs. Follow along if you’re curious to dive deeper into the art of WAF evasion.

Got Questions or Suggestions?

Drop a comment or connect with me on Instagram: @i.m.gauravchaudhary
