Blog | G5 Cyber Security

Bypassing WAF with DirBuster

TL;DR

Web Application Firewalls (WAFs) often block common directory brute-forcing tools like DirBuster. This guide shows techniques to modify your requests to evade detection, including using different request methods, adding headers, and employing URL encoding.

1. Understand the Problem

WAFs match HTTP requests against signatures and behavioural rules. DirBuster walks a predefined wordlist of common directory and file names, so its traffic is easy to recognise: the literal wordlist entries appear in every path, the requests arrive at a high, steady rate, and the default User-Agent identifies the tool. Common blocks are based on:

2. Modify Request Methods

Try using different HTTP request methods instead of just GET.

  1. HEAD: A HEAD response carries only the status line and headers, so it is cheaper than a GET and still tells you whether a path exists. It is not inherently less visible: the WAF inspects and logs HEAD requests like any other, although some rule sets only examine GET and POST. Servers that answer HEAD with 405 need a GET fallback.
  2. OPTIONS: Some servers answer OPTIONS with an Allow header listing the methods they accept, which tells you whether HEAD is worth trying at all.

In DirBuster, you can change the request method in Options > Request Settings.

3. Change User-Agent

WAFs often block requests from known scanners like DirBuster. Change your User-Agent to mimic a common web browser.

  1. Edit the User-Agent: In Options > Request Settings, change the ‘User-Agent’ field to a current browser string, for example:
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
  2. Randomize User-Agents: Use a plugin or script to rotate through a list of valid User-Agent strings, so that a single fixed value does not become the fingerprint.

4. URL Encoding

URL encoding can help obfuscate common directory names and file extensions.

  1. Encode Unreserved Characters: Percent-encode letters and digits in the wordlist entries. A compliant server decodes %61dmin to admin before routing, so the request still reaches the same path while a signature that looks for the literal string admin no longer matches. Do not encode reserved characters such as the slash (/): %2fadmin is not the same path as /admin, and Apache rejects encoded slashes by default. The space character encodes as %20, not %.
  2. Use an Encoder: Several online tools can encode URLs, but a local script is the better choice when the wordlist is specific to an engagement.

You’ll need to modify your wordlist file directly for this approach.
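As an added example (not code from the original post or from DirBuster), the following Python script produces percent-encoded variants of wordlist entries. It encodes only unreserved characters, so the decoded path is unchanged, leaves slashes alone, skips entries that are already encoded, and can check that two spellings still name the same resource. The sample entries are constructed stand-ins for a few lines of a DirBuster list.

```python
"""Percent-encoded variants of a DirBuster-style wordlist (one entry per line).

Added example, not code from the original post or from DirBuster itself.
Only unreserved characters (RFC 3986: letters, digits, "-", ".", "_", "~") are
encoded, because a compliant server decodes "%61dmin" to "admin" before
routing, whereas encoding reserved characters such as "/" changes the path
that is resolved (Apache answers 404 for "%2f" unless AllowEncodedSlashes is
on). Entries that already contain "%" are left untouched to avoid
double-encoding.
"""
from urllib.parse import unquote

UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def _pct(ch):
    """Percent-encode a single ASCII character: 'a' -> '%61'."""
    return "%%%02X" % ord(ch)


def encode_positions(word, should_encode):
    """Encode the unreserved characters of `word` whose index within their path
    segment satisfies should_encode(index). The index restarts after every "/"
    so each segment is treated the same way; "/" itself is never encoded."""
    out = []
    idx = 0
    for ch in word:
        if ch == "/":
            out.append(ch)
            idx = 0
            continue
        if ch in UNRESERVED and should_encode(idx):
            out.append(_pct(ch))
        else:
            out.append(ch)
        idx += 1
    return "".join(out)


def variants(word):
    """Return the distinct encodings of one wordlist entry, the plain entry first.

    Blank lines and "#" comments are dropped; entries that already contain a
    percent-escape are passed through unchanged."""
    word = word.strip()
    if not word or word.startswith("#"):
        return []
    if "%" in word:
        return [word]
    cands = [
        word,
        encode_positions(word, lambda i: i == 0),       # admin -> %61dmin
        encode_positions(word, lambda i: i % 2 == 0),   # admin -> %61d%6Di%6E
        encode_positions(word, lambda i: True),         # admin -> %61%64%6D%69%6E
    ]
    seen, result = set(), []
    for cand in cands:
        if cand not in seen:
            seen.add(cand)
            result.append(cand)
    return result


def expand_wordlist(lines):
    """Expand an iterable of wordlist lines into all their variants, in order."""
    out = []
    for line in lines:
        out.extend(variants(line))
    return out


def same_resource(a, b):
    """True when two entries decode to the same path, i.e. the server should treat them alike."""
    return unquote(a) == unquote(b)


# Constructed sample entries standing in for a few lines of a DirBuster wordlist.
SAMPLE_WORDLIST = [
    "# constructed sample list",
    "admin",
    "backup.zip",
    "wp-admin/admin-ajax.php",
    "%61lready-encoded",
]

if __name__ == "__main__":
    for entry in expand_wordlist(SAMPLE_WORDLIST):
        print(entry)
```

Run it against the real list and redirect the output to a new file, then point DirBuster at that file; every emitted variant decodes to the original entry, so hits map straight back to the plain wordlist.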

5. Add Random Headers

Adding random headers can make requests appear more legitimate and less like a scanner.

  1. Edit Request Headers: In Options > Request Settings, add the headers a browser sends on every navigation, such as:
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    X-Forwarded-For: 127.0.0.1
    X-Forwarded-For only helps against a WAF that trusts client-supplied values for IP allow-listing; a correctly configured reverse proxy overwrites it.
  2. Randomize Headers: Use a script to vary header values between requests, keeping the set consistent with the User-Agent you send.

6. Slow Down Requests

Rapid requests are a strong indicator of brute-forcing. Reduce the number of concurrent threads.

  1. Reduce Threads: In Options > Request Settings, lower the ‘Max Threads’ value to something like 10 or even 5.
  2. Add Delays: Introduce a small delay between requests (e.g., 0.5-2 seconds). This can be done using scripting tools alongside DirBuster.

7. Use a Proxy

Routing the scan through a proxy hides your source IP address from the target, which helps against IP-based blocking and rate limiting.

  1. Configure Proxy Settings: In Options > Request Settings, enter the proxy server’s address and port.
  2. Rotate Proxies: Spread requests over a list of proxies so that no single exit IP accumulates enough requests to be blocked by the target.
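To show how sections 2 to 7 translate into a request, here is an added example (not code from the original post or from DirBuster) of a small stand-alone Python client: it sends HEAD requests with a GET fallback on 405, rotates the User-Agent, sends browser-like headers, pauses a jittered interval between requests and backs off on 429, and can route through an HTTP proxy. The target host, the wordlist entries and the proxy address are constructed placeholders.

```python
"""Request shaping for a throttled directory brute-force: HEAD method, rotating
User-Agent, browser-like headers, jittered delays with back-off and an optional
HTTP proxy.

Added example; this is not code from the original post or from DirBuster. The
target URL, the wordlist entries and the proxy address are constructed
placeholders for illustration.
"""
import random
import time
import urllib.error
import urllib.request

# A few browser strings; rotate so no single value becomes the fingerprint.
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
]

# Headers a browser sends on every navigation; a scanner that omits them stands out.
BASE_HEADERS = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
}


def build_headers(rng=None, spoof_source_ip=None):
    """Browser-like header set with a randomly chosen User-Agent.

    X-Forwarded-For is only added on request: it helps solely against a WAF
    that trusts client-supplied values for IP allow-listing, and a correctly
    configured edge proxy overwrites it anyway."""
    rng = rng or random.Random()
    headers = dict(BASE_HEADERS)
    headers["User-Agent"] = rng.choice(USER_AGENTS)
    if spoof_source_ip:
        headers["X-Forwarded-For"] = spoof_source_ip
    return headers


def jittered_delay(rng=None, low=0.5, high=2.0):
    """Pause drawn uniformly from [low, high] so inter-request timing is not constant."""
    rng = rng or random.Random()
    return rng.uniform(low, high)


def build_opener(proxy=None):
    """urllib opener; with `proxy` set (e.g. "http://127.0.0.1:8080") all traffic goes through it."""
    handlers = []
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    return urllib.request.build_opener(*handlers)


def probe(opener, url, headers, method="HEAD", timeout=5.0):
    """Send one request and return the HTTP status; retries with GET when HEAD gets a 405."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 405 and method == "HEAD":
            return probe(opener, url, headers, method="GET", timeout=timeout)
        return err.code


def scan(base_url, words, rng=None, proxy=None, method="HEAD", delay=(0.5, 2.0),
         send=None, sleep=time.sleep):
    """Probe each wordlist entry with fresh headers and a jittered pause in between.

    `send(url, headers) -> status` and `sleep(seconds)` are injectable so the
    scheduling logic can be exercised without a network. On a 429 the delay
    window is doubled instead of continuing at the same rate."""
    rng = rng or random.Random()
    opener = build_opener(proxy)
    if send is None:
        def send(url, headers):
            return probe(opener, url, headers, method)
    low, high = delay
    results = {}
    for word in words:
        url = base_url.rstrip("/") + "/" + word.lstrip("/")
        status = send(url, build_headers(rng))
        results[word] = status
        if status == 429:
            low, high = low * 2, high * 2
        sleep(jittered_delay(rng, low, high))
    return results


if __name__ == "__main__":
    # Constructed target and entries; point these at a host you are authorised to test.
    found = scan("http://target.example", ["admin", "backup.zip", "robots.txt"])
    for path, status in found.items():
        print(status, path)
```

The same knobs exist in DirBuster (method, User-Agent, custom headers, thread count, proxy); the script just makes the timing explicit: a jittered pause rather than a fixed thread count, and a back-off the moment the target answers 429.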