A Web Application Firewall (WAF) is a type of firewall that protects web applications by filtering, monitoring, and blocking malicious web traffic and application-layer attacks. Typically you use them to block OWASP Top 10 attacks such as SQL injection, XSS, and more. As a penetration tester it's crucial that you know how to bypass these firewalls. In the past this would require bypassing some regex or string-matching pattern, but with the rise of AI things are changing.
I won't talk too much about bypassing traditional WAFs as there is already a bunch of content out there on this. However, I'm still going to mention a couple of things so you can understand how this technology typically works.
As shown in the image above, a WAF normally sits in front of a web application and is used to inspect the traffic going to and from the server. When you send a request to the server, the WAF analyzes the HTTP request and uses a series of regexes or string-matching patterns to detect malicious input. So you might have the following regex: <script\b[^>]*>(.*?)<\/script>. This regex triggers when it sees the <script> tag, but there is a slight issue: the match is case-sensitive. If a user types <SCRIPT> in all caps then it will bypass this check. This is where the cat-and-mouse game starts. A slight change in the payload is enough to bypass the WAF while still injecting your XSS payload. This was an extremely simple example, but that is more or less how WAF bypasses work.
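To make the case-sensitivity problem concrete, here is an added example (not code from the original post) that runs the page's regex and a hardened variant over a few constructed payloads. The hardened variant goes slightly beyond the text: it matches case-insensitively, only needs the opening tag, and normalizes URL-encoding and case before matching, which is the general fix a defender wants rather than another literal pattern. The sample payloads and function names are my own.

```python
import re
from urllib.parse import unquote

# The page's regex, case-sensitive exactly as written there.
NAIVE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)<\/script>")

# Hardened variant (assumption: this is how a defender would fix it, not the
# original post's code): case-insensitive and triggered by the opening tag alone,
# so an unclosed or differently-closed tag still counts.
HARDENED_SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def normalize(payload: str) -> str:
    """Canonicalize before matching: URL-decode (twice, for double-encoded
    input) and case-fold. Pattern checks should run on this form, not raw bytes."""
    decoded = unquote(unquote(payload))
    return decoded.casefold()


def naive_flags(payload: str) -> bool:
    """Verdict of the case-sensitive regex on the raw payload."""
    return NAIVE_SCRIPT_RE.search(payload) is not None


def hardened_flags(payload: str) -> bool:
    """Verdict of the case-insensitive regex on the normalized payload."""
    return HARDENED_SCRIPT_RE.search(normalize(payload)) is not None


# Constructed sample inputs: the page's lowercase and all-caps cases, a mixed-case
# variant, a URL-encoded variant, and a benign string.
SAMPLES = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<ScRiPt src=x></script>",
    "%3Cscript%3Ealert(1)%3C/script%3E",
    "hello world",
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (naive_verdict, hardened_verdict) so the gap is visible."""
    return {s: (naive_flags(s), hardened_flags(s)) for s in samples}


if __name__ == "__main__":
    for sample, (naive, hardened) in compare().items():
        print(f"{sample!r:45} naive={naive!s:5} hardened={hardened}")
```

Running it shows the naive regex only flags the first sample, while the hardened one flags everything except the benign string. The lesson for a WAF author is that normalization plus a case-insensitive match closes a whole class of trivial variants at once, instead of chasing each new spelling.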
Due to the rise of machine learning and AI, we are starting to see a new wave of WAFs being introduced. They don't just depend on string matching; they use AI to analyze the input as well.
As you can see in the image above, ChatGPT was able to analyze the user input to figure out whether it's safe or malicious. If I try to use the same trick as before by using <SCRIPT> in all caps, it will still identify it as malicious. However, LLMs aren't as smart as you think they are, and they can still be tricked into thinking a malicious string is safe.
As shown in the image above, this payload was marked as safe. LLMs have a huge weakness right now, and that weakness is called prompt injection. Within your XSS payload you can slip in a simple string telling the LLM to mark the payload as safe, and it will happily comply with your request. Similar to the regex bypass, this is a simple example of how you can bypass AI-powered WAFs. In the real world you might have to get a little more crafty, but this is more or less how the bypass would work.
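The scenario above, where the model answers "safe" for input that still contains a script tag, is exactly the failure a WAF design has to survive. The following added example (my own code, not from the post or any WAF product) shows the defensive layering a practitioner would want: the deterministic pattern check and the model verdict are combined so that the model can never downgrade a pattern hit, model output is parsed strictly and fails closed, and a pattern hit that the model called safe is surfaced as a distinct signal, since that disagreement is the fingerprint of a model that has been talked out of its verdict. The classifier is passed in as a callback; the three model behaviours at the bottom are constructed stand-ins for an LLM, not real API calls.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Deterministic layer: case-insensitive script-tag check (assumed hardened pattern).
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)

# Hypothetical classifier interface: takes the payload, returns the raw text the
# model produced. A real deployment would wrap an LLM API here.
Classifier = Callable[[str], str]


@dataclass
class Decision:
    blocked: bool
    reason: str
    # True when the pattern layer fired but the model said SAFE: alert on this.
    suspicious_override: bool


def parse_llm_verdict(raw: str) -> str:
    """Model output is untrusted text. Only the exact token SAFE is accepted as
    'safe'; anything else, including chatter like 'This looks safe', is treated
    as 'malicious' so that unexpected output fails closed."""
    return "safe" if raw.strip() == "SAFE" else "malicious"


def inspect(payload: str, classify: Classifier) -> Decision:
    """Combine both layers. Block if EITHER layer says malicious; the model
    verdict is a second signal, never an override for the pattern layer."""
    pattern_hit = SCRIPT_RE.search(payload) is not None
    verdict = parse_llm_verdict(classify(payload))

    suspicious_override = pattern_hit and verdict == "safe"
    if pattern_hit:
        return Decision(True, "pattern:script-tag", suspicious_override)
    if verdict != "safe":
        return Decision(True, "model:malicious", False)
    return Decision(False, "allowed", False)


# Constructed model behaviours standing in for an LLM:
def fooled_model(_payload: str) -> str:
    """Mirrors the page's scenario: the model has been induced to answer SAFE."""
    return "SAFE"


def honest_model(payload: str) -> str:
    """Crude stand-in that flags any angle bracket."""
    return "MALICIOUS" if "<" in payload else "SAFE"


def chatty_model(_payload: str) -> str:
    """A model that ignores the output format; must fail closed."""
    return "This looks safe to me."


if __name__ == "__main__":
    for name, model in [("fooled", fooled_model), ("honest", honest_model), ("chatty", chatty_model)]:
        for payload in ["<SCRIPT>alert(1)</SCRIPT>", "hello world"]:
            print(name, repr(payload), inspect(payload, model))
```

The point of the `suspicious_override` flag is operational: when the pattern layer and the model disagree in the direction "pattern says malicious, model says safe", the request is still blocked, but that event also deserves its own alert and the raw payload should be kept for review, because it is the most direct evidence that someone is probing the model layer rather than the pattern layer.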
If you're testing web applications for vulnerabilities you are going to come across a WAF at some point, and you will need to figure out a bypass. Traditional WAFs use pattern matching and can be bypassed with the slightest of modifications. AI-powered WAFs are a little different: you want to use prompt injection to trick the AI into giving the wrong answer.