Waf Bypass....
WAF BYPASS SQL INJECTIONThis is such a wide Topic, but today were going to examine WAF bypas and SQL injection What is a WAF? A WAF is a Web Application Firewall used to filter certain malicious requests and/or keywords. Is a WAF a safe way to protect my Website? Well, thats a tough question. A WAF alone will not protect your website if your code is vulnerable, but a WAF and secure coding will. A WAF should be used as a tool in your tool shed, but you should never count on a WAF to keep attackers out because most, if not all WAF's can be bypassed with the time and
brains.Today,we will take a look into how exactly to do this
1)Comments:
SQL comments are a blessing to us SQL injectors. They allow us to bypass alot of the restrictions of Web application firewalls and to
kill certain SQL statements to execute the attackers commands while commenting out the actual legitimate query. Some comments in
SQL :
Code
//, -- , /**/, #, --+, -- -, ;
![[WAF-FLE] Web application firewall: fast log and event console](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNUiNj5SjQeu8VhkRyfVjV4mP1bHFkRLpos0NqOznjOFmrqXmnTaqDd-0btKDqtpn3Ay_K8B6Vy75b8yyJyCeSZrUY7NJPG0GRBfEbdmFs1A7fpWMRKQa5jzzm8JOrTc3zAC7GIumQmTk/s72-c/waf-fle.png "[WAF-FLE] Web application firewall: fast log and event console")
0 comments: