Bypassing a WAF through incorrect proxy settings while hunting bugs.

Let's suppose the target system has the address:

https://targetdomain

The odd thing was that while browsing an endpoint (something like the one below) I received an HTTP 404 response from the server, which made me suspect the presence of a WAF (Web Application Firewall):

https://auth.targetdomain/vulnerable_endpoint?param=malicious_RCE_payload

When browsing the application itself (for example, https://targetdomain/appname/appname), I was sent to authenticate at https://auth.targetdomain.

I then noticed another strange thing during authentication: at some point there was a redirect to an address like https://targetdomain/?cfru=aHR0cHM6Ly90YXJnZXRkb21haW4vYXBwbmFtZQ==

The string aHR0cHM6Ly90YXJnZXRkb21haW4vYXBwbmFtZQ== is clearly base64. Decoded, it turned out to be nothing more than https://targetdomain/appname, the address I had tried to reach before authentication started.

So I took the request the WAF had refused, base64-encoded it and placed it in the cfru parameter instead:

Original request: https://auth.targetdomain/vulnerable_endpoint?param=malicious_RCE_payload
Base64-encoded: aHR0cHM6Ly9hdXRoLnRhcmdldGRvbWFpbi92dWxuZXJhYmxlX2VuZHBvaW50P3BhcmFtPW1hbGljaW91c19SQ0VfcGF5bG9hZA==
Sent through the proxy: https://targetdomain/?cfru=aHR0cHM6Ly9hdXRoLnRhcmdldGRvbWFpbi92dWxuZXJhYmxlX2VuZHBvaW50P3BhcmFtPW1hbGljaW91c19SQ0VfcGF5bG9hZA==

In this case:

  1. The request passes through the WAF, which sees only a base64 string and does not recognise it as suspicious.
  2. The request then reaches the Bluecoat proxy, where the cfru parameter is decoded and a GET request is sent to the internal host.
  3. As a result, the vulnerability is triggered.

Bingo! Happy Hacking…….
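From the defender's side, the weak point above is that the proxy decodes cfru after the WAF has already inspected the request. The following is an added example, not code from the original post: a small log check that decodes every cfru value in proxy access-log lines and flags the ones that resolve to a host other than the public one. The log format, the client addresses and the list of public hosts are assumptions; the two base64 strings are the ones quoted in the write-up.

```python
"""Decode cfru values in proxy logs and flag unexpected redirect targets.

Added example, not from the original post. Assumes access-log lines in a
Common Log Format style (constructed below) and that "targetdomain" is the
only host the WAF is meant to expose; any other decoded host is reported.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not real traffic). Line 2 carries the benign
# cfru value from the write-up, line 3 the encoded auth.targetdomain URL,
# line 4 a value that is not base64 at all.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /appname HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?cfru=aHR0cHM6Ly90YXJnZXRkb21haW4vYXBwbmFtZQ%3D%3D HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?cfru=aHR0cHM6Ly9hdXRoLnRhcmdldGRvbWFpbi92dWxuZXJhYmxlX2VuZHBvaW50P3BhcmFtPW1hbGljaW91c19SQ0VfcGF5bG9hZA%3D%3D HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /?cfru=zzz!! HTTP/1.1" 400 0
"""

# Hosts the WAF is expected to expose; assumption for this example.
PUBLIC_HOSTS = {"targetdomain"}

# Pulls the request line out of a CLF-style log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_cfru(value: str):
    """Return the decoded cfru target, or None if the value is not valid base64."""
    raw = unquote(value)                 # %3D%3D -> ==
    raw += "=" * (-len(raw) % 4)         # tolerate stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(log_text: str) -> list:
    """Report every request carrying a cfru parameter, with a severity."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        # Split by hand: parse_qs would turn base64's '+' into a space.
        for part in query.split("&"):
            key, _, value = part.partition("=")
            if key != "cfru":
                continue
            decoded = decode_cfru(value)
            if decoded is None:
                findings.append(dict(client=client, severity="medium", decoded=None,
                                     reason="cfru value is not valid base64"))
                continue
            host = urlsplit(decoded).hostname or ""
            if host in PUBLIC_HOSTS:
                severity, reason = "info", "cfru redirects back to a public host"
            else:
                # This is the case from the write-up: the WAF never saw the
                # decoded URL, but the proxy will fetch it from the inside.
                severity, reason = "high", f"cfru resolves to non-public host {host!r}"
            findings.append(dict(client=client, severity=severity,
                                 decoded=decoded, reason=reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["reason"], f["decoded"])
```

The same decoding step is what the WAF itself is missing: a rule that base64-decodes cfru before applying its normal URL inspection, or a proxy policy that only honours cfru values it generated itself, closes the gap. Running the check over historical proxy logs also shows whether anyone has already used the parameter to reach an internal host.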

Security Researcher | DevSecOps | Twitter:-