charset request header bypasses web firewall

Posted by tetley at 2020-04-06

I've published several articles before that use encoding tricks to bypass WAFs. In those articles I not only described the bypass method, but also pointed out that WAF products can defeat it by blocking specific character sets, or by allowing only an allow-list of charsets in the Content-Type header.


After a period of research, I found a request header, x-up-devcap-post-charset, that can be used in place of the Content-Type charset parameter to declare the character set of the request. Because it is a separate header, it sidesteps the detection and protection mechanisms that a WAF applies to the Content-Type request header.


Now let me formally introduce x-up-devcap-post-charset. An example request is as follows:

POST /test/a.aspx?%C8%85%93%93%96%E6%96%99%93%84= HTTP/1.1
Host: target
User-Agent: UP foobar
Content-Type: application/x-www-form-urlencoded
x-up-devcap-post-charset: ibm500
Content-Length: 40

%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7

As shown above, there is no charset parameter in the Content-Type request header; instead, x-up-devcap-post-charset declares the character set used to encode the request. In addition, for the server to honour this header at all, the User-Agent value needs to start with "UP".


The encoded parameters in the above request were generated automatically by the Burp Suite HTTP Smuggler extension. The original request is as follows:

POST /testme87/a.aspx?HelloWorld= HTTP/1.1
Host: target
User-Agent: UP foobar
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

input1=xxxxxxx
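To make the decoding step concrete from the defender's side, here is an added example (my own code, not from the post or from any WAF or framework) that normalises a request the way the post says the server does: it picks the charset from x-up-devcap-post-charset when the User-Agent starts with "UP", falls back to the Content-Type charset, and only then percent-decodes and charset-decodes the query string and body. The sample request is constructed to match the one shown above; the precedence order, the allow-list of inspectable charsets and the finding messages are my assumptions. The inspection function reports a finding whenever the declared charset falls outside the allow-list, which is exactly the kind of check the post says a WAF needs in order to keep the bypass from working.

```python
import codecs
from urllib.parse import quote, unquote_to_bytes

# Constructed sample, modelled on the request in the post (not captured traffic).
SAMPLE_REQUEST = (
    "POST /test/a.aspx?%C8%85%93%93%96%E6%96%99%93%84= HTTP/1.1\r\n"
    "Host: target\r\n"
    "User-Agent: UP foobar\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "x-up-devcap-post-charset: ibm500\r\n"
    "Content-Length: 40\r\n"
    "\r\n"
    "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
)

# Assumed allow-list of charsets a WAF is willing to inspect, stored by canonical
# codec name so that aliases such as "latin1" or "ibm500" compare correctly.
ALLOWED_CHARSETS = {codecs.lookup(n).name for n in ("utf-8", "us-ascii", "iso-8859-1")}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def content_type_charset(headers):
    """Return the charset parameter of Content-Type, or None if absent."""
    for param in headers.get("content-type", "").split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "charset":
            return value.strip().strip('"')
    return None


def effective_charset(headers):
    """Charset the server will decode with.

    Assumed precedence (modelled on the behaviour the post describes, not taken
    from any framework's source): x-up-devcap-post-charset applies only when the
    User-Agent starts with "UP"; otherwise the Content-Type charset; otherwise UTF-8.
    """
    alt = headers.get("x-up-devcap-post-charset")
    if alt and headers.get("user-agent", "").startswith("UP"):
        return alt
    return content_type_charset(headers) or "utf-8"


def decode_form(encoded, charset):
    """Decode a percent-encoded key=value&... string: split on the ASCII separators
    first, then percent-decode each piece to bytes and decode those bytes with the
    charset, as a server using that charset would."""
    pairs = []
    for item in encoded.split("&"):
        if not item:
            continue
        key, _, value = item.partition("=")
        pairs.append((unquote_to_bytes(key).decode(charset),
                      unquote_to_bytes(value).decode(charset)))
    return pairs


def encode_form(pairs, charset):
    """Inverse of decode_form; used to confirm that the plain request, encoded in
    the declared charset, gives the sample body."""
    return "&".join(quote(k.encode(charset), safe="") + "=" + quote(v.encode(charset), safe="")
                    for k, v in pairs)


def inspect_request(raw):
    """Normalise a request the way the server would before any rule is applied,
    and report findings when the declared charset cannot be inspected safely."""
    method, target, headers, body = parse_request(raw)
    charset = effective_charset(headers)
    result = {"method": method, "charset": charset, "query": [], "params": [], "findings": []}
    if "x-up-devcap-post-charset" in headers:
        result["findings"].append("x-up-devcap-post-charset header present")
    try:
        canonical = codecs.lookup(charset).name
    except LookupError:
        result["findings"].append("unknown charset %r declared; body cannot be inspected" % charset)
        return result
    if canonical not in ALLOWED_CHARSETS:
        result["findings"].append("charset %r (%s) is outside the allow-list" % (charset, canonical))
    _, _, query = target.partition("?")
    try:
        result["query"] = decode_form(query, canonical)
        result["params"] = decode_form(body, canonical)
    except UnicodeDecodeError as exc:
        result["findings"].append("body does not decode as %s: %s" % (canonical, exc))
    return result


if __name__ == "__main__":
    report = inspect_request(SAMPLE_REQUEST)
    print("charset:", report["charset"])
    print("query:  ", report["query"])
    print("params: ", report["params"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Running the script on the constructed sample recovers HelloWorld in the query string and input1=xxxxxxx in the body, and raises findings for both the presence of the header and the use of IBM500, which Python knows under the canonical name cp500. A WAF that decodes with the wrong charset, or never looks at this header, would instead see only high-bit bytes and match nothing.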

I found this special request header by accident, while looking for something else in the framework's source code. The following piece of code, related to this request header, shows how the framework reads the content encoding from it before it checks the charset in the Content-Type header:


I think the encoding bypass technique I found should apply to most WAFs, because I don't believe they take this header into account. Of course, the OWASP ModSecurity Core Rule Set (CRS) will soon add a dedicated rule for it. Before publishing this article, I showed the technical details to Christian Folini (@chrfolini) of the CRS project. The new rules will appear at

References: Thank you for reading!

This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇. Source: