TLDR:
- Security experts have disclosed methods for bypassing Web Application Firewalls (WAFs) on a large scale.
- A new Burp Suite plugin called nowafpls has been introduced to simplify the process of bypassing WAF protection.
Security expert Shubham Shah highlighted the shift in WAF deployment in recent years, with mature companies now using WAFs across their entire attack surface. Shah emphasized the importance of keeping bypass techniques simple and accessible, rather than relying on complex methods. He discussed the common flaw of request size limits in WAFs and introduced the nowafpls Burp Plugin to exploit this vulnerability by automatically padding out requests. Additionally, Shah shared advanced tools like IP Rotate, Fireprox, and ShadowClone, as well as innovative bypass techniques such as utilizing shared certificates and H2C smuggling. These advancements underscore the evolving nature of WAF bypass techniques and the need for security researchers to stay ahead in the cybersecurity arms race.