Research unveils advanced WAF bypass methods through Burp Suite add-on

May 28, 2024
1 min read

TLDR:

  • Security experts have disclosed methods for bypassing Web Application Firewalls (WAFs) on a large scale.
  • A new Burp Suite plugin called nowafpls has been introduced to simplify the process of bypassing WAF protection.

Security expert Shubham Shah highlighted the shift in WAF deployment in recent years, with mature companies now using WAFs across their entire attack surface. Shah emphasized the importance of keeping bypass techniques simple and accessible, rather than relying on complex methods. He discussed the common flaw of request size limits in WAFs and introduced the nowafpls Burp Plugin to exploit this vulnerability by automatically padding out requests. Additionally, Shah shared advanced tools like IP Rotate, Fireprox, and ShadowClone, as well as innovative bypass techniques such as utilizing shared certificates and H2C smuggling. These advancements underscore the evolving nature of WAF bypass techniques and the need for security researchers to stay ahead in the cybersecurity arms race.

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and