Web Application Firewalls (WAFs) have become essential and widely deployed security gates that inspect incoming HTTP traffic, filter out malicious requests, and defend against a diverse array of web-based threats. Evading a WAF undermines those defenses and can ultimately harm Internet users. In recent years, parsing discrepancies have plagued many entities along the HTTP communication path; their potential impact on WAF evasion and request smuggling, however, remains largely unexplored. In this work, we present a new approach to bypassing WAFs by uncovering and exploiting parsing discrepancies through advanced fuzzing techniques. By mutating non-malicious components of a request, such as headers and segments of the body, and using widely deployed content types such as application/json, multipart/form-data, and application/xml, we identified and confirmed 1207 bypasses across five well-known WAFs: AWS, Azure, Cloud Armor, Cloudflare, and ModSecurity. To validate our findings, we conducted a study in the wild and found that more than 90% of websites accepted application/x-www-form-urlencoded and multipart/form-data interchangeably, which both highlights a significant weakness and shows the broad applicability of our bypass techniques. We have reported these vulnerabilities to the affected parties; all acknowledged them, and some vendors awarded bug bounties. Finally, to mitigate these vulnerabilities, we introduce HTTP-Normalizer, a robust proxy tool that rigorously validates HTTP requests against the current RFC standards. Our results show that it normalizes or blocks all bypass attempts presented in this work.
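As an added illustration of the parser-discrepancy idea the abstract describes (this is example code written for this page, not the paper's fuzzer and not HTTP-Normalizer), the Python below runs a strict, RFC-literal multipart/form-data parser beside a lenient, framework-style one over mutated copies of the same body and reports every input on which they disagree; it also shows a backend-style dispatcher that accepts application/x-www-form-urlencoded and multipart/form-data interchangeably, the behaviour the in-the-wild study measured. The function names, the boundary string, the sample fields and the four mutations are all constructed here; they demonstrate the class of discrepancy and are not claimed to bypass any named WAF.

```python
"""Differential testing of multipart/form-data parsers (added example).

A strict parser that follows the RFC 7578 / RFC 2046 grammar literally is run
beside a lenient, framework-style one on mutated copies of the same body.
Wherever they disagree, a strictly parsing gate and a leniently parsing backend
see different requests. All names and request bodies here are constructed.
"""
import re
from urllib.parse import parse_qs, urlencode

CRLF = b"\r\n"
# Strict grammar: exactly this header line, quoted name, no other headers.
_DISPOSITION_STRICT = re.compile(rb'^Content-Disposition: form-data; name="([^"]*)"$')

def encode_urlencoded(fields):
    """Encode fields as application/x-www-form-urlencoded -> (content_type, body)."""
    return "application/x-www-form-urlencoded", urlencode(fields).encode()

def encode_multipart(fields, boundary=b"----boundary42"):
    """Encode the same fields as a well-formed multipart/form-data body."""
    parts = []
    for name, value in fields.items():
        parts.append(b"--" + boundary + CRLF
                     + b'Content-Disposition: form-data; name="' + name.encode() + b'"' + CRLF
                     + CRLF + value.encode() + CRLF)
    body = b"".join(parts) + b"--" + boundary + b"--" + CRLF
    return "multipart/form-data; boundary=" + boundary.decode(), body

def parse_multipart_strict(body, boundary):
    """RFC-literal parsing: exact delimiters, CRLF everywhere, one quoted
    Content-Disposition per part. Any deviation makes the body unparseable (None)."""
    delim = b"--" + boundary
    if not body.startswith(delim + CRLF) or not body.endswith(CRLF + delim + b"--" + CRLF):
        return None
    fields = {}
    for part in body[len(delim) + 2:-(len(delim) + 6)].split(CRLF + delim + CRLF):
        head, sep, value = part.partition(CRLF + CRLF)
        m = _DISPOSITION_STRICT.match(head) if sep else None
        if m is None:
            return None
        fields[m.group(1).decode()] = value.decode()
    return fields

def parse_multipart_lenient(body, boundary):
    """Framework-style parsing: bare LF, whitespace after the delimiter,
    case-insensitive headers, unquoted names; parts it cannot read are skipped."""
    delim = b"--" + boundary
    fields = {}
    for chunk in body.replace(CRLF, b"\n").split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, sep, value = chunk.lstrip(b" \t\n").partition(b"\n\n")
        m = re.search(rb'name\s*=\s*"?([^";\n]*)"?', head, re.IGNORECASE) if sep else None
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\n").decode()
    return fields

def parse_body(content_type, body):
    """Backend-style dispatch: either form encoding yields the same field dict."""
    mime, _, params = content_type.partition(";")
    mime = mime.strip().lower()
    if mime == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}
    if mime == "multipart/form-data":
        m = re.search(r'boundary="?([^";]+)"?', params)
        return parse_multipart_lenient(body, m.group(1).encode()) if m else None
    return None

# Generic syntactic deviations applied to a well-formed body; not tied to any vendor.
MUTATIONS = {
    "well_formed": lambda b, d: b,
    "bare_lf": lambda b, d: b.replace(CRLF, b"\n"),
    "space_after_delimiter": lambda b, d: b.replace(b"--" + d + CRLF, b"--" + d + b" " + CRLF),
    "lowercase_header": lambda b, d: b.replace(b"Content-Disposition", b"content-disposition"),
    "unquoted_name": lambda b, d: b.replace(b'name="', b"name=").replace(b'"' + CRLF, CRLF),
}

def find_discrepancies(fields, boundary=b"----boundary42"):
    """Return {mutation: (strict_result, lenient_result)} for every disagreement."""
    _, body = encode_multipart(fields, boundary)
    out = {}
    for name, mutate in MUTATIONS.items():
        variant = mutate(body, boundary)
        strict = parse_multipart_strict(variant, boundary)
        lenient = parse_multipart_lenient(variant, boundary)
        if strict != lenient:
            out[name] = (strict, lenient)
    return out

if __name__ == "__main__":
    sample = {"q": "hello world", "page": "2"}
    for ct, body in (encode_urlencoded(sample), encode_multipart(sample)):
        print(ct, "->", parse_body(ct, body))
    for name, (strict, lenient) in find_discrepancies(sample).items():
        print(f"{name}: strict={strict} lenient={lenient}")
```

Every reported discrepancy is a body that the strict parser refuses while the lenient one still extracts every field. That asymmetry is the signal a fuzzing campaign collects: an inspection point that parses one way and a backend that parses the other will disagree about what the request contains. The same list is also the acceptance test for a normalizer placed in front of the backend, which should reject or rewrite each of these inputs rather than forward them.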