Fingerprinting WAF Rules with Timing Based Side Channel Attacks

Side Channel Attacks?

Web Application Firewalls

Why Fingerprint ’em Rules?

Understanding The Setup

  1. Reverse Proxy: The WAF literally sits between the client and the server, intercepting requests. The client connects directly to the WAF and then the WAF passes the query (if normal) to the server. In case of a blocked request, the query never reaches the server.
  2. Server-Resident: This is the setup when a WAF is typically installed on the server it is protecting. This can be further categorized into 2 topologies, the first being that the WAF is installed as a plugin, while the second one is when the WAF is installed as a programming library.
  3. Out-of-Band: In this case, the WAF usually gets a copy of the traffic via a monitoring port on a network device. This mode of implementation limits the WAF’s ability to block a request and can only send TCP-reset packets to interrupt traffic whenever a malicious query is detected.
  4. Cloud-Deployment: This setup comprises of the WAF functioning within the network cloud of the provider. The working is similar to reverse proxy setup, with the exception that every single request to the server has to pass through the network cloud.

Conventional Methods of WAF Fingerprinting

  • WAF Block Message: Signifying that the WAF has flagged and blocked the request as malicious. Usually the blocked response page or a header defines that the request has been blocked. Sometimes the response status code (403 Forbidden) indicates a blocked request too.
Some examples of WAF block-pages
  • Web-App Error Message: Signifying that the web-app bugged out upon the request. However the error message gets cloaked by the custom block page of the WAF. In this case, the WAF did not block the request, but only cloaked the error message of the web application to prevent sensitive information disclosure via stack traces, etc.
Secure Entry WAF cloaking the server’s stack traces
  • Normal Response: Signifying that the request has clearly passed through the WAF to the web server. However, there remains a possibility that the WAF intercepted the request and removed the malicious part of the request before passing it onto the server.

The Main Drawback

Why Timing Attacks?

Idea of the Attack


The Approach

Attack Approach Analysis of our Methodology
  1. Learning Phase: In this phase we measure and learn what could be the possible response time for a blocked and a passed request for further reference in our attack phase.
  2. Attack Phase: In this phase we perform the actual tests, i.e. the rogue requests are being sent for the final results and further statistical analysis.

Performing the Experiment

The Setup

The Learning Phase

Examples of blocked and passed requests

The Attack Phase

Comparison how normal and polymorphic payloads look like
Results Visualized for Attack Phase on Reverse Proxy Topology
Results Visualized for Attack Phase on Server Resident Topology
Final Results in a Nutshell

Downsides of the Method

Dealing with It

Amplifying the Attack

1. Choosing a Longer URL Path

2. Denial of Service Attacks

3. Cross Site Rule Fingerprinting

<img id="test" style="display: none">
var test = document.getElementById(’test’);
var start = new Date();
test.onerror = function() {
var end = new Date();
alert("Total time: " + (end - start));
test.src = "http://sitename.tld/path?" + parameter + "=" + payload;
  • First, the attackers identity remains concealed. Since multiple users will be sending requests to the server with the WAF, it is virtually impossible to distinguish who is the actual actor behind this.
  • This method absolutely overrules the impact of WAFs blocking IP addresses as a counter security measure.
  • Also, it is notably important to state that this method works reliably only with timing based attacks. Sometimes SOP (Same Origin Policy) might restrict reading page content from other origins. So, in such situations, one may not be able to observe the blockpage and fingerprint the WAF using storage side channels.





I am just an Infected Geek. \o/

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

HTTPS: an awesome, secure tale (pt 1)

Which one is more private VPN or Private Browsing

Guide to set-up an Ad blocker & VPN Server on Cloud

Update/Install custom ROM on Android like a Pro

How to Setup a Wallet in Plug — Quick Guide

{UPDATE} Terrorhedron Hack Free Resources Generator

Liquidity Mining ARA — Announcement, Important Links, and Step-by-step Guide

Trias Project Weekly (Oct 28, 2019 — Nov 3, 2019)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I am just an Infected Geek. \o/

More from Medium

No logs No Crime — A beginners guide to Splunk in Security

Nuclear Ransomware 3.0: Uncovering the new generation of cyberattacks

Cyber Apocalypse CTF 2022 — Puppeteer

An Inspirational Mentor Story of Gina Yacone — Denver Metropolitan Area