
[SECURITY] Encoded requests (Content-Encoding) bypass WAF

Open Cycloctane opened this issue 2 months ago • 0 comments

Content

SafeLine WAF does not implement HTTP Content-Encoding as defined in the RFC. This makes SafeLine vulnerable to protocol-level WAF evasion.

Details

According to RFC 9110, Content-Encoding can be applied to both HTTP requests and responses. Although it is less common in requests, many widely deployed application servers actually support this by default (and undocumented), such as Apache httpd with mod_deflate, Node.js, and aiohttp.

However, SafeLine WAF is unable to decode and inspect encoded request bodies, which allows attackers to bypass WAF protection if the protected backend application is using one of the servers or web frameworks above.

PoC

  1. Set up a simple Express.js web application and protect it with SafeLine.
  2. Send the encoded payload:

```shell
echo "{\"sqli\": \"' or 1=1 --\"}" | gzip -f | curl --http1.1 -X POST --data-binary @- -H "Content-Encoding: gzip" -H "Content-Type: application/json" http://waf-protected.com
```

  3. SafeLine is unaware of the body content and forwards the request body and Content-Encoding header. The malicious request is successfully forwarded and processed by Express.js.

Impact

SafeLine users who use the WAF to protect Node.js-based web applications (or any other web servers that support request Content-Encoding) are vulnerable to WAF evasion.

Cycloctane avatar Aug 28 '25 12:08 Cycloctane