RESEARCH ON WEB APPLICATION FIREWALL BYPASS MECHANISMS
DOI: https://doi.org/10.28925/2663-4023.2025.31.1008

Keywords: web application firewall, network attacks, SQL injection, cross-site scripting, cross-site request forgery, external entity injection, HTTP request

Abstract
The growing dependence of modern organizations on web applications has led to a significant increase in the number of cyberattacks aimed at disrupting their functionality, compromising data, or gaining unauthorized access to resources. Attackers actively exploit vulnerabilities in web applications to steal confidential information, manipulate databases, and undermine the integrity of services. In response to these threats, Web Application Firewalls (WAFs) have become essential security components, filtering and controlling traffic between web applications and the Internet. Traditional WAFs, which rely on signature-based detection, are effective against known threats but struggle to identify new types of network attacks, particularly zero-day attacks. To overcome these limitations, anomaly-based detection methods have emerged, which assess how far the behavior of a request deviates from the norm. Currently, WAFs that combine signature and anomaly detection are widely deployed and use machine learning algorithms to adapt to new threats. WAFs also incorporate Data Loss Prevention (DLP) methods to protect confidential information. To evaluate the effectiveness of WAFs, this study analyzes the impact of various attack types on web systems, including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF), and examines the main methods for bypassing WAFs. An experiment was conducted on a virtual machine running a web application designed for cybersecurity training and testing (DVWA), focusing on WAF bypass techniques using SQL injection, XSS, and CSRF attacks. The malicious inputs were requests containing pattern characters, which, even under correctly configured filtering rules, can be an effective means of bypassing a WAF. To protect the web application from malicious requests, testing was conducted against the ModSecurity firewall at policy levels PL1–3.
Given that SQL injection attacks remain a serious threat, this research aims to study existing protection mechanisms, identify vulnerabilities, and provide recommendations for future improvements in this area.
License
Copyright (c) 2025 Іван Тишик

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.