Fingerprinting WAF Rules with Timing Based Side Channel Attacks

Aug 18 · 12 min read

Side Channel Attacks?

Web Application Firewalls

Why Fingerprint ’em Rules?

Understanding The Setup

Conventional Methods of WAF Fingerprinting

Some examples of WAF block-pages
Secure Entry WAF cloaking the server’s stack traces

The Main Drawback

Why Timing Attacks?

Idea of the Attack


The Approach

Attack Approach Analysis of our Methodology

Performing the Experiment

The Setup

The Learning Phase

Examples of blocked and passed requests

The Attack Phase

Comparison how normal and polymorphic payloads look like
Results Visualized for Attack Phase on Reverse Proxy Topology
Results Visualized for Attack Phase on Server Resident Topology
Final Results in a Nutshell

Downsides of the Method

Dealing with It

Amplifying the Attack

1. Choosing a Longer URL Path

2. Denial of Service Attacks

3. Cross Site Rule Fingerprinting

<img id="test" style="display: none">
var test = document.getElementById(’test’);
var start = new Date();
test.onerror = function() {
var end = new Date();
alert("Total time: " + (end - start));
test.src = "http://sitename.tld/path?" + parameter + "=" + payload;


Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade