Abstract
The post-exploitation phase of a cyberattack is where adversaries achieve their ultimate objectives, often centered on the exfiltration of sensitive data. While Web Application Firewalls (WAFs), such as those from F5 Networks, serve as a critical defense layer, their reliance on static, signature-based detection can present a significant vulnerability. This article explores a practical methodology for bypassing F5 WAF protections to enable data exfiltration after an initial compromise. The technique involves a multi-layer encoding scheme (Base64, Reversal, and Hexadecimal encoding) applied to both the attacker's commands within the HTTP request and the stolen data within the HTTP response. This process effectively obfuscates malicious payloads from static rule sets. We detail the step-by-step methodology, discuss the inherent limitations of static analysis in WAFs, and present potential solutions for defenders, including dynamic analysis, parameter validation, and behavioral anomaly detection. The conclusion underscores the evolving threat landscape and proposes future research directions, such as employing custom encryption and asymmetric cryptography for more sophisticated evasion.
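The defensive direction the abstract points to (normalizing request and response content before signature matching, rather than matching the raw bytes once) can be illustrated with a small layered-decoding check. This is an added Python example, not code from the paper or from any F5 product; its two-pattern `SIGNATURES` list and the `layered_encode` fixture are constructed stand-ins for a real rule set and for captured traffic.

```python
import base64
import binascii
import re

# Stand-in for a static WAF rule set (constructed for this example, not F5's rules).
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (r"/etc/passwd", r"union\s+select")]
MAX_DEPTH = 6  # bound on layers to peel, so adversarial input cannot force endless decoding

def try_hex(s):
    """UTF-8 text behind a hex string, or None if s is not hex or not text."""
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    try:
        return binascii.unhexlify(s).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def try_base64(s):
    """UTF-8 text behind a Base64 string, or None if it does not decode cleanly."""
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def candidates(payload, depth=0):
    """Peel hex, Base64 and reversal layers in any order; return every plaintext reached."""
    found = {payload}
    if depth >= MAX_DEPTH:
        return found
    for variant in (payload, payload[::-1]):  # reversal is undone by trying both directions
        for decode in (try_hex, try_base64):
            inner = decode(variant)
            if inner is not None and inner not in found:
                found |= candidates(inner, depth + 1)
    return found

def static_match(payload):
    """Single-pass signature check: all a purely static rule set ever sees."""
    return any(sig.search(payload) for sig in SIGNATURES)

def normalized_match(payload):
    """Signature check over every decoded form: defeats the Base64 -> reverse -> hex layering."""
    return any(static_match(c) for c in candidates(payload))

def layered_encode(text):
    """Constructed test fixture applying the abstract's three layers, used only to build samples."""
    b64 = base64.b64encode(text.encode()).decode()
    return b64[::-1].encode().hex()
```

The same `candidates` pass applies to response bodies, where the abstract describes the stolen data being wrapped in the same three layers; `MAX_DEPTH` and the UTF-8 check keep the decoder from being turned into a CPU sink by junk input.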