Skip to content

Latest commit

 

History

History
108 lines (81 loc) · 6.04 KB

README.md

File metadata and controls

108 lines (81 loc) · 6.04 KB

Bypassing the AWS WAF: How to Bypass AWS WAF

AWS WAF is an innovative resource for protecting websites from the countless dangers of the online world. While its superiority is world-renowned and unquestionable, it is not flawless. Its actionable limitations on the size of packets it handles can be troublesome, and there are now products that can bypass the protection offered by AWS WAF.

Bonus Code

A bonus code for Capsolver: AMN. After redeeming it, you will get an extra 5% bonus after each recharge, Unlimited image

What is AWS WAF?

AWS WAF (Web Application Firewall) is a web application firewall service provided by Amazon Web Services (AWS). It is designed to protect web applications from common web exploits, such as SQL injection, cross-site scripting (XSS), and other Layer 7 attacks. AWS WAF allows you to create custom rules to filter and block malicious web traffic before it reaches your web applications running on AWS. image

The AWS WAF operates by inspecting incoming web requests and comparing them against a set of rules that you define. These rules can be based on various criteria, such as IP addresses, HTTP headers, request bodies, and more. If a request matches a rule, AWS WAF can either allow or block the request, or perform other actions like logging or redirecting the request.

AWS WAF is highly scalable and can handle a vast amount of web traffic, making it suitable for protecting web applications with high traffic volumes. It integrates seamlessly with other AWS services, such as Amazon CloudFront, Application Load Balancer, and API Gateway, allowing you to deploy WAF protection across your entire web infrastructure.

Can AWS WAF be Bypassed?

AWS WAF is a very well known and reputed tool in the AWS security suite. Like other WAFs, it acts as a gatekeeper or guardian for targeted web applications, keeping out vulnerabilities such as XSS, SSRF, SQL injection, and more.

While AWS WAF is a powerful security tool, it is essential to understand that no security measure is entirely foolproof. Like any web application firewall, AWS WAF can potentially be bypassed under certain circumstances. However, the likelihood and difficulty of bypassing AWS WAF depend on several factors, including the specific configuration of the WAF rules, the complexity of the web application, and the attacker's skills and resources.

Here are a few of the most recommended ways to insure that you need to know how to bypass the target:

  1. IP Address Reputation: Blocks requests from IPs marked as unreliable or dangerous. You can use a web scraping proxy to avoid this.
  2. CAPTCHA: CAPTCHAs displayed on web pages are easy enough for us ordinary humans to work around, but complicated for bots. CAPTCHA services can help you avoid these problems.
  3. Honeypots: Bot traps embedded in web pages that are not visible to human users.
  4. user behaviour analysis: Tracking user activity on web pages to determine if they are bots. This is prevented by using headless browsers to simulate humans.
  5. Device fingerprinting: Look for hardware and software features that only real users' devices have.

How to Bypass AWS WAF

Many websites implement CAPTCHA challenges as an additional layer of security to prevent automated bypass. To bypass these CAPTCHA challenges, you may leverage captcha solving services like CAPSolver. CAPSolver provides APIs and extention to programmatically or hand-free to solve various types of CAPTCHAs, including those protected by AWS WAF.

The following steps can be found on how to bypass the target captcha and complete the captcha solving

Create Task

Create a recognition task with the createTask method.

Example Request

POST https://api.capsolver.com/createTask
Host: api.capsolver.com
Content-Type: application/json

{
    "clientKey": "YOUR_API_KEY",
    "task": {
        "type": "AntiAwsWafTask", //Required
        "websiteURL": "https://efw47fpad9.execute-api.us-east-1.amazonaws.com/latest", //Required
        "awsKey": "",
        "awsIv": "",
        "awsContext": "",
        "awsChallengeJS": "",
        "proxy": "http:ip:port:user:pass" // socks5:ip:port:user:pass // Optional
    }
}

After you submit the task to us, you should receive in the response a 'Task id' if it's successfull. Please read errorCode: full list of errors if you didn't receive the task id. For more information, you can also refer to this blog post How to solve aws amazon captcha token

Example Response

{
    "errorId": 0,
    "errorCode": "",
    "errorDescription": "",
    "taskId": "61138bb6-19fb-11ec-a9c8-0242ac110006"
}

Getting Results

After you have the taskId, you need to submit the taskId to retrieve the solution. Response structure is explained in getTaskResult.

Depending on the system load, you will get the results within the interval of 5s to 30s

Example Request

POST https://api.capsolver.com/getTaskResult
Host: api.capsolver.com
Content-Type: application/json

{
    "clientKey": "YOUR_API_KEY",
    "taskId": "61138bb6-19fb-11ec-a9c8-0242ac110006"
}

Example Response

{
  "errorId": 0,
  "taskId": "646825ef-9547-4a29-9a05-50a6265f9d8a",
  "status": "ready",
  "solution": {
    "cookie": "223d1f60-0e9f-4238-ac0a-e766b15a778e:EQoAf0APpGIKAAAA:AJam3OWpff1VgKIJxH4lGMMHxPVQ0q0R3CNtgcMbR4VvnIBSpgt1Otbax4kuqrgkEp0nFKanO5oPtwt9+Butf7lt0JNe4rZQwZ5IrEnkXvyeZQPaCFshHOISAFLTX7AWHldEXFlZEg7DjIc="
  }
}

Conclusion

This article focuses on The most efficient way to bypass AWS WAF with a captcha solution at the moment, and as mentioned, Capsolver is one of the best, an all-in-one solution for bypassing CAPTCHA and other captchas. Don't hesitate to try Capsolver for free!