July 5, 2026
WAF: Exploitation Techniques -OWASP CRS
Learn to bypass Web Application Firewalls using practical evasion techniques.

By Jose Praveen
3 min read
Disclaimer: This blog post is based on a walkthrough hosted on TryHackMe and it is intended for educational purposes only.
The OWASP Core Rule Set (CRS)(opens in new tab) is a collection of generic detection rules for web application firewalls designed to identify common web attacks. It primarily uses pattern and signature-based matching and performs normalisation steps to identify malicious inputs. This approach makes CRS effective in blocking many known payloads. However, it can be evaded when an application and the WAF normalise or parse input differently, or when attackers use encoding techniques.
💪 Difficulty: Medium
🔗Link:https://tryhackme.com/room/wafexploitationtechniques
The VM attached to this task contains a Blog application that is protected by ModSecurity and is configured with the OWASP CRS. Additionally, the demonstrations and exercises also leverage the same setup. The Blog application will be used to complete all tasks in this room. You will need to use the AttackBox to start an HTTP server for specific tasks, or utilise the Burp Suite software and command-line tools that are installed on it.
A Blog application, accessible at http://MACHINE_IP/, contains multiple vulnerabilities. ModSecurity WAF leverages OWASP CRS and custom rules to protect the server. In this section, we will focus on exploiting the XSS vulnerability in the comment functionality while also bypassing the WAF protection. The specific version of OWASP CRS (3.3.5) that is in use contains a known bypass that allows a cross-site scripting (XSS) vulnerability to be exploited.
The admin user periodically checks the "Welcome to the Blog" post for new comments. Leverage the WAF bypass covered in this task by crafting an XSS payload that will send the admin's cookie to your HTTP server. What is the value of the cookie?
In the Blog application at http://MACHINE_IP/ (opens in new tab), navigate to the Login page and attempt to bypass the WAF and the authentication flow to access the Admin Panel. What flag can be found on the Admin Panel?
In the Blog application at http://MACHINE_IP/ (opens in new tab), navigate to the Template page and attempt to bypass the WAF to exploit the SSTI vulnerability. What is the hostname of the web server?
In the Blog application at http://MACHINE_IP/ (opens in new tab), navigate to the Search page and attempt to bypass the WAF to exploit the SQL injection vulnerability. What is the password hash of the user "alice"?
What is the flag revealed when you successfully bypass the command blocklist using an alternative command to read the secret file?
This demonstrates the fundamental weakness of blocklist-based filtering: it's impossible to enumerate all possible variations of dangerous commands. Try these alternative commands to explore this technique further:
tail secret_eddc7de8235bb36940a39a778f7bb962.txtmore secret_eddc7de8235bb36940a39a778f7bb962.txttac secret_eddc7de8235bb36940a39a778f7bb962.txt(cat backwards)
How many 'A' characters are needed as padding to bypass the XSS truncation filter (Rule 5006) that checks the first 50 characters?
What is the hash password for the user 'admin'?
What HTTP header can be manipulated to bypass the rate-limiting protection on the /api/posts endpoint?