🚨 WAF Bypass: Path Traversal Using Overlong UTF-8 (%c0%ae%c0%af) Not Blocked
📌 Summary
OWASP Coraza WAF (Core Rule Set) running at https://sandbox.coreruleset.org does not detect or block path traversal payloads using overlong UTF-8 encoding, such as %c0%ae%c0%ae%c0%af, which bypasses filters expecting standard ../ patterns.
This leads to a false negative and allows for possible Local File Inclusion (LFI) or SSRF-like abuse in misconfigured servers.
🔥 Vulnerability Type
- WAF Bypass
- LFI / Path Traversal Obfuscation
- Overlong UTF-8 Encoding Exploitation
🧪 Proof of Concept
✅ Working Payload (Unexpected 200 OK Response):
https://sandbox.coreruleset.org/?search=%c0%ae%c0%ae%c0%af
📖 Decoding:
| Hex | Char | Meaning |
|---|---|---|
| %c0%ae | . | dot (.) encoded as overlong UTF-8 |
| %c0%af | / | slash (/) encoded as overlong UTF-8 |
This payload translates to ../../, commonly used in path traversal attacks.
⚠️ Expected Behavior
- The WAF should decode all input and normalize obfuscated encodings.
- Overlong UTF-8 representations of `.` and `/` should be recognized and blocked.
❌ Actual Behavior
- The WAF returned HTTP 200 OK - no alert, log, or mitigation observed
- Payload processed normally by the backend
🧠 Security Impact
Attackers may:
- Bypass path traversal filters using `%c0%ae` encoding
- Trigger LFI in backend apps expecting sanitized inputs
- Abuse this in SSRF scenarios where `file://`, `gopher://`, or `php://` wrappers are interpreted
This presents a real-world risk when combined with LFI sinks or wrappers.
📦 Environment
| Field | Value |
|---|---|
| WAF | OWASP Coraza (via CRS) |
| URL | https://sandbox.coreruleset.org |
| HTTP Method | GET |
| Parameter | search |
| Payload Tested | %c0%ae%c0%ae%c0%af |
| Response | 200 OK (payload passed) |
| Date of Test | July 2025 |
💡 Suggested Fix
- Normalize all user input by decoding overlong UTF-8 forms before rule matching.
- Add CRS rules that block known obfuscations of:
  - `.` as `%c0%ae`, `%e0%80%ae`
  - `/` as `%c0%af`, `%e0%80%af`
- Add regression test cases to cover canonicalization bypasses.
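Added example (not Coraza or CRS code) of the normalization step the fix calls for: percent-decode the parameter value, decode UTF-8 leniently enough to see overlong sequences instead of discarding them, and test the canonical form for `../`. Function names are my own; the payload strings are the ones reported above.

```python
"""Canonicalize a percent-encoded query value and flag overlong UTF-8."""
from urllib.parse import unquote_to_bytes


def decode_utf8_lenient(data: bytes):
    """Decode UTF-8 by hand so overlong forms are seen rather than rejected.

    Returns (text, overlong_count). Each multi-byte sequence is decoded to
    its code point; if that code point fits in fewer bytes, the sequence is
    overlong (e.g. C0 AE -> U+002E '.'). A strict decoder replaces such
    bytes with U+FFFD, so a filter that only looks for '../' after strict
    decoding never sees the traversal.
    """
    out, overlong, i = [], 0, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        # Sequence length and payload bits come from the lead byte.
        if 0xC0 <= b <= 0xDF: n, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF: n, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7: n, cp = 4, b & 0x07
        else:
            out.append("\ufffd"); i += 1; continue
        tail = data[i + 1:i + n]
        if len(tail) < n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue  # truncated / bad tail
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        # Shortest legal encoding length for this code point.
        minimal = 1 if cp < 0x80 else 2 if cp < 0x800 else 3 if cp < 0x10000 else 4
        if n > minimal:
            overlong += 1
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out), overlong


def inspect_query_value(encoded: str) -> dict:
    """Percent-decode one value, canonicalize it, and report indicators."""
    text, overlong = decode_utf8_lenient(unquote_to_bytes(encoded))
    return {
        "canonical": text,
        "overlong_sequences": overlong,
        "traversal": "../" in text or "..\\" in text,
    }


if __name__ == "__main__":
    for v in ("%c0%ae%c0%ae%c0%af", "%e0%80%ae%e0%80%ae%c0%af", "..%2f", "%c3%a9"):
        print(v, inspect_query_value(v))
```

Either a non-zero `overlong_sequences` count or `traversal` on the canonical form is a reason to block; note that the constructed `%c3%a9` case is a valid two-byte encoding and is not flagged.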
🧪 Suggested CRS Rule (Example)
```
SecRule ARGS "@rx (%c0%ae|%e0%80%ae){2,}%c0%af" \
"id:9999999,phase:2,deny,log,msg:'Path traversal attempt via overlong UTF-8 encoding'"
```
🙋 Disclosure Status
This is a responsible security disclosure to help strengthen the OWASP Core Rule Set and Coraza WAF. The information has not been publicly disclosed elsewhere.
Please let me know if further testing or validation is required — I’m happy to assist.
Thanks for all the work maintaining this project!