WAF bypass in HTTP/2: the protection layer forwards the request before it even sees the body

Diyan Apostolov tested six reverse proxies and found WAF bypasses in five of them — all rooted in HTTP/2 architecture.
In HTTP/1.1, headers and body are transmitted together, allowing a WAF to inspect the entire request before making a decision. In HTTP/2, they are sent separately: first HEADERS frames, then DATA frames containing the body.
An attacker can intentionally delay the DATA frame. If the WAF operates as an external service, the proxy may request a verdict immediately after receiving the headers, without waiting for the body. The WAF sees an effectively empty request and returns "allow". The proxy then forwards the request to the backend, while the body arrives later.
As a result, the application may begin processing the request before the WAF has inspected the payload.

T+0 ms     HEADERS received
T+1 ms     WAF sees only headers → allow
T+500 ms   DATA frame with payload arrives
T+501 ms   request already forwarded to backend
T+502 ms   WAF finally sees the body → block
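To make the sequencing gap concrete, here is an added example (not code from the article or from Diyan Apostolov's test setup): a toy model of a reverse proxy that consults an external WAF, run over a constructed HTTP/2 stream whose DATA frame is held back for 500 ms. The frame model, the `Frame`/`proxy_handle_stream` names, the marker list and the arrival times are all assumptions made for the demonstration; the flag `wait_for_end_stream` switches between the flawed design (verdict requested on HEADERS alone) and the fix (buffer until END_STREAM, then ask once with the whole request).

```python
# Added example (not from the article): toy HTTP/2 proxy + external WAF model.
# Frames, times, paths and the signature list are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    kind: str                                   # "HEADERS" or "DATA"
    t_ms: int                                   # constructed arrival time (trace only)
    headers: Dict[str, str] = field(default_factory=dict)
    data: bytes = b""
    end_stream: bool = False                    # END_STREAM flag: nothing follows


# Toy signature list; a real ruleset is far larger. Constructed.
MARKERS = (b"<script", b"' or 1=1", b"../")


def waf_verdict(headers: Dict[str, str], body: bytes) -> str:
    """External WAF: it can only judge what the proxy actually hands it."""
    haystack = body.lower() + headers.get(":path", "").lower().encode()
    return "block" if any(m in haystack for m in MARKERS) else "allow"


@dataclass
class ProxyResult:
    verdict: str                                # verdict the proxy acted on
    forwarded_body: bytes                       # what reached the backend (b"" if blocked)
    late_verdict: Optional[str]                 # what the WAF said once it saw the body
    trace: List[str]


def proxy_handle_stream(frames: List[Frame], wait_for_end_stream: bool) -> ProxyResult:
    """Process one stream's frames in arrival order.

    wait_for_end_stream=False models the flawed design: the proxy asks for a
    verdict as soon as HEADERS is in and lets DATA flow through afterwards.
    wait_for_end_stream=True models the fix: buffer every DATA frame until
    END_STREAM and ask the WAF exactly once, with the complete request.
    """
    headers: Dict[str, str] = {}
    body = bytearray()
    verdict: Optional[str] = None
    late_verdict: Optional[str] = None
    trace: List[str] = []
    for f in frames:
        if f.kind == "HEADERS":
            headers = f.headers
            trace.append(f"T+{f.t_ms} ms HEADERS received")
            if not wait_for_end_stream:
                verdict = waf_verdict(headers, b"")          # body not seen yet
                trace.append(f"T+{f.t_ms} ms WAF sees headers only -> {verdict}")
        elif f.kind == "DATA":
            body += f.data
            trace.append(f"T+{f.t_ms} ms DATA frame, {len(f.data)} bytes")
        if f.end_stream:
            if wait_for_end_stream:
                verdict = waf_verdict(headers, bytes(body))
                trace.append(f"T+{f.t_ms} ms WAF sees full request -> {verdict}")
            else:
                late_verdict = waf_verdict(headers, bytes(body))
                trace.append(f"T+{f.t_ms} ms WAF finally sees body -> {late_verdict} (too late)")
    if verdict is None:                          # stream never completed: fail closed
        verdict = "block"
    forwarded = bytes(body) if verdict == "allow" else b""
    return ProxyResult(verdict, forwarded, late_verdict, trace)


# Constructed stream: HEADERS at T+0, the DATA frame deliberately held for 500 ms.
DELAYED_STREAM = [
    Frame("HEADERS", 0, headers={":method": "POST", ":path": "/api/comment"}),
    Frame("DATA", 500, data=b"hi <script>alert(1)</script>", end_stream=True),
]


if __name__ == "__main__":
    for mode in (False, True):
        r = proxy_handle_stream(DELAYED_STREAM, wait_for_end_stream=mode)
        print(f"wait_for_end_stream={mode}: verdict={r.verdict}, "
              f"backend received {len(r.forwarded_body)} bytes")
        for line in r.trace:
            print("  " + line)
```

The design point is the placement of the verdict call: a proxy that wants an external WAF to see the body has to key the call on END_STREAM (or on a buffered, size-bounded body), and a stream that closes without END_STREAM should fail closed rather than default to "allow".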
The article also examines other bypass classes:
• the payload is placed beyond the first 64 KB of the request body, which the WAF does not inspect;
• the request passes through a ForwardAuth service that validates only headers and never sees the body;
• the WAF and backend parse URLs differently, so one path is inspected while another is processed;
• the WAF and application parse JSON differently, allowing dangerous data to bypass filtering.
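The first bypass class in that list comes down to what a WAF does with bytes it never looks at. The following added example (not from the article) places two body handlers side by side: `waf_prefix_only` scans only the first 64 KB and silently passes everything after it, while `waf_fail_closed` treats the same limit as an enforced size policy and refuses any body it cannot inspect in full. `INSPECT_LIMIT` is the 64 KB window the article mentions; the function names, marker list and sample bodies are constructed for the demonstration.

```python
# Added example (not from the article): prefix-only inspection vs. fail-closed.
# INSPECT_LIMIT is the 64 KB window the article mentions; bodies and the
# signature list are constructed for the demo.
from typing import Tuple

INSPECT_LIMIT = 64 * 1024
MARKERS = (b"<script", b"' or 1=1", b"../")


def contains_marker(chunk: bytes) -> bool:
    """Toy signature match; stands in for a real rule engine."""
    low = chunk.lower()
    return any(m in low for m in MARKERS)


def waf_prefix_only(body: bytes, limit: int = INSPECT_LIMIT) -> Tuple[str, int]:
    """Weak behaviour: scan the first `limit` bytes and pass the remainder unseen.
    Returns (verdict, bytes_actually_inspected)."""
    window = body[:limit]
    return ("block" if contains_marker(window) else "allow"), len(window)


def waf_fail_closed(body: bytes, limit: int = INSPECT_LIMIT) -> Tuple[str, int]:
    """Hardened: a body the engine cannot inspect in full is not allowed through.
    The limit is an enforced request-size policy (reject, e.g. with 413),
    not a silent scan horizon."""
    if len(body) > limit:
        return "block", 0
    return ("block" if contains_marker(body) else "allow"), len(body)


# Constructed bodies: padding pushes the marker past the inspection window.
SMALL_BAD = b"name=<script>alert(1)</script>"
OVERSIZED_BAD = b"A" * INSPECT_LIMIT + b"&comment=<script>alert(1)</script>"
OVERSIZED_BENIGN = b"A" * (INSPECT_LIMIT + 100)


if __name__ == "__main__":
    for label, body in (("small bad", SMALL_BAD),
                        ("oversized bad", OVERSIZED_BAD),
                        ("oversized benign", OVERSIZED_BENIGN)):
        print(f"{label:17s} prefix-only={waf_prefix_only(body)} "
              f"fail-closed={waf_fail_closed(body)}")
```

In an HTTP/2 deployment the total body size is not known until END_STREAM, so the fail-closed variant implies buffering up to the limit and rejecting the stream the moment it exceeds it; legitimately large uploads then need an explicit, documented exemption rather than an implicit one.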
Published: 2026-06-08, 14:47