Normalization is the preprocessing step performed by Web Application Firewalls (WAFs) to decode and transform incoming HTTP requests before applying security logic like signature inspection or rule-based checks.
Attackers often use obfuscation and encoding tricks to disguise malicious payloads, attempting to bypass WAF detection. Normalization ensures that these disguised payloads are decoded into their true form, exposing any embedded threats.
For example:
-
An encoded URL like
/big%20sales.htmlis decoded to/big sales.html. -
A multi-encoded string like
%252e%252e%252f(double-encoded “../”) becomes../after normalization, revealing a directory traversal attempt.
Normalization is crucial in anti-bypass detection — it “cleans” the request to its logical form, ensuring malicious content is not hidden under layers of encoding or formatting.
Use this checklist to validate whether a WAF engine supports the full spectrum of anti-evasion normalization strategies:
General Decoding & Transformation
-
ASCII Decoding: Decodes
%XXinto ASCII (e.g.,%3c→<) -
%u Decoding: Decodes Unicode encodings (e.g.,
%u0038→8) -
Multiple Decoding: Recursively decodes multi-encoded strings (
%252e→%2e→.) -
Bad Unescape Detection: Detects malformed encodings (e.g.,
%RR)
Path & Directory Handling
-
Multiple Slashes Normalization: Collapses
/////into/ -
Directory Traversal Normalization: Resolves
../and./to their logical path -
IIS Backslashes Normalization: Converts backslashes
\to forward slashes/
Unicode and Platform-Specific Handling
-
IIS Unicode Codepoints: Interprets special IIS character encodings (e.g.,
%u0103) -
Apache Whitespace Detection: Flags whitespace like
%09,%0b,%0cin suspicious positions
Risky or Suspicious Inputs
-
Bare Byte Decoding: Detects high ASCII bytes (e.g., 0xBC →
<) that may imply XSS -
Normalization Violation Alerting: Flags requests where normalization reveals a hidden attack
-
Decoding Pass Limit Control: Allows tuning of how many decoding passes are performed before blocking or alerting