Bypass Web Application Firewall using WAFNinja

WAFNinja is a CLI python tool that helps penetration testers to bypass Web Application Firewall by automating steps necessary for bypassing input validation. WAFNinja supports HTTP connections, GET and POST requests and the use of Cookies in order to access pages restricted to authenticated users. It also supports intercepting proxy, so yes MITM for you.

Bypass Web Application Firewall using WAFNinja - blackMORE Ops

The tool was created with the objective to be easily extendible, simple to use and usable in a team environment.

Supported web methods:

  • HTTP connections
  • GET requests
  • POST requests
  • Using Cookies (for pages behind auth)
  • Intercepting proxy

Using WAFNinja for WAF Bypass [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...

More examples


python fuzz -u "" 
-c "phpsessid=value" -t xss -o output.html

Bypass WAG

python bypass -u ""  -p "Name=PAYLOAD&Submit=Submit"         
-c "phpsessid=value" -t xss -o output.html

Insert fuzz

python insert-fuzz -i select -e select -t sql

Video demo

Here a complete video of a workshop that will teach you how to attack an application secured by a WAF. The moderator  describes WAF bypassing techniques and offers a systematic and practical approach on how to bypass web application firewalls based on these techniques. This video introduces WAFNinja, a tool that helps to find multiple vulnerabilities in firewalls.

Complete slides can be found here.


Check Also

Hacking remote desktop protocol using rdpy - blackMORE Ops

Hacking remote desktop protocol using rdpy

RDPY is a Microsoft RDP Security Tool developed in pure Python with RDP Man in …

Create MITM Test Environment using Snifflab

Create MITM Test Environment using Snifflab

Snifflab is a technical test environment for capturing and decrypting WiFi data transmissions. Snifflab creates …

One comment

  1. hey your site has great content, design but just wanted to ask how your site got approved by adsense although it has hacking contents.

Use, Twitter, Facebook, or Google+ accounts to comment (anonymous comments allowed)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.

%d bloggers like this: