Skip to content
Bypassing WAF by abusing SSL/TLS Ciphers
Branch: master
Clone or download
LandGrey update
1. update README
2. fix some code
Latest commit f4f3b51 Jul 5, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
curl upload code Jul 5, 2018
pictures update Jul 6, 2018
.gitignore update Jul 6, 2018 update Jul 6, 2018 upload code Jul 5, 2018


Helping you find the SSL/TLS Cipher that WAF cannot decrypt and Server can decrypt same time

Referer article: Bypassing Web-Application Firewalls by abusing SSL/TLS



python --help

If you can find keyword or regex when hit the WAF page, you can use:

python -regex "regex" -target

or you cannot find keyword or regex when filter by WAF,you can use:

python -thread 4 -target

Notice: If you are worry about WAF drop the connection, you have better not use -thread option.




Notice: If your operation system is not Windows, you should be modify ,adjust curl and sslscan path & command values.


If you don't know what the type of the WAF, you can compare the html response content length and try to find the bypassing WAF ciphers

knowing the hit WAF page keyword or regex:

When using some SSL/TLS ciphers request the payload URL, If WAF keyword or regex not in html page, there is a way bypassing WAF using Cipher!

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.