This repository has been archived by the owner. It is now read-only.
No description or website provided.
Switch branches/tags
Nothing to show
Clone or download

README.md

WAF Bypasser module

It assists the penetration testers to diagnose WAF rules and bypass WAFs.

Run examples

  • Fuzzing using simple content placeholders. The response will be detected if the responce code is in range 300-599 or 100.
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=@@@fuzzhere@@@' --mode fuzz -pl payloadlist.txt -rcd '300-599,100'
  • Fuzzing using simple content placeholders by adding cookies and post data

This example is fuzzing url using a payload list loaded from file, some post data, headers and a cookie. The response will be detected if contains the string 'permission'.

python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=@@@fuzzhere@@@' --mode fuzz -pl payloadlist.txt -X POST --contains' "permission" -H "Host: localhost" "Accept: */*" -d "var=1234" --cookie "name=tester"
  • Same example as above but fuzzing headers
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=test' --mode fuzz -pl payloadlist.txt -X POST --contains' "permission" -H "Host: @@@fuzzhere@@@" "Accept: */*" -d "var=1234" --cookie "name=tester"
  • Same as above but reversing the detection functions (Negative testing).
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=test' --mode fuzz -pl payloadlist.txt -X POST --contains' "permission" -H "Host: @@@fuzzhere@@@" "Accept: */*" -d "var=1234" --cookie "name=tester" -r
  • Testing usings CoNTains case_senvitice text
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=test' --mode fuzz -pl payloadlist.txt -X POST --contains' "permission" cs -H "Host: @@@fuzzhere@@@" "Accept: */*" -d "var=1234" --cookie "name=tester" -r
  • Finding the fuzzing placeholder allowed length. The 'A' value is a white-listed character.
python wafbypasser.py -t http://demo.testfire.net?var=@@@length@@@ -cnt "long" --accepted_value A -m length
  • HTTP Parameter Pollution

ASP mode:
This mode is splitting the payload at the comma ',' character and it is sending it to a different variable

python wafbypasser.py -t http://127.0.0.1/xss.php -pl ./Backups/hpp.txt --contains 'whatever' --param_name xss --param_source URL  -m asp_hpp
  • Detecting Allowed sources
python wafbypasser.py -t http://127.0.0.1/xss.php --contains 'whatever' --detect_allowed_sources --accepted_method GET --param_name xss --accepted_param_value test --param_source URL
  • Fuzzing using templates and transforming payloads

The transformation functions are defined in the obfuscation_lib.py.

python wafbypasser.py -t 'http://127.0.0.1/xss.php' -pl xss2.txt -rcd '200-599,100' --data "xss=@@@<reverse><payload/></reverse>@@@" -m fuzz
python wafbypasser.py -t http://127.0.0.1/xss.php -rcd '200-599,100' --data "xss=@@@<utf8>Hello</utf8>@@@" -m fuzz
  • Testing for anomalies and bypasses by changing the Content-Type.
python wafbypasser.py -t http://127.0.0.1/xss.php?xss=test --mode content_type_tamper
  • Overchar testing. Sending the payload after a stream with valid characters.
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=@@@fuzzhere@@@' -rcd 403 -X GET --headers "Accept: */*" "Host: localhost" -m overchar -pl ./Backups/xss.txt --accepted_value 1 --length 8196