
WAF Bypass Tool v1.18 - Open source tool to analyze the security of any WAF


itsMe


WAF Bypass Tool is an open-source tool that analyzes any WAF for false positives and false negatives using predefined and customizable payloads. Check your WAF before an attacker does. WAF Bypass Tool is developed by the Nemesida WAF team with the participation of the community.

Payloads

Depending on the purpose, payloads are located in the appropriate folders:

    FP – False Positive payloads
    API – API testing payloads
    CM – Custom HTTP Method payloads
    GraphQL – GraphQL testing payloads
    LDAP – LDAP injection payloads
    LFI – Local File Inclusion payloads
    MFD – multipart/form-data payloads
    NoSQLi – NoSQL injection payloads
    OR – Open Redirect payloads
    RCE – Remote Code Execution payloads
    RFI – Remote File Inclusion payloads
    SQLi – SQL injection payloads
    SSI – Server-Side Includes payloads
    SSRF – Server-side request forgery payloads
    SSTI – Server-Side Template Injection payloads
    UWA – Unwanted Access payloads
    XSS – Cross-Site Scripting payloads

Write your own payloads

When writing a payload, the following zones, methods and options are available:

    URL – request’s path
    ARGS – request’s query
    BODY – request’s body
    COOKIE – request’s cookie
    USER-AGENT – request’s user-agent
    REFERER – request’s referer
    HEADER – request’s header
    METHOD – request’s method
    BOUNDARY – specifies the contents of the request’s boundary. Applicable only to payloads in the MFD directory.
    ENCODE – specifies an additional encoding (Base64, HTML-ENTITY, UTF-16) to apply to the payload. Multiple values are separated by a space (e.g. Base64 UTF-16). Applicable only to the ARGS, BODY, COOKIE and HEADER zones. Not applicable to payloads in the API and MFD directories. Not compatible with the JSON option.
    JSON – specifies that the request’s body should be in JSON format
    BLOCKED – specifies whether the request is expected to be blocked: true for False Negative testing (the WAF must block it), false for False Positive testing (the WAF must let it through)
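The following is an added illustration written for this page, not the WAF Bypass Tool's own implementation. It models in Python how a payload definition built from the zones and options above becomes one HTTP request per zone, how the ENCODE chain is applied only to ARGS, BODY, COOKIE and HEADER, why ENCODE and JSON are rejected together, and how BLOCKED decides whether a WAF verdict counts as a false negative or a false positive. Everything not stated on the page is an assumption made here: the {"payload": {...}, "BLOCKED": bool} layout, the one-request-per-zone split, the concrete encoder implementations, the left-to-right order of a multi-value ENCODE, the target host http://target.example, and the rule that a blocked request answers HTTP 403.

```python
"""Added example (not the WAF Bypass Tool's code): payload zones -> requests -> FN/FP verdict.
Assumptions: definition layout, one request per zone, encoder details, 'blocked' == HTTP 403."""
import base64
import json
from typing import List, Tuple

# Constructed sample definitions in the assumed layout.
XSS_DEFINITION = json.loads(r'''
{
  "payload": {
    "URL":    "/<script>alert(1)</script>",
    "ARGS":   "q=<script>alert(1)</script>",
    "BODY":   "comment=<img src=x onerror=alert(1)>",
    "COOKIE": "session=<script>alert(1)</script>",
    "HEADER": "X-Forwarded-For: <script>alert(1)</script>",
    "ENCODE": "Base64 HTML-ENTITY"
  },
  "BLOCKED": true
}''')                                      # FN test: the WAF must block every zone
FP_DEFINITION = {"payload": {"ARGS": "q=select a table from the menu"},
                 "BLOCKED": False}         # FP test: harmless text must pass
BAD_DEFINITION = {"payload": {"BODY": '{"q": "x"}', "JSON": True, "ENCODE": "Base64"},
                  "BLOCKED": True}         # violates "ENCODE not compatible with JSON"


def _utf16_units(s: str) -> str:
    """Each UTF-16 code unit as a \\uXXXX escape (surrogate pairs stay correct)."""
    raw = s.encode("utf-16-be")
    return "".join("\\u%04x" % int.from_bytes(raw[i:i + 2], "big")
                   for i in range(0, len(raw), 2))


# Assumed encoder implementations for the three ENCODE types named on the page.
ENCODERS = {
    "Base64": lambda s: base64.b64encode(s.encode()).decode(),
    "HTML-ENTITY": lambda s: "".join("&#%d;" % ord(c) for c in s),
    "UTF-16": _utf16_units,
}
ZONES = ("URL", "ARGS", "BODY", "COOKIE", "USER-AGENT", "REFERER", "HEADER")
ENCODABLE = {"ARGS", "BODY", "COOKIE", "HEADER"}    # per the page, ENCODE applies only here


def encode_value(value: str, spec: str) -> str:
    """Apply an ENCODE chain; "Base64 UTF-16" means Base64 first, then UTF-16 (assumed order)."""
    for name in spec.split():
        if name not in ENCODERS:
            raise ValueError("unknown ENCODE type: " + name)
        value = ENCODERS[name](value)
    return value


def validate(definition: dict) -> List[str]:
    """Return the constraint violations this example checks (empty list means OK)."""
    p = definition["payload"]
    problems = []
    if p.get("ENCODE") and p.get("JSON"):
        problems.append("ENCODE is not compatible with JSON")
    problems += ["unknown ENCODE type: " + n for n in p.get("ENCODE", "").split() if n not in ENCODERS]
    problems += ["unsupported zone/option in this example: " + k
                 for k in p if k not in set(ZONES) | {"METHOD", "ENCODE", "JSON"}]
    return problems


def build_requests(definition: dict, base: str = "http://target.example") -> List[Tuple[str, dict]]:
    """One request per zone present, so a block can be attributed to the zone that triggered it."""
    problems = validate(definition)
    if problems:
        raise ValueError("; ".join(problems))
    p = definition["payload"]
    spec, as_json, method = p.get("ENCODE", ""), bool(p.get("JSON")), p.get("METHOD", "GET")
    enc = lambda v: encode_value(v, spec) if spec else v
    out = []
    for zone in ZONES:
        if zone not in p:
            continue
        value = p[zone]
        req = {"method": method, "url": base + "/", "headers": {}, "body": None}
        if zone == "URL":                      # never encoded: URL is not an ENCODE zone
            req["url"] = base + value
        elif zone == "ARGS":
            req["url"] = base + "/?" + enc(value)
        elif zone == "BODY":                   # assumption: a body needs a non-GET verb
            req["method"] = method if method != "GET" else "POST"
            req["headers"]["Content-Type"] = ("application/json" if as_json
                                              else "application/x-www-form-urlencoded")
            req["body"] = enc(value)
        elif zone == "COOKIE":
            req["headers"]["Cookie"] = enc(value)
        elif zone == "USER-AGENT":
            req["headers"]["User-Agent"] = value
        elif zone == "REFERER":
            req["headers"]["Referer"] = value
        elif zone == "HEADER":                 # "Name: value": only the value is encoded
            name, _, hval = value.partition(":")
            req["headers"][name.strip()] = enc(hval.strip())
        out.append((zone, req))
    return out


def classify(definition: dict, status_code: int, block_status: int = 403) -> str:
    """Compare the WAF verdict with BLOCKED: 'FN' = attack passed, 'FP' = clean request blocked."""
    was_blocked = status_code == block_status
    should_block = bool(definition.get("BLOCKED", True))
    if should_block and not was_blocked:
        return "FN"
    if not should_block and was_blocked:
        return "FP"
    return "OK"


if __name__ == "__main__":
    for zone, req in build_requests(XSS_DEFINITION):
        print(zone, req["method"], req["url"], req["headers"], req["body"])
    print(classify(XSS_DEFINITION, 200), classify(FP_DEFINITION, 403), validate(BAD_DEFINITION))
```

Running the script prints the five requests generated from XSS_DEFINITION (note that the URL zone keeps the raw tag while the encoded zones carry only entity-encoded Base64), then `FN FP` for the two sample verdicts and the single validation error for BAD_DEFINITION. The per-zone split is what makes a result actionable: a WAF that blocks the raw URL payload but passes the same payload Base64-encoded in a cookie has a decoding gap in exactly one zone.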
