Showing results for tags 'waf'.


Found 14 results

  1. WAF Bypass Tool is an open-source tool to analyze the security of any WAF for False Positives and False Negatives using predefined and customizable payloads. Check your WAF before an attacker does. WAF Bypass Tool is developed by the Nemesida WAF team with the participation of the community.

     Payloads

     Depending on the purpose, payloads are located in the appropriate folders:

       • FP – False Positive payloads
       • API – API testing payloads
       • CM – Custom HTTP Method payloads
       • GraphQL – GraphQL testing payloads
       • LDAP – LDAP Injection etc. payloads
       • LFI – Local File Include payloads
       • MFD – multipart/form-data payloads
       • NoSQLi – NoSQL injection payloads
       • OR – Open Redirect payloads
       • RCE – Remote Code Execution payloads
       • RFI – Remote File Inclusion payloads
       • SQLi – SQL injection payloads
       • SSI – Server-Side Includes payloads
       • SSRF – Server-side request forgery payloads
       • SSTI – Server-Side Template Injection payloads
       • UWA – Unwanted Access payloads
       • XSS – Cross-Site Scripting payloads

     Write your own payloads

     When compiling a payload, the following zones, methods, and options are used:

       • URL – request’s path
       • ARGS – request’s query
       • BODY – request’s body
       • COOKIE – request’s cookie
       • USER-AGENT – request’s user-agent
       • REFERER – request’s referer
       • HEADER – request’s header
       • METHOD – request’s method
       • BOUNDARY – specifies the contents of the request’s boundary. Applicable only to payloads in the MFD directory.
       • ENCODE – specifies the type of payload encoding (Base64, HTML-ENTITY, UTF-16) in addition to the encoding for the payload. Multiple values are indicated with a space (e.g. Base64 UTF-16). Applicable only to the ARGS, BODY, COOKIE and HEADER zones. Not applicable to payloads in the API and MFD directories. Not compatible with the JSON option.
       • JSON – specifies that the request’s body should be in JSON format
       • BLOCKED – specifies that the request should be blocked (FN testing) or not (FP)

     [hide][Hidden Content]]
  2. First of all, good morning, afternoon or evening... My name is ZeroDay. I don't usually post much, and I would like that to change a bit so that I can share knowledge and experiences, since in the years I have spent as a hacker, or apprentice hacker (I don't consider myself any kind of pro), where I have learned the most has been in a community, or rather, researching on my own, sharing in the community and going back to research on my own, since this work is 80% your own research. As an auditor, I think this is a topic we have all run into at some point: the Cloudflare WAF. In my first audit I ran into this problem. Those who are auditors know that audits are not CTFs, that there is a set time in which to carry out the audit, there are rules, and your job depends on it, so many factors come into play; nerves and pressure tend to play tricks on you. In our first audit we have all tried to do a CTF instead of an audit, at least in my case and in the maaany I know of: the habit of hacking everything, or at least trying to. My intention here is not to teach how to bypass the Cloudflare WAF (I know most people on this forum know how to do it); I want to share a tool that will help you carry out this task in an automated way. As you surely already know, this bypass requires using the following search engines: [Hidden Content] [Hidden Content] and the very well-known [Hidden Content] This is the tool: [Hidden Content] In this link there is another one that explains how it is done manually; there are many now. If you want to share some other way that I don't know, it would be very good for everyone; from what I can see, pentesting is not covered much on this forum. In this case it is an audit I carried out some time ago, and what I want is to go through issues that I have struggled with in the audits I have done, and for everyone to share their experiences.
I want to make clear, for personal reasons, that I am not teaching anyone to get around the WAF; I am only providing information so that you can research and know where to start. I would like people who work in the sector, want to work in it, or are already doing so, to contribute their experiences on this topic. Let's see how many pentesters there are around here, since, as I said, there is not much participation in the pentesting section. Let's try to boost this, since I think there are a great many people with a very good level to discuss the topics we will be covering, the vast majority a thousand times better than me, so contribute if you see fit. Greetings to the whole community.
  3. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 80 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for future reference. [hide][Hidden Content]]
  4. Raptor is a web application firewall made in C that uses DFA to block SQL injection, cross-site scripting, and path traversal. Why is this tool made in the C language? C has a high delay time for writing and debugging, but no pain, no gain: it has fast performance. In addition, the C language runs on any architecture, like MIPS, ARM, and others… Another benefit of C is that it has a good and high profile for writing optimizations; if you think of writing some lines in assembly code with AES-NI or SIMD instructions, I think it is a good choice. Why do you not use OOP? In this project I follow the "KISS" principle: [Hidden Content] It Simple. The C language has a lot of old-school dudes, like kernel hackers…

     Raptor is very simple and has three layers: reverse proxy, blacklist, and match (using a deterministic finite automaton). The proxy uses the select() function to check multiple sockets; in the future this will change to use libevent (signal based is very fast). If someone sends a request, Raptor does address analysis… Address blacklisted? Block! If the deterministic finite automaton and the blacklist don’t match, Raptor doesn’t block. Raptor gets a request with the GET or POST method and makes some analysis to find dirt like an SQL injection, cross-site scripting…

     External match string mode

       • The config directory has a file with lists of rules
       • You can match the string with different algorithms
       • You can choose with the argument --match or -m
       • Choose one option between Karp-Rabin, DFA, or Boyer-Moore-Horspool

     Changelog v0.6.2: Patch fix to improve the documentation.

     To run: $ git clone [Hidden Content] $ cd raptor_waf; make; bin/raptor

     Don’t execute with “cd bin; ./raptor”; use the path “bin/raptor”. For details, see [Hidden Content] [hide][Hidden Content]]
  5. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 80 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for future reference. [hide][Hidden Content]]
  6. I think the Cloudflare WAF would be an interesting topic to discuss, because if you don't obtain the IP you won't be able to audit the web application or the machine properly. Not long ago I was doing one and ran into a problem with Cloudflare: the method or methods and tools I used no longer work for me to get the origin IP, so I think it would be a good topic for pentesters to discuss. I have my techniques that I got from the internet, as well as tools and so on, but they didn't work for me this time. We all know that paid Cloudflare is configurable for various attacks, so with the human factor coming into play there can be security flaws, but even so it used to be possible to get the IP. What happened to me this time? The truth is that I am waiting to get hold of it. If anyone does, I will share the methods that are on the internet, and well, I have some of my own, because depending on the information I gather I can tell whether................. for example, if I know it has a certain port and it is not a common port, that will give me another way to find the IP, which is what happened to me in this case, but for lack of time I could not get hold of it, and I am ......... I will rest a bit and get to it, because before I did manage to get it; they must have added more security, or I don't know, it may be very well configured, although the configurations are for various attacks; I honestly don't know. But I am going to investigate it. If you can share your knowledge, I will share mine; what's more, I don't mind publishing it the way I do it, but it hasn't worked for me. As soon as someone answers me I will continue the thread, so I don't waste time or make you waste time reading if you are not going to answer. Greetings to all, ladies and gentlemen.
  7. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 80 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for future reference. [hide][Hidden Content]]
  8. Raptor is a web application firewall made in C that uses DFA to block SQL injection, cross-site scripting, and path traversal. Why is this tool made in the C language? C has a high delay time for writing and debugging, but no pain, no gain: it has fast performance. In addition, the C language runs on any architecture, like MIPS, ARM, and others… Another benefit of C is that it has a good and high profile for writing optimizations; if you think of writing some lines in assembly code with AES-NI or SIMD instructions, I think it is a good choice. Why do you not use OOP? In this project I follow the "KISS" principle: [Hidden Content] It Simple. The C language has a lot of old-school dudes, like kernel hackers… Changelog v0.6.1: Fix memory error handler [hide][Hidden Content]]
  9. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 80 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for future reference. [HIDE][Hidden Content]]
  10. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 80 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for future reference. Changelog v1.0.124 Adding support for Kuipernet [HIDE][Hidden Content]]
  11. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 80 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. Changelog v1.0.123 Update (Hello from Hyundai) [HIDE][Hidden Content]]
  12. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 60 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. [HIDE][Hidden Content]]
  13. identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. The blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. [Hidden Content] AND 2>1). Currently, it supports more than 60 different protection products (e.g. aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence, etc.), while the knowledge-base is constantly growing. Also, as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for future reference. Changelog v1.0.118 Adding signatures for new WAF (Wapples) [HIDE][Hidden Content]]
  14. Imperva SecureSphere WAF version 11.5 suffers from a bypass vulnerability due to first validating that a Content-Type header must be passed. View the full article