WAFNinja is a CLI Python tool that helps penetration testers bypass a Web Application Firewall (WAF) by automating the steps necessary for bypassing input validation. WAFNinja supports HTTP connections, GET and POST requests, and the use of cookies in order to access pages restricted to authenticated users. It also supports an intercepting proxy, so yes, MITM for you.
The tool was created with the objective of being easily extendible, simple to use, and usable in a team environment.
Supported web methods:
- HTTP connections
- GET requests
- POST requests
- Using Cookies (for pages behind auth)
- Intercepting proxy
Using WAFNinja for WAF Bypass
wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...
More examples
Fuzzing
python wafninja.py fuzz -u "http://www.target.com/index.php?id=FUZZ" -c "phpsessid=value" -t xss -o output.html
Bypass WAF
python wafninja.py bypass -u "http://www.target.com/index.php" -p "Name=PAYLOAD&Submit=Submit" -c "phpsessid=value" -t xss -o output.html
Insert fuzz
python wafninja.py insert-fuzz -i select -e select -t sql
Video demo
Here is a complete video of a workshop that will teach you how to attack an application secured by a WAF. The moderator describes WAF bypassing techniques and offers a systematic and practical approach to bypassing web application firewalls based on these techniques. The video introduces WAFNinja, a tool that helps to find multiple vulnerabilities in firewalls.
Complete slides can be found here.

