owtf / wafbypasser

Licence: other

WAF Bypasser module

It assists penetration testers in diagnosing WAF rules and bypassing WAFs.

Run examples

  • Fuzzing using simple content placeholders. The response will be detected if the response code is in the range 300-599 or is 100.
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=@@@fuzzhere@@@' --mode fuzz -pl payloadlist.txt -rcd '300-599,100'
  • Fuzzing using simple content placeholders, adding cookies and POST data

This example fuzzes the URL using a payload list loaded from a file, some POST data, headers and a cookie. The response will be detected if it contains the string 'permission'.

python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=@@@fuzzhere@@@' --mode fuzz -pl payloadlist.txt -X POST --contains "permission" -H "Host: localhost" "Accept: */*" -d "var=1234" --cookie "name=tester"
  • Same example as above but fuzzing headers
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=test' --mode fuzz -pl payloadlist.txt -X POST --contains "permission" -H "Host: @@@fuzzhere@@@" "Accept: */*" -d "var=1234" --cookie "name=tester"
  • Same as above but reversing the detection functions (Negative testing).
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=test' --mode fuzz -pl payloadlist.txt -X POST --contains "permission" -H "Host: @@@fuzzhere@@@" "Accept: */*" -d "var=1234" --cookie "name=tester" -r
  • Testing using case-sensitive contains text
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=test' --mode fuzz -pl payloadlist.txt -X POST --contains "permission" cs -H "Host: @@@fuzzhere@@@" "Accept: */*" -d "var=1234" --cookie "name=tester" -r
  • Finding the allowed length of the fuzzing placeholder. The 'A' value is a white-listed character.
python wafbypasser.py -t http://demo.testfire.net?var=@@@length@@@ -cnt "long" --accepted_value A -m length
  • HTTP Parameter Pollution

ASP mode:
This mode splits the payload at the comma ',' character and sends the pieces in different variables.

python wafbypasser.py -t http://127.0.0.1/xss.php -pl ./Backups/hpp.txt --contains 'whatever' --param_name xss --param_source URL  -m asp_hpp
  • Detecting Allowed sources
python wafbypasser.py -t http://127.0.0.1/xss.php --contains 'whatever' --detect_allowed_sources --accepted_method GET --param_name xss --accepted_param_value test --param_source URL
  • Fuzzing using templates and transforming payloads

The transformation functions are defined in obfuscation_lib.py.

python wafbypasser.py -t 'http://127.0.0.1/xss.php' -pl xss2.txt -rcd '200-599,100' --data "xss=@@@<reverse><payload/></reverse>@@@" -m fuzz
python wafbypasser.py -t http://127.0.0.1/xss.php -rcd '200-599,100' --data "xss=@@@<utf8>Hello</utf8>@@@" -m fuzz
  • Testing for anomalies and bypasses by changing the Content-Type.
python wafbypasser.py -t http://127.0.0.1/xss.php?xss=test --mode content_type_tamper
  • Overchar testing. Sending the payload after a stream of valid characters.
python wafbypasser.py -t 'http://127.0.0.1/xss.php?xss=@@@fuzzhere@@@' -rcd 403 -X GET --headers "Accept: */*" "Host: localhost" -m overchar -pl ./Backups/xss.txt --accepted_value 1 --length 8196
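
From the defender's side, the ASP HPP mode above matters because a rule that inspects each occurrence of a parameter on its own never sees the comma-joined value the application receives. The following is an added example, not part of wafbypasser or OWTF: it assumes a backend that joins repeated query parameters with ',' (as classic ASP and ASP.NET do), and the function names, the rule and the sample queries are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed placeholder rule standing in for a real WAF signature.
RULE = re.compile(r"foo\(1,2\)")

# Constructed sample query strings (not taken from the page).
SAMPLES = [
    "xss=foo(1,2)",       # single occurrence: ordinary per-value inspection sees it
    "xss=foo(1&xss=2)",   # repeated name: only the joined value matches
    "a=1&a=2&b=3",        # repeated name, nothing matches
]

def group_params(query):
    """Group query-string values by parameter name, keeping their order."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped

def reassembled_only_matches(query, rule=RULE):
    """Return (name, joined_value) for parameters where the rule matches the
    comma-joined value but none of the individual occurrences.

    Assumption: the backend joins repeated parameters with ','.
    """
    findings = []
    for name, parts in group_params(query).items():
        if len(parts) < 2:
            continue  # not repeated, nothing is reassembled
        joined = ",".join(parts)
        if rule.search(joined) and not any(rule.search(p) for p in parts):
            findings.append((name, joined))
    return findings

def repeated_names(query):
    """Names that occur more than once; worth logging even without a rule hit."""
    return sorted(n for n, parts in group_params(query).items() if len(parts) > 1)

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, repeated_names(q), reassembled_only_matches(q))
```

Running the inspection engine on the joined value, and logging every request that `repeated_names` flags, closes the gap between what the WAF matches and what the application reads.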