WAFNinja – Web Application Firewall Attack Tool – WAF Bypass


WAFNinja is a Python-based Web Application Firewall Attack Tool designed to help penetration testers execute WAF bypass by automating the steps necessary to bypass input validation.

WAFNinja - Web Application Firewall Attack Tool - WAF Bypass


The tool was created with the objective to be easily extendible, simple to use and usable in a team environment.

What can WAFNinja Web Application Firewall Attack Tool Do?

Many payloads and fuzzing strings, which are stored in a local database file come shipped with the tool.

WAFNinja supports:

  • HTTP connections
  • GET requests
  • POST requests
  • Using Cookies (for pages behind auth)
  • Intercepting proxy

Using WAFNinja for WAF Bypass

Examples of Web Application Firewall Attacks

Fuzz:

Bypass:

Insert-fuzz:

You can also check out:

WAFW00F – Fingerprint & Identify Web Application Firewall (WAF) Products

You can download WAFNinja here:

WAFNinja-master.zip

Or read more here.

Posted in: Hacking Tools

, ,


Latest Posts:


Memhunter - Automated Memory Resident Malware Detection Memhunter – Automated Memory Resident Malware Detection
Memhunter is an Automated Memory Resident Malware Detection tool for the hunting of memory resident malware at scale, improving threat hunter analysis process.
Sandcastle - AWS S3 Bucket Enumeration Tool Sandcastle – AWS S3 Bucket Enumeration Tool
Astra - API Automated Security Testing For REST Astra – API Automated Security Testing For REST
Astra is a Python-based tool for API Automated Security Testing, REST API penetration testing is complex due to continuous changes in existing APIs.
Judas DNS - Nameserver DNS Poisoning Attack Tool Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download - Tools for Network Auditing & Password Sniffing dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network
OWASP Amass - DNS Enumeration, Attack Surface Mapping & External Asset Discovery OWASP Amass – DNS Enumeration, Attack Surface Mapping & External Asset Discovery
The OWASP Amass Project is a DNS Enumeration, Attack Surface Mapping & External Asset Discovery tool to help information security professionals perform network mapping of attack surfaces.


3 Responses to WAFNinja – Web Application Firewall Attack Tool – WAF Bypass

  1. madtester November 2, 2017 at 8:26 am #

    This does not work against F5 ASM despite the claims in the review article here:

    https://waf.ninja/review-wafninja/

    • Darknet November 2, 2017 at 2:59 pm #

      Worked on an earlier version maybe?

    • mishka November 7, 2017 at 1:54 pm #

      The tool wasn’t changed for a year and according to article it has only one XSS payload related to F5 ASM. Probably, it was just mitigated with additional rules and guess the same applies to the rest of vendor-specific payloads.