Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
Awesome-WAF
🔥 A curated list of awesome web-app firewall (WAF) stuff.
https://github.com/wisdark/Awesome-WAF
Last synced: 1 day ago
Known Bypasses:
- AWS
- Airlock Ergon
- Barracuda
  - @Global-Evolution
  - Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit) - db.com/?author=479#)
  - Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit) - db.com/?author=479)
- Cerber (WordPress)
- Citrix NetScaler
  - @BGA Security
  - `generic_api_call.pl` XSS - db.com/?author=6654)
- Cloudflare
- Imperva
  - XSS Bypass
  - Imperva SecureSphere 13 - Remote Command Execution - db.com/?author=9396)
  - @David Y
  - XSS Bypass
  - XSS Bypass
  - XSS Bypass
  - @Emad Shanab
  - @i_bo0om
  - @c0d3g33k
  - @DRK1WI
  - @Giuseppe D'Amore
  - Imperva SecureSphere <= v13 - Privilege Escalation - db.com/?author=8991)
  - XSS Bypass
- WebKnight
  - @WAFNinja
  - @WAFNinja
  - SQLi Bypass - db.com/author/?a=1275)
  - @Aatif Khan
  - @WAFNinja
- DotDefender
- Fortinet Fortiweb
- Wordfence
  - HTML Injection - db.com/?author=8505)
  - Other XSS Bypasses
  - @brute Logic
  - XSS Exploit - db.com/?author=1293) (>= v3.3.5)
- F5 BIG-IP
  - `report_type` XSS - db.com/?author=6654)
  - @Anastasios Monachos
- StackPath
- Kona SiteDefender
- Profense
  - GET Type CSRF Attack - db.com/?author=628) (>= v.2.6.2)
  - @Michael Brooks
  - XSS Bypass
- Sucuri
- WebARX
- F5 FirePass
Testing Methodology:
- Detection Techniques
- Evasion Techniques
  - Fuzzing/Bruteforcing
  - Obfuscation
  - HTTP Parameter Fragmentation
  - Browser Bugs
  - Using Atypical Equivalent Syntactic Structures
  - Abuse WAF limit on HTTP Responses
  - Abusing DNS History
    - IP History - trails) come to the rescue during the recon process.
  - Google Dorks Approach
Awesome Tools
- Testing:
  - WAF Testing Framework - A WAF testing tool by [Imperva](https://imperva.com).
- Evasion:
  - Bypass WAF BurpSuite Plugin - A plugin for Burp Suite which adds some request headers so that the requests appear to come from the internal network.
Blogs and Writeups
- Management:
  - How To Exploit PHP Remotely To Bypass Filters & WAF Rules - By [@Secjuice](https://secjuice.com)
  - XXE that can Bypass WAF - By [@WallArm](https://labs.wallarm.com).
  - SQL Injection Bypassing WAF - By [@OWASP](https://owasp.com).
  - How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing - By [@SunnyHoi](https://twitter.com/sunnyhoi).
  - Bypassing Web-Application Firewalls by abusing SSL/TLS - By [@0x09AL](https://twitter.com/0x09al).
  - Request Encoding to Bypass WAFs - By [@Soroush Dalili](https://twitter.com/irsdl)
  - Web Application Firewall (WAF) Evasion Techniques #1 - By [@Secjuice](https://www.secjuice.com).
  - Web Application Firewall (WAF) Evasion Techniques #2 - By [@Secjuice](https://www.secjuice.com).
  - Web Application Firewall (WAF) Evasion Techniques #3 - By [@Secjuice](https://www.secjuice.com).
  - ModSecurity SQL Injection Challenge: Lessons Learned - By [@SpiderLabs](https://trustwave.com).
Video Presentations
- Management:
  - WAF Bypass Techniques Using HTTP Standard and Web Servers Behavior
  - Confessions of a WAF Developer: Protocol-Level Evasion of Web App Firewalls - us-12).
  - Web Application Firewall - Analysis of Detection Logic
  - Bypassing Browser Security Policies for Fun & Profit
  - Web Application Firewall Bypassing
  - Fingerprinting Filter Rules of Web Application Firewalls - Side Channeling Attacks
  - Evading Deep Inspection Systems for Fun and Shell - us-13).
  - Bypass OWASP CRS && CWAF (WAF Rule Testing - Unrestricted File Upload) - VQ).
  - WAFs FTW! A modern devops approach to security testing your WAF
  - Web Application Firewall Bypassing WorkShop
  - Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch
  - WTF - WAF Testing Framework
  - The Death of a Web App Firewall - N2sHnXFwi0XjDIMTPg).
  - Adventures with the WAF
  - Bypassing Intrusion Detection Systems
  - Building Your Own WAF as a Service and Forgetting about False Positives
Credits & License:
- Presentations:
  - Pinaki
- Awesome-WAF is licensed under the [Apache 2.0 License](LICENSE).