https://github.com/khalilbijjou/wafninja

WAFNinja is a tool which contains two functions to attack Web Application Firewalls.
https://github.com/khalilbijjou/wafninja

Last synced: 3 months ago
JSON representation

WAFNinja is a tool which contains two functions to attack Web Application Firewalls.

• Host: GitHub
• URL: https://github.com/khalilbijjou/wafninja
• Owner: khalilbijjou
• Created: 2016-05-18T13:52:09.000Z (about 8 years ago)
• Default Branch: master
• Last Pushed: 2017-12-06T10:55:26.000Z (over 6 years ago)
• Last Synced: 2024-01-20T18:16:43.875Z (5 months ago)
• Language: Python
• Size: 45.9 KB
• Stars: 776
• Watchers: 43
• Forks: 267
• Open Issues: 9
• Metadata Files:
  • Readme: README.md

Lists

• Awesome-WAF - WAFNinja - A smart tool which fuzzes and can suggest bypasses for a given WAF by [@khalilbijjou](https://github.com/khalilbijjou/). (Awesome Tools / Evasion:)
• Awesome-WAF - WAFNinja - A smart tool which fuzzes and can suggest bypasses for a given WAF by [@khalilbijjou](https://github.com/khalilbijjou/). (Awesome Tools / Evasion:)

README

        
# WAFNinja

	    WAFNinja - Penetration testers favorite for WAF Bypassing

WAFNinja is a CLI tool written in Python. It shall help penetration testers to bypass a WAF by

automating steps necessary for bypassing input validation. The tool was created with the objective

to be easily extendible, simple to use and usable in a team environment. Many payloads and

fuzzing strings, which are stored in a local database file come shipped with the tool. WAFNinja

supports HTTP connections, GET and POST requests and the use of Cookies in order to access

pages restricted to authenticated users. Also, an intercepting proxy can be set up.

Installation:

	git clone https://github.com/khalilbijjou/WAFNinja && cd WAFNinja

	pip install -r requirements.txt

	

Usage: 

	wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...

    

EXAMPLE:

fuzz:

	

	python wafninja.py fuzz -u "http://www.target.com/index.php?id=FUZZ" 

	-c "phpsessid=value" -t xss -o output.html 

bypass:

	

	python wafninja.py bypass -u "http://www.target.com/index.php"  -p "Name=PAYLOAD&Submit=Submit"         

	-c "phpsessid=value" -t xss -o output.html

insert-fuzz:

	python wafninja.py insert-fuzz -i select -e select -t sql

positional arguments:

  {fuzz, bypass, insert-fuzz, insert-bypass, set-db}

                        

    Which function do you want to use?

                        

    fuzz                check which symbols and keywords are allowed by the WAF.

    bypass              sends payloads from the database to the target.

    insert-fuzz         add a fuzzing string

    insert-bypass       add a payload to the bypass list

    set-db              use another database file. Useful to share the same database with others.

    optional arguments:

    -h, --help            show this help message and exit

    -v, --version         show program's version number and exit

I would appreciate any feedback! Cheers, Khalil.