Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/khalilbijjou/wafninja
WAFNinja is a tool which contains two functions to attack Web Application Firewalls.
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/khalilbijjou/wafninja
- Owner: khalilbijjou
- Created: 2016-05-18T13:52:09.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2017-12-06T10:55:26.000Z (over 6 years ago)
- Last Synced: 2024-01-20T18:16:43.875Z (5 months ago)
- Language: Python
- Size: 45.9 KB
- Stars: 776
- Watchers: 43
- Forks: 267
- Open Issues: 9
Metadata Files:
- Readme: README.md
Lists
- Awesome-WAF - WAFNinja - A smart tool which fuzzes and can suggest bypasses for a given WAF by [@khalilbijjou](https://github.com/khalilbijjou/). (Awesome Tools / Evasion:)
README
# WAFNinja
WAFNinja - Penetration testers' favorite for WAF bypassing

WAFNinja is a CLI tool written in Python. It helps penetration testers bypass a WAF by
automating the steps necessary for bypassing input validation. The tool was created with the objective
of being easily extendible, simple to use and usable in a team environment. Many payloads and
fuzzing strings, which are stored in a local database file, come shipped with the tool. WAFNinja
supports HTTP connections, GET and POST requests and the use of cookies in order to access
pages restricted to authenticated users. An intercepting proxy can also be set up.

Installation:
```
git clone https://github.com/khalilbijjou/WAFNinja && cd WAFNinja
pip install -r requirements.txt
```
Usage:

```
wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...
```

EXAMPLE:

fuzz:

```
python wafninja.py fuzz -u "http://www.target.com/index.php?id=FUZZ" \
    -c "phpsessid=value" -t xss -o output.html
```

bypass:

```
python wafninja.py bypass -u "http://www.target.com/index.php" -p "Name=PAYLOAD&Submit=Submit" \
    -c "phpsessid=value" -t xss -o output.html
```

insert-fuzz:

```
python wafninja.py insert-fuzz -i select -e select -t sql
```
```
positional arguments:
  {fuzz, bypass, insert-fuzz, insert-bypass, set-db}
                  Which function do you want to use?

    fuzz          check which symbols and keywords are allowed by the WAF.
    bypass        sends payloads from the database to the target.
    insert-fuzz   add a fuzzing string
    insert-bypass add a payload to the bypass list
    set-db        use another database file. Useful to share the same database with others.

optional arguments:
  -h, --help      show this help message and exit
  -v, --version   show program's version number and exit
```

I would appreciate any feedback! Cheers, Khalil.