WAFNinja – Tool to Bypass Web Application Firewalls

WAFNinja is a CLI tool written in Python. It helps penetration testers bypass a WAF by automating the steps necessary for bypassing input validation. The tool was created with the objective of being easily extensible, simple to use and usable in a team environment.

The tool ships with many payloads and fuzzing strings, which are stored in a local database file. WAFNinja supports HTTP connections, GET and POST requests, and the use of cookies to access pages restricted to authenticated users. An intercepting proxy can also be set up.

The tool includes the following options:

  • fuzz – checks which symbols and keywords are allowed by the WAF.
  • bypass – sends payloads from the database to the target.
  • insert-fuzz – adds a fuzzing string.
  • insert-bypass – adds a payload to the bypass list.
  • set-db – uses another database file. Useful for sharing the same database with others.

Web application firewalls can be a good addition to your defenses, especially when a web server is exposed to the internet. A WAF may slow down a scan and hide or change web responses, which slows down web enumeration.
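From the defender's side, the fuzz mode described above leaves a recognizable trace in WAF logs: one client sends many short, distinct values to the same parameter and receives a mix of blocked and allowed responses. The sketch below is an added example, not part of WAFNinja; the log format, the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed WAF log lines (hypothetical format, not a real product's):
# client_ip  path  parameter  url-encoded-value  action
SAMPLE_LOG = """\
203.0.113.7 /search q %3C BLOCK
203.0.113.7 /search q %3E BLOCK
203.0.113.7 /search q %27 ALLOW
203.0.113.7 /search q %22 ALLOW
203.0.113.7 /search q script BLOCK
203.0.113.7 /search q select ALLOW
203.0.113.7 /search q union BLOCK
203.0.113.7 /search q %28 ALLOW
198.51.100.20 /search q red%20shoes ALLOW
198.51.100.20 /search q blue%20jacket ALLOW
198.51.100.20 /search q hat ALLOW
198.51.100.33 /search q O%27Brien BLOCK
198.51.100.33 /search q obrien ALLOW
"""

def find_probing(log_text, min_distinct=6, max_len=12):
    """Flag (client, path, parameter) groups that look like WAF rule mapping."""
    groups = defaultdict(lambda: {"values": set(), "blocked": 0, "total": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        client, path, param, raw, action = fields
        g = groups[(client, path, param)]
        g["total"] += 1
        g["blocked"] += action == "BLOCK"
        value = unquote(raw)
        if len(value) <= max_len:  # probes are short symbols or keywords
            g["values"].add(value)
    findings = []
    for (client, path, param), g in sorted(groups.items()):
        mixed = 0 < g["blocked"] < g["total"]  # some probes pass, some do not
        if mixed and len(g["values"]) >= min_distinct:
            findings.append({"client": client, "target": f"{path}?{param}",
                             "distinct_values": len(g["values"]),
                             "blocked": g["blocked"], "total": g["total"]})
    return findings

if __name__ == "__main__":
    for f in find_probing(SAMPLE_LOG):
        print(f)
```

Tune `min_distinct` and `max_len` against your own traffic; a single false positive such as the `O'Brien` search stays below the threshold here.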

You can read more and download this tool over here: https://github.com/khalilbijjou/wafninja