WAFNinja – A Tool To Bypass WAF

WAFNinja is a CLI tool written in Python. It is the best tool for penetration testers to bypass a WAF by automating steps necessary for bypassing input validation. The tool was created with the objective to be easily extendable, simple to use and usable in a team environment. Many payloads and fuzzing strings, which are stored in a local database file come shipped with the tool.

WAFNinja supports HTTP connections, GET and POST requests and the use of Cookies in order to access pages restricted to authenticated users. Also, an intercepting proxy can be set up.

 

Using Command:

wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...

 

Example:

Fuzz:

python wafninja.py fuzz -u "http://www.target.com/index.php?id=FUZZ" 
-c "phpsessid=value" -t xss -o output.html

 

Bypass:

python wafninja.py bypass -u "http://www.target.com/index.php"  -p "Name=PAYLOAD&Submit=Submit"         
-c "phpsessid=value" -t xss -o output.html

Insert-Fuzz:

python wafninja.py insert-fuzz -i select -e select -t sql

positional arguments: {fuzz, bypass, insert-fuzz, insert-bypass, set-db}

Which function do you want to use?

fuzz                check which symbols and keywords are allowed by the WAF.
bypass              sends payloads from the database to the target.
insert-fuzz         add a fuzzing string
insert-bypass       add a payload to the bypass list
set-db              use another database file. Useful to share the same database with others.

optional arguments:
-h, --help            show this help message and exit
-v, --version         show program's version number and exit

 

Download now: WAFNinja

Related posts

Cracking the Code: Investigating Emerging Trends on Hacker Forums

Top Cybersecurity Threats Of This Year And How To Defend Against Them

The Rise of Open-Source AI: How Companies like Mistral AI are Shaping the Future