WAF Bypass Tool v1.18 - Open source tool to analyze the security of any WAF

itsMe



WAF Bypass Tool is an open-source tool to analyze the security of any WAF for False Positives and False Negatives using predefined and customizable payloads. Check your WAF before an attacker does. WAF Bypass Tool is developed by the Nemesida WAF team with the participation of the community.

Payloads

Depending on the purpose, payloads are located in the appropriate folders:

    FP – False Positive payloads
    API – API testing payloads
    CM – Custom HTTP Method payloads
    GraphQL – GraphQL testing payloads
    LDAP – LDAP Injection etc. payloads
    LFI – Local File Include payloads
    MFD – multipart/form-data payloads
    NoSQLi – NoSQL injection payloads
    OR – Open Redirect payloads
    RCE – Remote Code Execution payloads
    RFI – Remote File Inclusion payloads
    SQLi – SQL injection payloads
    SSI – Server-Side Includes payloads
    SSRF – Server-side request forgery payloads
    SSTI – Server-Side Template Injection payloads
    UWA – Unwanted Access payloads
    XSS – Cross-Site Scripting payloads

Write your own payloads

When compiling a payload, the following zones, methods, and options are used:

    URL – request’s path
    ARGS – request’s query
    BODY – request’s body
    COOKIE – request’s cookie
    USER-AGENT – request’s user-agent
    REFERER – request’s referer
    HEADER – request’s header
    METHOD – request’s method
    BOUNDARY – specifies the contents of the request’s boundary. Applicable only to payloads in the MFD directory.
    ENCODE – specifies the type of payload encoding (Base64, HTML-ENTITY, UTF-16) in addition to the encoding for the payload. Multiple values are indicated with a space (e.g. Base64 UTF-16). Applicable only to the ARGS, BODY, COOKIE and HEADER zones. Not applicable to payloads in the API and MFD directories. Not compatible with the JSON option.
    JSON – specifies that the request’s body should be in JSON format
    BLOCKED – specifies that the request should be blocked (FN testing) or not (FP)

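The zone/option rules listed in the post are easy to get wrong when writing payloads by hand, so here is an added example (not code from the post or from the Nemesida WAF Bypass tool) that validates a payload against those rules, applies the ENCODE chain, and labels the outcome FN or FP from the BLOCKED flag. The flat JSON-object layout (one key per zone or option), the byte-level meaning of each ENCODE value, and the toy signature WAF are all assumptions of this example; check the tool's payload directory for the real file layout.

```python
"""Validator, encoder and FP/FN classifier for WAF test payloads.

Added example, not the WAF Bypass tool's own code. Assumes a payload is a
flat JSON object keyed by zone/option name (URL, ARGS, ..., ENCODE, BLOCKED).
"""
import base64

ZONES = {"URL", "ARGS", "BODY", "COOKIE", "USER-AGENT", "REFERER", "HEADER", "METHOD"}
OPTIONS = {"BOUNDARY", "ENCODE", "JSON", "BLOCKED"}
ENCODE_ZONES = {"ARGS", "BODY", "COOKIE", "HEADER"}   # ENCODE is limited to these zones
ENCODINGS = {"Base64", "HTML-ENTITY", "UTF-16"}
VALUE_ORDER = ["URL", "ARGS", "BODY", "COOKIE", "USER-AGENT", "REFERER", "HEADER"]


def validate_payload(payload: dict, directory: str) -> list:
    """Return the rules a payload violates; an empty list means it is well-formed."""
    errors = []
    unknown = set(payload) - ZONES - OPTIONS
    if unknown:
        errors.append("unknown keys: " + ", ".join(sorted(unknown)))
    if not isinstance(payload.get("BLOCKED"), bool):
        errors.append("BLOCKED must be present and boolean")
    if "BOUNDARY" in payload and directory != "MFD":
        errors.append("BOUNDARY is only valid in the MFD directory")
    if "ENCODE" in payload:
        bad = [e for e in payload["ENCODE"].split() if e not in ENCODINGS]
        if bad:
            errors.append("unsupported ENCODE value(s): " + ", ".join(bad))
        if directory in ("API", "MFD"):
            errors.append("ENCODE is not applicable in the API and MFD directories")
        if payload.get("JSON"):
            errors.append("ENCODE is not compatible with JSON")
        if not ENCODE_ZONES & set(payload):
            errors.append("ENCODE needs an ARGS, BODY, COOKIE or HEADER zone")
    return errors


def encode_value(value: str, encodings: str) -> str:
    """Apply space-separated encodings left to right, e.g. "Base64 UTF-16".

    Representations are this example's choice (assumption): Base64 is standard
    base64, HTML-ENTITY is a decimal numeric character reference per character,
    UTF-16 is UTF-16LE with every byte percent-encoded so it survives transport.
    """
    out = value
    for enc in encodings.split():
        if enc == "Base64":
            out = base64.b64encode(out.encode("utf-8")).decode("ascii")
        elif enc == "HTML-ENTITY":
            out = "".join("&#%d;" % ord(c) for c in out)
        elif enc == "UTF-16":
            out = "".join("%%%02X" % b for b in out.encode("utf-16-le"))
        else:
            raise ValueError("unsupported encoding: " + enc)
    return out


def classify(payload: dict, waf_blocked: bool) -> str:
    """BLOCKED says what should happen; the WAF verdict says what did happen."""
    if payload["BLOCKED"] and not waf_blocked:
        return "FN"      # attack payload slipped through
    if not payload["BLOCKED"] and waf_blocked:
        return "FP"      # legitimate request was blocked
    return "PASS"


def toy_waf_blocks(value: str) -> bool:
    """Constructed stand-in for a WAF: naive substring signatures on the raw value.

    A real WAF normalises encodings before matching; this one deliberately does
    not, so that an encoded attack produces a visible FN in run_samples().
    """
    return any(sig in value.lower() for sig in ("or 1=1", "<script", "../"))


# Constructed sample payloads: (name, payload directory, payload object).
SAMPLE_PAYLOADS = [
    ("sqli-plain", "SQLi", {"ARGS": "' OR 1=1 -- ", "BLOCKED": True}),
    ("sqli-b64", "SQLi", {"ARGS": "' OR 1=1 -- ", "ENCODE": "Base64", "BLOCKED": True}),
    ("fp-search", "FP", {"ARGS": "how do I escape a <script> tag in markdown", "BLOCKED": False}),
    ("mfd-misplaced", "SQLi", {"BODY": "x", "BOUNDARY": "----abc", "BLOCKED": True}),
    ("json-encoded", "API", {"BODY": "{}", "JSON": True, "ENCODE": "Base64", "BLOCKED": True}),
]


def run_samples(samples=SAMPLE_PAYLOADS) -> dict:
    """Validate, encode and classify each sample; returns name -> verdict."""
    results = {}
    for name, directory, payload in samples:
        errors = validate_payload(payload, directory)
        if errors:
            results[name] = "INVALID: " + "; ".join(errors)
            continue
        raw = next((payload[z] for z in VALUE_ORDER if z in payload), "")
        sent = encode_value(raw, payload.get("ENCODE", ""))
        results[name] = classify(payload, toy_waf_blocks(sent))
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-14s %s" % (name, verdict))
```

Running it shows the point of the BLOCKED flag: the plain SQLi payload is blocked (PASS), the same payload with ENCODE Base64 gets past the naive signature check (FN), the harmless search query trips the signature (FP), and the two malformed payloads are rejected before any request would be sent.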