WAFNinja – Penetration testers favorite for WAF Bypassing

WAFNinja is a CLI tool written in Python. It shall help penetration testers to bypass a WAF by automating steps necessary for bypassing input validation. The tool was created with the objective to be easily extendible, simple to use and usable in a team environment. Many payloads and fuzzing strings, which are stored in a local database file come shipped with the tool. WAFNinja supports HTTP connections, GET and POST requests and the use of Cookies in order to access pages restricted to authenticated users. Also, an intercepting proxy can be set up.

wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} …


python wafninja.py fuzz -u “http://ift.tt/23ewupr” -c “phpsessid=value” -t xss -o output.html


python wafninja.py bypass -u “http://ift.tt/1VRz1CG” -p “Name=PAYLOAD&Submit=Submit” -c “phpsessid=value” -t xss -o output.html


python wafninja.py insert-fuzz -i select -e select -t sql

positional arguments: {fuzz, bypass, insert-fuzz, insert-bypass, set-db}

Which function do you want to use?fuzz check which symbols and keywords are allowed by the WAF.bypass sends payloads from the database to the target.insert-fuzz add a fuzzing stringinsert-bypass add a payload to the bypass listset-db use another database file. Useful to share the same database with others.optional arguments:-h, –help show this help message and exit-v, –version show program’s version number and exit

I would appreciate any feedback! Cheers, Khalil.
Download WAFNinja http://ift.tt/2fk7oD4 http://ift.tt/2aM8QhC


Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s