nemesida-waf / waf-bypass Goto Github PK
View Code? Open in Web Editor NEWCheck your WAF before an attacker does
Home Page: https://nemesida-waf.com
License: MIT License
Check your WAF before an attacker does
Home Page: https://nemesida-waf.com
License: MIT License
root@ubuntu20:/opt/waf-bypass# docker run nemesida/waf-bypass --host='www.dingjunkj.com'
^C
An incorrect response was received while processing request from file /opt/waf-bypass/payload/SSI/1.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/API/3.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/RCE/5.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/API/1.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/SSI/2.json in URL: 0
An error occurred while processing file /opt/waf-bypass/payload/RCE/5.json in BODY: WBHTTPConnectionPool(host='www.dingjunkj.com', port=80): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f5ffce55070>, 'Connection to www.dingjunkj.com timed out. (connect timeout=30)'))
An incorrect response was received while processing request from file /opt/waf-bypass/payload/API/2.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/SSI/5.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/RCE/22.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/NoSQLi/6.json in URL: 0
An error occurred while processing file /opt/waf-bypass/payload/RCE/22.json in COOKIE: WBHTTPConnectionPool(host='www.dingjunkj.com', port=80): Read timed out.
An incorrect response was received while processing request from file /opt/waf-bypass/payload/RCE/15.json in URL: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/NoSQLi/2.json in URL: 0
An error occurred while processing file /opt/waf-bypass/payload/RCE/15.json in ARGS: WBHTTPConnectionPool(host='www.dingjunkj.com', port=80): Read timed out.
An incorrect response was received while processing request from file /opt/waf-bypass/payload/RFI/4.json in ARGS: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/RFI/4.json in ARGS: 0
An incorrect response was received while processing request from file /opt/waf-bypass/payload/RFI/4.json in ARGS: 0
Keyboard Interrupt
Hi,it was used normally a few days ago, but now it reports an error when it is used。
Error message :
error occurred while processing payload from file path\xxx.json: list index out of range�
tnx
Hi guys, I'm curious what is BYPASSED, PASSED etc. means in the results of the program? Can you provide a little description, please? I'm a little confused about how to interpret the results...
For the False Negative test:
For the False Positive test:
By the way, your program is awesome, thanks <3
The --json-format option is nice, and does give some indication of the details of what went wrong, but
it replaces the original text format, so there's no way to get both.
waf-bypass/payload/SQLi/1.json
Line 4 in ea9d8ee
' or /!u%6eion/ /!se%6cect/ 1,2,3,4,5,6,7,8,9,0,11 '--
After using waf-bypass, often one wants to zero in on individual failures and replay them, but it seems hard to do.
waf-bypass could make this easier in many ways.
For instance, it could output curl commands (a la https://github.com/ofw/curlify) or a json equivalent (a la https://curlconverter.com/json) for each failure case to a log file.
Alternately, it could provide a --replay option that accepts an identifier from log file and replays just that one request.
The portion of URLs after #
is for client-side processing and does not get sent to the server in HTTP requests. Therefore, there is no way for a WAF to block this request, as it would only receive /do.php
instead of the full /do.php#.png
/do.php
is not malicious in and of itself and therefore the UWA/26.json payload should not be expected to be blocked by a WAF.
I run the script and get result but have no idea how to find the payload detail. I need look into each payloads resulting to false negative to verify the test result.
Thanks
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.