Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Sunday, January 28, 2018

Detect And Bypass Web Application Firewalls And Protection Systems - WhatWaf



Features
  • Ability to run on a single URL with the -u/--url flag
  • Ability to run through a list of URL's with the -l/--list flag
  • Ability to detect over 40 different firewalls
  • Ability to try over 20 different tampering techniques
  • Ability to pass your own payloads either from a file or from the terminal
  • Payloads that are guaranteed to produce at least one WAF triggering
  • Ability to bypass firewalls using both SQLi techniques and cross site scripting techniques
  • Ability to run behind Tor
  • Ability to run behind multiple proxy types (socks4, socks5, http, https)
  • Ability to use a random user agent, personal user agent, or custom default user agent
  • More to come...

Installation
Installing whatwaf is super easy, all you have to do is the following:
Have Python 2.7, Python 3.x compatibility is being implemented soon:
sudo -s << EOF
git clone https://github.com/ekultek/whatwaf.git
cd whatwaf
chmod +x whatwaf.py
pip2 install -r requirements.txt
./whatwaf.py --help

Proof of concept
First we'll run the website through WhatWaf and figure out which firewall protects it (if any):



Next we'll go to that website and see what the page looks like:



Hmm.. that doesn't really look like Cloudflare does it? Let's check what the HTTP headers server and cookies say:



And finally, lets try one of the bypasses that it tells us to try:



Demo vĂ­deo






Share:

0 comentĂ¡rios:

Post a Comment

Note: Only a member of this blog may post a comment.

Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition