Channel: firewall – Security List Network™

WAFNinja is a tool which contains two functions to attack Web Application Firewalls.

WAFNinja is a CLI tool written in Python. It helps penetration testers bypass a WAF by automating the steps needed to bypass input validation. The tool was designed to be easily extensible, simple to use, and usable in a team environment. It ships with many payloads and fuzzing strings, which are stored in a local database file. WAFNinja supports HTTP connections, GET and POST requests, and the use of cookies to access pages restricted to authenticated users. An intercepting proxy can also be set up.

Functions:
+ fuzz: checks which symbols and keywords are allowed by the WAF.
+ bypass: sends payloads from the database to the target.
+ insert-fuzz: adds a fuzzing string.
+ insert-bypass: adds a payload to the bypass list.
+ set-db: uses another database file. Useful for sharing the same database with others.

Download from git and use:

git clone https://github.com/khalilbijjou/WAFNinja && cd WAFNinja
pip install progressbar
pip install prettytable
python wafninja.py -h

Source: https://github.com/khalilbijjou

