In this video from our Bypassing Web Application Firewall course your instructor, Thomas Sermpinis, shows how to install and use a popular WAFNinja tool. You can use it for automating web application bypass during your pentests. Let's go! 

Nowadays, the number of web application firewalls (or simply WAFs) is increasing, which results in a more difficult penetration test from our side. So, it becomes a necessity and really important to be able to bypass WAFs in a penetration test. In this course, we are going to examine practical approaches in bypassing WAFs as a part of our penetration test, and, of course, the theory behind WAFs and how they work.

What will you learn?

• WAF Bypassing
• How WAFs work
• How to implement WAF Bypassing to our penetration test

What skills will you gain?

• WAF Bypassing and Hacking
• WAF Hardening and Securing

Introduction WAFs, WAF Bypassing and techniques

In this module, we will quickly examine how WAFs work in a web server, and we will be introduced to WAF Bypassing and some interesting methods with practical examples, attacking web application firewalls with conventional methods.

• Introduction to WAFs, WAF types and WAF Bypassing
• WAF Fingerprinting
• Automating WAF Fingerprinting with Burp, Nmap and wafw00f
• WAF Bypassing, with tools like WAFninja

WAF Bypassing with SQL Injection

In module 2, we examine how we can bypass WAF by exploiting SQL Injection vulnerabilities, with various ways such as normalization and HTTP Parameter Pollution.

• HTTP Parameter Pollution – HPP
• Encoding Techniques for Bypassing WAF
• Bypassing WAF with SQL Injection
• HTTP Parameter Fragmentation – HPF
• Bypassing WAFs with SQL Injection Normalization
• Buffer Overflow + SQL Injection = Bypass WAF

WAF Bypassing with XSS and RFI

In module 3, we will examine more ways of WAF Bypassing, this time containing the Remote File Inclusion and the Cross-Site Scripting and more.

•  Cross Site Scripting - XSS
• Reflected Cross Site Scripting
• Stored Cross-site Scripting
• Path Traversal
• Remote and Local File Inclusion

Securing WAF and Conclusion

Finally, in module 4, we will see some final methods for bypassing WAFs, and prevention methods with practical examples for our WAF implementations.

• DOM Based XSS
• Bypassing Blacklists with JavaScript
• Automating WAF Bypassing
• Bypassing WAF Practical Examples (Imperva WAF, Aqtronix WebKnight WAF, ModSecurity WAF, and others)
• Conclusion and final exam

Related content:

Buffer Overflow Shellcode [FREE COURSE CONTENT]

Author

Marta Strzelec [STAFF]

Latest Articles

• Blog2022.03.28Footprinting Firewalls | Reconnaissance Tutorial [FREE COURSE CONTENT]
• Blog2022.03.17Process Hollowing Malware | Reverse Engineering Tutorial [FREE COURSE CONTENT]
• Blog2022.03.09Sniffing BLE packets | IoT Hacking Tutorial [FREE COURSE CONTENT]
• Blog2022.02.18Pass The Hash Attacks in Active Directory [FREE COURSE CONTENT]