
Bypassing Web Application Firewall (W30)




Product Description

The number of web application firewalls (WAFs) in use keeps increasing, which makes penetration tests more difficult from our side. Being able to bypass WAFs during a penetration test has therefore become a necessity. In this course, we examine practical approaches to bypassing WAFs as part of a penetration test, along with the theory behind WAFs and how they work.

18 CPE Credits


Course format: 

  • The course is self-paced – you can visit the training whenever you want and your content will be there.

  • Once you’re in, you keep access forever, even when you finish the course. 

  • There are no deadlines, except for the ones you set for yourself. 

  • We designed the course so that a diligent student will need about 18 hours of work to complete the training.

  • Your time will be filled with reading, videos, and exercises. 

What will you learn?

  • WAF Bypassing

  • How WAFs work

  • How to apply WAF Bypassing in a penetration test

What skills will you gain?

  • WAF Bypassing and Hacking

  • WAF Hardening and Securing

What will you need?

  • PC with a preferred operating system (Mac OSX 10.5+, Windows 7+, Linux)

  • At least 4 GB of RAM for the VMs to work properly

  • At least 10 GB of free storage for VMs

What should you know before joining?

  • Basics and understanding of penetration testing

  • Basics and understanding of web applications and how they work

  • Basic understanding of programming (Python scripts will be examined, and HTML and SQL pieces, too)

Your instructor: Thomas Sermpinis

8 years of experience in the Security sector

Java, C++, Python

Editor of “Penetration Testing with Android Devices”, “Penetration Testing with Kali 2.0” courses of PenTest Magazine.

Editor of “Web Application Hacking: Data Store attacks and Advanced SQL Injection”, “Android Malware Analysis” courses on eForensics Magazine.

Editor on DeltaHacker Magazine

4 years of blogging on Penetration Testing topics (Cr0w’s Place)

Hacking and Android Enthusiast

Blog: https://cr0wsplace.wordpress.com

YouTube channel: https://www.youtube.com/user/Cr0wsPlace


Module 1

Introduction to WAFs, WAF Bypassing and techniques

In this module, we will quickly examine how WAFs work in a web server, and we will be introduced to WAF Bypassing through some interesting methods and practical examples that attack web application firewalls with conventional methods.

  • Introduction to WAFs, WAF types and WAF Bypassing

  • Introduction to web application servers, how they work and where WAFs live

  • Introduction to WAF Bypassing logic and techniques

  • WAF Fingerprinting Introduction and practical examples

  • Practical Introductory examples to WAF Bypassing

Module 2

WAF Bypassing with SQL Injection

In module 2, we examine how we can bypass a WAF by exploiting SQL Injection vulnerabilities, using techniques such as normalization and HTTP Parameter Pollution.

  • Basics of SQL Injection

  • SQL Injection - Normalization

  • SQL Injection with HTTP Parameter Pollution

  • Advanced SQL Injection techniques for bypassing WAF (encoding, concatenation, etc.)

Module 3

WAF Bypassing with XSS and RFI

In module 3, we will examine more ways of WAF Bypassing, this time covering Remote File Inclusion, Cross-Site Scripting and more.

  • Introduction to XSS

  • Exploiting XSS for WAF Bypassing

  • Introduction to RFI

  • Exploiting RFI for WAF Bypassing

Module 4

Securing WAF and Conclusion

Finally, in module 4, we will see some final methods for bypassing WAFs, and prevention methods with practical examples for our WAF implementations.

  • Automated attacks

  • Selecting the best approach for your penetration test

  • Bypassing WAF finale

  • Securing WAF

  • Conclusion

  • Will the course discuss how to identify which technique is best suited for each identified firewall?


  • Will they be discussing the layers in the Application Server? The Web app? The database server?


  • Will the course discuss binary and Hex encoding to bypass?


  • Will the course discuss any of the CLI tools used by penetration testers to bypass WAFs?


  • Is the course demonstrating how to bypass commercial grade or open source WAF?

    Both, but I may not reveal each WAF that I will test, because of copyrights.

  • Is the course demonstrating how to bypass WAF with default or extensive configuration?

    If the time allows it, in each case.


If you have any questions, drop us a line: 

