
Bypassing Web Application Firewall (W30)





The number of web application firewalls (WAFs) deployed in front of web applications keeps growing, which makes a penetration test harder from the tester's side. Being able to bypass a WAF during an engagement has therefore become a necessity. In this course we examine practical approaches to bypassing WAFs as part of a penetration test, together with the theory behind WAFs and how they work.

18 CPE Credits


Course format: 

    • The course is self-paced – you can visit the training whenever you want and your content will be there.

    • Once you’re in, you keep access forever, even when you finish the course. 

    • There are no deadlines, except for the ones you set for yourself. 

    • We designed the course so that a diligent student will need about 18 hours of work to complete the training.

    • Your time will be filled with reading, videos, and exercises. 

What will you learn?

    • WAF Bypassing

    • How WAFs work

    • How to integrate WAF bypassing into a penetration test

What skills will you gain?

    • WAF Bypassing and Hacking

    • WAF Hardening and Securing

What will you need?

    • PC with a preferred operating system (Mac OSX 10.5+, Windows 7+, Linux)

    • At least 4 GB of RAM for the VMs to work properly

    • At least 10 GB of free storage for the VMs

What should you know before joining?

    • Basics and understanding of penetration testing

    • Basics and understanding of web applications and how they work

    • Basic understanding of programming (Python scripts will be examined, and HTML and SQL pieces, too)

Your instructor: Thomas Sermpinis

8 years of experience in the security sector

Java, C++, Python

Editor of “Penetration Testing with Android Devices”, “Penetration Testing with Kali 2.0” courses of PenTest Magazine.

Editor of “Web Application Hacking: Data Store attacks and Advanced SQL Injection”, “Android Malware Analysis” courses on eForensics Magazine.

Editor on DeltaHacker Magazine

4 years of blogging on Penetration Testing topics (Cr0w’s Place)

Hacking and Android Enthusiast

Blog: https://cr0wsplace.wordpress.com

YouTube channel: https://www.youtube.com/user/Cr0wsPlace


Module 1

Introduction to WAFs, WAF Bypassing and techniques

In this module we take a quick look at how a WAF sits in front of a web server, then introduce WAF bypassing and some interesting methods, with practical examples of attacking web application firewalls using conventional techniques.

    • Introduction to WAFs, WAF types and WAF Bypassing

    • Introduction to web application servers, how they work and where WAFs live

    • Introduction to WAF Bypassing logic and techniques

    • WAF Fingerprinting Introduction and practical examples

    • Practical Introductory examples to WAF Bypassing
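The fingerprinting step listed above usually combines two things: passive matching of response headers and block pages against known product indicators, and an active comparison of a benign request with one that carries an obvious attack string. The following Python routine is an added example and is not part of the course material or the instructor's code. The signature table holds a handful of well-known indicators (Cloudflare's `cf-ray` header, Incapsula's `incap_ses`/`visid_incap` cookies, Sucuri's `x-sucuri-id`, ModSecurity's default error text) and is neither exhaustive nor authoritative; the three sample responses are constructed for the example and were not captured from any real host.

```python
import re

# Illustrative WAF signature table, constructed for this example. Each entry lists
# response headers (name matched case-insensitively, regex against the value) and
# an optional regex over the body. These are a few well-known indicators only,
# not a complete description of any product's behaviour.
SIGNATURES = {
    "Cloudflare": {
        "headers": {"server": r"cloudflare", "cf-ray": r"."},
    },
    "Incapsula/Imperva": {
        "headers": {"x-iinfo": r".", "set-cookie": r"(incap_ses|visid_incap)_"},
    },
    "Sucuri CloudProxy": {
        "headers": {"server": r"sucuri", "x-sucuri-id": r"."},
    },
    "ModSecurity": {
        "headers": {"server": r"mod_security"},
        "body": r"mod_security",
    },
}


# A response is modelled as (status, [(header, value), ...], body).
def _index_headers(header_list):
    """Group repeated headers (e.g. several Set-Cookie lines) under a lower-cased name."""
    indexed = {}
    for name, value in header_list:
        indexed.setdefault(name.lower(), []).append(value)
    return indexed


def fingerprint(status, header_list, body=""):
    """Passive fingerprinting: names of the WAFs whose signatures match this response."""
    headers = _index_headers(header_list)
    hits = []
    for waf, sig in SIGNATURES.items():
        header_hit = any(
            re.search(pattern, value, re.IGNORECASE)
            for name, pattern in sig.get("headers", {}).items()
            for value in headers.get(name, [])
        )
        body_hit = "body" in sig and re.search(sig["body"], body, re.IGNORECASE) is not None
        if header_hit or body_hit:
            hits.append(waf)
    return hits


def looks_filtered(benign, hostile):
    """Active check: the benign request succeeds while the same URL carrying an
    obvious attack string is refused with a WAF-typical status. A True result
    says only that something in the path filters input, not which product."""
    benign_status, _, _ = benign
    hostile_status, _, _ = hostile
    return benign_status < 400 and hostile_status in (403, 406, 429)


# Constructed sample responses for a benign request and two blocked probes.
PLAIN_OK = (200, [("Server", "nginx"), ("Content-Type", "text/html")], "<html>ok</html>")
CLOUDFLARE_BLOCK = (
    403,
    [("Server", "cloudflare"), ("CF-RAY", "0123456789abcdef-FRA"), ("Content-Type", "text/html")],
    "<title>Attention Required!</title>",
)
MODSEC_BLOCK = (
    403,
    [("Server", "Apache"), ("Content-Type", "text/html")],
    "<p>This error was generated by Mod_Security.</p>",
)

if __name__ == "__main__":
    for label, resp in [("plain", PLAIN_OK), ("cloudflare", CLOUDFLARE_BLOCK), ("modsec", MODSEC_BLOCK)]:
        print(label, fingerprint(*resp))
    print("filtered:", looks_filtered(PLAIN_OK, MODSEC_BLOCK))
```

The passive check alone is easy to fool: server tokens can be rewritten and block pages customised, which is why the active comparison is kept separate. Note also that some deployments answer a blocked request with a 200 and a custom page rather than a 403, so in practice the body and length of the two responses should be compared as well as the status.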

Module 2

WAF Bypassing with SQL Injection

In module 2 we examine how a WAF can be bypassed while exploiting SQL injection vulnerabilities, using techniques such as normalization (comment, whitespace and case variants that the SQL parser accepts but a signature may miss) and HTTP Parameter Pollution.

    • Basics of SQL Injection

    • SQL Injection – Normalization

    • SQL Injection with HTTP Parameter Pollution

    • Advanced SQL Injection techniques for bypassing WAF (encoding, concatenation, etc.)
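Two of the techniques listed above, normalization and HTTP Parameter Pollution, rely on the same gap: the WAF matches a signature against the raw parameter value, while the database parses a different string. The following Python model is an added example, not the course's material or the instructor's code. It assumes a toy WAF rule that looks for `UNION ... SELECT` separated by whitespace, a backend that joins repeated query parameters with a comma (the documented behaviour of ASP.NET/IIS, on which the classic HPP bypass depends), and a SQL dialect that treats `/* */` comments as whitespace (as MySQL does). The query strings are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Toy WAF rule, constructed for this example: "UNION <whitespace> SELECT", any case.
SQLI_RULE = re.compile(r"union\s+select", re.IGNORECASE)


def naive_waf_blocks(query_string: str) -> bool:
    """Inspect each parameter value on its own, as a naive signature engine does."""
    params = parse_qs(query_string, keep_blank_values=True)
    return any(SQLI_RULE.search(v) for values in params.values() for v in values)


def backend_value(query_string: str, name: str) -> str:
    """Model an ASP.NET/IIS-style backend, which joins repeated parameters with ','."""
    params = parse_qs(query_string, keep_blank_values=True)
    return ",".join(params.get(name, []))


def sql_normalize(fragment: str) -> str:
    """Approximate what a MySQL-style parser sees: /* */ comments become
    whitespace and runs of whitespace collapse to a single space."""
    without_comments = re.sub(r"/\*.*?\*/", " ", fragment, flags=re.DOTALL)
    return re.sub(r"\s+", " ", without_comments).strip()


def hardened_waf_blocks(query_string: str) -> bool:
    """Normalize first, and inspect the value the backend will actually assemble
    from repeated parameters rather than each fragment in isolation."""
    params = parse_qs(query_string, keep_blank_values=True)
    return any(SQLI_RULE.search(sql_normalize(",".join(values))) for values in params.values())


# Constructed query strings (the URL-decoded form of what the tester would send).
PLAIN = "id=-1 UNION SELECT 1,version()"            # caught by the rule as-is
COMMENT = "id=-1 UNION/**/SELECT 1,version()"       # normalization: /**/ is not \s
HPP = "id=-1 UNION/*&id=*/SELECT 1,version()"       # HPP: the join comma lands in a comment

if __name__ == "__main__":
    for label, qs in [("plain", PLAIN), ("comment", COMMENT), ("hpp", HPP)]:
        assembled = backend_value(qs, "id")
        print(f"{label:8} naive={naive_waf_blocks(qs)!s:5} hardened={hardened_waf_blocks(qs)!s:5} "
              f"backend sees: {assembled!r} -> parser sees: {sql_normalize(assembled)!r}")
```

For the HPP case the naive engine sees `-1 UNION/*` and `*/SELECT 1,version()` as two unrelated values, neither of which matches; the backend joins them as `-1 UNION/*,*/SELECT 1,version()`, and the parser discards the comment, leaving the plain `UNION SELECT`. The hardened check reproduces both steps before matching, which is the general defence against this whole class: decode and normalize the way the protected application and its database will, then match.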

Module 3

WAF Bypassing with XSS and RFI

In module 3 we examine further ways of bypassing a WAF, this time through Remote File Inclusion (RFI) and Cross-Site Scripting (XSS), among others.

    • Introduction to XSS

    • Exploiting XSS for WAF Bypassing

    • Introduction to RFI

    • Exploiting RFI for WAF Bypassing

Module 4

Securing WAF and Conclusion

Finally, in module 4, we look at some remaining methods for bypassing WAFs, including automated attacks, and at prevention methods with practical examples for hardening our own WAF deployments.

    • Automated attacks

    • Selecting the best approach for your penetration test

    • Bypassing WAF finale

    • Securing WAF

    • Conclusion

    • Will the course discuss how to identify which technique is best suited for each identified firewall?


    • Will they be discussing the layers in the Application Server? The Web app? The database server?


    • Will the course discuss binary and Hex encoding to bypass?


    • Will the course discuss any of the CLI tools used by penetration testers to bypass WAFs?


    • Is the course demonstrating how to bypass commercial grade or open source WAF?

      Both, but I may not reveal each WAF that I will test, because of copyrights.

    • Is the course demonstrating how to bypass WAF with default or extensive configuration?

      If the time allows it, in each case.





© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013