awesome-waf
github.com/0xinfection/awesome-waf
Everything about Web Application Firewalls (WAFs) from a Security Standpoint! 🔥
Evasion Techniques
- 0Day Inject0r DB (Google Dorks Approach)
- Exploit DB (Google Dorks Approach)
- Fuzz-DB/Attack (Fuzzing/Bruteforcing)
- JJEncode (Using Atypical Equivalent Syntactic Structures)
- JSFuck (Using Atypical Equivalent Syntactic Structures)
- Other Payloads (Fuzzing/Bruteforcing)
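The "atypical equivalent syntactic structures" entries above (JJEncode, JSFuck) rely on one property of JavaScript: almost any string can be rebuilt by indexing into the strings the engine produces when it coerces its own primitives, so a payload can be rewritten with none of the letters a signature rule looks for. The following added example is a minimal JSFuck-style encoder written for this page; it is not code from awesome-waf or from the JSFuck project. It uses the characters `[]()!+` plus `{}` (the real JSFuck avoids `{}` by extracting letters from function source text), and the keyword rule it is tested against is constructed for the example, not taken from any real ruleset.

```javascript
// Added example, not code from awesome-waf or the JSFuck project: a minimal
// JSFuck-style encoder. Every character of the input becomes an index into one
// of the strings JavaScript coerces its own primitives to ("false", "true",
// "undefined", "NaN", "[object Object]"), so the output consists only of the
// characters []()!+{} and evaluates back to the original string.

// Integer n as an expression: 0 -> +[], 1 -> +!![], 2 -> !![]+!![], 3 -> !![]+!![]+!![] ...
// Two-digit numbers become string concatenation of one-element arrays: [1]+[4] -> "14",
// which still works as an index because property keys are strings anyway.
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!![]';
  if (n < 10) return Array(n).fill('!![]').join('+');
  return String(n).split('').map(d => '[' + num(Number(d)) + ']').join('+');
}

// Expressions that evaluate to a string, with the text each one produces.
const SOURCES = [
  ['(![]+[])',    'false'],
  ['(!![]+[])',   'true'],
  ['([][[]]+[])', 'undefined'],
  ['(+[![]]+[])', 'NaN'],
  ['([]+{})',     '[object Object]'],
];

// One character, e.g. 'a' -> (![]+[])[+!![]], i.e. "false"[1].
function charExpr(ch) {
  for (const [expr, text] of SOURCES) {
    const i = text.indexOf(ch);
    if (i !== -1) return expr + '[' + num(i) + ']';
  }
  throw new Error('no encoding for ' + JSON.stringify(ch) + ' in this reduced table');
}

// Whole string: per-character expressions joined with +, which concatenates them.
function encode(str) {
  return Array.from(str, charExpr).join('+');
}

// A keyword-blocklist rule of the kind a signature-based WAF applies
// (constructed for this example, not taken from any real ruleset).
const KEYWORD_RULE = /alert|constructor|eval/i;
function ruleMatches(payload) {
  return KEYWORD_RULE.test(payload);
}

// Demo: the encoded form contains no letters or digits, so the rule misses it,
// yet evaluating it yields the blocked keyword.
const encoded = encode('constructor');
console.log(encoded);
console.log(ruleMatches('constructor'), ruleMatches(encoded)); // true false
console.log(eval(encoded) === 'constructor');                  // true
```

To turn such a string into executed code, JSFuck reaches the `Function` constructor as `[]["filter"]["constructor"](code)()` with every name encoded the same way; this reduced table can spell `filter` and `constructor` but has no entry for punctuation such as `(`, which the full project derives from `escape`/`unescape`. The defensive lesson is the one the list keeps coming back to: a rule that matches keywords in the raw request cannot see a payload whose meaning only exists after evaluation.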
Known Bypasses:
- Wordfence (by @0xInfection)
- WebARX (by @0xInfection)
- WebKnight (by @Aatif Khan)
- Cloudflare (by @Ahmet Ümit)
- F5 BIG-IP (by @Anastasios Monachos)
- F5 FirePass (by @Anonymous)
Awesome Tools
- abuse-ssl-bypass-waf (Evasion): Finds the SSL/TLS ciphers a server supports and helps in evading WAFs.
- AWS Firewall Factory (Management): Deploy, update, and stage your WAFs while managing them centrally via FMS.
- bypass-firewalls-by-DNS-history (Evasion): Searches old DNS records to find the actual site behind the WAF.
- Bypass WAF BurpSuite Plugin (Evasion): A Burp Suite plugin that adds request headers so that requests appear to originate from the internal network.
- enumXFF (Evasion): Enumerates IPs in X-Forwarded-* headers to bypass 403 restrictions.
- Framework for Testing WAFs (FTW) (Testing): A framework by the
Video Presentations
- Adventures with the WAF
- Building Your Own WAF as a Service and Forgetting about False Positives
- Bypassing Browser Security Policies for Fun & Profit
- Bypassing Intrusion Detection Systems
- Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch
- Bypass OWASP CRS && CWAF (WAF Rule Testing - Unrestricted File Upload)
Presentations & Research Papers
- A Forgotten HTTP Invisibility Cloak (Presentation): A presentation about techniques that can be used to bypass common WAFs from
- Analysing Attacking Detection Logic Mechanisms (Presentation): A presentation about WAF logic applied to detecting attacks from
- Beyond SQLi - Obfuscate and Bypass WAFs (Research Paper): A research paper from
- Building Your Own WAF as a Service and Forgetting about False Positives (Presentation): A presentation about building a hybrid-mode WAF that can work both out-of-band and inline, to reduce false positives and latency.
- Bypassing all WAF XSS Filters (Research Paper): A paper about bypassing all XSS filter rules and evading WAFs for XSS.
- Bypassing WAF XSS Detection Mechanisms (Research Paper): A research paper about bypassing XSS detection mechanisms in WAFs.
Testing Methodology:
- blogpost here (Detection Techniques): Examine the timing behaviour of the request and the content of the response.
- HPing3 (Detection Techniques): Send raw crafted FIN/RST packets to the server and examine its response.
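The first detection technique above, comparing timing and response content, comes down to sending the same request twice, once benign and once with an attack payload, and diffing what comes back. The following added example implements that comparison; it is written for this page and is not code from awesome-waf or from any tool it lists. The block-status list is a heuristic, the header name `X-Block-Id` and the `example-waf` server string are constructed, and all response records are constructed sample data standing in for what an HTTP client would return.

```javascript
// Added example, not code from awesome-waf or any tool it lists: detect a WAF by
// diffing the server's reaction to a benign request against its reaction to the
// same request carrying an attack payload. All response records here are
// constructed; in practice you fill them from an HTTP client and time each
// round trip yourself.

// Status codes WAFs commonly answer a blocked request with (a heuristic list, not exhaustive).
const BLOCK_STATUSES = new Set([403, 406, 418, 419, 429, 501, 503]);

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Compare one attack response against the benign baseline. Returns a list of
// indicator strings; an empty list means nothing about the reaction changed.
function compareResponses(benign, attack) {
  const indicators = [];
  const bh = lowerKeys(benign.headers);
  const ah = lowerKeys(attack.headers);

  // 1. Status: an origin normally answers an odd parameter value with the same
  //    200/404 it gives anything else; a WAF short-circuits with a block code.
  if (benign.status !== attack.status && BLOCK_STATUSES.has(attack.status)) {
    indicators.push(`status ${benign.status} -> ${attack.status}`);
  }
  // 2. Headers present only on the attack response, or a Server header that
  //    changes: block pages are generated by a different component.
  for (const name of Object.keys(ah)) {
    if (!(name in bh)) indicators.push(`header only on attack response: ${name}`);
  }
  if (bh.server && ah.server && bh.server !== ah.server) {
    indicators.push(`server header changed: ${bh.server} -> ${ah.server}`);
  }
  // 3. Body: a block page is a different document, usually far shorter than the real page.
  const sizeRatio = attack.body.length / Math.max(1, benign.body.length);
  if (sizeRatio < 0.5 || sizeRatio > 2) indicators.push(`body length ratio ${sizeRatio.toFixed(2)}`);
  // 4. Timing: an in-line WAF that rejects never reaches the origin, so blocks are
  //    often much faster; a tarpitting WAF makes them much slower. Either way the
  //    latency moves away from the baseline.
  const timeRatio = attack.elapsedMs / Math.max(1, benign.elapsedMs);
  if (timeRatio < 0.33 || timeRatio > 3) indicators.push(`latency ratio ${timeRatio.toFixed(2)}`);
  return indicators;
}

// Run one baseline against several payload classes to see which rule groups fire.
function profile(baseline, attacks) {
  return Object.fromEntries(
    Object.entries(attacks).map(([cls, res]) => [cls, compareResponses(baseline, res)])
  );
}

// Payload classes whose reaction differed from the baseline.
function blockedClasses(result) {
  return Object.keys(result).filter(cls => result[cls].length > 0);
}

// Constructed sample data: one baseline, three payload classes.
const BASELINE = {
  status: 200,
  headers: { 'Content-Type': 'text/html', 'Server': 'nginx' },
  body: '<html>'.padEnd(4000, 'x'),
  elapsedMs: 140,
};
const BLOCK_PAGE = {
  status: 403,
  headers: { 'Content-Type': 'text/html', 'Server': 'example-waf', 'X-Block-Id': '1234' },
  body: '<html><body>Request blocked</body></html>',
  elapsedMs: 12,          // rejected in-line, never reached the origin
};
const SAMPLE_ATTACKS = {
  sqli: BLOCK_PAGE,
  xss: BLOCK_PAGE,
  traversal: {            // reached the origin: a plain 404 from the application itself
    status: 404,
    headers: { 'Content-Type': 'text/html', 'Server': 'nginx' },
    body: '<html>Not found</html>'.padEnd(3600, 'x'),
    elapsedMs: 130,
  },
};

console.log(profile(BASELINE, SAMPLE_ATTACKS));
console.log('blocked classes:', blockedClasses(profile(BASELINE, SAMPLE_ATTACKS))); // [ 'sqli', 'xss' ]
```

The traversal probe is the caveat worth keeping in mind: a 404 with the same headers and comparable latency is the application answering, not a WAF, so a single changed status code should never be read as a block on its own. Take several indicators together, and repeat the benign request a few times first so that normal latency jitter does not masquerade as a timing signal.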
Blogs and Writeups
- Bypassing Web-Application Firewalls by abusing SSL/TLS
- How To Exploit PHP Remotely To Bypass Filters & WAF Rules
- How To Reverse Engineer A Web Application Firewall Using Regular Expression Reversing
- ModSecurity SQL Injection Challenge: Lessons Learned
- Request Encoding to Bypass WAFs
- SQL Injection Bypassing WAF
Showing a sample of 153 resources; the full list is on GitHub.