• Stars
    star
    272
  • Rank 151,235 (Top 3 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 7 years ago
  • Updated about 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A series of python scripts for generating weird character combinations for bypassing web application firewalls (WAF) and XSS blockers

Bypassing-Web-Application-Firewalls-And-XSS-Filters

This repository contains some documented WAF bypass exploits and a series of python scripts for generating weird character combinations and lists for BurpSuite Pro for bypassing web application firewalls (WAF) and XSS filters.

Nginx/LUA 100 Request Limitation Exploit

Update October 2018 As detiled in the recently disclosed Cloudflare vulnerability, several Nginx/LUA based WAF implementations have a limitation where only 100 requests (GET/POST requests) can be processed before the WAF is no longer able to see them.

“Nginx is a web server that is responsible for processing web requests. It is a stable and versatile tool that allows developers to focus on the implementation of WAF through different scripts written in LUA. Most of these open source WAF’s have the same problem: they don’t take into account that the module responsible for the integration of LUA in Nginx (lua-nginx-module) doesn’t allow access to all the information of a request.”

ngx.req.get_uri_args() some note from https://github.com/openresty/lua-nginx-module#ngxreqget_uri_args “Note that a maximum of 100 request arguments are parsed by default (including those with the same name) and that additional request arguments are silently discarded to guard against potential denial of service attacks.”

Proof of concept 100 request parameters for WAF bypass exploit:

/test.php?&a0=0&a1=1&a2=2&a3=3&a4=4&a5=5&a6=6&a7=7&a8=8&a9=9&a10=10&a11=11&a12=12&a13=13&a14=14&a15=15&a16=16&a17=17&a18=18&a19=19&a20=20&a21=21&a22=22&a23=23&a24=24&a25=25&a26=26&a27=27&a28=28&a29=29&a30=30&a31=31&a32=32&a33=33&a34=34&a35=35&a36=36&a37=37&a38=38&a39=39&a40=40&a41=41&a42=42&a43=43&a44=44&a45=45&a46=46&a47=47&a48=48&a49=49&a50=50&a51=51&a52=52&a53=53&a54=54&a55=55&a56=56&a57=57&a58=58&a59=59&a60=60&a61=61&a62=62&a63=63&a64=64&a65=65&a66=66&a67=67&a68=68&a69=69&a70=70&a71=71&a72=72&a73=73&a74=74&a75=75&a76=76&a77=77&a78=78&a79=79&a80=80&a81=81&a82=82&a83=83&a84=84&a85=85&a86=86&a87=87&a88=88&a89=89&a90=90&a91=91&a92=92&a93=93&a94=94&a95=95&a96=96&a97=97&a98=98&a=information_schemas

References:
p0pr0ck5/lua-resty-waf#280
https://latesthackingnews.com/2018/10/26/cloudflare-waf-bypass-vulnerability-discovered/

WAF Funky Characters Testing

These python scripts have been created to fuzz wierd combinations:

  • URL Escape Characters
  • HTML Escape Characters
  • Binary Characters

These scripts were created during an assessment, while trying to bypass a Web Application Firewall (WAF) in order to exploit a XSS vulnerability. Differnt webservers and browsers interpret URL and strange characters differently which could lead to the bypassing of security controls. When I tried to send a > or < character the WAF would block the request.

The following URL escapes I have noticed are traslated to < > ' by Apache2 based web servers / WAF applications:

%(N%(n%)S%)U%)^%)s%)u%*C%*E%*c%*e%,.%.#%1N%1n%2S%2U%2^%2s%2u%3C%3E%3c%3e%5.%7#%:C%:E %:c%:e%HN%Hn%IS%IU%I^%Is%Iu%JC%JE%Jc%Je%L.%N#%XN%Xn%YS%YU%Y^%Ys%Yu%ZC%ZE%Zc%Ze%.%^# %hN%hn%iS%iU%i^%is%iu%jC%jE%jc%je%l.%n#%xN%xn%yS%yU%y^%ys%yu%zC%zE%zc%ze%|.

More Repositories

1

Windows-Privilege-Escalation

Windows Privilege Escalation Techniques and Scripts
Batchfile
762
star
2

Hashcat-Cheatsheet

Hashcat Cheatsheet for OSCP
588
star
3

Vanquish

Vanquish is Kali Linux based Enumeration Orchestrator. Vanquish leverages the opensource enumeration tools on Kali to perform multiple active information gathering phases.
Python
500
star
4

Hydra-Cheatsheet

Hydra Password Cracking Cheetsheet
365
star
5

MSF-Venom-Cheatsheet

Single Page Cheatsheet for common MSF Venom One Liners
235
star
6

Linux-Privilege-Escalation

Tips and Tricks for Linux Priv Escalation
217
star
7

PasswordDecrypts

Handy Stored Password Decryption Techniques
128
star
8

FirmwareReverseEngineering

Notes and tools from my experiences reverse engineering firmware
Python
104
star
9

HackingWithCurl

A list of examples and references of hacking with Bash and the Curl command
50
star
10

WordListGen

Super Simple Python Word List Generator for Fuzzing and Brute Forcing in Python
Python
48
star
11

WindowsShells

Information Repository on Various Methods of getting shell access into a Windows machine
16
star
12

BloodHoundCustomQueries

List of Bloodhound Python Custom Queries which I have found to be handy on engagements
Python
16
star
13

Powershell-Cheatsheet

Hand list of Powershell commands frequently used during penetration tests
14
star
14

Active-Directory-Fun

Notes on Active Directory analysis and exploitation
11
star
15

WindowsMeterpreterSessionDied

Some exploits are unstable in nature and only allow for a very short shell command window. These scripts can help extend your remote shell session by quickly spawning a new reverse shell.
Batchfile
8
star
16

SQLMapExamples

A list of sample SQL Map Injection Commands
Python
7
star
17

Wordlust

Wordlust is a Password Base Wordlist for Hashcat Mutator Rules
7
star
18

Python_DES_Decryptor

A simple python script for decrypting DES that has been generated by a .NET application
Python
6
star
19

Directory-Traversal-Toolbox

A few handy scripts for pulling important files off remote machines using a directory traversal or local file include vulnerability.
Python
6
star
20

DirtyStringInjectOneLiner

A one liner dirty string with many common injection techniques
4
star
21

CTF-Walkthroughs

A collection of CTF Walkthroughs
4
star
22

OpenSSL-Enc-By-Example

Examples of how to use openssl-enc for symmetric cipher encryption and decryption
3
star
23

MouseJacking

MouseJacking on Kali Linux with CrazyRadio PA
3
star
24

SSH_Sample_Keys

A collection of Public and Private SSH keys for reference purposes
3
star
25

SiteMapMaker

Creates an HTML site map based on a specified base URL and a folder path. Handy for exploring for hidden content in Burp Suite if you have the application’s source code.
Python
2
star
26

MagicPing

Python 2.7 raw socket ICMP ping to send a embedded message or a magic ping to an endpoint
Python
2
star
27

KaliTroubleshooting

Handy Tricks for Troubleshooting Kali
2
star
28

XOR_MOAR

Simple Python Utilities Developed During CTF Events For XORing Data
Python
2
star
29

c2

C2
1
star
30

CLISerialFuzzer

Serial Connection CLI Command Jail Break Fuzzer
Python
1
star
31

VR-Industrial-Control-Room

Virtual Reality experience that transports people into an industrial control room environment.
ASP
1
star