### Install and Run WAF Bypass Tool using pipx Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Install the WAF Bypass Tool globally using pipx and run it from the pipx bin directory. ```bash # pipx install git+https://github.com/nemesida-waf/waf-bypass.git # /waf-bypass ``` -------------------------------- ### Run WAF Bypass Tool from Source Code Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Clone the repository, install dependencies, and run the tool directly from the source code using Python 3. ```bash # git clone https://github.com/nemesida-waf/waf_bypass.git /opt/waf-bypass/ # python3 -m pip install -r /opt/waf-bypass/requirements.txt # python3 /opt/waf-bypass/main.py --host='example.com' ``` -------------------------------- ### Initialize and Start WAF Bypass Scan Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Configure WAF Bypass parameters and start a scan. The scan blocks until completion and prints JSON output to stdout. Handles KeyboardInterrupt for graceful termination. ```python host = 'https://example.com' proxy = 'http://proxy.corp.local:3128' headers = {'User-Agent': 'Mozilla/5.0', 'X-Auth': 'token123'} block_code = {403: True, 222: True} # HTTP codes that mean "WAF blocked" timeout = 30 threads = 10 wb_result = {} # result dict populated in-place json_mode = True # True = JSON output, False = table output details = False no_progress = True replay = False exclude_dir = ['FP', 'GraphQL'] # skip these payload directories waf = WAFBypass( host, proxy, headers, block_code, timeout, threads, wb_result, json_mode, details, no_progress, replay, exclude_dir ) try: waf.start() # blocks until all payloads are processed; prints JSON to stdout except KeyboardInterrupt: print("Scan interrupted") # After start(), wb_result contains: # wb_result['PASSED'] -> list of [payload_path, zone, "200 RESPONSE CODE"] # wb_result['BYPASSED'] -> list of [payload_path, zone, "200 RESPONSE CODE"] (FN) # wb_result['FALSED'] -> list of [payload_path, zone, "403 RESPONSE CODE"] (FP) # wb_result['FAILED'] -> list of [payload_path, zone, error_message] ``` -------------------------------- ### Nemesida WAF Payload Structure Example Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md This example demonstrates the structure for defining custom payloads in JSON format. It shows how to specify the target zone (e.g., BODY, ARGS), method, and encoding options. ```json { "URL": "request's path", "ARGS": "request's query", "BODY": "request's body", "COOKIE": "request's cookie", "USER-AGENT": "request's user-agent", "REFERER": "request's referer", "HEADER": "request's header", "METHOD": "request's method", "BOUNDARY": "specifies the contents of the request's boundary. Applicable only to payloads in the MFD directory.", "ENCODE": "specifies the type of payload encoding (Base64, HTML-ENTITY, UTF-16) in addition to the encoding for the payload. Multiple values are indicated with a space (e.g. Base64 UTF-16). Applicable only to for ARGS, BODY, COOKIE and HEADER zone. Not applicable to payloads in API and MFD directories. Not compatible with option JSON.", "JSON": "specifies that the request's body should be in JSON format", "BLOCKED": "specifies that the request should be blocked (FN testing) or not (FP)" } ``` -------------------------------- ### Parse WAF Bypass Results for CI/CD Integration Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Use `jq` to process the JSON output of the WAF Bypass Tool for CI/CD integration. This example shows how to count bypassed payloads and fail a pipeline if any bypasses are detected. ```bash # Run scan and capture JSON python3 main.py --host='https://staging.example.com' \ --block-code=403 \ --threads=20 \ --json-format > waf-results.json # Count bypassed (False Negative) payloads with jq BYPASSED=$(jq '.BYPASSED | length'waf-results.json) echo "False Negatives: $BYPASSED" # Fail the pipeline if any attack traffic was not blocked if [ "$BYPASSED" -gt 0 ]; then echo "WAF QUALITY GATE FAILED: $BYPASSED payloads bypassed the WAF" jq '.BYPASSED' waf-results.json exit 1 fi # Show cURL replay commands for all bypassed payloads jq -r '.cURL.BYPASSED | to_entries[] | "\(.key): \(.value | to_entries[].value)"' waf-results.json # Expected output: XSS/1.json: curl -X GET -H 'User-Agent: ...' 'https://staging.example.com/%3Csvg...' SQLi/1.json: curl -X POST -H 'Content-Type: ...' --data 'param=...' 'https://...' ``` -------------------------------- ### Custom HTTP Method Payload Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Allows overriding the default HTTP method (GET or POST) using the `METHOD` field. Supported values include 'get', 'post', 'put', 'delete', 'patch', 'head', and 'options'. ```json // utils/payload/CM/custom.json — SSRF via PUT request body { "payload": [ { "BODY": "url=http://169.254.169.254/latest/meta-data/", "METHOD": "PUT", "BLOCKED": true } ] } // Supported values: "get", "post", "put", "delete", "patch", "head", "options" // METHOD applies to all zones in the same payload entry ``` -------------------------------- ### Basic WAF Scan with Python Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Run a minimal WAF scan against a target host. The tool automatically prepends 'http://' if no scheme is provided. ```bash python3 main.py --host='https://example.com' ``` -------------------------------- ### Programmatic Usage of WAFBypass Class Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Demonstrates how to import and instantiate the `WAFBypass` class from `utils/bypass.py` for direct integration into Python code. ```python from utils.bypass import WAFBypass ``` -------------------------------- ### Run WAF Bypass Tool using Docker Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Pull the latest WAF Bypass Tool image from Docker Hub and run it with a specified host. ```bash # docker pull nemesida/waf-bypass # docker run nemesida/waf-bypass --host='example.com' ``` -------------------------------- ### Specify Proxy for WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --proxy option to specify an HTTP proxy for the tool to connect through. ```bash --proxy='http://proxy.example.com:3128' ``` -------------------------------- ### Full-Featured WAF Scan with Python Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Perform a comprehensive WAF scan including proxy, authentication headers, custom block codes, multiple threads, and JSON output. Specify multiple --header and --block-code arguments as needed. ```bash python3 main.py \ --host='https://example.com' \ --proxy='http://proxy.corp.local:3128' \ --header='Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...' \ --header='X-Internal-Token: ABCDEF' \ --user-agent='SecurityScanner/1.0' \ --block-code=403 \ --block-code=222 \ --threads=20 \ --timeout=15 \ --json-format ``` -------------------------------- ### Docker WAF Scan with JSON Output and jq Filtering Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Run a WAF scan using Docker and pipe the JSON output to 'jq' to filter for bypassed payloads. This allows for focused analysis of specific results. ```bash docker run nemesida/waf-bypass --host='https://example.com' --json-format \ | jq '.BYPASSED' ``` -------------------------------- ### Docker WAF Scan with Proxy and JSON Output Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Execute a WAF scan via Docker, specifying a proxy, custom block codes, thread count, and enabling JSON output for structured results. ```bash docker run nemesida/waf-bypass \ --host='https://example.com' \ --proxy='http://10.0.0.1:8080' \ --block-code=403 \ --threads=15 \ --json-format ``` -------------------------------- ### Specify HTTP Headers for WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --header option to specify HTTP headers, such as for authentication. Multiple headers can be provided. ```bash --header 'Authorization: Basic YWRtaW46YWRtaW4=' --header 'X-TOKEN: ABCDEF' ``` -------------------------------- ### Detailed Scan with Exclusions and Replay Options Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Perform a detailed WAF scan, excluding specified directories, enabling detailed output for False Positives/Negatives, and including cURL replay commands. The --no-progress flag disables the progress indicator. ```bash python3 main.py \ --host='https://example.com' \ --exclude-dir='FP,MFD,GraphQL' \ --details \ --curl-replay \ --no-progress ``` -------------------------------- ### Enable cURL Replay in WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --curl-replay option to display the cURL command for reproducing requests. This option is not compatible with --json-format. ```bash --curl-replay ``` -------------------------------- ### Display Details in WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --details option to display False Positive and False Negative payloads. This option is not compatible with --json-format. ```bash --details ``` -------------------------------- ### Specify User-Agent for WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --user-agent option to specify a custom HTTP User-Agent string for requests. ```bash --user-agent 'MyUserAgent 1/1' ``` -------------------------------- ### Docker WAF Scan Execution Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Run the WAF Bypass Tool using its official Docker image. All standard CLI options can be passed directly after the image name. ```bash docker pull nemesida/waf-bypass docker run nemesida/waf-bypass --host='https://example.com' ``` -------------------------------- ### Load and Parse a Payload File Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Use `get_payload` to load a JSON payload file, resolve %RND% tokens, and return a normalized dictionary. Check the returned dictionary for emptiness to ensure successful loading. ```python from utils.payloads import get_payload payload = get_payload('/opt/waf-bypass/utils/payload/SQLi/1.json') print(payload['URL']) # e.g. "%27%20or%20...%27--" (%RND% resolved) print(payload['ARGS']) # e.g. "param3f9a1b=%27%20or%20..." print(payload['BLOCKED']) # True — WAF should block this request print(payload['ENCODE']) # ['Base64', 'UTF-16'] print(payload['JSON']) # False print(payload['METHOD']) # None (use default GET/POST) print(payload['BOUNDARY']) # None (not an MFD payload) # Returns {} on parse error, so always check: if not payload: print("Failed to load payload file") ``` -------------------------------- ### JSON Output Format for WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --json-format option to display scan results in JSON format, suitable for integration with security platforms. ```bash --json-format ``` -------------------------------- ### Specify Block Codes for WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --block-code option to define HTTP status codes that indicate a WAF block. Multiple codes can be specified. ```bash --block-code='403' --block-code='222' ``` -------------------------------- ### Specify Timeout for WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --timeout option to set the request processing timeout in seconds. The default is 30. ```bash --timeout=10 ``` -------------------------------- ### Specify Threads for WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --threads option to set the number of parallel scan threads. The default is 10. ```bash --threads=15 ``` -------------------------------- ### JSON Body Payload Format for APIs Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Payloads in the `API/` directory automatically receive a `Content-Type: application/json` header, suitable for API testing. The `JSON: true` flag can enforce this in other directories. ENCODE is ignored for API payloads. ```json // utils/payload/API/custom.json — SQL injection in JSON body { "payload": [ { "URL": "/api/v1/users/1 union select user from password", "ARGS": "id=1 union select user from password", "BODY": "{\"id\": \"1 union select user from password\"}", "COOKIE": "1 union select user from password", "USER-AGENT": "1 union select user from password", "REFERER": "1 union select user from password", "HEADER": "1 union select user from password", "BLOCKED": true } ] } // API directory: Content-Type: application/json is added automatically // ENCODE is silently ignored for API payloads // JSON: true in other directories also sets Content-Type: application/json ``` -------------------------------- ### Nemesida WAF JSON Output Specification Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md This JSON structure details the output format of the Nemesida WAF, including target information, proxy settings, headers, blocked codes, threads, timeouts, excluded directories, and categorized request results (FAILED, PASSED, FALSED, BYPASSED). It also includes a section for reproducing requests using cURL. ```json { "TARGET": "https://example.com", // defined by --host option "PROXY": {}, // defined by --proxy option "HEADERS": { // defined by --header option "User-Agent": "" }, "BLOCK-CODE": [ // defined by --block-code option ... ], "THREADS": 50, // defined by --threads option "TIMEOUT": 30, // defined by --timeout option "EXCLUDE-DIR": [ ... ], "FAILED": { // requests with failed processing status "MFD/7.json": { "BODY": "WBHTTPSConnectionPool(host='example.com', port=443): Read timed out. (read timeout=1)" }, ... }, "PASSED": { // passed requests "UWA/3.json": { "URL": "403 RESPONSE CODE" }, ... }, "FALSED": { // requests with false positive processing status ... }, "BYPASSED": { // requests with false negative processing status "UWA/26.json": { "URL": "200 RESPONSE CODE" }, ... }, "TestRequest": { // test requests with processing status, exclude passed "FAILED": {}, "FALSED": { "UWA/3.json": { "URL": "403 RESPONSE CODE" }, ... } }, "CURL": { // cURL command to reproduce false positive and false negative requests "FALSED": {}, "BYPASSED": { "UWA/26.json": { "URL": "curl -X GET -H 'Accept: */*' -H 'Accept-Encoding: gzip, deflate' -H 'Connection: keep-alive' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' 'https://example.com/do.php#.png'" }, ... } } } ``` -------------------------------- ### Multipart/Form-Data Payload Format Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Used for testing multipart/form-data uploads. The `BODY` field is required. If `BOUNDARY` is omitted, the tool generates a random boundary; otherwise, the `BODY` must be fully RFC-formatted. ```json // utils/payload/MFD/custom.json — XSS in multipart upload with explicit boundary { "payload": [ { "BODY": "--myboundary1234\r\nContent-Disposition: form-data; name=\"field1\" \n\r\n%27%3E%3Csvg%2Fonload%3Dalert%60xss%60%3E\r\n--myboundary1234--\r\n", "BOUNDARY": "myboundary1234", "BLOCKED": true } ] } // When BOUNDARY is set, BODY must be fully RFC-formatted // When BOUNDARY is omitted, set only the raw payload value in BODY: // { "BODY": "%27%3E%3Csvg%2Fonload%3Dalert%60xss%60%3E", "BLOCKED": true } // The tool wraps it in a proper multipart envelope with a random boundary ``` -------------------------------- ### Standard Attack Payload JSON Format Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Defines zones to inject into, encoding options, and WAF blocking behavior for standard attack payloads. Use for testing XSS across various zones with encoding variants. '%RND%' is replaced at runtime with a random alphanumeric string. ENCODE triggers additional requests for Base64 and UTF-16 encoding. BLOCKED: true indicates the WAF should block the request; a 200 response signifies a bypass. ```json // utils/payload/XSS/custom.json — tests XSS across all zones with encoding variants { "payload": [ { "URL": "%3Csvg%2Fonload%3Dalert%28%RND%%29%2F%2F", "ARGS": "param%RND%=%3Csvg%2Fonload%3Dalert%28%RND%%29%2F%2F", "BODY": "param%RND%=%3Csvg%2Fonload%3Dalert%28%RND%%29%2F%2F", "COOKIE": "%3Csvg%2Fonload%3Dalert%28%RND%%29%2F%2F", "USER-AGENT": "%3Csvg%2Fonload%3Dalert%28%RND%%29%2F%2F", "REFERER": "%3Csvg%2Fonload%3Dalert%28%RND%%29%2F%2F", "HEADER": "%3Csvg%2Fonload%3Dalert%28%RND%%29%2F%2F", "ENCODE": "Base64 UTF-16", "BLOCKED": true } ] } // %RND% is replaced at runtime with a random 6-char alphanumeric string // ENCODE causes two additional requests: one Base64-encoded, one UTF-16-encoded // BLOCKED: true means the WAF SHOULD block this — a 200 response is a False Negative (BYPASSED) ``` -------------------------------- ### Exclude Directories in WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --exclude-dir option to exclude specific payload directories from the scan. ```bash --exclude-dir='SQLi,XSS' ``` -------------------------------- ### False Positive Payload JSON Format Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Uses `BLOCKED: false` to verify that legitimate traffic is not incorrectly blocked by the WAF. A 403 response indicates a false positive, while a 200 response means the test passed. ```json // utils/payload/FP/custom.json — legitimate PNG asset request must NOT be blocked { "payload": [ { "URL": "/assets/images/logo.png", "BLOCKED": false } ] } // BLOCKED: false means the WAF should NOT block this request // If the WAF returns 403, the result is FALSED (False Positive detected) // If the WAF returns 200, the result is PASSED ``` -------------------------------- ### Apply Payload Encoding Transformations Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt The `payload_encoding` function applies a specified encoding (Base64, UTF-16, HTML-ENTITY) to a payload string for a given zone. Unsupported zone/encoding combinations return the payload unchanged. ```python from utils.bypass import payload_encoding raw = "param=" b64 = payload_encoding('BODY', raw, 'Base64') # => "cGFyYW09PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" utf16 = payload_encoding('ARGS', raw, 'UTF-16') # => "param=\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e..." htmlent = payload_encoding('COOKIE', raw, 'HTML-ENTITY') # => "param%3D%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B" # Unsupported zone+encode combos (URL, USER-AGENT, REFERER) return payload unchanged: unchanged = payload_encoding('URL', "/path/payload", 'Base64') # => "/path/payload" (encoding skipped for URL zone) ``` -------------------------------- ### Disable Progress Bar in WAF Bypass Tool Source: https://github.com/nemesida-waf/waf-bypass/blob/master/README.md Use the --no-progress option to disable the display of the progress bar during scans. ```bash --no-progress ``` -------------------------------- ### Exclude Payload Directories from Scan Source: https://context7.com/nemesida-waf/waf-bypass/llms.txt Shorten scan times or focus on specific attack types by excluding certain payload directories using the --exclude-dir option. Multiple directories can be specified as a comma-separated or space-separated list. ```bash python3 main.py --host='https://example.com' --exclude-dir='SQLi,XSS' ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.