Waf-Bypass: Check Your WAF Before Hackers

WAF bypass Tool is an open source tool to analyze the security of any WAF (Web Application Firewall) for false positives and false negatives using predefined and customizable payloads.

Check your WAF before an attacker does. WAF Bypass Tool is developed by the Nemesida WAF team with community input.

waf bypass

Both as a defender and as an attacker, using this tool, you can know in advance which attacks can pass the respective firewall so that no time is wasted in further testing.



# docker pull nemesida/waf-bypass # docker run nemesida/waf-bypass --host='example.com'


# git clone https://github.com/nemesida-waf/waf_bypass.git /opt/waf-bypass/ # python3 -m pip install -r /opt/waf-bypass/requirements.txt # python3 /opt/waf-bypass/ bypass/main.py --host='example.com'


Depending on the purpose, the payloads are located in the appropriate folders:

  • FP – False Positive payloads
  • API – API testing payloads
  • CM – Custom HTTP Method payloads
  • GraphQL – GraphQL testing payloads
  • LDAP – LDAP Injection etc. payloads
  • LFI – Local File Include payloads
  • MFDs – multipart/form-data payloads
  • NoSQLi – NoSQL injection payloads
  • OR – Open Redirect payloads
  • RCE – Remote Code Execution payloads
  • RFI – Remote File Inclusion payloads
  • SQLi – SQL injection payloads
  • SSI – Server-Side Includes payloads
  • SSRF – Server-side request forgery payloads
  • SSTI – Server-Side Template Injection payloads
  • UWA – Unwanted Access payloads
  • XSS – Cross-Site Scripting payloads

Write your own payloads

When compiling a payload, the following zones, methods and options are used:

  • URL – request's path
  • ARGS – request's query
  • BODY – request's body
  • COOKIE – request's cookies
  • USER-AGENT – request's user-agent
  • REFER – request's referrer
  • HEADER – request's header
  • METHOD – request's method
  • BOUNDARY – defines the contents of the application boundary. Applies only to payloads in the MFD directory.
  • ENCODE – payload implementation (Base64, HTML-ENTITY, UTF-16) in addition to payload encoding. Multiple values ​​are indicated by a space (eg Base64 UTF-16). Applies to ARGS, BODY, COOKIE and HEADER zones only. It does not apply to payloads in the API and MFD directories. Not compatible with the JSON option.
  • JSON – specifies that the body of the request must be in JSON format
  • BLOCKED – determines whether the request should be blocked (FN test) or not (FP)


You can download the program from here.

iGuRu.gr The Best Technology Site in Greecegns

every publication, directly to your inbox

Join the 2.107 registrants.
Web Application Firewall, Waf-Bypass

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).