
Chapter 5 - Practical Web Application Penetration Testing Series - Bypass Web Applications Firewalls


By: Babak Esmaeili

December 28, 2016




Because testing a website without permission is illegal, and I could not find a test site with a WAF (web application firewall) enabled, I decided to cover this section theoretically. A WAF filters all accesses to a web application, inspecting both the traffic towards the application and the responses coming back from it. By protecting both the application infrastructure and the application's users, a WAF complements traditional network firewalls, which are not designed to inspect traffic at this level. A WAF can be either network-based or host-based and is typically deployed as a proxy placed in front of one or more web applications. When pentesting web applications in the real world, we should first determine whether the website sits behind a WAF and, if so, which WAF we are dealing with.

I usually use a handy script called wafw00f (pre-installed in Kali Linux) to detect the kind of WAF before starting blackbox web pentesting.


The usage is very simple: copy the URL of the target website, paste it after the command, and press Enter:


wafw00f tries to detect the web application firewall and gives us useful information about it. In chapter 3a of this series we saw how to set up and configure the Bypass WAF plugin for Burp; now it's time to use it. If you want more information on how this plugin works in the background, take a look at this link:

We are going to rescan the website with the Bypass WAF plugin enabled in Burp Suite.

Open up Burp and set your browser to use it as its proxy. Now browse the site and capture the request. Forward the request in Burp and click the Target tab. In the left pane, right click on the target host and click "Add to scope".

We have this:


Everything is now ready for WAF bypassing and automated testing. We can test the website for vulnerabilities with WAF bypassing enabled: in the Target tab, under Site map, right click on the target host and choose "Actively scan this host" to start scanning. That was it.

Now let's talk about sqlmap and bypassing a WAF when injecting payloads.

You may know about the tamper parameter in sqlmap. We can use custom Python scripts for many purposes with the --tamper parameter; one of them is WAF bypassing. We can simply use these kinds of scripts with the tamper parameter:

To use a tamper script in sqlmap, you use the --tamper flag. To test MySQL, you can use all the tampers below or just one of them alone:

# No spaces should be between the commas/words. The spaces below were added for the formatting purposes of this article.

--tamper=between, bluecoat, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2hash, space2morehash, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords, xforwardedfor


To test MSSQL, you can use all the tampers below or just one of them alone:

--tamper=between, charencode, charunicodeencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, sp_password, space2comment, space2dash, space2mssqlblank, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes

Below is the list of tampers that support both MSSQL and MySQL:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
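The tamper scripts listed above all work the same way: they rewrite a payload so that it no longer matches the WAF's signature while still being valid SQL for the backend. The defensive counterpart is normalisation, which is what a WAF or log-analysis pipeline has to do before any signature is applied. The example below is added here and is not part of the original article or of sqlmap; it canonicalises a parameter value by undoing the effect of several of the tampers named above (percent-decoding for charencode/chardoubleencode, stripping inline comments for space2comment, stripping hash comments for space2hash/space2morehash, collapsing blanks for multiplespaces/space2randomblank, lowercasing for randomcase) and only then applies two simple patterns. The request strings are constructed for this example, not captured traffic, and the pattern set is deliberately small.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings, as a WAF or log pipeline would see them after
# tamper scripts named in the article have rewritten the payload. Written for this
# example only; not captured traffic.
SAMPLE_REQUESTS = [
    "id=1",                                              # benign
    "id=1%20AND%201=1",                                  # charencode: percent-encoded blanks
    "id=1/**/UNION/**/SELECT/**/1,2",                    # space2comment
    "id=1    uNiOn     sElEcT   1,2",                    # multiplespaces + randomcase
    "id=1%2F%2A%2A%2FoR%2F%2A%2A%2F1%3D1",               # comments, then percent-encoded
    "id=1%23abc%0AUNION%23xyz%0ASELECT%201",             # space2hash: '#junk\n' as a blank
]

# Patterns applied only after normalisation. Kept tiny on purpose: the point is
# that matching must happen on the canonical form, not on the raw bytes.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b"),
    re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+"),
]


def normalize(value: str) -> str:
    """Canonicalise a parameter value before inspection.

    1. percent-decode until stable (bounded, so double/triple encoding is undone
       without looping forever on pathological input),
    2. replace inline /* ... */ comments with a blank,
    3. replace MySQL '#' comments up to the newline with a blank,
    4. collapse any run of whitespace (space, tab, CR, LF, VT) to one space,
    5. lowercase.
    """
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    cur = re.sub(r"/\*.*?\*/", " ", cur, flags=re.S)
    cur = re.sub(r"#[^\n]*\n", " ", cur)
    cur = re.sub(r"\s+", " ", cur)
    return cur.strip().lower()


def looks_like_sqli(value: str) -> bool:
    """True if the normalised value matches one of the patterns."""
    n = normalize(value)
    return any(p.search(n) for p in SQLI_PATTERNS)


def scan(requests):
    """Return (raw, normalised, flagged) for each request, for review or logging."""
    return [(r, normalize(r), looks_like_sqli(r)) for r in requests]


if __name__ == "__main__":
    for raw, canon, flagged in scan(SAMPLE_REQUESTS):
        print(f"{'ALERT' if flagged else 'ok   '}  {raw!r:45} -> {canon!r}")
```

Run against the raw strings, the two patterns miss every obfuscated request but the first benign one; run against the normalised form, they flag all five. That gap is exactly the surface a tamper script exploits, and it is why a WAF rule set is only as good as the decoding that precedes it. Real products normalise far more than this (Unicode and HTML-entity forms, URL path parameters, JSON bodies), and a missing decoder for any one encoding is a bypass for that encoding.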

Examples:

1. Use just one tamper script:


2. Use multiple tamper scripts to bypass the WAF:





Thanks for reading.

Read the other parts of this series:

Chapter 4: Practical Web Application Pentesting Series

Chapter 3b: Practical Web Application Pentesting Series

Chapter 3a: Practical Web Application Pentesting Series

Chapter 2: Practical Web Application Pentesting Series

Chapter 1: Practical Web Application Pentesting Series
