0

abuse-ssl-bypass-waf

Bypassing WAF by abusing SSL/TLS Ciphers

Github repo
Main metrics

Github stars Tracking Chart

abuse-ssl-bypass-waf

Helping you find the SSL/TLS Cipher that WAF cannot decrypt and Server can decrypt same time

Referer article: Bypassing Web-Application Firewalls by abusing SSL/TLS

Idea

Usage

python abuse-ssl-bypass-waf.py --help

If you can find keyword or regex when hit the WAF page, you can use:

python abuse-ssl-bypass-waf.py -regex "regex" -target https://target.com

or you cannot find keyword or regex when filter by WAF,you can use:

python abuse-ssl-bypass-waf.py -thread 4 -target https://target.com

Notice: If you are worry about WAF drop the connection, you have better not use -thread option.

Thirdparty

curl

sslcan

Notice: If your operation system is not Windows, you should be modify config.py ,adjust curl and sslscan path & command values.

Running

If you don't know what the type of the WAF, you can compare the html response content length and try to find the bypassing WAF ciphers

knowing the hit WAF page keyword or regex:

When using some SSL/TLS ciphers request the payload URL, If WAF keyword or regex not in html page, there is a way bypassing WAF using Cipher!

Main metrics

Overview
Name With OwnerLandGrey/abuse-ssl-bypass-waf
Primary LanguagePython
Program languagePython (Language Count: 1)
Platform
License:
所有者活动
Created At2018-07-05 17:53:37
Pushed At2021-07-27 03:38:27
Last Commit At2021-07-27 11:38:22
Release Count0
用户参与
Stargazers Count317
Watchers Count8
Fork Count73
Commits Count7
Has Issues Enabled
Issues Count3
Issue Open Count1
Pull Requests Count0
Pull Requests Open Count0
Pull Requests Close Count1
项目设置
Has Wiki Enabled
Is Archived
Is Fork
Is Locked
Is Mirror
Is Private