abuse-ssl-bypass-waf

Bypassing WAF by abusing SSL/TLS Ciphers


abuse-ssl-bypass-waf

Helps you find SSL/TLS ciphers that the WAF cannot decrypt but the server can.

Reference article: Bypassing Web-Application Firewalls by abusing SSL/TLS

Idea

Usage

python abuse-ssl-bypass-waf.py --help

If you can find a keyword or regex that appears when you hit the WAF page, you can use:

python abuse-ssl-bypass-waf.py -regex "regex" -target https://target.com

Or, if you cannot find a keyword or regex for the WAF's filtered response, you can use:

python abuse-ssl-bypass-waf.py -thread 4 -target https://target.com

Notice: If you are worried about the WAF dropping the connection, you had better not use the -thread option.

Thirdparty

curl

sslscan

Notice: If your operating system is not Windows, you should modify config.py and adjust the curl and sslscan path & command values.

Running

If you don't know the type of the WAF, you can compare the HTML response content length and try to find the ciphers that bypass the WAF.

Knowing the WAF block page keyword or regex:

When the payload URL is requested using certain SSL/TLS ciphers and the WAF keyword or regex is not in the HTML page, there is a way to bypass the WAF using that cipher!
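The defensive counterpart of this check, as an added example that is not part of this project's code: compare the ciphers the origin server accepts with the ciphers the WAF can decrypt, and restrict the origin to the overlap. The sslscan-style text and the WAF cipher list below are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of sslscan output for an origin server.
ORIGIN_SSLSCAN = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
"""

# Constructed list standing in for the WAF vendor's documented cipher support.
WAF_SUPPORTED = {
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "AES256-SHA",
}

# Matches "<status> <protocol> <n> bits <cipher>" and captures protocol and cipher.
LINE_RE = re.compile(r"^\s*(?:Accepted|Preferred)\s+(\S+)\s+\d+\s+bits\s+(\S+)", re.M)
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # colour codes from terminal captures


def accepted_ciphers(sslscan_text):
    """Return (protocol, cipher) pairs the server accepted, in scan order."""
    return LINE_RE.findall(ANSI_RE.sub("", sslscan_text))


def audit(sslscan_text, waf_supported):
    """Split origin ciphers into those the WAF can inspect and those it cannot."""
    inspectable, blind = [], []
    for _proto, cipher in accepted_ciphers(sslscan_text):
        bucket = inspectable if cipher in waf_supported else blind
        if cipher not in bucket:  # the same suite can appear under several protocols
            bucket.append(cipher)
    return inspectable, blind


def hardened_cipher_string(inspectable):
    """OpenSSL-style cipher list limited to suites the WAF also supports."""
    return ":".join(inspectable)


if __name__ == "__main__":
    ok, blind = audit(ORIGIN_SSLSCAN, WAF_SUPPORTED)
    print("Origin accepts but WAF cannot inspect:", blind)
    print("Restrict origin to:", hardened_cipher_string(ok))
```

Any suite reported in the second list is one the origin should stop offering, or the WAF should be upgraded to support.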

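Key metrics

Overview
Name and owner: LandGrey/abuse-ssl-bypass-waf
Primary programming language: Python
Programming languages: Python (number of languages: 1)
Platform
License
Owner activity
Created: 2018-07-05 17:53:37
Pushed: 2021-07-27 03:38:27
Last commit: 2021-07-27 11:38:22
Releases: 0
User engagement
Stars: 317
Watchers: 8
Forks: 73
Commits: 7
Issues enabled?
Issues: 3
Open issues: 1
Pull requests: 0
Open pull requests: 0
Closed pull requests: 1
Project settings
Wiki enabled?
Archived?
Is a fork?
Locked?
Is a mirror?
Is private?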