Bypassing-Web-Application-Firewalls-And-XSS-Filters

A series of Python scripts for generating weird character combinations and lists for BurpSuite Pro for bypassing web application firewalls (WAF) and XSS filters.

These Python scripts have been created to fuzz weird combinations:

- URL Escape Characters
- HTML Escape Characters
- Binary Characters

These scripts were created during an assessment, while trying to bypass a Web Application Firewall (WAF) in order to exploit an XSS vulnerability. Different web servers and browsers interpret URL and strange characters differently, which could lead to the bypassing of security controls.

When I tried to send a > or < character the WAF would block the request. The following URL escapes I have noticed are translated to < > ' by Apache2 based web servers:

%(N%(n%)S%)U%)^%)s%)u%C%E%c%e%,.%.#%1N%1n%2S%2U%2^%2s%2u%3C%3E%3c%3e%5.%7#%:C%:E %:c%:e%HN%Hn%IS%IU%I^%Is%Iu%JC%JE%Jc%Je%L.%N#%XN%Xn%YS%YU%Y^%Ys%Yu%ZC%ZE%Zc%Ze%.%^# %hN%hn%iS%iU%i^%is%iu%jC%jE%jc%je%l.%n#%xN%xn%yS%yU%y^%ys%yu%zC%zE%zc%ze%|
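The defensive counterpart to the observation above, as an added example that is not part of this repository: a strict percent-escape check that a WAF rule or reverse proxy could run on the raw query string, so that sequences a back end might decode leniently are refused before they reach it. The function names, verdict labels and sample queries are constructed for illustration, and rejecting every malformed escape is an assumed policy.

```python
HEX = set("0123456789abcdefABCDEF")
WATCHED = {"<", ">", "'"}  # the characters the page says the WAF was blocking


def scan_escapes(raw):
    """Walk a still-encoded URL component.

    Returns (malformed, watched):
      malformed - (offset, text) for every '%' not followed by two hex digits
      watched   - (offset, char) for valid escapes that decode to a watched char
    """
    malformed, watched = [], []
    i = 0
    while i < len(raw):
        if raw[i] != "%":
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
            ch = chr(int(pair, 16))
            if ch in WATCHED:
                watched.append((i, ch))
            i += 3
        else:
            # Truncated or non-hex escape: record it and resume at the next
            # character so an overlapping sequence such as "%%3C" is still seen.
            malformed.append((i, raw[i:i + 3]))
            i += 1
    return malformed, watched


def verdict(raw_query):
    """Assumed policy: refuse malformed escapes, inspect watched characters."""
    malformed, watched = scan_escapes(raw_query)
    if malformed:
        return "reject-malformed"
    if watched or any(c in WATCHED for c in raw_query):
        return "inspect"
    return "pass"


# Constructed sample query strings, not captured traffic.
SAMPLES = ["q=hello%20world", "q=%3Cb%3E", "q=%2Sb%2U", "q=%(N", "q=100%"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{verdict(sample):17} {sample}")
```

Run the check on the bytes exactly as received; decoding first would hide the malformed sequences it looks for.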