Most web application firewalls (WAFs) have limitations for how much data they can process when a request body is sent. This means for HTTP requests that contain a request body (i.e. POST, PUT, PATCH etc), it is usually possible to bypass the WAF by simply prepending junk data.
When the request is padded with this junk data, the WAF will process up to X kb of the request and analyze it, but everything after the limits of the WAF will pass straight through.
nowafpls is a simple Burp plugin which will contextually insert this junk data into your HTTP request inside the repeater tab. You can select from a preset amount of junk data you want inserted, or you can insert an arbitrary amount of junk data by selecting the "Custom" option.
This tool is just 80 or so lines of Python, it's incredibly simple but works for most WAFs lol.
| WAF Provider | Maximum Request Body Inspection Size Limit |
|---|---|
| Cloudflare | 128 KB for ruleset engine, up to 500 MB for enterprise |
| AWS WAF | 8 KB - 64 KB (configurable depending on service) |
| Akamai | 8 KB - 128 KB |
| Azure WAF | 128 KB |
| Fortiweb by Fortinet | 100 MB |
| Barracuda WAF | 64 KB |
| Sucuri | 10 MB |
| Radware AppWall | up to 1 GB for cloud WAF |
| F5 BIG-IP WAAP | 20 MB (configurable) |
| Palo Alto | 10 MB |
| Cloud Armor by Google | 8 KB (can be increased to 128 KB) |
nowafpls is a Jython based Burp Plugin.
- Clone or download this repo.
- Go to the extensions tab in Burp Suite.
- Click "Add"
- Select Extension Type - Python
- Select "nowafpls.py" that you downloaded in Step 1
nowafpls-small.mp4
- Send any request to the repeater tab that you'd like to bypass WAF for.
- Put your cursor in a place you would like to insert junk data.
- Right click -> Extensions -> nowafpls
- Select how much junk data you want to insert
- Click "OK"
nowafpls will insert junk data as per the type of request (URLEncoded/XML/JSON) automatically.
- Shubham Shah - Initial work - github
MIT