In the early days of WAF protection I spent a lot of time studying WAF bypass techniques and ways to break through the defenses of various WAF products. Recently I decided to reorganize my knowledge base, so I combined all the articles I had written on WAF offense and defense into a single document with a complete table of contents.
The document is divided into two parts, techniques and practice. The techniques part covers characteristics of the server, the database, the application layer and the WAF layer itself; the practice part combines these techniques flexibly to bypass real WAF protection. Some of the specific tricks have long since stopped working, but the lines of thought behind them matter more, and some of them I still find very interesting.
Once you have mastered a set of offensive and defensive techniques, you will find it very interesting to keep breaking through defenses and working around their limitations.
If the tips and ideas in this document do not get you past a WAF, the next step is to go looking for features that have not yet been explored.
In the world of offense and defense you are always breaking through and there are no limits. Hacks For Everything!
Contents:
- Preface
- Chapter 1: WAF Bypass Techniques
  - Section 1: Server features
  - Section 2: Application layer features
  - Section 3: WAF layer features
  - Section 4: Database features
    - MySQL database features
    - SQL Server database features
    - Oracle database features
    - Access database features
- Chapter 2: WAF Bypass in Practice
  - Bypassing the SQL injection defense of an IIS firewall
  - Bypassing the 360 Host Guard SQL injection defense
  - Bypassing the ngx_lua_waf SQL injection defense
  - Bypassing the X-WAF SQL injection defense
  - Bypassing SQL injection defense for Oracle
  - Breaking OpenResty-based web security
- Appendix: WAF automated fuzzing scripts
PDF document:
Method 1: the official WeChat account provides a PDF version of the project; reply with "WAF Attack and Defense" to receive the download.
Method 2: if you enjoy research and discussion, add me as a WeChat friend and we can talk through the technical issues together. When you add me, state directly that you are asking for the document.