Table of Contents
WAFPierce is a powerful WAF/CDN assessment and bypass validation tool for penetration testing and security research.
It fingerprints 17+ WAF vendors and 12+ CDN providers, then tests 100+ bypass/evasion techniques using baseline + heuristic comparisons (status codes, response size, hashes) to confirm real bypasses—even when defenses return OK.
It also supports rate-limit detection, API endpoint and directory discovery, protocol-level testing (request smuggling, HTTP/2 downgrade, WebSocket tunneling), comprehensive injection testing (SQLi, XSS, SSRF, NoSQL, LDAP, XXE, SSTI, Log4Shell), cloud-specific tests, a clean GUI, optimized parallel performance, and automated Markdown reporting.
Click to expand full feature list
- WAF Detection & Fingerprinting — Identifies 17+ WAF vendors (Cloudflare, AWS WAF, Akamai, Imperva, F5, Sucuri, ModSecurity, and more)
- CDN Detection — Detects 12+ CDN providers (CloudFront, Akamai, Fastly, Cloudflare, etc.)
- WAF Bypass Detection — Tests 100+ different bypass techniques
- Smart WAF Bypass — Uses baseline comparison and heuristic analysis (size, hash, status codes) to detect bypasses even when WAFs return 200 OK
- Payload Evasion Testing — SQLi, XSS, Command Injection, Path Traversal, SSRF bypass payloads
- Advanced Injection Testing — NoSQL, LDAP, SSTI, XXE, CRLF, Prototype Pollution, Deserialization, Log4Shell
- Protocol-Level Attacks — HTTP Request Smuggling, HTTP/2 Downgrade, H2C Smuggling, WebSocket CSWSH, HTTP Desync
- Security Misconfiguration — CORS, Open Redirect, Security Headers, Cookie Security, Clickjacking
- Cloud Security Testing — AWS S3, Azure Blob, GCP Buckets, Kubernetes API, Serverless Functions
- Information Disclosure — Git/SVN/Env files, Backups, Debug endpoints, Sensitive configs, API Key Exposure
- Business Logic Testing — IDOR, Mass Assignment, Race Conditions, File Upload Bypass, Integer Overflow
- Advanced Attacks — JWT Exploitation, GraphQL Attacks, Web Cache Deception, DNS Rebinding, CSS/XSLT Injection
- Rate Limit Detection — Identifies request thresholds and rate limiting behavior
- API Endpoint Discovery — Finds unprotected API routes and debug endpoints
- Subdomain Takeover Detection — Identifies vulnerable subdomains across 25+ services
- Automated Reporting — Generates detailed markdown reports
- GUI system — Clean and efficient GUI system made for the users comfort
- Optimized Performance — Connection pooling, response caching, and parallel batch testing
git clone https://github.com/K0NGR3SS/WAFPierce.git
cd WAFPierce
pip3 install -r requirements.txt
python3 run_gui.py# Clone repository
git clone https://github.com/K0NGR3SS/WAFPierce.git
cd WAFPierce
# Install dependencies
pip3 install -r requirements.txt
# (Optional) Install in development mode
pip3 install -e .python3 run_gui.py Contributions, bug reports, and feature requests are welcome! Please open an issue or pull request on GitHub.
- Out-of-band (OOB) confirmation engine — blind SSRF / Log4Shell-JNDI / blind XXE now prove themselves. A pluggable OOB layer (
--oob interactsh|selfhosted) sprays uniquely-correlated callbacks early in the scan and collects interactions at the end; any received callback becomes a CONFIRMED CRITICAL finding carrying the inbound request as proof. Two backends: an Interactsh client (publicoast.*or self-hosted, purecryptography) and a built-in self-hosted listener (HTTP + best-effort DNS). Opt-in. - Bypass re-confirmation pass — every flagged bypass is replayed (cache off) and demoted to low confidence if it doesn't reproduce. Findings now carry
confidence(high/medium/low) andconfirmations(n/m). Toggle with--no-reconfirm. - Reproduction
curlper finding — each result carries the exact copy-pastecurlbuilt from the request as it went on the wire; surfaced in the HTML report.
- TLS (JA3/JA4) + HTTP/2 fingerprint impersonation —
--impersonate [chrome|chrome124|safari17_0|…]routes probes throughcurl_cffito mimic a real browser and slip past JS/bot WAFs (DataDome, PerimeterX, Kasada). Degrades gracefully to therequestsstack if unavailable.
- CSP analyzer (unsafe-inline / wildcard / JSONP-able allowlist), JWT embedded-
jwkself-signing, GraphQL CSRF (GET / form-urlencoded), CL.0 / 0.CL request smuggling, SAML/XSW surface detection, password-reset host-poisoning, LLM prompt-injection (new AI / LLM Attacks category), and gRPC + HTTP/3 (QUIC) detection.
- CVSS v3.1 base score + vector + CWE on every finding; scope rules (
--scope-include/--scope-exclude);--safe-mode(skips noisy/DoS/state-changing tests);--jitterrandom per-request delay; proxy rotation (--proxy-pool) and--tor. - WAF feedback loop — learns which techniques bypass which WAF vendor and runs the effective ones first next time.
- Resumable scans (
--resume) via per-target checkpoints; auto re-login when an authenticated session expires mid-scan.
- Traffic import — seed the scan from HAR / Postman / Burp captures (
--import-har/--import-postman/--import-burp). - Integrations — Slack push (
--slack-webhook), generic webhook, DefectDojo finding mapping. - PDF report export (
--export-format pdf, via reportlab; falls back to HTML).
- Scan dialog exposes Re-confirm / Safe-mode / Impersonate / OOB toggles (persisted), and the new AI / LLM Attacks category.
- First automated test suite —
pytestagainst an in-process mock-WAF server (88 tests) covering repro, bypass detection, re-confirmation, exporters/PDF, OOB crypto/listener, impersonation, new attack modules, engine controls, importers, integrations, feedback/checkpoint, and the sample plugin. Added atests+ advisoryruffCI workflow (requirements-dev.txt,[dev]extra), a sample plugin +PLUGIN_SDK.md.
Deliberately not done: a full async-engine rewrite — the bounded adaptive thread pool already controls concurrency, and replacing the request path under 150 tested techniques is high-risk for low gain.
- Single bounded thread pool — Replaced the nested
ThreadPoolExecutor-per-technique design (which could spawn ~threads²concurrent sockets and trigger WAF throttling) with one shared, bounded pool. The configured thread count is now a real ceiling on in-flight requests. Techniques run sequentially and fan their requests across the shared pool. - Adaptive concurrency — A token-style limiter shrinks parallelism on
429/503pushback and recovers after sustained clean responses. - Response cache actually works — The cache key no longer includes the per-technique
X-Techniquemarker, so identical probes are now deduplicated. X-Techniqueno longer leaks — The technique label is tracked out-of-band and is never sent to the target (previously it fingerprinted the scanner and could trip custom-header WAF rules).- Multi-sample baseline + similarity scoring — The baseline is sampled multiple times to learn the page's natural jitter band; dynamic tokens (CSRF/nonce/timestamps/UUIDs) are normalized out and content is compared with a similarity ratio instead of a raw MD5. Dramatically reduces false-positive "different content" findings on dynamic pages.
- Crawler / spider — Same-host BFS plus
robots.txtandsitemap.xmlparsing discovers real endpoints, forms, and parameters. Injection tests (SQLi, XSS, command injection, path traversal, SSRF) now fuzz live discovered parameters, not just/. - Schema ingestion — Pulls OpenAPI/Swagger (
/swagger.json,/openapi.json,/v3/api-docs, …) and runs GraphQL introspection to drive schema-aware fuzzing.
- JSON-based SQLi WAF bypass (PortSwigger 2022 technique)
- Charset / overlong-UTF-8 confusion bypasses
- Deep cache poisoning — fat GET, parameter cloaking, additional unkeyed headers
- OAuth/OIDC —
redirect_uribypass variants + OIDC config exposure - Secrets in JS bundles — downloads referenced
.jsfiles and scans them for keys/tokens - CVE fingerprinting — maps detected server/tech versions to known CVEs (Heartbleed, CVE-2021-41773/42013, Log4Shell, Ghostcat, …)
- HTTP/2 single-packet race (optional, via
httpx[http2]) — far more reliable than concurrent-thread race testing - Extended cloud metadata SSRF — AWS/GCP/Azure/DigitalOcean/Oracle/Alibaba/OpenStack IMDS + ready-to-use gopher payload generation for Redis/MySQL
- DOM XSS + Client-Side Path Traversal (optional, via Playwright headless browser)
- Custom payloads from the database are merged into injection tests
- User plugins are executed as a scan phase
- Evasion profiles apply header/UA tweaks and can contribute curated techniques
- A
create_scanner()factory pre-wires all of the above from the DB/plugin manager (used by the CLI, GUI subprocess, and frozen--scan-worker)
- AI triage (
--ai-triage) flags likely false positives and adjusts severity - AI report (
--ai-report) drafts a professional markdown assessment - Payload mutation helper generates novel evasion variants
- Off by default; requires
pip install anthropicand an Anthropic API key (--ai-keyorANTHROPIC_API_KEY)
- Exports — SARIF (CI/CD code scanning), Nuclei templates, and a standalone HTML report (
--export,--export-format) - Pipeline mode —
--jsonemits clean machine-readable results to stdout - Continuous monitoring —
--monitordiffs against the previous scan of a target and reports only new findings, with optional--webhookalerts - New CLI toggles:
--no-crawl,--no-schema,--no-db-extras
- Added
httpx[http2](core, for HTTP/2 tests). Optional extras:playwright(browser tests) andanthropic(AI) — install viapip install -e .[browser,ai]or.[full].
- Fixed fatal GUI crash on launch — Corrected a corrupted
Signal(object)declaration inQtWorkerthat prevented the app from starting - Fixed frozen-mode scan crash — Resolved
ModuleNotFoundError: No module named 'charset_normalizer.md'when running in-process scans from the PyInstaller executable; added a runtime compatibility shim and updated.spechidden imports - Fixed Plugin Manager crash —
cannot access free variable 'os'error when clicking "Open Plugins Folder" caused by a scoping issue in the nested closure;osandsysare now correctly imported at the method level - Fixed URL data lookups — Progress bar resets, target detail panels, and queue removal were incorrectly using censored display text instead of the actual URL stored in Qt
UserRoledata; all corrected to useitem.data(0, 256) - Fixed
self.outputstale reference —_restore_scan_queuewas callingself.output.append(...)on a non-existent widget; corrected to useself.append_log(...)
- Plugin template editor is now editable — The plugin template in the Plugin Manager "Create" tab was previously read-only; it can now be freely edited before saving
- Plugin filename input added — A filename field has been added to the Create tab so users can name the plugin file; saved directly to the plugins folder (
%APPDATA%/wafpierce/plugins/) - Plugin list auto-refreshes on save — After creating a plugin from the template, the plugin list reloads automatically without needing to reopen the dialog
- Custom Payloads dialog hardened — Add and Import buttons now validate input, show proper error dialogs on failure, and guard against missing database connection
- Scheduled Scans dialog hardened — Added database availability guard, fixed
datetimeparsing to usefromisoformatcorrectly, and added explicit error messages for all failure paths - Hardened entry point —
run_gui.pynow falls back toimportlib.utilmodule loading if the standardfrom wafpierce.gui import mainimport fails in unusual path contexts
- Scan Templates — The Templates feature (📋 button,
Ctrl+Tshortcut, and save/load/delete dialog) has been removed as it was not providing enough value
- Added
cryptography>=42.0.0torequirements.txtandsetup.pyfor SSL certificate analysis support - Added
urllib3,certifi,charset-normalizer, andidnaas explicit install requirements
Advanced Protocol Attacks:
- GraphQL Deep Testing - Introspection attacks, batching DoS, depth limit bypass, alias-based DoS, circular fragments
- JWT Attack Suite - Algorithm confusion (none/None/NONE), KID injection (SQLi, traversal, RCE), JKU/X5U SSRF, weak secret detection
- Web Cache Deception - Static extension tricks (.css, .js), cache key poisoning via unkeyed headers
- Log4Shell Detection - ${jndi:ldap://} patterns with 12+ obfuscation bypasses (nested lookups, env variables)
- SSRF Protocol Smuggling - gopher://, dict://, file://, ldap://, php://, jar://, netdoc:// handlers
Extended Security Tests:
- Host Header Attacks - Password reset poisoning, routing bypass, X-Forwarded-Host injection
- SSI Injection - Server-Side Includes (exec cmd, include file, printenv)
- API Key/Secret Exposure - 35+ patterns (AWS, GitHub, Stripe, Slack, Google, Firebase, etc.)
- DNS Zone Transfer - AXFR enumeration attempts
- Extended Verb Tampering - TRACE/TRACK (XST), DEBUG, WebDAV methods, custom methods
- Range Header Attacks - Overlapping ranges, many ranges DoS, invalid ranges
- Multipart Boundary Bypass - Long boundaries, special chars, quoted, CRLF variations
Advanced Discovery:
- DNS Rebinding - Bypass IP-based SSRF protections via rebinding domains
- Timing-Based Discovery - Blind resource discovery via response timing anomalies
- Error-Based Disclosure - Force verbose errors (type confusion, format strings, encoding)
- Path Normalization Extended - 30+ variations (dots, slashes, encoding, null bytes, semicolons, unicode)
- Content Sniffing - Polyglot file uploads (GIFAR, PDF+HTML, SVG+XSS)
- Buffer/Size Limits - Large URL, headers, POST body testing
Dangerous Attack Vectors:
- HTTP Desync - Advanced request smuggling (CL.CL, space in header, tab, vertical tab, obs-fold)
- Dangling Markup - Data exfiltration via unclosed HTML tags
- CSS Injection - Attribute selector exfiltration, @import, @font-face
- XSLT Injection - Code execution via document(), system-property(), php:function()
- PDF Injection - SSRF/LFI via PDF generators (wkhtmltopdf, PhantomJS)
- PostMessage Vulnerabilities - Insecure origin validation detection
- RPO (Relative Path Overwrite) - XSS via CSS injection with relative paths
- Integer Overflow - 32/64-bit boundary testing, signed/unsigned issues
- CORS Misconfiguration - Tests for overly permissive CORS policies, origin reflection, null origin
- Open Redirect Detection - 25+ redirect parameter tests with encoding bypasses
- CRLF Injection - HTTP response splitting via headers and parameters
- Prototype Pollution - Query string and JSON body pollution tests
- SSTI (Server-Side Template Injection) - Detection for Jinja2, Freemarker, Velocity, ERB, Twig, and more
- XXE (XML External Entity) - File read, SSRF, and SOAP endpoint testing
- Insecure Deserialization - Java, PHP, Python pickle, ASP.NET ViewState
- HTTP/2 Specific Attacks - H2C smuggling, CONTINUATION frame detection
- WebSocket Security - CSWSH (Cross-Site WebSocket Hijacking) testing
- Subdomain Takeover - Detection for 25+ vulnerable services (GitHub, Heroku, AWS, Azure, etc.)
- Security Headers Audit - CSP, HSTS, X-Frame-Options, Permissions-Policy analysis
- Cookie Security - HttpOnly, Secure, SameSite flag verification
- Information Disclosure - 50+ paths for sensitive files (.git, .env, backups, configs)
- NoSQL Injection - MongoDB operator injection ($ne, $gt, $regex, $where)
- LDAP Injection - Filter injection and authentication bypass tests
- Unicode Normalization - WAF bypass via homoglyphs and encoding tricks
- JSON Injection - Parser differential attacks, duplicate keys, type confusion
- Extended IP Spoofing - 17+ header variations for IP-based access controls
- Azure Blob Enumeration - Public container discovery
- GCP Bucket Discovery - Google Cloud Storage misconfiguration
- Serverless Function Detection - AWS Lambda, Vercel, Netlify endpoints
- Kubernetes API Exposure - K8s API, dashboard, and secret enumeration
- Cloud Provider Detection - Enhanced fingerprinting for 10+ cloud providers
- API Versioning Bypass - Unprotected legacy API version endpoints
- Mass Assignment - Dangerous parameter acceptance testing
- IDOR Detection - Insecure Direct Object Reference pattern detection
- Business Logic Flaws - Negative values, boundary testing, type confusion
- Email Header Injection - Contact form SMTP injection
- File Upload Bypass - Extension, MIME type, and magic byte bypasses
- HTTP Response Splitting - Header injection via parameters
- Clickjacking - Frame-busting bypass verification
-
Results Explorer - New comprehensive results viewer with:
- Left panel showing all scanned sites with finding counts and severity indicators (🔴🟠🟡)
- "All Sites" option to view combined results across all targets
- Results grouped by category (API_DISCOVERY, DNS_HISTORY, etc.)
- Detailed view panel showing full result information when clicked
- Sorting options: Severity (High→Low, Low→High), Technique (A-Z, Z-A), Category, Bypass Status
- Filtering options: All Results, CRITICAL/HIGH/MEDIUM/LOW/INFO only, Bypasses only, Non-bypasses only
- Expand All / Collapse All buttons for quick navigation
- Export View button to save filtered results to JSON
-
Pulsating Results Button - The Results button now:
- Located at the bottom of the output area for better visibility
- Larger size (40px height) with 📊 icon
- Turns green and gently pulsates when scan completes with results
- Changes color on hover (darkens) for better interactivity
- Resets to default gray when results are cleared
-
INFO-Level Results - All scan results now appear in output, not just bypasses:
- LOW and INFO severity findings are now displayed
- Shows reason for blocked requests (e.g., "Blocked: 404")
- Complete visibility into all scan activity
-
Target Tracking - Results Explorer now shows actual target site names instead of "Unknown Target"
- Fixed result filtering to include all findings (CRITICAL, HIGH, MEDIUM, LOW, INFO)
- Added target URL injection into result objects for proper grouping
- Improved URL parsing to extract clean domain names for display
- Added QPropertyAnimation for smooth pulsating effects
- Better stylesheet management with hover states
# Clone repository
git clone https://github.com/K0NGR3SS/WAFPierce.git
cd WAFPierce
# Install dependencies
pip3 install -r requirements.txt
# Install in development mode
pip3 install -e .python3 run_gui.py WAFPierce tests 100+ bypass methods across multiple categories:
- Host Header Injection - Manipulates Host header values
- X-Forwarded-For - IP spoofing via proxy headers (127.0.0.1, 10.x, 192.168.x, AWS metadata IP)
- X-Forwarded-Host - Alternative host header injection
- X-Original-URL / X-Rewrite-URL - Path override attempts
- Origin/Referer Manipulation - CORS and origin header bypass
- Custom Header Fuzzing - X-Debug, X-Internal, X-Skip-WAF headers
- True-Client-IP / CF-Connecting-IP - CDN-specific header spoofing
- Extended IP Spoofing - 17+ header variations (X-Real-IP, X-Client-IP, X-Cluster-Client-IP, etc.)
- Host Header Attacks - Password reset poisoning, routing bypass, cache poisoning
- Path Encoding - URL encoding bypasses (%2e, %252e, etc.)
- Double/Triple Encoding - Advanced encoding evasion
- Case Manipulation - Mixed case payloads (/AdMiN, /WP-ADMIN)
- Comment Injection - SQL/HTML comment insertion
- Whitespace Manipulation - Tabs, newlines, null bytes to break signatures
- Unicode Normalization - Homoglyphs, fullwidth characters, RTL override, zero-width spaces
- Path Normalization Extended - 30+ variations (dots, slashes, encoding, null bytes, semicolons, unicode)
- Transfer-Encoding Smuggling - CL.TE/TE.TE request smuggling
- HTTP/2 Downgrade - Protocol downgrade attacks
- H2C Smuggling - HTTP/2 Cleartext upgrade smuggling
- WebSocket Upgrade - Tunnel through WAFs via WebSocket
- WebSocket CSWSH - Cross-Site WebSocket Hijacking
- HTTP Pipelining - Connection keep-alive abuse
- Chunked Transfer - Split payloads across chunks
- HTTP Method Bypass - Tests non-standard methods (TRACE, OPTIONS, PUT, DELETE)
- HTTP Method Override - X-HTTP-Method-Override header manipulation
- Advanced Request Smuggling - H2.CL, H2.TE, TE.TE variations, HTTP/3 downgrade attempts
- HTTP Desync - CL.CL, space/tab/vertical-tab in headers, obs-fold line wrapping
- Extended Verb Tampering - TRACE/TRACK (XST), DEBUG, WebDAV methods, custom methods
- Range Header Attacks - Overlapping ranges, many ranges DoS, invalid ranges, suffix ranges
- Multipart Boundary Bypass - Long boundaries, special chars, quoted, CRLF, extra headers
- Cache-Control - Cache directive manipulation
- Cache Poisoning - Unkeyed header injection (X-Forwarded-Host, X-Original-URL)
- Range Header - Partial content bypasses
- Web Cache Deception - Static extension tricks (.css, .js), cache key poisoning
- SQLi Bypass - WAF-evading SQL injection payloads
- XSS Bypass - Cross-site scripting evasion
- Command Injection Bypass - OS command injection evasion
- Path Traversal Bypass - Directory traversal evasion
- SSRF Bypass - Server-side request forgery evasion
- NoSQL Injection - MongoDB operator injection ($ne, $gt, $regex, $where)
- LDAP Injection - Filter injection and auth bypass
- SSTI Detection - Server-Side Template Injection (Jinja2, Freemarker, Velocity, ERB, Twig, Pebble, Mako)
- XXE Detection - XML External Entity injection (file read, SSRF, SOAP)
- CRLF Injection - HTTP response splitting
- Prototype Pollution - JavaScript prototype chain pollution
- JSON Injection - Parser differentials, duplicate keys, type confusion
- Insecure Deserialization - Java, PHP, Python pickle, ASP.NET ViewState
- SSI Injection - Server-Side Includes (exec cmd, include file, printenv)
- Log4Shell Detection - ${jndi:ldap://} patterns with 12+ obfuscation bypasses
- XSLT Injection - Code execution via document(), system-property(), php:function()
- CSS Injection - Attribute selector exfiltration, @import, @font-face
- Dangling Markup - Data exfiltration via unclosed HTML tags
- CORS Misconfiguration - Wildcard, null origin, origin reflection, credential exposure
- Open Redirect - 25+ redirect parameters with encoding bypasses
- Security Headers Audit - CSP, HSTS, X-Frame-Options, Permissions-Policy, COOP, CORP, COEP
- Cookie Security - HttpOnly, Secure, SameSite flag verification
- Clickjacking - X-Frame-Options and CSP frame-ancestors verification
- Content Sniffing - X-Content-Type-Options, polyglot file uploads
- HTTP Parameter Pollution - Duplicate parameters to confuse parsing
- API Versioning Bypass - Unprotected legacy API versions (/v1/, /v2/, /api/internal/)
- Mass Assignment - Dangerous parameter acceptance (admin, role, privilege)
- IDOR Detection - Insecure Direct Object Reference patterns
- Business Logic Flaws - Negative values, boundaries, type confusion
- Race Condition Testing - Concurrent requests to exploit timing windows
- File Upload Bypass - Extension, MIME type, magic byte bypasses
- Email Header Injection - Contact form SMTP injection
- HTTP Response Splitting - Header injection via parameters
- Integer Overflow - 32/64-bit boundary testing, signed/unsigned issues
- JWT Algorithm Confusion - none/None/NONE algorithm bypass
- JWT KID Injection - SQL injection, path traversal, RCE via
kidparameter - JWT JKU/X5U SSRF - SSRF via JSON Web Key URL
- JWT Weak Secrets - Common password brute-force
- JWT Token Discovery - Find exposed JWTs in responses
- GraphQL Introspection - Full schema dump via __schema query
- GraphQL Batching DoS - Multiple operations in single request
- GraphQL Depth Bypass - Nested query DoS, no depth limit
- GraphQL Alias DoS - Thousands of aliases in single query
- GraphQL Field Suggestion - Type enumeration
- SSRF Protocol Smuggling - gopher://, dict://, file://, ldap:// handlers
- SSRF PHP Wrappers - php://filter, php://input, data://, expect://
- SSRF IP Bypass - Hex, octal, decimal, IPv6 mapped, short forms
- DNS Rebinding - Bypass IP-based SSRF protections
- Polyglot Payloads - Multi-context payloads (XSS+SQLi, SSTI+XSS)
- Payload Mutation Engine - Automated payload variations
- Time-Based Blind Detection - Response timing analysis
- Timing-Based Discovery - Blind resource discovery via timing anomalies
- Error-Based Disclosure - Force verbose errors (type confusion, format strings)
- PDF Injection - SSRF/LFI via PDF generators (wkhtmltopdf, PhantomJS)
- PostMessage Vulnerabilities - Insecure origin validation
- RPO (Relative Path Overwrite) - XSS via CSS injection with relative paths
- AWS S3 Bucket Enumeration - Public bucket discovery
- Azure Blob Enumeration - Public container discovery
- GCP Bucket Discovery - Google Cloud Storage misconfiguration
- Kubernetes API Exposure - K8s API, dashboard, secrets enumeration
- Serverless Function Detection - AWS Lambda, Vercel, Netlify endpoints
- Cloud Metadata Enumeration - SSRF to IMDS endpoints (169.254.169.254)
- Cloud Provider Detection - Fingerprinting for 10+ cloud providers
- Sensitive File Discovery - 50+ paths (.git, .env, backups, configs, debug endpoints)
- API Key/Secret Exposure - 35+ patterns (AWS, GitHub, Stripe, Slack, Google, Firebase, etc.)
- Subdomain Takeover - Detection for 25+ vulnerable services
- Subdomain Enumeration - DNS resolution for common prefixes
- Certificate Transparency - Domain extraction from SSL certificates
- Historical DNS Lookup - Origin IP discovery via DNS history
- Technology Stack Fingerprinting - Frameworks, CMS, servers, languages
- DNS Zone Transfer - AXFR enumeration attempts
- Buffer/Size Limits - Large URL, headers, POST body testing
- WAF Fingerprinting - 20+ WAF vendors (Cloudflare, AWS, Akamai, Imperva, F5, etc.)
- WAF Rule Version Detection - OWASP CRS version and rule IDs
- JavaScript WAF Detection - PerimeterX, DataDome, HUMAN, Kasada, Shape, Distil
- CDN Detection - 12+ CDN providers
- Rate Limit Detection - Request thresholds and rate limiting headers
- Bot Detection Evasion - User-Agent rotation, browser fingerprint simulation
Features planned for future releases:
AI triage, payload mutation, and auto-report are now available via the Anthropic API. Future work: in-scan adaptive payload generation and LLM-guided crawling.
- Out-of-band (OOB) blind-vuln confirmation (Interactsh + self-hosted listener)
- Bypass re-confirmation pass (confidence scoring)
- Reproduction
curlper finding - TLS (JA3/JA4) + HTTP/2 fingerprint impersonation
- Automated test suite + CI
- Full async engine (currently a bounded adaptive thread pool)
- gRPC/protobuf fuzzing (detection shipped) and HTTP/3 bypass testing over QUIC
- GUI: built-in Repeater, request/response inspector, trend dashboard
- Deeper SAML XSW exploitation and live JWT-jwk replay confirmation
Have ideas for new tests? Message either Marwan or Nazariy
- Python 3.8+
- PySide6 6.10.1+
- requests library
If you discover vulnerabilities using this tool:
- DO report to the affected organization immediately
- DO give reasonable time for fixes (typically 90 days)
- DO follow coordinated disclosure practices
- DON'T publicly disclose until patched
- DON'T exploit findings for personal gain
This tool is designed for learning. Recommended resources:
- OWASP WAF Testing Guide
- PortSwigger Web Security Academy
- Bug Bounty Platforms (for authorized testing)
FOR AUTHORIZED SECURITY TESTING ONLY
This tool is intended exclusively for authorized penetration testing and security research. You must obtain explicit written permission before testing any system you do not own.
Unauthorized access to computer systems is illegal. Violators may face prosecution under the Computer Fraud and Abuse Act (CFAA), Computer Misuse Act, or equivalent laws in your jurisdiction.
By using this tool, you agree to:
- Only test systems you own or have written authorization to test
- Comply with all applicable laws and regulations
- Accept full responsibility for your actions
The authors assume NO LIABILITY for misuse. This software is provided "AS IS" without warranty of any kind.
If you don't have permission, don't use it.