• nowafpls
  • Documented WAF limitations
  • Installing nowafpls
  • Using nowafpls
  • Authors
  • License

Most web application firewalls (WAFs) have limitations for how much data they can process when a request body is sent. This means for HTTP requests that contain a request body (i.e. POST, PUT, PATCH etc), it is usually possible to bypass the WAF by simply prepending junk data.

When the request is padded with this junk data, the WAF will process up to X kb of the request and analyze it, but everything after the limits of the WAF will pass straight through.

nowafpls is a simple Burp plugin which will contextually insert this junk data into your HTTP request inside the repeater tab. You can select from a preset amount of junk data you want inserted, or you can insert an arbitrary amount of junk data by selecting the "Custom" option.

This tool is just 80 or so lines of Python, it's incredibly simple but works for most WAFs lol.

nowafpls is a Jython based Burp Plugin.

1. Clone or download this repo.
2. Go to the extensions tab in Burp Suite.
3. Click "Add"
4. Select Extension Type - Python
5. Select "nowafpls.py" that you downloaded in Step 1

1. Send any request to the repeater tab that you'd like to bypass WAF for.
2. Put your cursor in a place you would like to insert junk data.
3. Right click -> Extensions -> nowafpls
4. Select how much junk data you want to insert
5. Click "OK"

nowafpls will insert junk data as per the type of request (URLEncoded/XML/JSON) automatically.

The Caido version of this plugin is maintained by @Rhynorater and can be found at the below gist:

https://gist.github.com/Rhynorater/ace68d4976357ca0937cb4669f303306

or in the EvenBetter Workflow Library.

• Shubham Shah - Initial work - github

MIT