Bypassing WAF

Master techniques to understand, exploit, and bypass WAFs, covering signature and pattern bypasses, parsing and normalisation evasion, protocol manipulation, and exploiting weak/outdated configurations.

This module will focus on the exploitation of Web Application Firewalls (WAFs), a crucial component of modern web security. We will first cover WAF fundamentals, including architecture, detection methods, rule creation, and limitations. We will examine how WAFs detect malicious traffic, distinguish between signature and behavioural analysis, and enforce filtering rules. We will also cover hands-on exploitation, targeting outdated OWASP CRS versions, weak configurations, and various evasion techniques like signature manipulation, parsing and normalisation bypasses, and protocol-level exploits to evade detection. The module concludes with two real-world challenges where you can apply these techniques to analyse, bypass, and exploit WAF protections in realistic environments.

WAF: Introduction

Learn about Web Application Firewalls and what differentiates them from other types of firewalls.

WAF: Exploitation Techniques

Learn to bypass Web Application Firewalls using practical evasion techniques.

Padelify

Use red-teaming techniques to bypass the WAF and obtain admin access to the web application.

Farewell

Use red-teaming techniques to bypass the WAF and obtain admin access to the web application.

Topic Rewind Recap

Lock in what you learned with a recap. Earn points and keep your streak.

Need to know

Web Hacking Fundamentals

Understand the core security issues with web applications, and learn how to exploit them using industry tools and techniques.

Advanced Client-Side Attacks

Through real-world scenarios, you will gain a detailed understanding of client-side attacks, including XSS, CSRF, DOM-based vectors, SOP, and CORS vulnerabilities.

Advanced Server-Side Attacks

Master the skills of advanced server-side attacks, covering SSRF, File Inclusions, Deserialization, Race Conditions, and Prototype Pollution.

Next steps

Custom Tooling

Build and automate custom tools using Python, Burp Suite, and browser automation to exploit and test web applications efficiently.

Attacking LLMs

Learn to identify and exploit LLM vulnerabilities, covering prompt injection, insecure output handling, and model poisoning.

What are modules?

A learning pathway is made up of modules, and a module is made of bite-sized rooms (think of a room like a mini security lab).

Hierarchical diagram showing how learning pathways contain modules, which contain individual rooms.