Bypassing WAF
Master techniques to understand, exploit, and bypass WAFs, covering signature and pattern bypasses, parsing and normalisation evasion, protocol manipulation, and exploiting weak/outdated configurations.
This module will focus on the exploitation of Web Application Firewalls (WAFs), a crucial component of modern web security. We will first cover WAF fundamentals, including architecture, detection methods, rule creation, and limitations. We will examine how WAFs detect malicious traffic, distinguish between signature and behavioural analysis, and enforce filtering rules. We will also cover hands-on exploitation, targeting outdated OWASP CRS versions, weak configurations, and various evasion techniques like signature manipulation, parsing and normalisation bypasses, and protocol-level exploits to evade detection. The module concludes with two real-world challenges where you can apply these techniques to analyse, bypass, and exploit WAF protections in realistic environments.
WAF: Introduction
Learn about Web Application Firewalls and what differentiates them from other types of firewalls.
WAF: Exploitation Techniques
Learn to bypass Web Application Firewalls using practical evasion techniques.
Padelify
Use red-teaming techniques to bypass the WAF and obtain admin access to the web application.
Farewell
Use red-teaming techniques to bypass the WAF and obtain admin access to the web application.
Need to know

Web Hacking Fundamentals
Understand the core security issues with web applications, and learn how to exploit them using industry tools and techniques.

Advanced Client-Side Attacks
Through real-world scenarios, you will gain a detailed understanding of client-side attacks, including XSS, CSRF, DOM-based vectors, SOP, and CORS vulnerabilities.

Advanced Server-Side Attacks
Master the skills of advanced server-side attacks, covering SSRF, File Inclusions, Deserialization, Race Conditions, and Prototype Pollution.
What are modules?
A learning pathway is made up of modules, and a module is made of bite-sized rooms (think of a room like a mini security lab).


