Most web application firewalls (WAFs) have a limit on the amount of request body data they will inspect. This means that for HTTP requests that carry a request body (e.g. POST, PUT, PATCH), a WAF can often be bypassed simply by prepending junk data to the request body.
When the request is filled with this garbage data, the WAF will process the request up to X KB and analyze it, but everything after the WAF limit will just pass through.
nowafpls is a simple Burp plugin that inserts this junk data into the HTTP request inside the Repeater tab. You can choose from preset amounts of junk data or insert any amount by selecting the "Custom" option.
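To make the failure mode above concrete, here is an added Python model of a WAF with a body inspection limit. It is example code written for this page, not part of nowafpls or of any real WAF product; the inspection limit, the signature, the policy names "process_partial" and "reject", and the request bodies are all constructed assumptions. It shows the verdict a partial-inspection policy returns for a padded body next to the two settings a defender actually controls: rejecting bodies over the limit (fail closed) and flagging bodies whose inspected prefix is almost entirely one repeated byte.

```python
# Added example, not part of nowafpls: a toy model of a WAF with a
# request-body inspection limit. It shows why "inspect the first X KB and
# pass the rest through" is bypassable by padding, and how a fail-closed
# limit and a simple padding heuristic change the outcome.
# All sizes, rule patterns and request bodies here are constructed.

import re
from typing import Optional
from urllib.parse import urlencode

# Stand-in for a real WAF signature (constructed canary, not a real rule).
RULE = re.compile(rb"WAF-TEST-CANARY")

INSPECT_LIMIT = 1024  # bytes the toy WAF is willing to inspect (assumption)


def inspect(body: bytes, limit: Optional[int] = INSPECT_LIMIT,
            policy: str = "process_partial") -> str:
    """Return the toy WAF's verdict: 'allow', 'block' or 'reject'.

    policy='process_partial': inspect only the first `limit` bytes and let
        the remainder through uninspected (the weak behaviour).
    policy='reject': refuse any body larger than `limit` (fail closed).
    limit=None: inspect the whole body regardless of size.
    """
    if limit is not None and len(body) > limit:
        if policy == "reject":
            return "reject"  # an HTTP 413 Payload Too Large in practice
        inspected = body[:limit]
    else:
        inspected = body
    return "block" if RULE.search(inspected) else "allow"


def padding_ratio(body: bytes, limit: int = INSPECT_LIMIT) -> float:
    """Fraction of the inspected prefix made up of its most common byte.

    A legitimate form or JSON body rarely has a prefix that is almost
    entirely one repeated byte; a padded one does. Useful as a logging
    or alerting signal for bodies that exceed the inspection limit.
    """
    prefix = body[:limit]
    if not prefix:
        return 0.0
    most_common = max(set(prefix), key=prefix.count)
    return prefix.count(most_common) / len(prefix)


def build_form_body(fields: dict) -> bytes:
    """Minimal application/x-www-form-urlencoded encoder (constructed)."""
    return urlencode(fields).encode()


# Constructed requests: a normal body, and the same body preceded by a dummy
# parameter large enough to push the real parameter past INSPECT_LIMIT.
NORMAL_BODY = build_form_body({"q": "WAF-TEST-CANARY"})
PADDED_BODY = build_form_body({"junk": "A" * (INSPECT_LIMIT + 100),
                               "q": "WAF-TEST-CANARY"})


def demo() -> dict:
    """Run the policies over both bodies and return verdicts and ratios."""
    return {
        "normal_partial": inspect(NORMAL_BODY),                 # 'block'
        "padded_partial": inspect(PADDED_BODY),                 # 'allow'
        "padded_reject": inspect(PADDED_BODY, policy="reject"), # 'reject'
        "padded_full": inspect(PADDED_BODY, limit=None),        # 'block'
        "padded_ratio": padding_ratio(PADDED_BODY),             # ~0.995
        "normal_ratio": padding_ratio(NORMAL_BODY),             # ~0.18
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value}")
```

Run it as a script to print the verdicts. The defender's takeaway is the policy choice: a WAF that lets an oversized body through after a partial inspection is exactly what makes the padding described above work, so the inspection limit should either cover the backend's own maximum body size or reject rather than pass through (in ModSecurity 2.x this is the difference between SecRequestBodyLimitAction ProcessPartial and SecRequestBodyLimitAction Reject). The padding ratio is only a logging signal, since a legitimate large upload can also look uniform, so pair it with the body-exceeds-limit condition rather than blocking on it alone.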
Install nowafpls
nowafpls is a Jython-based Burp plugin.
- Clone or download this repo.
- Go to the Extensions tab in Burp Suite.
- Click "Add"
- Select Extension Type – Python
- Select the "nowafpls.py" you downloaded in step 1
How to use nowafpls
- Send any requests that you want to bypass the WAF to the Repeater tab.
- Place the cursor where you want to insert the junk data.
- Right click -> Extensions -> nowafpls
- Choose how much garbage data to insert
- Click "OK"