
WAFPierce

A CLI and GUI WAF/CDN fingerprinting and bypass validation tool for pentesting across cloud providers. It detects 17+ WAFs and 12+ CDNs, runs 35+ bypass/evasion techniques with baseline heuristics (status, size, hashes), and outputs Markdown reports.

About this skill: Quality Score 0/100; Supported Platforms: Universal

README

WAFPierce
CloudFront WAF Bypass & Penetration Testing Tool
Version 1.4 | Python 3.8+ | MIT license

What is WAFPierce?

WAFPierce is a powerful WAF/CDN assessment and bypass validation tool for penetration testing and security research.

It fingerprints 17+ WAF vendors and 12+ CDN providers, then tests <b>100+ bypass/evasion techniques</b> using baseline + heuristic comparisons (status codes, response size, hashes) to confirm real bypasses—even when defenses return OK.

It also supports rate-limit detection, API endpoint and directory discovery, protocol-level testing (request smuggling, HTTP/2 downgrade, WebSocket tunneling), comprehensive injection testing (SQLi, XSS, SSRF, NoSQL, LDAP, XXE, SSTI, Log4Shell), cloud-specific tests, a clean GUI, optimized parallel performance, and automated Markdown reporting.

▶️ Watch the Trailer: https://youtu.be/O_iT_AuvczY

Key Features

Full feature list:
  • WAF Detection & Fingerprinting — Identifies 17+ WAF vendors (Cloudflare, AWS WAF, Akamai, Imperva, F5, Sucuri, ModSecurity, and more)
  • CDN Detection — Detects 12+ CDN providers (CloudFront, Akamai, Fastly, Cloudflare, etc.)
  • WAF Bypass Detection — Tests 100+ different bypass techniques
  • Smart WAF Bypass — Uses baseline comparison and heuristic analysis (size, hash, status codes) to detect bypasses even when WAFs return 200 OK
  • Payload Evasion Testing — SQLi, XSS, Command Injection, Path Traversal, SSRF bypass payloads
  • Advanced Injection Testing — NoSQL, LDAP, SSTI, XXE, CRLF, Prototype Pollution, Deserialization, Log4Shell
  • Protocol-Level Attacks — HTTP Request Smuggling, HTTP/2 Downgrade, H2C Smuggling, WebSocket CSWSH, HTTP Desync
  • Security Misconfiguration — CORS, Open Redirect, Security Headers, Cookie Security, Clickjacking
  • Cloud Security Testing — AWS S3, Azure Blob, GCP Buckets, Kubernetes API, Serverless Functions
  • Information Disclosure — Git/SVN/Env files, Backups, Debug endpoints, Sensitive configs, API Key Exposure
  • Business Logic Testing — IDOR, Mass Assignment, Race Conditions, File Upload Bypass, Integer Overflow
  • Advanced Attacks — JWT Exploitation, GraphQL Attacks, Web Cache Deception, DNS Rebinding, CSS/XSLT Injection
  • Rate Limit Detection — Identifies request thresholds and rate limiting behavior
  • API Endpoint Discovery — Finds unprotected API routes and debug endpoints
  • Subdomain Takeover Detection — Identifies vulnerable subdomains across 25+ services
  • Automated Reporting — Generates detailed markdown reports
  • GUI system — Clean and efficient GUI system made for the user's comfort
  • Optimized Performance — Connection pooling, response caching, and parallel batch testing
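The baseline comparison that the introduction and the "Smart WAF Bypass" bullet describe, as an added example (not the project's code; BLOCK_STATUSES, the 20% size tolerance and the sample responses are assumptions): each probe is judged against a benign baseline of the same path by status code, body size and body hash, so a block page served with 200 OK is still recognised as a block rather than a pass.

```python
import hashlib
from dataclasses import dataclass

# Statuses that usually mean the edge/WAF answered instead of the origin
# (assumed set; tune it to the WAF under test).
BLOCK_STATUSES = {401, 403, 406, 418, 419, 429, 503}

@dataclass(frozen=True)
class Response:
    """The three signals the heuristic uses: status code, body size, body hash."""
    status: int
    body: bytes

    @property
    def size(self) -> int:
        return len(self.body)

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.body).hexdigest()

def classify(baseline: Response, probe: Response, size_tolerance: float = 0.20) -> str:
    """Verdict for a probe against the benign baseline of the same path:
    "blocked" = block-type status, or same status but a body so different in size
                that it is another page (a block page served as 200 OK);
    "passed"  = byte-identical to the baseline, so the request reached the origin;
    "review"  = same status but a modestly different body (reflected input, dynamic
                content), or a non-block status such as 500 (an origin error, not a
                WAF verdict); a second probe or a human must settle these."""
    if probe.status != baseline.status:
        return "blocked" if probe.status in BLOCK_STATUSES else "review"
    if probe.digest == baseline.digest:
        return "passed"
    delta = abs(probe.size - baseline.size) / max(baseline.size, 1)
    return "blocked" if delta > size_tolerance else "review"

# Constructed sample responses, not captured from any real host.
BASELINE = Response(200, b"<html><body><h1>Shop</h1><p>Welcome back, guest.</p></body></html>")
SAMPLES = {
    "denied_403": Response(403, b"<html><h1>403 Forbidden</h1></html>"),
    "block_page_200": Response(200, b"<html><head><title>Access Denied</title></head><body>"
                                    b"<h1>Request blocked</h1><p>Your request was blocked by the "
                                    b"web application firewall. Ref 00000000</p></body></html>"),
    "identical_200": Response(200, BASELINE.body),
    "reflected_200": Response(200, BASELINE.body.replace(b"guest", b"test")),
}

def classify_all(baseline: Response = BASELINE, samples: dict = SAMPLES) -> dict:
    """Run the heuristic over every sample; returns {name: verdict}."""
    return {name: classify(baseline, resp) for name, resp in samples.items()}
```

The same comparison doubles as a regression check that a WAF policy still interposes on known test requests after a rule change.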

🚀 Quick Start

git clone https://github.com/K0NGR3SS/WAFPierce.git
cd WAFPierce
pip3 install -r requirements.txt
python3 run_gui.py

📦 Installation

# Clone repository
git clone https://github.com/K0NGR3SS/WAFPierce.git
cd WAFPierce

# Install dependencies
pip3 install -r requirements.txt

# (Optional) Install in development mode
pip3 install -e .

🖥️ Usage

Run UI

python3 run_gui.py  

🤝 Contributing

Contributions, bug reports, and feature requests are welcome! Please open an issue or pull request on GitHub.


Changelog

Version 1.4 (March 2026)

Bug Fixes & Stability

  • Fixed fatal GUI crash on launch — Corrected a corrupted Signal(object) declaration in QtWorker that prevented the app from starting
  • Fixed frozen-mode scan crash — Resolved ModuleNotFoundError: No module named 'charset_normalizer.md' when running in-process scans from the PyInstaller executable; added a runtime compatibility shim and updated .spec hidden imports
  • Fixed Plugin Manager crash — Resolved the cannot access free variable 'os' error when clicking "Open Plugins Folder", caused by a scoping issue in the nested closure; os and sys are now correctly imported at the method level
  • Fixed URL data lookups — Progress bar resets, target detail panels, and queue removal were incorrectly using censored display text instead of the actual URL stored in Qt UserRole data; all corrected to use item.data(0, 256)
  • Fixed self.output stale reference — _restore_scan_queue was calling self.output.append(...) on a non-existent widget; corrected to use self.append_log(...)
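The scoping issue behind the Plugin Manager crash above, as an added illustration (not the project's code; the function names and the paths are hypothetical): a nested handler reads os, and an import os placed later in the enclosing method makes that name local to the method, so the closure's cell is still empty when the handler fires.

```python
def open_plugins_folder_buggy() -> str:
    """Reproduces the bug: `os` is imported inside the method, but only after
    the nested handler that uses it has already run."""
    def on_click():
        # `os` is a free variable of on_click. Because the enclosing function
        # also assigns it (an `import` is an assignment), the name is bound to
        # the enclosing local scope, whose cell is still empty at this point.
        return os.path.join("wafpierce", "plugins")

    result = on_click()  # raises NameError: cannot access free variable 'os'
    import os            # this line is what makes `os` local to the method
    return result


def open_plugins_folder_fixed() -> str:
    """The fix from the changelog: import `os` and `sys` at method level,
    before the closure is defined, so the cell is populated when it runs."""
    import os
    import sys

    def on_click():
        return f"{sys.platform}:{os.path.join('wafpierce', 'plugins')}"

    return on_click()


def reproduce_bug() -> str:
    """Return the exception text so the failure mode can be checked."""
    try:
        open_plugins_folder_buggy()
    except NameError as exc:
        return str(exc)
    return "no error"
```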

Feature Improvements

  • Plugin template editor is now editable — The plugin template in the Plugin Manager "Create" tab was previously read-only; it can now be freely edited before saving
  • Plugin filename input added — A filename field has been added to the Create tab so users can name the plugin file; saved directly to the plugins folder (%APPDATA%/wafpierce/plugins/)
  • Plugin list auto-refreshes on save — After creating a plugin from the template, the plugin list reloads automatically without needing to reopen the dialog
  • Custom Payloads dialog hardened — Add and Import buttons now validate input, show proper error dialogs on failure, and guard against missing database connection
  • Scheduled Scans dialog hardened — Added database availability guard, fixed datetime parsing to use fromisoformat correctly, and added explicit error messages for all failure paths
  • Hardened entry point — run_gui.py now falls back to importlib.util module loading if the standard from wafpierce.gui import main import fails in unusual path contexts

Removed

  • Scan Templates — The Templates feature (📋 button, Ctrl+T shortcut, and save/load/delete dialog) has been removed as it was not providing enough value

Dependency Updates

  • Added cryptography>=42.0.0 to requirements.txt and setup.py for SSL certificate analysis support
  • Added urllib3, certifi, charset-normalizer, and idna as explicit install requirements

Version 1.3 (February 2025)

New Dangerous Attack Vectors (30+ New Tests)

Advanced Protocol Attacks:

  • GraphQL Deep Testing - Introspection attacks, batching DoS, depth limit bypass, alias-based DoS, circular fragments
  • JWT Attack Suite - Algorithm confusion (none/None/NONE), KID injection (SQLi, traversal, RCE), JKU/X5U SSRF, weak secret detection
  • Web Cache Deception - Static extension tricks (.css, .js), cache key poisoning via unkeyed headers
  • Log4Shell Detection - ${jndi:ldap://} patterns with 12+ obfuscation bypasses (nested lookups, env variables)
  • SSRF Protocol Smuggling - gopher://, dict://, file://, ldap://, php://, jar://, netdoc:// handlers

Extended Security Tests:

  • Host Header Attacks - Password reset poisoning, routing bypass, X-Forwarded-Host injection
  • SSI Injection - Server-Side Includes (exec cmd, include file, printenv)
  • API Key/Secret Exposure - 35+ patterns (AWS, GitHub, Stripe, Slack, Google, Firebase, etc.)
  • DNS Zone Transfer - AXFR enumeration attempts
  • Extended Verb Tampering - TRACE/TRACK (XST), DEBUG, WebDAV methods, custom methods
  • Range Header Attacks - Overlapping ranges, many ranges DoS, invalid ranges
  • Multipart Boundary Bypass - Long boundaries, special chars, quoted, CRLF variations

Advanced Discovery:

  • DNS Rebinding - Bypass IP-based SSRF protections via rebinding domains
  • Timing-Based Discovery - Blind resource discovery via response timing anomalies
  • Error-Based Disclosure - Force verbose errors (type confusion, format strings, encoding)
  • Path Normalization Extended - 30+ variations (dots, slashes, encoding, null bytes, semicolons, unicode)
  • Content Sniffing - Polyglot file uploads (GIFAR, PDF+HTML, SVG+XSS)
  • Buffer/Size Limits - Large URL, headers, POST body testing

Dangerous Attack Vectors:

  • HTTP Desync - Advanced request smuggling (CL.CL, space in header, tab, vertical tab, obs-fold)
  • Dangling Markup - Data exfiltration via unclosed HTML tags
  • CSS Injection - Attribute selector exfiltration, @import, @font-face
  • XSLT Injection - Code execution via document(), system-property(), php:function()
  • PDF Injection - SSRF/LFI via PDF generators (wkhtmltopdf, PhantomJS)
  • PostMessage Vulnerabilities - Insecure origin validation detection
  • RPO (Relative Path Overwrite) - XSS via CSS injection with relative paths
  • Integer Overflow - 32/64-bit boundary testing, signed/unsigned issues

New Security Tests (35+ New Tests)

  • CORS Misconfiguration - Tests for overly permissive CORS policies, origin reflection, null origin
  • Open Redirect Detection - 25+ redirect parameter tests with encoding bypasses
  • CRLF Injection - HTTP response splitting via headers and parameters
  • Prototype Pollution - Query string and JSON body pollution tests
  • SSTI (Server-Side Template Injection) - Detection for Jinja2, Freemarker, Veloci

GitHub stars: 6 | Forks: 1 | Category: Development | Languages: Python
Security Score: 85/100 (audited on Mar 30, 2026; no findings)