Skip to content
/ waf-stressor Public

Production-grade Web Application Firewall testing tool. Detects Cloudflare, AWS WAF, Akamai & more. Identifies bypass vectors via URL normalization. Perfect for bug bounty & pentesting.

41 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

theghostshinobi/waf-stressor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

8 Commits
README.md
README.md
Β 
Β 
analysis.py
analysis.py
Β 
Β 
cli.py
cli.py
Β 
Β 
core.py
core.py
Β 
Β 
engine.py
engine.py
Β 
Β 
httpclientexec.py
httpclientexec.py
Β 
Β 
payingest.py
payingest.py
Β 
Β 
reposys.py
reposys.py
Β 
Β 
run.py
run.py
Β 
Β 
urlops.py
urlops.py
Β 
Β 
waf-stressor-engine.py
waf-stressor-engine.py
Β 
Β 
xss-payloads.txt
xss-payloads.txt
Β 
Β 

Repository files navigation

# πŸ›‘οΈ WAF Stressor  

WAF Stressor is a production-grade assessment engine designed for ethical security research, penetration testing, and bug bounty operations.  
It provides advanced URL normalization fuzzing, payload mutation, and multi-signal WAF fingerprinting to identify bypass vectors and inconsistent filtering behaviors.

---

# πŸ“˜ Table of Contents

- [✨ Features]
- [πŸ“¦ Installation]
- [πŸš€ Quick Start]
- [πŸ“– Usage Examples]
- [πŸŽ›οΈ Command-Line Options]
- [πŸ“Š Understanding Output]
- [πŸ“ Report Formats]
- [🎯 Use Cases]
- [πŸ”¬ Payload Files]
- [πŸ› οΈ Advanced Configuration]
- [πŸ“ˆ Performance Tips]
- [πŸ” Result Analysis]
- [⚠️ Legal & Ethical Use]
- [πŸ“ Contributing]
- [πŸ“„ License]
- [πŸ”— Links]
- [πŸ™ Acknowledgments]

---

# ✨ Features



- πŸ” **WAF Detection & Fingerprinting**  
  Detects 15+ major WAF vendors (Cloudflare, Akamai, AWS, Imperva, F5, ModSecurity, etc.)

- 🎯 **URL Normalization Testing**  
  15+ URL mangling techniques to detect bypass vectors

- πŸ’£ **Payload Mutation Engine**  
  Encodings, obfuscation layers, variant generation

- πŸ“Š **Advanced Metrics**  
  Includes UI, NF, MP, PP, CC, SC

- 🚨 **Automated Finding Generation**  
  Bypass identification, inconsistencies, normalization flaws

- πŸ“ **Multi-Format Reports**  
  JSON, Markdown, HTML, CSV, SARIF (CI/CD compatible)

- ⚑ **Rate Limiting & Backoff**  
  429-aware with exponential backoff

- πŸ”„ **Batch Scanning**  
  Multi-target support, error recovery, progress tracking


---

# πŸ“¦ Installation

## Requirements
- Python **3.8+**
- pip

## Quick Install
```bash
git clone https://github.com/theghostshinobi/waf-stressor.git
cd waf-stressor

Manual Dependencies

pip install httpx rich

πŸš€ Quick Start

Single Target

python run.py https://example.com --budget 50

With Custom Payloads

python run.py https://example.com \
  --payload-file xss-payloads.txt \
  --profile light \
  --budget 50

Deep Scan + Rate Limiting

python run.py https://example.com \
  --payload-file xss-payloads.txt \
  --profile deep \
  --budget 100 \
  --rate 0.5 \
  --no-verify-tls

πŸ“– Usage Examples

1) Quick Assessment

python run.py https://target.com --profile light --budget 30

2) Comprehensive WAF Analysis

python run.py https://target.com \
  --payload-file xss-payloads.txt \
  --profile deep \
  --budget 200 \
  --rate 1.0 \
  --output-dir target_scan

3) Cloudflare Targets

python run.py https://cloudflare-protected.com \
  --payload-file xss-payloads.txt \
  --budget 50 \
  --rate 0.5 \
  --no-verify-tls

4) Batch Scanning

python waf-stressor-engine.py \
  -t targets.txt \
  -f xss-payloads.txt \
  --budget 30 \
  --rate 1.0 \
  --format json

5) Advanced Batch

python cli.py \
  -t targets.txt \
  -f payloads.txt \
  --profile deep \
  --budget 100 \
  --rate 0.5 \
  --delay 10 \
  --format md \
  --verbose

πŸŽ›οΈ Command-Line Options

Show Single Target (run.py)
Option Description Default
--profile light / deep light
--budget Max requests 50
--rate Requests/sec 1.0
--payload-file Payload file payloads.txt
--output-dir Results dir scan_results
--no-verify-tls Disable TLS checks False
--timeout Request timeout 30
--max-redirects Redirect limit 5
Option Description Default
-t Targets file Required
-f Payload file xss-payloads.txt
-o Output dir results
-p Profile light
-b Budget 50
-r Rate 0.5
--format json, md, csv, sarif, html json
-v Verbose False
Option Description Default
-d Delay between targets 10
--timeout Scan timeout 300
--tls-verify Enable TLS verify False
--stop-on-error Halt on errors False

πŸ“Š Understanding Output

============================================================
βœ… SCAN COMPLETE

Target: https://example.com
Profile: LIGHT
Total Requests: 48
Elapsed: 49.35s
Success Rate: 100%

WAF DETECTED: cloudflare

Metrics Explained

Metric Meaning
UI Uniformity Index
NF Normalization Factor
MP Mutation Potency
PP Payload Penetration
CC Consistency Coefficient
SC Status Code Variance

πŸ“ Report Formats

  • JSON β€” structured data
  • Markdown β€” human readable
  • HTML β€” color-coded UI
  • CSV β€” quick parsing
  • SARIF β€” GitHub/CI integration

🎯 Use Cases

Bug Bounty

python run.py https://target.hackerone.com/api \
  --payload-file xss-payloads.txt \
  --budget 100 \
  --rate 0.3 \
  --no-verify-tls \
  --output-dir bounty_results

Pentesting

python cli.py -t client-targets.txt -f payloads.txt --profile deep --budget 200 --format md --verbose

WAF Effectiveness

CI/CD SARIF Integration

πŸ”¬ Payload Files

Format:

payload | category | description

Example:

<script>alert(1)</script> | xss_benign | Basic XSS test
' OR '1'='1             | sql_benign | SQL injection probe
../../../etc/passwd     | path_traversal | Traversal test

πŸ› οΈ Advanced Configuration

Show Advanced Configuration

Virtual Environment

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Rate Limiting

python run.py https://target.com --rate 0.2 --budget 20 --delay 5

Custom Headers

config = TestConfig(
  target_url="https://example.com",
  custom_headers={
    'User-Agent': 'Custom-Agent/1.0',
    'X-Custom-Header': 'value'
  }
)

πŸ“ˆ Performance Tips

  • Quick scans: budget 20–30
  • Standard scans: 50–100
  • Deep scans: 150–300
  • Aggressive WAF β†’ rate: 0.2–0.5

πŸ” Result Analysis

jq '.waf_fingerprint'
jq '.findings[]'
jq '(.metrics.blocked_requests / .metrics.total_requests * 100)'
jq '.results[] | select(.blocked==false)'

⚠️ Legal & Ethical Use

Only test systems you own or have explicit authorization for. Unauthorized testing may be illegal.

πŸ“ Contributing

Fork β†’ Branch β†’ PR (with full description).

πŸ“„ License

MIT License.

πŸ”— Links

πŸ™ Acknowledgments

Built for security researchers, red teams, and bug bounty professionals. Happy hunting! 🎯

About

Production-grade Web Application Firewall testing tool. Detects Cloudflare, AWS WAF, Akamai & more. Identifies bypass vectors via URL normalization. Perfect for bug bounty & pentesting.

Topics

waf pentesting bugbounty ethical-hacking waf-detection waf-bypass ethical-hacking-tools waf-testing

Resources

Readme
Activity

Stars

41 stars

Watchers

0 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages