Skip to content



Welcome to this workshop on WAF bypass! In this 2 hour hands-on session, you will learn multiple ways to bypass Web Application Firewall (WAF). No specific knowledge is required other than some high-level understanding of common web vulnerabilities (XSS, SQL injection and XXE).

I decided to build this workshop to summarize the types of bypasses that can be used in security assessments. Remember that there are no silver bullets. Even with the most complete checklist, it is likely that you will encounter a case where you can't find a bypass. Hopefully, with that information, you will be more methodical and more efficient the next time you encounter a WAF.

Where to start

All exercises and the source of these pages are available on Github.

Clone h3xstream/waf-workshop

Feel free to contribute to the content of this workshop.


In order to do the exercises, you will need:

  • Docker
  • Burp Suite Pro / OWASP ZAP
  • Python