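#!/bin/bash
#
# WAF bypass probe - tests common evasion techniques against pqcrypta-proxy.
#
# Sends a fixed list of SQL-injection, XSS, path-traversal and
# command-injection strings to $TARGET and records the HTTP status code of
# each response in $OUT/waf_bypass/summary.txt.
#
# Requires: OUT and TARGET (both read after sourcing ../config.sh, so they
# are expected to be set there), curl, python3.
#
# NOTE(review): the script records status codes only; it does not decide
# pass/fail. Which code the proxy returns for a blocked request is not
# defined here - confirm against the proxy's WAF configuration, and treat
# 000 (curl could not complete the request) as inconclusive, not as a block.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Without this check a missing config.sh would leave OUT and TARGET empty and
# the script would go on to write under /waf_bypass and probe a bare path.
# shellcheck source=/dev/null
source "$SCRIPT_DIR/../config.sh" || {
  printf 'cannot load %s\n' "$SCRIPT_DIR/../config.sh" >&2
  exit 1
}
: "${OUT:?OUT must be set (expected from config.sh)}"
: "${TARGET:?TARGET must be set (expected from config.sh)}"

OUT="$OUT/waf_bypass"
mkdir -p "$OUT" || exit 1
readonly SUMMARY="$OUT/summary.txt"

#######################################
# Append one line to the summary file and echo it to stdout.
# Globals:   SUMMARY (read)
# Arguments: $* - text of the line
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$SUMMARY"
}

#######################################
# Safe URL encoder - pipes the payload via stdin so quotes and other shell
# metacharacters never reach the python command line.
# Leading/trailing whitespace is stripped by .strip(); '/' is left unencoded
# (urllib.parse.quote default).
# Arguments: $1 - raw payload
# Outputs:   percent-encoded payload on stdout
#######################################
url_encode() {
  printf '%s' "$1" \
    | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))"
}

#######################################
# Request one URL and log "[status] LABEL: PAYLOAD".
# NOTE(review): -k skips certificate verification, so the status code is not
# proven to come from the intended proxy; drop it when the target presents a
# verifiable certificate.
# Globals:   SUMMARY (via log)
# Arguments: $1 - label for the summary line
#            $2 - payload as written in the list (for the log only)
#            $3 - full URL to request
#            $4.. - extra curl options (optional)
#######################################
probe() {
  local label=$1 payload=$2 url=$3
  shift 3
  local status
  status=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$url")
  log "[$status] $label: $payload"
}

# Start a fresh summary (plain tee truncates any previous run's file).
echo '=== WAF BYPASS TESTS ===' | tee "$SUMMARY"

# 1. SQL injection patterns (should be blocked)
SQL_PAYLOADS=(
  "' OR 1=1--"
  "1; DROP TABLE users--"
  "' UNION SELECT * FROM information_schema.tables--"
  "admin'--"
  "1' AND SLEEP(5)--"
  "1 OR 1=1"
  "'; EXEC xp_cmdshell('dir')--"
)
log ''
log '--- SQL Injection Probes ---'
for payload in "${SQL_PAYLOADS[@]}"; do
  probe 'SQL' "$payload" "$TARGET/?id=$(url_encode "$payload")"
done

# 2. XSS payloads (should be blocked)
# NOTE(review): three entries are empty strings and the last is a bare '">'.
# These look like markup payloads whose tags were stripped when this copy of
# the script was produced - restore the list from the project's own copy
# before relying on this section. As written, the empty entries request
# "/?q=" and exercise no WAF rule.
XSS_PAYLOADS=(
  ''
  ''
  'javascript:alert(1)'
  ''
  '">'
)
log ''
log '--- XSS Probes ---'
for payload in "${XSS_PAYLOADS[@]}"; do
  probe 'XSS' "$payload" "$TARGET/?q=$(url_encode "$payload")"
done

# 3. Path traversal (should be blocked)
# Payloads are already in their on-the-wire form, so they are not re-encoded.
TRAVERSAL_PAYLOADS=(
  '../../../etc/passwd'
  '..%2F..%2F..%2Fetc%2Fpasswd'
  '%2e%2e/%2e%2e/%2e%2e/etc/passwd'
  '....//....//etc/passwd'
  '%252e%252e%252fetc%252fpasswd'
)
log ''
log '--- Path Traversal Probes ---'
for payload in "${TRAVERSAL_PAYLOADS[@]}"; do
  # curl removes "../" dot segments from the path before sending unless
  # --path-as-is is given; without it the plain traversal payload reaches the
  # proxy as /etc/passwd and the logged status says nothing about the
  # traversal rule.
  probe 'Traversal' "$payload" "$TARGET/$payload" --path-as-is
done

# 4. Command injection (should be blocked)
CMD_PAYLOADS=(
  '; cat /etc/passwd'
  '| whoami'
  '`id`'
  '$(id)'
  '; ls -la /'
)
log ''
log '--- Command Injection Probes ---'
for payload in "${CMD_PAYLOADS[@]}"; do
  probe 'CMD' "$payload" "$TARGET/?cmd=$(url_encode "$payload")"
done

# Re-print the complete summary at the end of the run.
cat "$SUMMARY"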