WAF Fuzzing with Burp Intruder

Ever been beating your head against a WAF and wished there was a quick way to test every single character against it?

Well if you have Burp Intruder, you can do so with a couple of quick settings.

URL Encoded Characters — ASCII

1. Put a % immediately before your injection point.

2. Payload type: Brute forcer
   Shorten the character set to a-f and 0-9
   Set min length and max length to 2 (every pair of hex digits, so %00 through %ff, 256 payloads in total)

Literal Characters — ASCII

1. Mark your injection location; no leading character is required this time.

2. Set the Brute forcer rules the same as above, then add two Payload Processing rules so the raw byte is sent instead of its encoded form:

   Add prefix: %
   URL-decode

Fire it off and watch every character get sent through for WAF testing. Compare the responses per payload (status code, length, any block page) to see which bytes the WAF stops and which it lets through.
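The two payload sets above can be reproduced outside Burp, which is handy for checking you built the Intruder attack correctly or for replaying the same list against a WAF you operate in a test environment. The script below is an added example, not code from the original post or from PortSwigger: it generates the URL-encoded list (brute forcer over a-f/0-9, length 2, with a leading %), derives the literal-character list by applying the same prefix-then-URL-decode processing, and groups a set of results by status code the way you would read the Intruder results table. The results dictionary and the 403 block status are constructed sample values.

```python
"""Reproduce the Burp Intruder payload sets from the post and summarise results.

Added example for illustration; not code from the original post or from PortSwigger.
"""
from itertools import product
from urllib.parse import unquote_to_bytes

# The shortened brute-forcer character set from the post (hex digits only).
HEX_CHARSET = "abcdef0123456789"


def url_encoded_payloads(charset: str = HEX_CHARSET, length: int = 2) -> list[str]:
    """Set 1: brute forcer with min = max = 2 and a '%' before the injection point.

    Every two-digit combination of the charset becomes one URL-encoded byte,
    e.g. '%27'. Pass an upper-case charset to see whether the WAF treats
    '%3C' and '%3c' the same way.
    """
    return ["%" + "".join(pair) for pair in product(charset, repeat=length)]


def literal_payloads(charset: str = HEX_CHARSET, length: int = 2) -> list[bytes]:
    """Set 2: the same brute forcer plus the two payload-processing rules
    (add prefix '%', then URL-decode), so the raw byte itself is sent."""
    return [unquote_to_bytes(p) for p in url_encoded_payloads(charset, length)]


def covers_every_byte(charset: str = HEX_CHARSET, length: int = 2) -> bool:
    """Sanity check: the decoded set should contain every value 0x00..0xff exactly once."""
    decoded = [b[0] for b in literal_payloads(charset, length) if len(b) == 1]
    return sorted(decoded) == list(range(256))


def summarize(results: dict[str, int], blocked_status: int = 403) -> dict[str, list[str]]:
    """Group Intruder-style results (payload -> HTTP status) into blocked and allowed.

    `blocked_status` is whatever status your WAF returns for a block page;
    403 is a constructed sample value, not something the post states.
    """
    blocked = sorted(p for p, status in results.items() if status == blocked_status)
    allowed = sorted(p for p, status in results.items() if status != blocked_status)
    return {"blocked": blocked, "allowed": allowed}


# Constructed sample results, as if copied from the Intruder results table.
SAMPLE_RESULTS = {"%27": 403, "%3c": 403, "%3e": 403, "%41": 200, "%20": 200}

if __name__ == "__main__":
    print(len(url_encoded_payloads()), "encoded payloads, first:", url_encoded_payloads()[0])
    print("covers every byte:", covers_every_byte())
    print(summarize(SAMPLE_RESULTS))
```

One thing to check when building the Intruder attack itself: if the payload-encoding option in the Payloads tab is set to URL-encode the % character, a payload such as %27 reaches the server as %2527, so confirm in the results table that the request body contains what you intended before reading anything into the WAF's responses.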
