Ever been beating your head against a WAF and wished there was a quick way to test every single character against it?
Well if you have Burp Intruder, you can do so with a couple of quick settings.
URL Encoded Characters — ASCII
1. Put a % before your injection point
2. Payload Type: Brute forcer
3. Shorten your character set to a-f and 0-9
4. Set Min/Max to 2
Literal Characters — ASCII
1. Mark your injection location; no leading characters required
2. Set the Brute forcer rules the same as above, except we now add 2 new Payload Processing rules:
   - Add Prefix: %
   - URL-decode
Fire it off to see all the wild characters get sent for WAF testing.
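As an added example (not part of the original post), this Python script builds the same two payload lists offline: the %xx list from the Brute forcer settings above, and the literal-byte list after the prefix and URL-decode processing rules. It also checks that the set really covers all 256 byte values, and it shows a caveat: Python's plain unquote() would mangle bytes above 0x7f, so unquote_to_bytes() is used instead.

```python
from itertools import product
from urllib.parse import unquote_to_bytes

# The shortened Brute forcer character set from the post (a-f and 0-9).
HEX_DIGITS = "0123456789abcdef"


def encoded_payloads():
    """First setup in the post: every 2-character combination of the hex
    digits with a '%' in front (Brute forcer, min=max=2, '%' at the injection
    point). Produces '%00' .. '%ff'."""
    return ["%" + a + b for a, b in product(HEX_DIGITS, repeat=2)]


def literal_payloads():
    """Second setup in the post: the same list after the 'Add Prefix: %' and
    'URL-decode' processing rules, i.e. the raw byte each %xx encodes.
    unquote_to_bytes() keeps bytes 0x80-0xff as single raw bytes; unquote()
    would decode them as UTF-8 and replace them with U+FFFD."""
    return [unquote_to_bytes(p) for p in encoded_payloads()]


def coverage_report(payloads):
    """Sanity check that a generated list hits every byte value exactly once,
    which is what 'every single character' in the post relies on."""
    values = sorted(p[0] for p in payloads)
    return {"count": len(values), "complete": values == list(range(256))}


if __name__ == "__main__":
    print(encoded_payloads()[:4], "...", encoded_payloads()[-1])
    print(literal_payloads()[0x41], literal_payloads()[0xFF])
    print(coverage_report(literal_payloads()))
```

Either list can be pasted into Intruder as a "Simple list" payload set if you prefer a fixed list over the Brute forcer, and the order does not matter for coverage.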