theghostshinobi/waf-stressor

GitHub: theghostshinobi/waf-stressor

A production-grade WAF stress-testing and fingerprinting tool for red teams and security research.

Stars: 43 | Forks: 9

# 🛡️ WAF Stressor

WAF Stressor is a production-grade assessment engine designed for ethical security research, penetration testing, and bug bounty operations. It provides advanced URL normalization fuzzing, payload mutation, and multi-signal WAF fingerprinting to identify bypass vectors and inconsistent filtering behaviors.

---

# 📘 Table of Contents

- ✨ Features
- 📦 Installation
- 🚀 Quick Start
- 📖 Usage Examples
- 🎛️ Command-Line Options
- 📊 Understanding Output
- 📁 Report Formats
- 🎯 Use Cases
- 🔬 Payload Files
- 🛠️ Advanced Configuration
- 📈 Performance Tips
- 🔍 Result Analysis
- ⚠️ Legal & Ethical Use
- 📝 Contributing
- 📄 License
- 🔗 Links
- 🙏 Acknowledgments

---

# ✨ Features

- 🔍 **WAF Detection & Fingerprinting**: detects 15+ major WAF vendors (Cloudflare, Akamai, AWS, Imperva, F5, ModSecurity, etc.)
- 🎯 **URL Normalization Testing**: 15+ URL mangling techniques to detect bypass vectors
- 💣 **Payload Mutation Engine**: encodings, obfuscation layers, variant generation
- 📊 **Advanced Metrics**: includes UI, NF, MP, PP, CC, SC
- 🚨 **Automated Finding Generation**: bypass identification, inconsistencies, normalization flaws
- 📁 **Multi-Format Reports**: JSON, Markdown, HTML, CSV, SARIF (CI/CD compatible)
- ⚡ **Rate Limiting & Backoff**: 429-aware with exponential backoff
- 🔄 **Batch Scanning**: multi-target support, error recovery, progress tracking

---

# 📦 Installation

## Requirements

- Python **3.8+**
- pip

## Quick Install

```bash
git clone https://github.com/theghostshinobi/waf-stressor.git
cd waf-stressor
```

## Manual Dependencies

```bash
pip install httpx rich
```

# 🚀 Quick Start

### Single target

```bash
python run.py https://example.com --budget 50
```

### Using custom payloads

```bash
python run.py https://example.com \
  --payload-file xss-payloads.txt \
  --profile light \
  --budget 50
```

### Deep scan + rate limiting

```bash
python run.py https://example.com \
  --payload-file xss-payloads.txt \
  --profile deep \
  --budget 100 \
  --rate 0.5 \
  --no-verify-tls
```

# 📖 Usage Examples

### 1) Quick assessment

```bash
python run.py https://target.com --profile light --budget 30
```

### 2) Comprehensive WAF analysis

```bash
python run.py https://target.com \
  --payload-file xss-payloads.txt \
  --profile deep \
  --budget 200 \
  --rate 1.0 \
  --output-dir target_scan
```

### 3) Cloudflare target

```bash
python run.py https://cloudflare-protected.com \
  --payload-file xss-payloads.txt \
  --budget 50 \
  --rate 0.5 \
  --no-verify-tls
```

### 4) Batch scanning

```bash
python waf-stressor-engine.py \
  -t targets.txt \
  -f xss-payloads.txt \
  --budget 30 \
  --rate 1.0 \
  --format json
```

### 5) Advanced batch

```bash
python cli.py \
  -t targets.txt \
  -f payloads.txt \
  --profile deep \
  --budget 100 \
  --rate 0.5 \
  --delay 10 \
  --format md \
  --verbose
```

# 🎛️ Command-Line Options
## Single target (run.py)

| Option | Description | Default |
| ----------------- | ------------------------ | ------------ |
| `--profile` | light / deep | light |
| `--budget` | Maximum number of requests | 50 |
| `--rate` | Requests per second | 1.0 |
| `--payload-file` | Payload file | payloads.txt |
| `--output-dir` | Results directory | scan_results |
| `--no-verify-tls` | Disable TLS verification | False |
| `--timeout` | Request timeout | 30 |
| `--max-redirects` | Redirect limit | 5 |
## Batch scanning (cli.py)

| Option | Description | Default |
| ---------- | -------------------------- | ---------------- |
| `-t` | Target file | Required |
| `-f` | Payload file | xss-payloads.txt |
| `-o` | Output directory | results |
| `-p` | Profile | light |
| `-b` | Budget | 50 |
| `-r` | Rate | 0.5 |
| `--format` | json, md, csv, sarif, html | json |
| `-v` | Verbose output | False |

| Option | Description | Default |
| ----------------- | ---------------------- | ------- |
| `-d` | Delay between targets | 10 |
| `--timeout` | Scan timeout | 300 |
| `--tls-verify` | Enable TLS verification | False |
| `--stop-on-error` | Stop on error | False |

# 📊 Understanding Output

```
============================================================
✅ SCAN COMPLETE
Target: https://example.com
Profile: LIGHT
Total Requests: 48
Elapsed: 49.35s
Success Rate: 100%
WAF DETECTED: cloudflare
```

### Metric descriptions

| Metric | Meaning |
| ------ | ----------------------- |
| **UI** | Uniformity Index |
| **NF** | Normalization Factor |
| **MP** | Mutation Potential |
| **PP** | Payload Penetration |
| **CC** | Consistency Coefficient |
| **SC** | Status Code Variance |

# 📁 Report Formats

* **JSON**: structured data
* **Markdown**: human-readable
* **HTML**: color-coded UI
* **CSV**: quick parsing
* **SARIF**: GitHub/CI integration

# 🎯 Use Cases

### Bug bounty

```bash
python run.py https://target.hackerone.com/api \
  --payload-file xss-payloads.txt \
  --budget 100 \
  --rate 0.3 \
  --no-verify-tls \
  --output-dir bounty_results
```

### Penetration testing

```bash
python cli.py -t client-targets.txt -f payloads.txt --profile deep --budget 200 --format md --verbose
```

### WAF effectiveness

### CI/CD SARIF integration

# 🔬 Payload Files

Format:

```
payload | category | description
```

Example:

```
 | xss_benign | Basic XSS test
' OR '1'='1 | sql_benign | SQL injection probe
../../../etc/passwd | path_traversal | Traversal test
```

# 🛠️ Advanced Configuration
### Virtual environment

```bash
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

### Rate limiting

```bash
python run.py https://target.com --rate 0.2 --budget 20 --delay 5
```

### Custom headers

```python
config = TestConfig(
    target_url="https://example.com",
    custom_headers={
        'User-Agent': 'Custom-Agent/1.0',
        'X-Custom-Header': 'value'
    }
)
```

# 📈 Performance Tips

* **Quick scan:** budget **20–30**
* **Standard scan:** **50–100**
* **Deep scan:** **150–300**
* Aggressive WAF → rate: **0.2–0.5**

# 🔍 Result Analysis

```bash
jq '.waf_fingerprint'
jq '.findings[]'
jq '(.metrics.blocked_requests / .metrics.total_requests * 100)'
jq '.results[] | select(.blocked==false)'
```

# ⚠️ Legal & Ethical Use

**Only test systems you own or are explicitly authorized to test.** Unauthorized testing may be illegal.

# 📄 License

MIT License.

# 🔗 Links

* **Repository**: [https://github.com/theghostshinobi/waf-stressor](https://github.com/theghostshinobi/waf-stressor)
* **Issues**: [https://github.com/theghostshinobi/waf-stressor/issues](https://github.com/theghostshinobi/waf-stressor/issues)

# 🙏 Acknowledgments

Built for security researchers, red teamers and bug bounty professionals.

**Happy hunting! 🎯**
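The Payload Files section above documents the `payload | category | description` row format but not how malformed rows are treated. The parser below is an added example, not code from the waf-stressor project: it reads that format, skips blank and `#` comment lines (an assumption, the README does not mention comments), splits from the right so a payload containing `|` survives, and reports rows with a missing payload or too few fields with their line numbers instead of silently loading an empty probe. The sample file content is constructed.

```python
"""Parser for the `payload | category | description` payload-file format.

Added example, not part of the waf-stressor project. The row format is the
one documented in the README's Payload Files section; comment handling and
the treatment of malformed rows are assumptions made here.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PayloadEntry:
    payload: str
    category: str
    description: str


# Constructed sample file. Line 4 has an empty payload column and line 6
# has no separators at all, to exercise the error path.
SAMPLE_FILE = """\
# comment lines and blank lines are skipped

' OR '1'='1 | sql_benign | SQL injection probe
 | xss_benign | Basic XSS test
../../../etc/passwd | path_traversal | Traversal test
just_a_payload_without_fields
"""


def parse_payload_line(line: str) -> PayloadEntry:
    """Split one row into its three fields, raising ValueError on bad rows."""
    # Split from the right: description is the last field, category the
    # second to last, so any '|' inside the payload itself is preserved.
    parts = [p.strip() for p in line.rsplit("|", 2)]
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    payload, category, description = parts
    if not payload:
        raise ValueError("empty payload column")
    if not category:
        raise ValueError("empty category column")
    return PayloadEntry(payload, category, description)


def parse_payload_file(text: str) -> Tuple[List[PayloadEntry], List[Tuple[int, str]]]:
    """Return (valid entries, [(line number, error message), ...])."""
    entries: List[PayloadEntry] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(parse_payload_line(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


def categories(entries: List[PayloadEntry]) -> List[str]:
    """Distinct categories present in the file, sorted."""
    return sorted({e.category for e in entries})


if __name__ == "__main__":
    loaded, problems = parse_payload_file(SAMPLE_FILE)
    print(f"{len(loaded)} entries in categories {categories(loaded)}")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```

Rejecting rows with an empty payload matters because a blank probe would be sent as a request, counted against the budget and scored as "not blocked", which skews the blocked-request ratio used in Result Analysis.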
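The Result Analysis section gives four `jq` queries over the JSON report. The script below is an added example, not part of the project, that performs the same analysis in Python and adds two checks the one-liners lack: it does not divide by zero when a scan made no requests, and it compares `metrics.blocked_requests` against the count of `results[].blocked` entries so an internally inconsistent report is flagged before anyone acts on its block rate. The field names come from the jq paths on the page; the report content and the extra `id` and `vendor` fields are constructed assumptions.

```python
"""Summarise a waf-stressor JSON report without jq.

Added example, not part of the project. Field names waf_fingerprint,
findings, metrics.total_requests, metrics.blocked_requests and
results[].blocked are taken from the README's jq queries; everything else
in SAMPLE_REPORT is a constructed assumption about the report shape.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed report: 4 probes, 3 blocked, 1 passed through.
SAMPLE_REPORT = json.dumps({
    "waf_fingerprint": {"vendor": "cloudflare"},        # shape assumed
    "metrics": {"total_requests": 4, "blocked_requests": 3},
    "findings": [{"type": "normalization_inconsistency"}],  # shape assumed
    "results": [
        {"id": 1, "blocked": True},
        {"id": 2, "blocked": False},
        {"id": 3, "blocked": True},
        {"id": 4, "blocked": True},
    ],
})


def load_report(text: str) -> Dict[str, Any]:
    return json.loads(text)


def block_rate(report: Dict[str, Any]) -> Optional[float]:
    """jq: .metrics.blocked_requests / .metrics.total_requests * 100,
    returning None instead of dividing by zero for an empty scan."""
    metrics = report.get("metrics", {})
    total = metrics.get("total_requests", 0)
    if not total:
        return None
    return metrics.get("blocked_requests", 0) / total * 100


def unblocked_results(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """jq: .results[] | select(.blocked==false); these are the probes the
    WAF owner needs to look at."""
    return [r for r in report.get("results", []) if r.get("blocked") is False]


def metrics_consistent(report: Dict[str, Any]) -> bool:
    """True when the summary counters agree with the per-result records."""
    results = report.get("results", [])
    metrics = report.get("metrics", {})
    blocked = sum(1 for r in results if r.get("blocked") is True)
    return (metrics.get("total_requests") == len(results)
            and metrics.get("blocked_requests") == blocked)


def summarize(report: Dict[str, Any]) -> Dict[str, Any]:
    return {
        "waf_fingerprint": report.get("waf_fingerprint"),   # jq: .waf_fingerprint
        "finding_count": len(report.get("findings", [])),   # jq: .findings[]
        "block_rate_pct": block_rate(report),
        "unblocked_count": len(unblocked_results(report)),
        "metrics_consistent": metrics_consistent(report),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(load_report(SAMPLE_REPORT)), indent=2))
```

Run it against a real report by replacing `SAMPLE_REPORT` with the file contents; a `metrics_consistent` of `False` means the block-rate figure should not be quoted until the discrepancy is understood.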