From ae6f5a42f509fbed163e719f4cbd092c7ec043b3 Mon Sep 17 00:00:00 2001 From: Houssam Miliani <149241633+SecHoussam@users.noreply.github.com> Date: Fri, 23 Jan 2026 19:08:07 +0100 Subject: [PATCH 1/7] Update README.md --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 6a3fbcd..7b5c2ea 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ - [Parameters](#Parameters) - [Fuzzing](#Fuzzing) - [Monitoring](#Monitoring) + - [Waf Evasion ](#Waf-Evasion) - [Exploitation](#Exploitation) - [Command Injection](#Command-Injection) @@ -390,6 +391,14 @@ ### Web-Cache-Poisoning - [toxicache](https://github.com/xhzeem/toxicache) - Go scanner to find web cache poisoning vulnerabilities in a list of URLs . +### Waf Evasion + +- [nomore403](https://github.com/devploit/nomore403) - 🚫 Advanced tool for security researchers to bypass 403/40X restrictions . + +#burpSuite Plugin : +- [toxicache](https://github.com/assetnote/nowafpls/) - Burp Plugin to Bypass WAFs through the insertion of Junk Data . + + ## Miscellaneous From 5b1ce640b269fe038d8bc9fd6e1d2e28fd709371 Mon Sep 17 00:00:00 2001 From: Houssam Miliani <149241633+SecHoussam@users.noreply.github.com> Date: Fri, 23 Jan 2026 19:09:29 +0100 Subject: [PATCH 2/7] Refactor Waf Evasion section header Updated section headers for clarity and consistency. --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7b5c2ea..60d36be 100644 --- a/README.md +++ b/README.md @@ -390,15 +390,16 @@ ### Web-Cache-Poisoning - [toxicache](https://github.com/xhzeem/toxicache) - Go scanner to find web cache poisoning vulnerabilities in a list of URLs . +--- -### Waf Evasion - +## Waf Evasion +#cli : - [nomore403](https://github.com/devploit/nomore403) - 🚫 Advanced tool for security researchers to bypass 403/40X restrictions . #burpSuite Plugin : - [toxicache](https://github.com/assetnote/nowafpls/) - Burp Plugin to Bypass WAFs through the insertion of Junk Data . - +--- ## Miscellaneous From 4d8a74c222c075d6bc7fd533abae787f9b6f94c3 Mon Sep 17 00:00:00 2001 From: Houssam Miliani <149241633+SecHoussam@users.noreply.github.com> Date: Fri, 23 Jan 2026 19:22:56 +0100 Subject: [PATCH 3/7] Update README.md --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 60d36be..c74fc7b 100644 --- a/README.md +++ b/README.md @@ -394,11 +394,16 @@ ## Waf Evasion #cli : + - [nomore403](https://github.com/devploit/nomore403) - 🚫 Advanced tool for security researchers to bypass 403/40X restrictions . -#burpSuite Plugin : -- [toxicache](https://github.com/assetnote/nowafpls/) - Burp Plugin to Bypass WAFs through the insertion of Junk Data . +- [XFFenum](https://github.com/vavkamil/XFFenum) - A simple tool to bypass 403 forbidden end-points behind load balancers (Cloudflare) based on X-Forwarded-For header. + +- [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster) - A tool designed to automate various techniques in order to bypass HTTP 401 and 403 response codes and gain access to unauthorized areas in the system. +#burpSuite Plugin : +- [nowafpls](https://github.com/assetnote/nowafpls/) - Burp Plugin to Bypass WAFs through the insertion of Junk Data . + --- ## Miscellaneous @@ -539,11 +544,6 @@ - [SSTImap](https://github.com/vladko312/SSTImap) - SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself. - [Lonkero](https://github.com/bountyyfi/lonkero) - Enterprise-grade web vulnerability scanner with 60+ attack modules, built in Rust for penetration testing and security assessments. -### Forbidden Bypass - -- [XFFenum](https://github.com/vavkamil/XFFenum) - A simple tool to bypass 403 forbidden end-points behind load balancers (Cloudflare) based on X-Forwarded-For header. -- [NoMore403](https://github.com/devploit/nomore403) - Advanced tool for security researchers to bypass 403/40X restrictions through smart techniques and adaptive request manipulation. -- [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster) - A tool designed to automate various techniques in order to bypass HTTP 401 and 403 response codes and gain access to unauthorized areas in the system. ### Permutation From 2c314da5a151c899730ff272808c17273068b7e9 Mon Sep 17 00:00:00 2001 From: Houssam Miliani <149241633+SecHoussam@users.noreply.github.com> Date: Fri, 23 Jan 2026 19:24:33 +0100 Subject: [PATCH 4/7] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c74fc7b..842da28 100644 --- a/README.md +++ b/README.md @@ -392,8 +392,8 @@ - [toxicache](https://github.com/xhzeem/toxicache) - Go scanner to find web cache poisoning vulnerabilities in a list of URLs . --- -## Waf Evasion -#cli : +### Waf Evasion +- cli : - [nomore403](https://github.com/devploit/nomore403) - 🚫 Advanced tool for security researchers to bypass 403/40X restrictions . @@ -401,7 +401,7 @@ - [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster) - A tool designed to automate various techniques in order to bypass HTTP 401 and 403 response codes and gain access to unauthorized areas in the system. -#burpSuite Plugin : +- burpSuite Plugin : - [nowafpls](https://github.com/assetnote/nowafpls/) - Burp Plugin to Bypass WAFs through the insertion of Junk Data . --- From 3fc9809ad1182c8bfa9c0ee6ba993065e6faf2df Mon Sep 17 00:00:00 2001 From: Kamil Vavra <47953210+vavkamil@users.noreply.github.com> Date: Sun, 1 Feb 2026 12:24:12 +0100 Subject: [PATCH 5/7] chore(list): Update fmt --- README.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 4cabe48..780b1b1 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ - [Parameters](#Parameters) - [Fuzzing](#Fuzzing) - [Monitoring](#Monitoring) - - [Waf Evasion ](#Waf-Evasion) + - [Waf Evasion](#Waf-Evasion) - [Exploitation](#Exploitation) - [Command Injection](#Command-Injection) @@ -394,25 +394,20 @@ - [metahttp](https://github.com/vp777/metahttp) - A bash script that automates the scanning of a target network for HTTP resources through XXE ### SSTI Injection + - [tplmap](https://github.com/epinna/tplmap) - Server-Side Template Injection and Code Injection Detection and Exploitation Tool - [SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface - ### Web-Cache-Poisoning + - [toxicache](https://github.com/xhzeem/toxicache) - Go scanner to find web cache poisoning vulnerabilities in a list of URLs . ---- ### Waf Evasion -- cli : - -- [nomore403](https://github.com/devploit/nomore403) - 🚫 Advanced tool for security researchers to bypass 403/40X restrictions . +- [nomore403](https://github.com/devploit/nomore403) - Advanced tool for security researchers to bypass 403/40X restrictions . - [XFFenum](https://github.com/vavkamil/XFFenum) - A simple tool to bypass 403 forbidden end-points behind load balancers (Cloudflare) based on X-Forwarded-For header. - - [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster) - A tool designed to automate various techniques in order to bypass HTTP 401 and 403 response codes and gain access to unauthorized areas in the system. - -- burpSuite Plugin : -- [nowafpls](https://github.com/assetnote/nowafpls/) - Burp Plugin to Bypass WAFs through the insertion of Junk Data . +- [nowafpls](https://github.com/assetnote/nowafpls/) - Burp Plugin to Bypass WAFs through the insertion of Junk Data. --- From f9708982567239225a668393178442bb8f5f9025 Mon Sep 17 00:00:00 2001 From: Kamil Vavra <47953210+vavkamil@users.noreply.github.com> Date: Sun, 1 Feb 2026 12:25:31 +0100 Subject: [PATCH 6/7] chore(ci): Update dependencies --- .github/workflows/security-zizmor.yml | 4 ++-- .github/workflows/stargazers.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security-zizmor.yml b/.github/workflows/security-zizmor.yml index 12a5703..4ccbb48 100644 --- a/.github/workflows/security-zizmor.yml +++ b/.github/workflows/security-zizmor.yml @@ -21,12 +21,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6.0.1 + uses: actions/checkout@v6.0.2 # zizmor: ignore[unpinned-uses] with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v6 # zizmor: ignore[unpinned-uses] with: python-version: '3.10.4' diff --git a/.github/workflows/stargazers.yml b/.github/workflows/stargazers.yml index 7c37b20..8ab46aa 100644 --- a/.github/workflows/stargazers.yml +++ b/.github/workflows/stargazers.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6.0.1 + uses: actions/checkout@v6.0.2 # zizmor: ignore[unpinned-uses] with: fetch-depth: 0 persist-credentials: false From d04fcd47e5c0081082b42a88b0e05571299661d5 Mon Sep 17 00:00:00 2001 From: Kamil Vavra <47953210+vavkamil@users.noreply.github.com> Date: Sun, 1 Feb 2026 12:25:58 +0100 Subject: [PATCH 7/7] chore(pip): Update dependencies --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 7984430..bdc7be3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ -zizmor==1.19.0 +zizmor==1.22.0