Ghost in the Firewall: Mastering Stealth Audits with EvilWAF’s Transparent MITM and Multi-Layer Scanner

EvilWAF is an advanced transparent MITM firewall bypass proxy and deep WAF vulnerability scanner designed for authorized security testing. It operates at the transport layer — it does not touch payloads, cookies, or headers from your tools. It works with any tool that supports --proxy, such as ffuf, sqlmap, or nuclei.

Features

Proxy & Bypass

  • Transparent MITM Proxy — Works with any tool that supports --proxy. Zero configuration on tool side.
  • TCP Fingerprint Rotation — Rotates TCP stack options per request to avoid behavioral detection.
  • TLS Fingerprint Rotation — Rotates TLS fingerprint (JA3/JA4 style) paired with TCP profiles.
  • HTTP/2 Fingerprint Rotation — Per-request H2 SETTINGS and HEADERS frame profile rotation cycling through Chrome, Firefox, Safari, and Edge profiles to prevent WAF behavioral fingerprinting.
  • Source Port Manipulation — Rotates source port per request, breaking WAF session tracking and rate-limit counters that rely on source port consistency.
  • Cloudflare Header Injection — Injects Cloudflare-specific internal headers (CF-Connecting-IP, CF-Ray, True-Client-IP) with crafted values to test WAF header trust and attempt IP allowlist bypass.
  • Tor IP Rotation — Routes traffic through Tor and rotates exit IP every request automatically.
  • Proxy Pool IP Rotation — Rotates IP every request through external proxy pool.
  • Origin IP Hunter — Discovers the real server IP behind the WAF using 10 parallel scanners:
    • DNS history, SSL certificate analysis, subdomain enumeration
    • DNS misconfiguration, cloud leak detection, GitHub leak search
    • HTTP header leak, favicon hash, ASN range scan, Censys
  • Auto WAF Detection — Detects WAF vendor automatically before bypass starts.
  • Direct Origin Bypass — Once real IP is found, routes all traffic directly to the server, skipping the WAF entirely.
  • Full HTTPS MITM — Intercepts and inspects HTTPS traffic with dynamic certificate generation per host.
  • HTTP/2 & HTTP/1.1 Support — Negotiates ALPN automatically and handles both protocols.
  • Response Advisor — Automatically retries on WAF blocks (403, 429, 503) with different techniques.
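The Cloudflare Header Injection and Direct Origin Bypass features above both exploit the same origin-side weakness: an origin that trusts CF-Connecting-IP or True-Client-IP from any TCP peer. The following is an added defensive example, not EvilWAF code, showing how an origin should resolve the client IP: trust those headers only when the peer is a known edge address, and flag requests that carry them from elsewhere. The edge ranges are constructed placeholders; a real deployment would load the CDN's published list.

```python
"""Origin-side client IP resolution that trusts CDN headers only from CDN peers.
Added example; it is not part of EvilWAF or any CDN's SDK."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed placeholder edge ranges (RFC 5737 documentation space).
# Replace with the CDN's published egress list, refreshed on a schedule.
EDGE_RANGES: List[ipaddress._BaseNetwork] = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]
# Headers the edge sets that an origin might be tempted to trust blindly.
CLIENT_IP_HEADERS = ("cf-connecting-ip", "true-client-ip")


def peer_is_edge(peer_ip: str, ranges=EDGE_RANGES) -> bool:
    """True when the TCP peer address falls inside a known edge range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def resolve_client_ip(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (client_ip, reason).

    reason values:
      direct-origin           peer bypassed the edge; headers ignored
      spoofed-edge-headers    same, but CDN headers were present (alertable)
      header:<name>           trusted header used because peer is an edge
      malformed:<name>        header present but not an IP; fell back to peer
      edge-no-header          edge peer without a client header
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    present = [h for h in CLIENT_IP_HEADERS if lowered.get(h)]
    if not peer_is_edge(peer_ip):
        # The WAF/CDN was skipped, so nothing in the request can be trusted
        # to describe the client; the peer itself is the client.
        return peer_ip, "spoofed-edge-headers" if present else "direct-origin"
    for name in present:
        try:
            return str(ipaddress.ip_address(lowered[name].strip())), f"header:{name}"
        except ValueError:
            return peer_ip, f"malformed:{name}"
    return peer_ip, "edge-no-header"


def should_reject(peer_ip: str) -> bool:
    """Origin policy: refuse connections that did not arrive through the edge."""
    return not peer_is_edge(peer_ip)
```

Enforcing `should_reject` at the origin (or, better, in its network ACL) is what makes the Direct Origin Bypass technique fail even after the real IP has been discovered.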

WAF Vulnerability Scanner

  • Deep Multi-Layer WAF Scanner — Treats the firewall itself as the target. Analyses all WAF defensive layers simultaneously across 10 independent scanning layers:
    • Layer 1 Network — Virtual host bypass, sensitive path probing, Host header manipulation
    • Layer 2 RuleEngine — Payload-based rule-gap detection: SQLi, XSS, RCE, LFI
    • Layer 3 RateLimit — Burst and sustained rate-limit enforcement testing
    • Layer 4 Evasion — Encoding and normalisation bypass with 10 encoding variants per payload
    • Layer 5 Behavioural — Timing analysis: tarpit, JS challenge delay, back-off detection
    • Layer 6 Header — HTTP header injection and IP spoofing bypass
    • Layer 7 TLS — TLS version probing, SNI bypass, certificate fingerprinting
    • Layer 8 MethodVerb — HTTP method bypass including WebDAV methods
    • Layer 9 Session — Cookie manipulation, auth bypass, session fixation probes
    • Layer 10 Misconfig — WAF misconfiguration and information leak detection
  • Persistent Session — Each scan merges with historical JSON data from previous scans. Confidence grows over time — the longer you scan, the more accurate the results.
  • Statistical Confidence Engine — Per-layer confidence scores computed using mean, standard deviation, and stability analysis. A finding at 86% confidence after 15 verified passes is a real vulnerability, not noise.
  • False Positive Verification — Every finding is replayed against a clean baseline before reporting. Findings that do not reproduce are automatically excluded.
  • C Extension (_fast_scanner.c) — High-performance Python C extension for classification, entropy analysis, timing anomaly detection, and statistics hot paths.

Interface

  • TUI Dashboard — Real-time terminal UI showing live traffic, active techniques, Tor IPs, source ports, proxy pool, and scanner findings per layer.
  • Headless Mode — --no-tui flag for scripting and CI/CD pipelines.
  • Scan-Only Mode — --scan-only to run the WAF vulnerability scanner standalone without starting the proxy.

Install & Use
