Ghost in the Firewall: Mastering Stealth Audits with EvilWAF’s Transparent MITM and Multi-Layer Scanner

EvilWAF is an advanced transparent MITM Firewall bypass proxy and deep WAF vulnerability scanner designed for authorized security testing. It operates at the transport layer — it does not touch payloads, cookies, or headers from your tools. Works with any tool like(ffuz, sqlmap, nuclei and etc) that supports --proxy.

Features

• Transparent MITM Proxy — Works with any tool that supports --proxy. Zero configuration on tool side.
• TCP Fingerprint Rotation — Rotates TCP stack options per request to avoid behavioral detection.
• TLS Fingerprint Rotation — Rotates TLS fingerprint (JA3/JA4 style) paired with TCP profiles.
• HTTP/2 Fingerprint Rotation — Per-request H2 SETTINGS and HEADERS frame profile rotation cycling through Chrome, Firefox, Safari, and Edge profiles to prevent WAF behavioral fingerprinting.
• Source Port Manipulation — Rotates source port per request, breaking WAF session tracking and rate-limit counters that rely on source port consistency.
• Cloudflare Header Injection — Injects Cloudflare-specific internal headers (CF-Connecting-IP, CF-Ray, True-Client-IP) with crafted values to test WAF header trust and attempt IP allowlist bypass.
• Tor IP Rotation — Routes traffic through Tor and rotates exit IP every request automatically.
• Proxy Pool IP Rotation — Rotates IP every request through external proxy pool.
• Origin IP Hunter — Discovers the real server IP behind the WAF using 10 parallel scanners:
  • DNS history, SSL certificate analysis, subdomain enumeration
  • DNS misconfiguration, cloud leak detection, GitHub leak search
  • HTTP header leak, favicon hash, ASN range scan, Censys
• Auto WAF Detection — Detects WAF vendor automatically before bypass starts.
• Direct Origin Bypass — Once real IP is found, routes all traffic directly to the server, skipping the WAF entirely.
• Full HTTPS MITM — Intercepts and inspects HTTPS traffic with dynamic certificate generation per host.
• HTTP/2 & HTTP/1.1 Support — Negotiates ALPN automatically and handles both protocols.
• Response Advisor — Automatically retries on WAF blocks (403, 429, 503) with different techniques.

• Deep Multi-Layer WAF Scanner — Treats the firewall itself as the target. Analyses all WAF defensive layers simultaneously across 10 independent scanning layers:
  • Layer 1 Network — Virtual host bypass, sensitive path probing, Host header manipulation
  • Layer 2 RuleEngine — Payload-based rule-gap detection: SQLi, XSS, RCE, LFI
  • Layer 3 RateLimit — Burst and sustained rate-limit enforcement testing
  • Layer 4 Evasion — Encoding and normalisation bypass with 10 encoding variants per payload
  • Layer 5 Behavioural — Timing analysis: tarpit, JS challenge delay, back-off detection
  • Layer 6 Header — HTTP header injection and IP spoofing bypass
  • Layer 7 TLS — TLS version probing, SNI bypass, certificate fingerprinting
  • Layer 8 MethodVerb — HTTP method bypass including WebDAV methods
  • Layer 9 Session — Cookie manipulation, auth bypass, session fixation probes
  • Layer 10 Misconfig — WAF misconfiguration and information leak detection
• Persistent Session — Each scan merges with historical JSON data from previous scans. Confidence grows over time — the longer you scan, the more accurate the results.
• Statistical Confidence Engine — Per-layer confidence scores computed using mean, standard deviation, and stability analysis. A finding at 86% confidence after 15 verified passes is a real vulnerability, not noise.
• False Positive Verification — Every finding is replayed against a clean baseline before reporting. Findings that do not reproduce are automatically excluded.
• C Extension (_fast_scanner.c) — High-performance Python C extension for classification, entropy analysis, timing anomaly detection, and statistics hot paths.

• TUI Dashboard — Real-time terminal UI showing live traffic, active techniques, Tor IPs, source ports, proxy pool, and scanner findings per layer.
• Headless Mode — --no-tui flag for scripting and CI/CD pipelines.
• Scan-Only Mode — --scan-only to run the WAF vulnerability scanner standalone without starting the proxy.

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy