Modern WAF Bypass Techniques for Autonomous Attacks

Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, penetration tester or otherwise. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This class will cover how common forms of WAF & bot detections work and how you can modify your scripting to fly under the radar.

Class Structure:

Instruction will be extremely hands-on, targetting a live website with common protections in place. Students are expected to have enough knowledge in Python and/or Javascript (both are preferred, JS is absolutely required) to be able to write basic scripts for accessing data via HTTP, as this will be a “we all teach each other” style of course. Students will be tasked with writing their own scripts using the recommended techniques and demonstrate their methodologies to the rest of the class.


  • Windows. MacOS or Linux laptop & permission/ability to install software (i.e. Python, node.js, Webstorm or other IDE(if desired)) and create new network interfaces (VPN, etc).

  • Basic ability to write Python and Javascript for the purposes of automating HTTP requests

  • General knowledge of the HTTP protocol (basic webapp functionality, how headers work)

  • Ability and desire to present and explain one’s own work to a small group

SPEAKER Sam Crowther

SPEAKER Johnny Xmas