Thanks all for the great replies and resources!<br><br>I will take my time to go through the responses and test the tools.<br><br clear="all">Ryan Dewhurst<br><br>blog <a href="http://www.ethicalhack3r.co.uk" target="_blank">www.ethicalhack3r.co.uk</a><br>
projects <a href="http://www.dvwa.co.uk" target="_blank">www.dvwa.co.uk</a> | <a href="http://www.webwordcount.com" target="_blank">www.webwordcount.com</a><br>twitter <a href="http://www.twitter.com/ethicalhack3r" target="_blank">www.twitter.com/ethicalhack3r</a><br>

<br><br><div class="gmail_quote">On Fri, Feb 4, 2011 at 11:10 AM,  <span dir="ltr">&lt;<a href="mailto:melihtanfayed@engineer.com">melihtanfayed@engineer.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font color="black" face="arial" size="2"><font color="black" face="arial" size="2">

<div style="font-family: arial,helvetica; font-size: 10pt; color: black;">


<div>

<font color="black" face="arial" size="2"><font color="black" face="arial" size="2">



<div> <br>


I have seen this on the Turkish OWASP mailing list. It is not smart but useful for testing WAF systems.<br>


<br>


waf tester - <a href="http://ttlexpired.com/blog/?p=234" target="_blank">http://ttlexpired.com/blog/?p=234</a><br>


<br>


Cheers<br>


<br>



</div><div class="im">







<div> 




<div class="MsoNormal"><b><span style="font-size: 10pt;" lang="EN-US">From:</span></b><span style="font-size: 10pt;" lang="EN-US"> <a href="mailto:websecurity-bounces@lists.webappsec.org" target="_blank">websecurity-bounces@lists.webappsec.org</a>
[mailto:<a href="mailto:websecurity-bounces@lists.webappsec.org" target="_blank">websecurity-bounces@lists.webappsec.org</a>] <b>On Behalf Of </b>Ryan
Dewhurst<br>



<b>Sent:</b> Wednesday, February 02, 2011 1:37 PM<br>



<b>To:</b> <a href="mailto:websecurity@lists.webappsec.org" target="_blank">websecurity@lists.webappsec.org</a><br>



<b>Subject:</b> [WEB SECURITY] WAF XSS Fuzzer?!</span></div>







<div class="MsoNormal"><span lang="EN-US"> </span></div>







<div class="MsoNormal"><span lang="EN-US">Hi list,<br>



<br>



I was wondering if such a thing existed and if not, would such a thing be
possible? <br>



<br>



Or does WAF evasion always need some degree of intelligence to produce a viable
payload?<br>



<br>



I must admit my WAF evasion knowledge is quite poor. I am awaiting The Web
Application Obfuscation book as a starting point.<br>



<br>



Thanks,<br>



Ryan<br>



</span></div>





</div>







<div style="clear: both;"></div>



</div></font></font>

</div>

 
</div>

</font></font>
<br></blockquote></div><br>