🛡️ WAF Playground
Test your Web Application Firewall with legitimate requests and attack simulations
⚠️ Warning: This tool is for educational and testing purposes only. Use only against your own systems or with explicit permission.
✅ Legitimate User Requests
Normal Search: ?search=blue shoes
Standard Login: username=john.doe@example.com
API Request: GET /api/products/12345
Contact Form: name=John&message=Hello
JSON API: {"action": "update", "id": 123}
Pagination: ?page=2&limit=10&sort=date
Product Filter: ?category=electronics&price=100-500
Update Profile: name=Jane&bio=Software Developer
💉 SQL Injection
Basic SQL Injection: ' OR '1'='1
UNION SELECT Attack
Blind SQL Injection with SLEEP
Stacked Queries: ; DROP TABLE users
🎭 Cross-Site Scripting (XSS)
Basic XSS: <script>alert('XSS')</script>
IMG Tag XSS Attack
Encoded XSS Payload
DOM-based XSS Attempt
💻 Command Injection
Read /etc/passwd: ; cat /etc/passwd
Pipe Command: | ls -la
Backtick Injection: `whoami`
Base64 Encoded Command
📁 Path Traversal
Basic: ../../../etc/passwd
URL Encoded Path Traversal
Double Encoding: ..%252f..%252f
Unicode Encoding Bypass
📄 XML External Entity (XXE)
Basic XXE: External Entity
Blind XXE with OOB
Billion Laughs Attack
XXE to SSRF
🔗 Protocol & Header Attacks
HTTP Request Smuggling
CRLF Injection: %0d%0a
Unusual HTTP Methods
🔍 LDAP & NoSQL Injection
LDAP Injection: *)(uid=*
NoSQL Injection: {$ne: null}
Blind LDAP Injection
🔎 Scanner & Bot Patterns
SQLMap: Complex Multi-Vector Payload
DirBuster: Common Sensitive Paths
Burp Suite: Automated Scan Pattern
📊 Response Log