WAFW00F – Web Application Firewall Fingerprinting – All things in moderation

WAFW00F – Web Application Firewall Fingerprinting

Introduction

A WAF (Web Application Firewall) is a security tool that detects and blocks various types of attacks in order to protect a website, including SQL injection, XSS, local file inclusion and others.

WAFW00F is a tool written in Python by Sandro Gauci and Wendel G. Henrique to find the WAF that is protecting a web server. A penetration tester can learn the name of the installed Web Application Firewall before the exploitation phase begins.

Homepage: https://github.com/sandrogauci/wafw00f

How does it work?

To do its magic, WAFW00F does the following:

  • Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
  • If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
  • If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks
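The first step above (a normal request, then a look for tell-tale headers and cookies) as an added Python example; this is not wafw00f's own code, the signature table is a short hand-picked set of public fingerprints assumed for illustration, and every sample response is constructed inline.

```python
# Added illustrative example (not wafw00f's own code): the post's first step,
# passive fingerprinting of a normal HTTP response by its headers and cookies.
import re
from typing import Dict, List, Tuple

# (WAF name, lower-cased header name, regex on value); "set-cookie" is matched
# per cookie. Short hand-picked set of public fingerprints, for illustration.
SIGNATURES: List[Tuple[str, str, str]] = [
    ("CloudFlare", "server", r"cloudflare"),
    ("CloudFlare", "cf-ray", r"."),
    ("Incapsula WAF", "set-cookie", r"(incap_ses|visid_incap)"),
    ("F5 BIG-IP LTM", "set-cookie", r"BIGipServer"),
    ("Citrix NetScaler", "set-cookie", r"(ns_af|citrix_ns_id)"),
    ("ModSecurity (OWASP CRS)", "server", r"(mod_security|noyb)"),
]


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into (status code, header map).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def identify_waf(raw: str) -> List[str]:
    """Return the distinct WAF names whose signatures match the response."""
    _, headers = parse_response(raw)
    found: List[str] = []
    for name, header, pattern in SIGNATURES:
        for value in headers.get(header, []):
            if re.search(pattern, value, re.IGNORECASE) and name not in found:
                found.append(name)
    return found


# Constructed sample responses, not captured from any real site.
SAMPLE_CLOUDFLARE = ("HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
                     "CF-RAY: 0123456789abcdef-EXAMPLE\r\n\r\n<html></html>")
SAMPLE_BIGIP = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                "Set-Cookie: BIGipServerpool_web=1234.5678.0000; path=/\r\n\r\n")
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("cloudflare", SAMPLE_CLOUDFLARE),
                       ("bigip", SAMPLE_BIGIP), ("plain", SAMPLE_PLAIN)):
        print(label, "->", identify_waf(raw) or "no WAF detected")
```

The same matcher run against your own site's responses shows which product-specific headers and cookies the WAF leaks, which is what the fingerprinting relies on.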

Currently WAFW00F can detect the following WAFs:
Anquanbao
Juniper WebApp Secure
IBM Web Application Security
Cisco ACE XML Gateway
Better WP Security
F5 BIG-IP APM
360WangZhanBao
ModSecurity (OWASP CRS)
PowerCDN
Safedog
F5 FirePass
DenyALL WAF
Trustwave ModSecurity
CloudFlare
Imperva SecureSphere
Incapsula WAF
Citrix NetScaler
F5 BIG-IP LTM
Art of Defence HyperGuard
Aqtronix WebKnight
Teros WAF
eEye Digital Security SecureIIS
BinarySec
IBM DataPower
Microsoft ISA Server
NetContinuum
NSFocus
ChinaCache-CDN
West263CDN
InfoGuard Airlock
AdNovum nevisProxy
Barracuda Application Firewall
F5 BIG-IP ASM
Profense
Mission Control Application Shield
Microsoft URLScan
Applicure dotDefender
USP Secure Entry Server
F5 Trafficshield

Installation

  • Tested on Ubuntu 14.04 with Python 2.7
  • Download the source from GitHub: git clone https://github.com/EnableSecurity/wafw00f.git
  • Run setup.py: python setup.py install

WAFW00F Usage:

1. Options

Syntax: wafw00f url1 [url2 [url3 ... ]]
Example: wafw00f http://vulnweb.com/
 -h, --help    show this help message and exit
 -v, --verbose enable verbosity - multiple -v options increase verbosity
 -a, --findall Find all WAFs, do not stop testing on the first one
 -r, --disableredirect    Do not follow redirections given by 3xx responses
 -t TEST, --test=TEST     Test for one specific WAF
 -l, --list    List all WAFs that we are able to detect
 --xmlrpc      Switch on the XML-RPC interface instead of CUI
 --xmlrpcport=XMLRPCPORT  Specify an alternative port to listen on, default 8001
 -V, --version Print out the version

2. Examples
Detecting WAFs on some websites

  • No WAF detected:

  • WAFW00F detects ModSecurity (OWASP CRS) on owasp.org

References:

https://github.com/EnableSecurity/wafw00f
