i web application firewall detection – All things in moderation

web application firewall detection

A web application firewall filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

In this article, I will intro to some tools to detect what the web application firewall Which precedes a web application.

Usage tools

wafw00f

WAFW00F identifies and fingerprints Web Application Firewall (WAF) products. To do this, WAFW00F does the following:

– wafw00f Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
– If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
– If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks

Features: List firwall wafw00f can detect

Anquanbao
FortiWeb
Naxsi
Juniper WebApp Secure
IBM Web Application Security
Cisco ACE XML Gateway
AWS WAF
Better WP Security
F5 BIG-IP ASM
Citrix NetScaler
ModSecurity (OWASP CRS)
F5 BIG-IP APM
360WangZhanBao
Mission Control Application Shield
PowerCDN
Safedog
Sucuri WAF
F5 FirePass
DenyALL WAF
Trustwave ModSecurity
CloudFlare
Profense
Wallarm
Incapsula WAF
Radware AppWall
F5 BIG-IP LTM
Art of Defence HyperGuard
Aqtronix WebKnight
Teros WAF
eEye Digital Security SecureIIS
BinarySec
IBM DataPower
Microsoft ISA Server
NetContinuum
NSFocus
ChinaCache-CDN
West263CDN
InfoGuard Airlock
AdNovum nevisProxy
Barracuda Application Firewall
Comodo WAF
Imperva SecureSphere
BlockDoS
Edgecast / Verizon Digital media
Microsoft URLScan
Applicure dotDefender
USP Secure Entry Server
F5 Trafficshield

Installation:

Dependencies: wafw00f running on Python 2.7.x

git clone https://github.com/EnableSecurity/wafw00f && cd wafw00f
python setup.py install
cd wafw00f/bin
./wafw00f -l

Usage:

wafw00f -l ; List WAFs this tool is able to detect
wafw00f https://example.com/ ; Detect WAFs on website example.com

WhatWaf

WhatWaf is an advanced firewall detection tool who’s goal is to give you the idea of “There’s a WAF?”. WhatWaf works by detecting a firewall on a web application, and attempting to detect a bypass (or two) for said firewall, on the specified target.

Featues:

– Ability to run on a single URL with the -u/–url flag

– Ability to run through a list of URL’s with the -l/–list flag

– Ability to detect over 40 different firewalls

– Ability to try over 20 different tampering techniques

– Ability to pass your own payloads either from a file, from the terminal, or use the default payloads

– Default payloads that should produce at least one WAF triggering

– Ability to bypass firewalls using both SQLi techniques and cross site scripting techniques

– Ability to run behind any proxy type that matches this regex:(socks\d+)?(http(s)?)?://

– Ability to use a random user agent, personal user agent, or custom default user agent

– Auto assign protocol to HTTP or ability to force protocol to HTTPS

– A built in encoder so you can encode your payloads into the discovered bypasses

– Automatic issue creation if an unknown firewall is discovered

– Ability to send output to a JSON, CSV, or YAML file

– …

Installation:

whatwaf running on Python 2.7.x

git clone https://github.com/ekultek/whatwaf.git
cd whatwaf
chmod +x whatwaf.py
pip install -r requirements.txt
./whatwaf.py --help

**Usage: **

./whatwaf.py --help ; Command instructions
./whatwaf.py -u http://example.com/ ;  run on a single URL
./whatwaf.py -l list.txt ; run through a list of URL's 

Leave a Reply