Wafw00f

From aldeid

Description

Web Application Firewalls (WAFs) can be detected through stimulus/response testing: a benign request and a hostile-looking one are sent, and differences in how the server answers give the WAF away. Here is a short listing of possible detection methods:

  • Cookies: some WAF products add their own cookie to the HTTP exchange.
  • Server cloaking: the WAF rewrites URLs and response headers.
  • Response codes: hostile pages or parameter values receive different error codes than benign ones.
  • Drop action: the connection is closed with a FIN/RST packet (technically this could also be an IDS/IPS).
  • Pre-built rules: each WAF ships with its own set of negative security signatures.

WafW00f relies on these behaviours to identify remote WAFs.
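The same signals, reduced to a comparison between the response to a benign request and the response to a hostile-looking one, as an added Python 3 example (not wafw00f's own code; the cookie-name table and the sample HTTP responses are constructed for illustration):

```python
from dataclasses import dataclass

# Cookie names that some WAF products add to the exchange. Illustrative table
# constructed for this example; a real signature set would be far larger.
WAF_COOKIES = {
    "ns_af": "Citrix NetScaler",
    "__cfduid": "Cloudflare",
    "barra_counter_session": "Barracuda",
}

@dataclass
class Response:
    status: int
    headers: dict   # lower-cased header name -> value
    cookies: set    # names of cookies set by Set-Cookie headers

def parse_response(raw):
    """Parse a raw HTTP/1.x response (status line + headers) into a Response.
    Every Set-Cookie header contributes its cookie name to the cookie set."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers, cookies = {}, set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.add(value.split("=", 1)[0])
        else:
            headers[name] = value
    return Response(status, headers, cookies)

def detect_waf(normal, hostile):
    """Compare the benign response (normal) with the response to the request
    carrying a hostile-looking parameter (hostile). hostile is None when the
    connection was dropped (FIN/RST) before any response arrived.
    Returns (identified_product_or_None, list_of_reasons)."""
    reasons, product = [], None
    if hostile is None:
        reasons.append("Blocking is being done at connection/packet level.")
        return product, reasons
    for name in sorted(normal.cookies | hostile.cookies):
        if name in WAF_COOKIES:          # cookie signal
            product = WAF_COOKIES[name]
            reasons.append("WAF cookie %s set" % name)
    if normal.status != hostile.status:  # response-code signal
        reasons.append("status %d for benign vs %d for hostile request"
                       % (normal.status, hostile.status))
    if normal.headers.get("server") != hostile.headers.get("server"):
        reasons.append("Server header differs between requests (cloaking)")
    return product, reasons

# Constructed sample exchange: the benign request gets a normal page, the
# hostile one a 403 carrying a product-specific cookie.
NORMAL = parse_response("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                        "Set-Cookie: PHPSESSID=abc\r\n\r\n<html>")
HOSTILE = parse_response("HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n"
                         "Set-Cookie: ns_af=deadbeef; Path=/\r\n\r\n")
```

Running detect_waf(NORMAL, HOSTILE) names the product from the cookie and also reports the status-code change; passing None as the hostile response yields the connection-level "generic detection" verdict seen in the aldeid.com example below.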

Installation

$ cd /data/pentest/web/
$ svn checkout http://waffit.googlecode.com/svn/trunk/ waffit-read-only

Usage

To use WafW00F, simply issue:

$ cd /data/pentest/web/waffit-read-only/
$ python wafw00f.py <url>

Examples

$ python wafw00f.py http://www.enkn.net
                                ^     ^
       _   __  _   ____ _   __  _    _   ____
      ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
     | V V // o // _/ | V V // 0 // 0 // _/  
     |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                               <   
                                ...'

   WAFW00F - Web Application Firewall Detection Tool
   
   By Sandro Gauci && Wendel G. Henrique

Checking http://www.enkn.net
The site http://www.enkn.net is behind a ModSecurity
Number of requests: 6
$ python wafw00f.py http://www.aldeid.com
                                ^     ^
       _   __  _   ____ _   __  _    _   ____
      ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
     | V V // o // _/ | V V // 0 // 0 // _/  
     |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                               <   
                                ...'
                                
   WAFW00F - Web Application Firewall Detection Tool
   
   By Sandro Gauci && Wendel G. Henrique

Checking http://www.aldeid.com
Generic Detection results:
The site http://www.aldeid.com seems to be behind a WAF 
Reason: Blocking is being done at connection/packet level.
Number of requests: 13
$ python wafw00f.py http://www.microsoft.com
                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/  
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                                <   
                                 ...'
                                 
    WAFW00F - Web Application Firewall Detection Tool
    
    By Sandro Gauci && Wendel G. Henrique

Checking http://www.microsoft.com
The site http://www.microsoft.com is behind a Citrix NetScaler
Number of requests: 5
