From a penetration testing perspective to identify if a Web Application Firewall (WAF) is in place is essential. The next question is, does an administrator need to know this? My view is, anyone who is in charge of any system that has implemented some sort of WAF needs to verify this tool is working, at least on a very basic basis. Many organizations have placed this kind of security tool to protect their publicly available services but, is it working from the outside? Is the whitelisted IP really allowed to go through with the WAF not affecting its queries? Simply put, how to detect a WAF?
If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.
Many of these questions can be answered with simple tools like Wafw00f or WhatWAF. Both can detect multiple different WAF vendors. For example Wafw00f can detect products from the following list:
|
WAF Name |
Manufacturer |
|
|
|
|
ACE XML Gateway |
Cisco |
|
aeSecure |
aeSecure |
|
AireeCDN |
Airee |
|
Airlock |
Phion/Ergon |
|
Alert Logic |
Alert Logic |
|
AliYunDun |
Alibaba Cloud Computing |
|
Anquanbao |
Anquanbao |
|
AnYu |
AnYu Technologies |
|
Approach |
Approach |
|
AppWall |
Radware |
|
Armor Defense |
Armor |
|
ArvanCloud |
ArvanCloud |
|
ASP.NET Generic |
Microsoft |
|
ASPA Firewall |
ASPA Engineering Co. |
|
Astra |
Czar Securities |
|
AWS Elastic Load Balancer |
Amazon |
|
AzionCDN |
AzionCDN |
|
Azure Front Door |
Microsoft |
|
Barikode |
Ethic Ninja |
|
Barracuda |
Barracuda Networks |
|
Bekchy |
Faydata Technologies Inc. |
|
Beluga CDN |
Beluga |
|
BIG-IP Local Traffic Manager |
F5 Networks |
|
BinarySec |
BinarySec |
|
BitNinja |
BitNinja |
|
BlockDoS |
BlockDoS |
|
Bluedon |
Bluedon IST |
|
BulletProof Security Pro |
AITpro Security |
|
CacheWall |
Varnish |
|
CacheFly CDN |
CacheFly |
|
Comodo cWatch |
Comodo CyberSecurity |
|
CdnNS Application Gateway |
CdnNs/WdidcNet |
|
ChinaCache Load Balancer |
ChinaCache |
|
Chuang Yu Shield |
Yunaq |
|
Cloudbric |
Penta Security |
|
Cloudflare |
Cloudflare Inc. |
|
Cloudfloor |
Cloudfloor DNS |
|
Cloudfront |
Amazon |
|
CrawlProtect |
Jean-Denis Brun |
|
DataPower |
IBM |
|
DenyALL |
Rohde & Schwarz CyberSecurity |
|
Distil |
Distil Networks |
|
DOSarrest |
DOSarrest Internet Security |
|
DotDefender |
Applicure Technologies |
|
DynamicWeb Injection Check |
DynamicWeb |
|
Edgecast |
Verizon Digital Media |
|
Eisoo Cloud Firewall |
Eisoo |
|
Expression Engine |
EllisLab |
|
BIG-IP AppSec Manager |
F5 Networks |
|
BIG-IP AP Manager |
F5 Networks |
|
Fastly |
Fastly CDN |
|
FirePass |
F5 Networks |
|
FortiWeb |
Fortinet |
|
GoDaddy Website Protection |
GoDaddy |
|
Greywizard |
Grey Wizard |
|
Huawei Cloud Firewall |
Huawei |
|
HyperGuard |
Art of Defense |
|
Imunify360 |
CloudLinux |
|
Incapsula |
Imperva Inc. |
|
IndusGuard |
Indusface |
|
Instart DX |
Instart Logic |
|
ISA Server |
Microsoft |
|
Janusec Application Gateway |
Janusec |
|
Jiasule |
Jiasule |
|
Kona SiteDefender |
Akamai |
|
KS-WAF |
KnownSec |
|
KeyCDN |
KeyCDN |
|
LimeLight CDN |
LimeLight |
|
LiteSpeed |
LiteSpeed Technologies |
|
Open-Resty Lua Nginx |
FLOSS |
|
Oracle Cloud |
Oracle |
|
Malcare |
Inactiv |
|
MaxCDN |
MaxCDN |
|
Mission Control Shield |
Mission Control |
|
ModSecurity |
SpiderLabs |
|
NAXSI |
NBS Systems |
|
Nemesida |
PentestIt |
|
NevisProxy |
AdNovum |
|
NetContinuum |
Barracuda Networks |
|
NetScaler AppFirewall |
Citrix Systems |
|
Newdefend |
NewDefend |
|
NexusGuard Firewall |
NexusGuard |
|
NinjaFirewall |
NinTechNet |
|
NullDDoS Protection |
NullDDoS |
|
NSFocus |
NSFocus Global Inc. |
|
OnMessage Shield |
BlackBaud |
|
Palo Alto Next Gen Firewall |
Palo Alto Networks |
|
PerimeterX |
PerimeterX |
|
PentaWAF |
Global Network Services |
|
pkSecurity IDS |
pkSec |
|
PT Application Firewall |
Positive Technologies |
|
PowerCDN |
PowerCDN |
|
Profense |
ArmorLogic |
|
Puhui |
Puhui |
|
Qiniu |
Qiniu CDN |
|
Reblaze |
Reblaze |
|
RSFirewall |
RSJoomla! |
|
RequestValidationMode |
Microsoft |
|
Sabre Firewall |
Sabre |
|
Safe3 Web Firewall |
Safe3 |
|
Safedog |
SafeDog |
|
Safeline |
Chaitin Tech. |
|
SecKing |
SecKing |
|
eEye SecureIIS |
BeyondTrust |
|
SecuPress WP Security |
SecuPress |
|
SecureSphere |
Imperva Inc. |
|
Secure Entry |
United Security Providers |
|
SEnginx |
Neusoft |
|
ServerDefender VP |
Port80 Software |
|
Shield Security |
One Dollar Plugin |
|
Shadow Daemon |
Zecure |
|
SiteGround |
SiteGround |
|
SiteGuard |
Sakura Inc. |
|
Sitelock |
TrueShield |
|
SonicWall |
Dell |
|
UTM Web Protection |
Sophos |
|
Squarespace |
Squarespace |
|
SquidProxy IDS |
SquidProxy |
|
StackPath |
StackPath |
|
Sucuri CloudProxy |
Sucuri Inc. |
|
Tencent Cloud Firewall |
Tencent Technologies |
|
Teros |
Citrix Systems |
|
Trafficshield |
F5 Networks |
|
TransIP Web Firewall |
TransIP |
|
URLMaster SecurityCheck |
iFinity/DotNetNuke |
|
URLScan |
Microsoft |
|
UEWaf |
UCloud |
|
Varnish |
OWASP |
|
Viettel |
Cloudrity |
|
VirusDie |
VirusDie LLC |
|
Wallarm |
Wallarm Inc. |
|
WatchGuard |
WatchGuard Technologies |
|
WebARX |
WebARX Security Solutions |
|
WebKnight |
AQTRONIX |
|
WebLand |
WebLand |
|
RayWAF |
WebRay Solutions |
|
WebSEAL |
IBM |
|
WebTotem |
WebTotem |
|
West263 CDN |
West263CDN |
|
Wordfence |
Defiant |
|
WP Cerber Security |
Cerber Tech |
|
WTS-WAF |
WTS |
|
360WangZhanBao |
360 Technologies |
|
XLabs Security WAF |
XLabs |
|
Xuanwudun |
Xuanwudun |
|
Yundun |
Yundun |
|
Yunsuo |
Yunsuo |
|
Yunjiasu |
Baidu Cloud Computing |
|
YXLink |
YxLink Technologies |
|
Zenedge |
Zenedge |
|
ZScaler |
Accenture |
But how to install this Wafw00f tool? Well, if you happen to use any of the mainstream GNU/Linux distributions this may well be as easy as with any other package.
In Debian for instance to install Wafw00f one just needs to type:
sudo apt install wafw00f
On the RHEL family things are not very complicated either.
sudo dnf install wafw00f
Fedora 33 example here:
[[email protected] ~]$ sudo dnf install wafw00f
Última comprovació del venciment de les metadades: fa 0:05:01 el diumenge, 21 de març de 2021, 17:17:12.
S'han resolt les dependències.
========================================================================================================================
Package Architecture Version Repository Size
========================================================================================================================
Instal·lar:
wafw00f noarch 2.1.0-4.fc33 fedora 125 k
Instal·lar les dependències:
python3-chardet noarch 3.0.4-18.fc33 fedora 194 k
python3-idna noarch 2.10-2.fc33 fedora 99 k
python3-pluginbase noarch 1.0.0-7.fc33 fedora 21 k
python3-pysocks noarch 1.7.1-7.fc33 fedora 35 k
python3-requests noarch 2.24.0-3.fc33 fedora 113 k
python3-requests+socks noarch 2.24.0-3.fc33 fedora 9.8 k
python3-urllib3 noarch 1.25.8-4.fc33 fedora 172 k
Resum de la transacció
========================================================================================================================
Instal·la 8 Paquets
Mida total de la baixada: 769 k
Mida un cop instal·lat: 2.6 M
És correcte? [s/N]: y
----------
[[email protected] ~]$
However, since I am a FreeBSD user and proponent, I will show here how to install Wafw00f on FreeBSD and one example on how to use it, so anyone who wants to detect a WAF on this BSD can do it.
Just for anyone to see I’m doing this on a FreeBSD 13 system, release candidate 2.
[email protected]:~ % freebsd-version
13.0-RC2
If anyone looks for a package containing the WAF string this is what’s going to be found.
[email protected]:~ % pkg search waf
ko-munhwafonts-cid-1.0_3 Munhwa CID fonts collection(Basic set)
rubygem-aws-sdk-waf-1.37.0 Official AWS Ruby gem for AWS WAF (WAF)
rubygem-aws-sdk-wafregional-1.38.0 Official AWS Ruby gem for AWS WAF Regional (WAF Regional)
rubygem-aws-sdk-wafv2-1.16.0 Official AWS Ruby gem for AWS WAFV2 (WAFV2)
waffle-1.6.1.15 Library that allows to defer selection of an OpenGL API until runtime
So, as you can see there’s no wafw00f package on FreeBSD. What to do?
Wafw00f is basically a Pythong application. One needs to install python, the pip tool to install python written software and off we go.
Let’s install Python-pip first on this FreeBSD 13 system.
[email protected]:~ % sudo pkg install py37-pip
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
libffi: 3.3_1
py37-pip: 20.2.3
py37-setuptools: 44.0.0
python37: 3.7.10
readline: 8.1.0
Number of packages to be installed: 5
The process will require 128 MiB more space.
19 MiB to be downloaded.
Proceed with this action? [y/N]: y
…...
As you can see, the Python language is a dependency for this package, so with this one command you’ll get the lot.
Once installed let’s update the python-pip library.
[email protected]:~ % sudo pip install --upgrade pip
Collecting pip
Downloading pip-21.0.1-py3-none-any.whl (1.5 MB)
|████████████████████████████████| 1.5 MB 1.3 MB/s
Installing collected packages: pip
Attempting uninstall: pip
Found existing installation: pip 20.2.3
Uninstalling pip-20.2.3:
Successfully uninstalled pip-20.2.3
Successfully installed pip-21.0.1
Now we’ve got the latest version of available software to be installed through the python-pip tool, we can install wafw00f.
[email protected]:~ % sudo pip install wafw00f
Collecting wafw00f
Downloading wafw00f-2.1.0.tar.gz (35 kB)
Collecting requests
Downloading requests-2.25.1-py2.py3-none-any.whl (61 kB)
|████████████████████████████████| 61 kB 2.4 MB/s
Collecting pluginbase
Downloading pluginbase-1.0.0.tar.gz (41 kB)
|████████████████████████████████| 41 kB 309 kB/s
Collecting idna<3,>=2.5
Downloading idna-2.10-py2.py3-none-any.whl (58 kB)
|████████████████████████████████| 58 kB 1.3 MB/s
Collecting urllib3<1.27,>=1.21.1
Downloading urllib3-1.26.4-py2.py3-none-any.whl (153 kB)
|████████████████████████████████| 153 kB 1.1 MB/s
Collecting certifi>=2017.4.17
Downloading certifi-2020.12.5-py2.py3-none-any.whl (147 kB)
|████████████████████████████████| 147 kB 2.0 MB/s
Collecting chardet<5,>=3.0.2
Downloading chardet-4.0.0-py2.py3-none-any.whl (178 kB)
|████████████████████████████████| 178 kB 2.1 MB/s
Collecting PySocks!=1.5.7,>=1.5.6
Downloading PySocks-1.7.1-py3-none-any.whl (16 kB)
Using legacy 'setup.py install' for wafw00f, since package 'wheel' is not installed.
Using legacy 'setup.py install' for pluginbase, since package 'wheel' is not installed.
Installing collected packages: urllib3, idna, chardet, certifi, requests, PySocks, pluginbase, wafw00f
Running setup.py install for pluginbase ... done
Running setup.py install for wafw00f ... done
Successfully installed PySocks-1.7.1 certifi-2020.12.5 chardet-4.0.0 idna-2.10 pluginbase-1.0.0 requests-2.25.1 urllib3-1.26.4 wafw00f-2.1.0
Let’s test Wafw00f.
Disclaimer: Do ONLY use this tool against authorized targets. Performing the tasks described here may constitute an offense in your country. Do not use this tool or procedures at scale without obtaining permission from system’s owners. The process described here is just for demonstration purposes.
Test against a target with a WAF up and running:
As you can see the tool has realized there’s some kind of WAF tool on this site since when if was performing an XSS type of attack it received a forbidden answer from the web server. However when performing regular GET queries the result was a happy 200 answer.
Let’s now perform the same test to a site I know that hasn’t got any WAF solution. This is basically a local test box with just a fresh Apache install and nothing else.
With this tool in the box now there’s no excuse to answer if a WAF is in front of you. You now know how to detect a WAF. Hope this helps someone.
Use this link to get 100 $ credit at DigitalOcean and support Adminbyaccident.com hosting costs.