Web Application Firewalls (WAFs) can be detected through
stimulus/response testing. Here is a short list of possible
detection methods:
- Cookies: Some WAF products add their own cookie to the HTTP communication.
- Server Cloaking: Altering URLs and Response Headers
- Response Codes: Different error codes for hostile pages/parameter values
- Drop Action: Sending a FIN/RST packet (technically could also be an IDS/IPS)
- Pre Built-In Rules: Each WAF has different negative security signatures
WafW00f relies on these assumptions to detect remote WAFs.
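
The cookie, header, response-code and drop signals from the list above, expressed as a comparison between two recorded responses, which is a quick way to see what a WAF deployment reveals about itself. This is an added example, not WafW00f's code; the response dict layout, the function names and the sample data (including the cookie name example_waf_id) are assumptions made for illustration.

```python
# Added illustration; every response below is constructed sample data.
def cookie_names(headers):
    """Names of cookies set by a response (headers: list of (key, value))."""
    return {v.split("=", 1)[0].strip()
            for k, v in headers if k.lower() == "set-cookie"}

def header_value(headers, name):
    """First value of a header, matched case-insensitively, or None."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None

def waf_signals(baseline, probe):
    """Signals from the list above that separate probe from baseline.

    A response is {"status": int or None, "headers": [...], "dropped": bool};
    "dropped" means the connection was closed before any HTTP response.
    """
    if probe["dropped"] and not baseline["dropped"]:
        # No HTTP response exists, so there is nothing else to compare.
        return ["drop action: connection closed at packet level"]
    signals = []
    extra = cookie_names(probe["headers"]) - cookie_names(baseline["headers"])
    if extra:
        signals.append("cookies: new cookie(s) " + ", ".join(sorted(extra)))
    before = header_value(baseline["headers"], "Server")
    after = header_value(probe["headers"], "Server")
    if before != after:
        signals.append(f"server cloaking: Server header {before!r} -> {after!r}")
    if probe["status"] != baseline["status"]:
        signals.append(f"response codes: {baseline['status']} -> {probe['status']}")
    return signals

# Constructed responses: a normal page, a blocked request, a reset connection.
BASELINE = {"status": 200, "dropped": False,
            "headers": [("Server", "Apache"), ("Set-Cookie", "session=abc; Path=/")]}
BLOCKED = {"status": 403, "dropped": False,
           "headers": [("Server", "gateway"), ("Set-Cookie", "session=abc; Path=/"),
                       ("Set-Cookie", "example_waf_id=1; Path=/")]}
RESET = {"status": None, "dropped": True, "headers": []}

if __name__ == "__main__":
    for label, probe in (("blocked", BLOCKED), ("reset", RESET)):
        print(label, waf_signals(BASELINE, probe))
```

The reset case corresponds to the "Blocking is being done at connection/packet level" reason in the WafW00f output shown below.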
Tutorials ::
$ python wafw00f.py http://www.aldeid.com
^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'
WAFW00F - Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking http://www.aldeid.com
Generic Detection results:
The site http://www.aldeid.com seems to be behind a WAF
Reason: Blocking is being done at connection/packet level.
Number of requests: 13
Download ::
Linux ::
$ cd /data/pentest/web/
$ svn checkout http://waffit.googlecode.com/svn/trunk/ waffit-read-only
Official Website :: http://www.aldeid.com/wiki/Wafw00f