Web application firewalls (WAFs) are one of the strongest defenses a web app has, but they can become a liability when the exact firewall and version in use are known to an attacker. Identifying which firewall a target uses is often the first step for a hacker working out how to get past it, and it reveals which defenses are in place. The Wafw00f and Nmap tools make fingerprinting firewalls easy.
Although most web application firewalls, or WAFs, are good at defending the services they protect, they become vulnerable when an exploitable flaw is discovered. If a firewall has not been updated for a long time, it can be easy to learn its rules and work around them to find a way in. Doing this manually is tedious and relies on interpreting the distinctive ways a WAF responds to specific web requests. Based on the responses to a series of carefully crafted web requests, Wafw00f can determine the underlying firewall used by the service it is probing. The list of WAFs that Wafw00f can detect is impressive and includes the following, from an ever-growing list:
aeSecure (aeSecure), Airlock (Phion / Ergon), Alert Logic (Alert Logic), AliYunDun (Alibaba Cloud Computing), Anquanbao (Anquanbao), AnYu (AnYu Technologies), Approach (Approach), Armor Defense (Armor), ASP.NET generic protection (Microsoft), Astra Web Protection (Czar Securities), AWS Elastic Load Balancer (Amazon), Yunjiasu (Baidu Cloud Computing), Barikode (Ninja Ethics), Barracuda Application Firewall (Barracuda Networks), Bekchy (Faydata Technologies Inc.), BinarySec (BinarySec), BitNinja (BitNinja), BlockDoS (BlockDoS), Bluedon (Bluedon IST), CacheWall (Varnish), CdnNS Application Gateway (CdnNs / WdidcNet), WP Cerber Security (Cerber Tech), ChinaCache CDN Load Balancer (ChinaCache), Chuang Yu Shield (Yunaq), ACE XML Gateway (Cisco), Cloudbric (Penta Security), Cloudflare (Cloudflare Inc.), Cloudfront (Amazon), Comodo cWatch (Comodo CyberSecurity), CrawlProtect (Jean-Denis Brun), DenyALL (Rohde & Schwarz CyberSecurity), Distil (Distil Networks), DOSarrest (DOSarrest Internet Security), DotDefender (Applicure Technologies), DynamicWeb Injection Check (DynamicWeb), Edgecast (Verizon Digital Media), Expression Engine (EllisLab), BIG-IP Access Policy Manager (F5 Networks), BIG-IP Application Security Manager (F5 Networks), BIG-IP Local Traffic Manager (F5 Networks), FirePass (F5 Networks), Traffic Shield (F5 Networks), FortiWeb (Fortinet), GoDaddy Website Protection (GoDaddy), GreyWizard (Grey Wizard), HyperGuard (Art of Defense), DataPower (IBM), Imunify360 (CloudLinux), Incapsula (Imperva Inc.),
Instart DX (Instart Logic), ISA Server (Microsoft), Janusec Application Gateway (Janusec), Jiasule (Jiasule), KS-WAF (KnownSec), Kona Site Defender (Akamai), LiteSpeed Firewall (LiteSpeed Technologies), Malcare (Inactiv), Mission Control Application Shield (Mission Control), ModSecurity (SpiderLabs), NAXSI (NBS Systems), Nemesida (PentestIt), NetContinuum (Barracuda Networks), NetScaler AppFirewall (Citrix Systems), NevisProxy (AdNovum), Newdefend (NewDefend), NexusGuard Firewall (NexusGuard), NinjaFirewall (NinTechNet), NSFocus (NSFocus Global Inc.), OnMessage Shield (BlackBaud), Open-Resty Lua Nginx WAF, Palo Alto Next Gen Firewall (Palo Alto Networks), PerimeterX (PerimeterX), pkSecurity Intrusion Detection System, PowerCDN (PowerCDN), Profense (ArmorLogic), AppWall (Radware), Reblaze (Reblaze), RSFirewall (RSJoomla!), ASP.NET RequestValidationMode (Microsoft), Sabre Firewall (Sabre), Safe3 Web Firewall (Safe3), Safedog (SafeDog), Safeline (Chaitin Tech.), SecuPress WordPress Security (SecuPress), Secure Entry (United Security Providers), eEye SecureIIS (BeyondTrust), SecureSphere (Imperva Inc.), SEnginx (Neusoft), Shield Security (One Dollar Plugin), SiteGround (SiteGround), SiteGuard (Sakura Inc.), Sitelock (TrueShield), SonicWall (Dell), UTM Web Protection (Sophos), Squarespace (Squarespace), StackPath (StackPath), Sucuri CloudProxy (Sucuri Inc.), Tencent Cloud Firewall (Tencent Technologies), Teros (Citrix Systems), TransIP Web Firewall (TransIP), URLMaster SecurityCheck (iFinity / DotNetNuke), URLScan (Microsoft), Varnish (OWASP), VirusDie (VirusDie LLC), Wallarm (Wallarm Inc.), WatchGuard (WatchGuard Technologies), WebARX (WebARX Security Solutions), WebKnight (AQTRONIX), WebSEAL (IBM), WebTotem (WebTotem), West263 Content Delivery Network, Wordfence (Feedjit), WTS-WAF (WTS), 360WangZhanBao (360 Technologies), XLabs Security WAF (XLabs), Xuanwudun, Yundun (Yundun), Yunsuo (Yunsuo), Zenedge (Zenedge), ZScaler (Accenture)
Wafw00f comes pre-installed on Kali Linux, but it can also be installed easily on any system with Python. Although some of the same functions can be performed with Nmap scripts, Wafw00f consistently produced more complete and accurate results during testing.
Tried and true: Nmap scripts for WAF Footprinting
Nmap is easy to install and use, and it ships with scripts that help you learn more about the WAF your target sits behind. Nmap offers two scripts which, like Wafw00f, split the work in two: one detects a WAF and the other fingerprints it. These scripts are adequate, but they are not always as accurate at detecting a WAF as Wafw00f, and you may be surprised when they fail to identify the type of firewall on a service that clearly has one.
Despite this shortcoming, the advantage of scanning for WAFs with Nmap is that it can easily be folded into the other scans used to map a target's attack surface, making it easy for a hacker to script this kind of detection into their regular recon routine. Increasingly, other hacking tools run an Nmap scan with WAF detection as a quick and easy way to provide WAF detection as a module inside a more powerful tool.
For these tools, I recommend a Linux system such as Kali or Ubuntu, although macOS works fine too. I haven't tested this on Windows, but it should work as long as Nmap and Python are installed. Either way, you also need an internet connection to scan targets. You do not have to worry much about scanning most targets online, because this type of recon should not raise too many red flags.
To install Wafw00f, you must already have Python installed and up to date on your system. If you are all set, open a terminal window and type the following to download the GitHub repository.
~# git clone https://github.com/EnableSecurity/wafw00f.git
Cloning into 'wafw00f'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (98/98), done.
remote: Total 3689 (delta 120), reused 113 (delta 74), pack-reused 3517
Receiving objects: 100% (3689/3689), 545.81 KiB | 3.17 MiB/s, done.
Resolving deltas: 100% (2655/2655), done.
Then navigate to the folder that you have just downloaded and install the script with the following commands.
~# cd wafw00f
~/wafw00f# python setup.py install
running install
running bdist_egg
running egg_info
creating wafw00f.egg-info
writing requirements to wafw00f.egg-info/requires.txt
writing wafw00f.egg-info/PKG-INFO
writing top-level names to wafw00f.egg-info/top_level.txt
writing dependency_links to wafw00f.egg-info/dependency_links.txt
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/manager.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/wafprio.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/main.py -> build/lib.linux-x86_64-2.7/wafw00f
creating build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/test_main.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
creating build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/safe3.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/nevisproxy.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/f5bigipasm.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/missioncontrol.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/instartdx.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
...
Installed /usr/local/lib/python2.7/dist-packages/pluginbase-1.0.0-py2.7.egg
Searching for html5lib==1.0.1
Best match: html5lib 1.0.1
Adding html5lib 1.0.1 to easy-install.pth file
Using /usr/lib/python2.7/dist-packages
Finished processing dependencies for wafw00f==1.0.0
That should install everything you need to run the program. To run it, simply type wafw00f in a terminal window. To see the help menu, add the -h flag.
~# wafw00f -h
[WAFW00F ASCII-art banner]
WAFW00F - Web Application Firewall Detection Tool

Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbosity - multiple -v options increase verbosity
  -a, --findall         Find all WAFs, do not stop testing on the first one
  -r, --disableredirect
                        Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that we are able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, example:
                        http://hostname:8080, socks5://hostname:1080
  -V, --version         Print out the version
  -H HEADERSFILE, --headersfile=HEADERSFILE
                        Pass custom headers, for example to overwrite the
                        default User-Agent string
As you can see, there are some useful settings we can adjust, such as -a to keep scanning for additional firewalls after the first positive result.
Let's use Wafw00f to scan a web application and see if we can get a positive result. First up, everyone's favorite company for losing the personal information of Americans: Equifax. We will test the "equifaxsecurity2017.com" page that was set up after it lost everyone's credit information.
To identify the firewall in front of the site, we can use the following command.
~# wafw00f https://equifaxsecurity2017.com
[WAFW00F ASCII-art banner]
WAFW00F - Web Application Firewall Detection Tool

Checking https://equifaxsecurity2017.com
The site https://equifaxsecurity2017.com is behind BIG-IP Application Security Manager (F5 Networks) WAF.
Number of requests: 5
We have identified our first firewall! It may seem simple, but beginners sometimes get confused when they see a result like the one below.
~# wafw00f equifaxsecurity2017.com
[WAFW00F ASCII-art banner]
WAFW00F - Web Application Firewall Detection Tool

Checking http://equifaxsecurity2017.com
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 7
So what's the difference? When we visit equifaxsecurity2017.com, we are immediately redirected to the HTTPS version. The first command targets the HTTPS version, which actually has content and a firewall, while the second command targets the HTTP version of the same site, which only serves a redirect.
If you get no result, it may be because the website you are targeting redirects to a different URL. For a more accurate result, open the site in a browser and copy and paste the URL you are redirected to.
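As an added example (not code from this post or from the wafw00f project), the following Python script shows the response-signature matching described above on a small scale: a hypothetical, simplified table of well-known headers and cookie names is matched against constructed sample responses, and a bare 3xx with no evidence is flagged with the Location to re-check, which is the HTTP-to-HTTPS case just discussed. Reviewing your own site's responses this way shows which headers and cookies give the vendor away.

```python
import re
# Hypothetical, simplified signature table (not wafw00f's plugin code).
SIGNATURES = {
    "Cloudflare": [("header", "cf-ray", r"."), ("header", "server", r"cloudflare")],
    "BIG-IP ASM (F5)": [("cookie", r"^TS[0-9a-zA-Z]{3,8}$", None)],
    "Incapsula (Imperva)": [("header", "x-cdn", r"incapsula"),
                            ("cookie", r"^(incap_ses|visid_incap)_", None)],
    "Sucuri CloudProxy": [("header", "x-sucuri-id", r".")],
}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, cookie names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers, cookies = {}, []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value.split("=", 1)[0].strip())
        else:
            headers[name] = value
    return status, headers, cookies

def fingerprint(raw):
    """Return the WAF evidence found in one response, plus the redirect caveat."""
    status, headers, cookies = parse_response(raw)
    evidence = []
    for waf, rules in SIGNATURES.items():
        for kind, key, pattern in rules:
            if kind == "header" and re.search(pattern, headers.get(key, ""), re.I):
                evidence.append((waf, "header %s: %s" % (key, headers[key])))
            elif kind == "cookie":
                evidence += [(waf, "cookie " + c) for c in cookies if re.search(key, c)]
    result = {"status": status, "evidence": evidence}
    # A bare 3xx with no evidence says nothing about the real site (the
    # HTTP -> HTTPS case in the text): report where to re-run the check.
    if 300 <= status < 400 and not evidence:
        result["retry_at"] = headers.get("location")
    return result

# Constructed sample responses (not captured from any real host).
REDIRECT_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://www.example.test/\r\nContent-Length: 0\r\n\r\n")
F5_HTTPS = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            "Set-Cookie: TS01a2b3c4=0123456789abcdef; Path=/\r\n\r\n<html></html>")
CF_HTTPS = ("HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
            "CF-RAY: 4e0f1a2b3c4d5e6f-ABC\r\n\r\n<html></html>")
```

Call fingerprint() on each sample: the redirect yields no evidence but a retry_at URL, the second sample is identified by its TS cookie, and the third by both Cloudflare headers.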
Nmap is also pre-installed on Kali Linux and includes scripts for the same kind of detection. We will try two different scripts: http-waf-fingerprint and http-waf-detect. Although both scripts have a similar goal, they work in slightly different ways and can be effective against different targets.
First we will run the http-waf-detect script against the same target as before.
~# nmap -p 80,443 --script=http-waf-detect equifaxsecurity2017.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:37 PDT
Nmap scan report for equifaxsecurity2017.com (126.96.36.199)
Host is up (0.034s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_equifaxsecurity2017.com:443/?p4yl04d3=

Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds
The scan determines that there is indeed a firewall here, but it can't tell us much about it. Nmap doesn't seem particularly good at fingerprinting this kind of firewall. If we run it against a different example domain, we can see what a positive result looks like.
~# nmap -p 80,443 --script=http-waf-fingerprint noodle.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:39 PDT
Nmap scan report for noodle.com (188.8.131.52)
Host is up (0.021s latency).
Other addresses for noodle.com (not scanned): 184.108.40.206 2606:4700:10::6814:a029 2606:4700:10::6814:a129

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
Although Nmap cannot detect everything that Wafw00f can, it is a great way to quickly identify the first line of defense in front of a targeted web server.
Wafw00f & Nmap Make Discovering WAFs Easy
Once a hacker knows what kind of firewall is protecting the target, there are several ways to proceed. The first is to learn the rules by which the firewall operates and look for behavior that can be abused based on how that specific software works.
The next priority is to check whether there are known vulnerabilities in recent versions of the detected WAF, or whether the WAF has not been updated for a long time. Either discovery can be the weakest link in an organization's security and an easy way in for a hacker, so it is always worthwhile to run another Nmap scan or download Wafw00f to check for an outdated firewall. If you run a service that uses a WAF, keep it updated, because the search for outdated firewalls can now be largely automated. If you have any questions about this WAF discovery tutorial, please leave a comment, and feel free to reach me on Twitter @KodyKinzie.