Web application firewalls are one of the strongest defense mechanisms a web application has. However, they can become a liability if the firewall version in use is known to an attacker. Learning which firewall a target uses can be the first step for a hacker in figuring out how to get past it, and in learning what defenses the target has in place. The tools Wafw00f and Nmap make fingerprinting firewalls straightforward.
Although most web application firewalls (WAFs) defend the services they protect quite well, they occasionally become vulnerable when an exploitable bug is discovered. If a firewall has not been updated for some time, it can be easy to work out the rules it enforces and bypass them to gain a foothold. Doing this by hand is incredibly tedious, because it means interpreting the different ways the WAF responds to specific web requests.
Wafw00f is a popular Python program that lets you fingerprint a site's firewall. Based on the responses to a series of carefully designed web requests, Wafw00f can determine the underlying firewall used by the tested service. The list of WAFs that Wafw00f can detect is impressive, and the following list is still growing:
aeSecure (aeSecure), Airlock (Phion/Ergon), Alert Logic (Alert Logic), AliYunDun (Alibaba Cloud Computing), Anquanbao (Anquanbao), AnYu (AnYu Technologies), Approach, Armor Defense (Armor), ASP.NET Generic Protection (Microsoft), Astra Web Protection (Czar Securities), AWS Elastic Load Balancer (Amazon), Yunjiasu (Baidu Cloud Computing), Barikode (Ethic Ninja), Barracuda Application Firewall (Barracuda Networks), Bekchy (Faydata Technologies Inc.), BinarySec, BitNinja (BitNinja), BlockDoS (BlockDoS), Bluedon (Bluedon IST), CacheWall (Varnish), CdnNS Application Gateway (CdnNs/WdidcNet), WP Cerber Security (Cerber Tech), ChinaCache CDN Load Balancer (ChinaCache), Chuang Yu Shield (Yunaq), ACE XML Gateway (Cisco), Cloudbric (Penta Security), Cloudflare (Cloudflare Inc.), Cloudfront (Amazon), Comodo cWatch (Comodo CyberSecurity), CrawlProtect (Jean-Denis Brun), DenyALL (Rohde & Schwarz CyberSecurity), Distil (Distil Networks), DOSarrest (DOSarrest Internet Security), DotDefender (Applicure Technologies), DynamicWeb Injection Check (DynamicWeb), Edgecast (Verizon Digital Media), Expression Engine (EllisLab), BIG-IP Access Policy Manager (F5 Networks), BIG-IP Application Security Manager (F5 Networks), BIG-IP Local Traffic Manager (F5 Networks), FirePass (F5 Networks), Trafficshield (F5 Networks), FortiWeb (Fortinet), GoDaddy Website Protection (GoDaddy), Greywizard (Grey Wizard), HyperGuard (Art of Defense), DataPower (IBM), Imunify360 (CloudLinux), Incapsula (Imperva Inc.), Instart DX (Instart Logic), ISA Server (Microsoft), Janusec Application Gateway (Janusec), Jiasule, KS-WAF (KnownSec), Kona Site Defender (Akamai), LiteSpeed Firewall (LiteSpeed Technologies), Malcare (Inactiv), Mission Control Application Shield, ModSecurity (SpiderLabs), NAXSI (NBS Systems), Nemesida (PentestIt), NetContinuum (Barracuda Networks), NetScaler AppFirewall (Citrix Systems), NevisProxy (AdNovum), Newdefend, NexusGuard Firewall (NexusGuard), NinjaFirewall (NinTechNet), NSFocus (NSFocus Global Inc.), OnMessage Shield (BlackBaud), Open-Resty Lua Nginx WAF, Palo Alto Next Gen Firewall (Palo Alto Networks), PerimeterX (PerimeterX), pkSecurity Intrusion Detection System, PowerCDN (PowerCDN), Profense (ArmorLogic), AppWall (Radware), Reblaze, RSFirewall (RSJoomla!), ASP.NET RequestValidationMode (Microsoft), Sabre Firewall (Sabre), Safe3 Web Firewall (Safe3), Safedog (SafeDog), Safeline (Chaitin Tech.), SecuPress WordPress Security (SecuPress), Secure Entry (United Security Providers), eEye SecureIIS (BeyondTrust), SecureSphere (Imperva Inc.), SEnginx (Neusoft), Shield Security (One Dollar Plugin), SiteGround (SiteGround), SiteGuard (Sakura Inc.), Sitelock (TrueShield), SonicWall (Dell), UTM Web Protection (Sophos), Squarespace (Squarespace), StackPath, Sucuri CloudProxy (Sucuri Inc.), Tencent Cloud Firewall (Tencent Technologies), Teros (Citrix Systems), TransIP Web Firewall (TransIP), URLMaster SecurityCheck (iFinity/DotNetNuke), URLScan (Microsoft), Varnish (OWASP), VirusDie (VirusDie LLC), Wallarm (Wallarm Inc.), WatchGuard (WatchGuard Technologies), WebARX (WebARX Security Solutions), WebKnight (AQTRONIX), WebSEAL (IBM), WebTotem (WebTotem), West263 Content Delivery Network, Wordfence (Feedjit), WTS-WAF (WTS), 360WangZhanBao (360 Technologies), XLabs Security WAF (XLabs), Xuanwudun, Yundun, Yunsuo (Yunsuo), Zenedge, ZScaler (Accenture)
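To make the fingerprinting mechanism concrete, here is an added example that is not wafw00f's own code: it models, offline, how a fingerprinter classifies an HTTP response from a few publicly documented header and cookie signatures, and falls back to the generic "benign request passes, suspicious request is blocked" comparison when no named signature matches. The signature table is a small hand-picked subset, and the sample responses are constructed for illustration; running the same logic against your own site shows exactly what your WAF announces about itself.

```python
import re

# Publicly documented response signatures: (WAF name, header, regex on its value).
# Set-Cookie values are matched against the cookie name at the start of the value.
SIGNATURES = [
    ("Cloudflare (Cloudflare Inc.)", "server", re.compile(r"^cloudflare", re.I)),
    ("Cloudflare (Cloudflare Inc.)", "cf-ray", re.compile(r".")),
    ("BIG-IP Application Security Manager (F5 Networks)", "set-cookie",
     re.compile(r"^TS[0-9a-f]{6,8}=", re.I)),
    ("Incapsula (Imperva Inc.)", "set-cookie", re.compile(r"^(incap_ses_|visid_incap_)")),
    ("Sucuri CloudProxy (Sucuri Inc.)", "server", re.compile(r"^Sucuri/Cloudproxy", re.I)),
    ("Kona Site Defender (Akamai)", "server", re.compile(r"^AkamaiGHost", re.I)),
]

def fingerprint(headers):
    """headers: list of (name, value) pairs, so repeated Set-Cookie headers survive.
    Returns every WAF whose header or cookie signature appears in the response."""
    found = []
    for waf, wanted, pattern in SIGNATURES:
        for name, value in headers:
            if name.lower() == wanted and pattern.search(value) and waf not in found:
                found.append(waf)
    return found

def generic_detect(normal_status, probe_status):
    """Generic detection: a benign request succeeds while the same URL with an
    obviously suspicious query string is refused (4xx) or errors out (5xx)."""
    return normal_status < 400 <= probe_status

def classify(headers, normal_status, probe_status):
    """Decision order as the tool reports it: named signature first, then generic check."""
    names = fingerprint(headers)
    if names:
        return names[0]
    if generic_detect(normal_status, probe_status):
        return "Generic WAF detected (unknown vendor)"
    return "No WAF detected"

# Constructed sample responses (not captured from any real host).
F5_RESPONSE = [("Content-Type", "text/html"), ("Set-Cookie", "TS01a2b3c4=0123abcd4567; Path=/")]
CLOUDFLARE_RESPONSE = [("Server", "cloudflare"), ("CF-RAY", "4d3e2f1a0b9c8d7e-SJC")]
PLAIN_RESPONSE = [("Server", "nginx"), ("Content-Type", "text/html")]

if __name__ == "__main__":
    print(classify(F5_RESPONSE, 200, 200))          # named signature, no block needed
    print(classify(CLOUDFLARE_RESPONSE, 200, 403))  # signature wins over generic result
    print(classify(PLAIN_RESPONSE, 200, 403))       # only the generic check fires
    print(classify(PLAIN_RESPONSE, 200, 200))       # nothing to report
```

The last two cases are the situation the article shows later with the HTTP and HTTPS versions of one host: without a named signature, the result depends entirely on whether the probe request was actually answered by the firewall.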
Wafw00f is preinstalled in Kali Linux, but it can also be easily installed on any system with Python. Although some of the same functions can be performed with Nmap scripts, Wafw00f consistently provided more complete and accurate results in testing.
Nmap Scripts for WAF Footprinting
Nmap is easy to install and use, and it comes with scripts that help you learn more about the WAF your target sits behind. Like Wafw00f, the two scripts Nmap offers split the job in two: one detects that a WAF is present and the other fingerprints it. These scripts are adequate, but they are not always as accurate or as capable of detecting a WAF as Wafw00f is, and you may be surprised when they fail to identify the firewall on a service that clearly has one.
The advantage of scanning for WAFs with Nmap is that it can easily be folded into the other scans you run to map a target's attack surface. This makes it easy for a hacker to script this kind of detection into their regular reconnaissance routine. Increasingly, other hacking tools wrap an Nmap scan with WAF detection into a module, so that a more powerful tool gains WAF detection quickly and easily.
To run these tools, I recommend a Linux system like Kali or Ubuntu, although macOS works fine too. I have not tested them on Windows, but they should work, assuming you have Nmap and Python installed. In either case, you will also need an internet connection to scan targets. You do not have to worry about scanning most targets online, as this type of reconnaissance should not trigger too many red flags.
To install Wafw00f, you need Python installed and up to date on your system. If you are good there, open a terminal window and enter the following to download the GitHub repository.
~# git clone https://github.com/EnableSecurity/wafw00f.git
Cloning into 'wafw00f'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (98/98), done.
remote: Total 3689 (delta 120), reused 113 (delta 74), pack-reused 3517
Receiving objects: 100% (3689/3689), 545.81 KiB | 3.17 MiB/s, done.
Resolving deltas: 100% (2655/2655), done.
Next, navigate to the newly downloaded folder and install the script with the following commands.
~# cd wafw00f
~/wafw00f# python setup.py install
running install
running bdist_egg
running egg_info
creating wafw00f.egg-info
writing requirements to wafw00f.egg-info/requires.txt
writing wafw00f.egg-info/PKG-INFO
writing top-level names to wafw00f.egg-info/top_level.txt
writing dependency_links to wafw00f.egg-info/dependency_links.txt
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/manager.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/wafprio.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/main.py -> build/lib.linux-x86_64-2.7/wafw00f
creating build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/test_main.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
creating build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/safe3.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/nevisproxy.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/f5bigipasm.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/missioncontrol.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/instartdx.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
...
Installed /usr/local/lib/python2.7/dist-packages/pluginbase-1.0.0-py2.7.egg
Searching for html5lib==1.0.1
Best match: html5lib 1.0.1
Adding html5lib 1.0.1 to easy-install.pth file

Using /usr/lib/python2.7/dist-packages
Finished processing dependencies for wafw00f==1.0.0
This should install everything you need to run the program. To run it now, simply type wafw00f in a terminal window. To display the help menu, run it with the -h flag.
~# wafw00f -h

    WAFW00F - Web Application Firewall Detection Tool

Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbosity - multiple -v options increase
                        verbosity
  -a, --findall         Find all WAFs, do not stop testing on the first one
  -r, --disableredirect
                        Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that we are able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, example:
                        http://hostname:8080, socks5://hostname:1080
  -V, --version         Print out the version
  -H HEADERSFILE, --headersfile=HEADERSFILE
                        Pass custom headers, for example to overwrite the
                        default User-Agent string
As you can see, there are some useful settings you can adjust, such as continuing to look for additional firewalls after the first positive result.
Now let's use Wafw00f to scan a web application and see if we can get a positive result. First up is Equifax, everyone's favorite company for losing Americans' personal data. We'll test the equifaxsecurity2017.com site, which Equifax set up after losing everyone's credit information.
To identify the firewall in front of the site, we can use the following command.
~# wafw00f https://equifaxsecurity2017.com

    WAFW00F - Web Application Firewall Detection Tool

Checking https://equifaxsecurity2017.com
The site https://equifaxsecurity2017.com is behind BIG-IP Application Security Manager (F5 Networks) WAF.
Number of requests: 5
We have identified our first firewall! It may seem easy, but beginners sometimes get confused when they see a result like the following instead.
~# wafw00f equifaxsecurity2017.com

    WAFW00F - Web Application Firewall Detection Tool

Checking http://equifaxsecurity2017.com
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 7
What is the difference? When we visit equifaxsecurity2017.com in a browser, we are immediately redirected to the HTTPS version. The first command targets the HTTPS version, which actually serves content and sits behind a firewall, while the second command targets the plain HTTP version of the same site.
Keep in mind that the website you are targeting may redirect to a different URL. Try copying the URL you end up at in a browser and pasting that into Wafw00f for a more accurate result.
Nmap is also preinstalled on Kali Linux and contains scripts you can use to attempt the same kind of detection. We will try two different scripts: http-waf-fingerprint and http-waf-detect. Although the purpose of both scripts is similar, they work slightly differently and may be effective against different targets.
First, we use http-waf-detect on the same target we scanned earlier.
~# nmap -p 80,443 --script=http-waf-detect equifaxsecurity2017.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:37 PDT
Nmap scan report for equifaxsecurity2017.com (184.108.40.206)
Host is up (0.034s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_equifaxsecurity2017.com:443/?p4yl04d3=

Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds
The scan finds that there is indeed a firewall here, but it cannot tell us much about it. In fact, Nmap does not seem to recognize this type of firewall very well. If we run it against another example domain, we can see what a positive fingerprint looks like.
~# nmap -p 80,443 --script=http-waf-fingerprint noodle.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:39 PDT
Nmap scan report for noodle.com (220.127.116.11)
Host is up (0.021s latency).
Other addresses for noodle.com (not scanned): 18.104.22.168 2606:4700:10::6814:a029 2606:4700:10::6814:a129

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
Although Nmap cannot see everything that Wafw00f can, it is a great way to quickly identify the first line of defense a particular web server sits behind.
Wafw00f & Nmap Make It Easy to Find WAFs
Once a hacker knows what kind of firewall sits in front of the target, they can use that knowledge in several ways. The first is to learn the rules the firewall operates on and look for behavior that can be exploited, depending on how the software works.
Next, you would check whether there are known vulnerabilities in the latest version of the detected WAF, or whether the WAF has not been updated for an extended period of time. Either of these findings could be the weakest link in a company's security and an easy path in for a hacker, so it is always worth running another Nmap scan or downloading Wafw00f to look for an outdated firewall. If you run a service behind a WAF, it is a good idea to keep it up to date, because the search for outdated firewalls can now be largely automated.
I hope you liked this guide to using Wafw00f to identify web application firewalls! If you have questions about this WAF discovery tutorial, leave a comment below or contact me on Twitter @KodyKinzie.