Fingerprinting web application firewalls

Hello there. Today I'll show you how to automatically fingerprint web application firewalls (WAFs) using three of the best-known WAF scanners out there.

Wafw00f

Wafw00f is probably the best-known and most effective tool when it comes to detecting WAFs. When you run wafw00f against a website, it first sends a normal HTTP request and analyses the response, which is enough to identify a number of WAFs. If that is not successful, it sends a potentially malicious request to the website in order to identify the WAF from the way it reacts. Finally, if neither test identifies the firewall, it analyses the two previous responses more exhaustively to see whether there is a WAF actively blocking our attacks.
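The three stages described above, reduced to their core, as an added example that is not wafw00f's own code: a passive match of vendor headers and cookies on a normal response, and a comparison of the baseline status with the status returned to a probe request. The signature table is a small illustrative subset of well-known vendor headers, and the sample responses are constructed, not real captures; the same check is useful from the other side, to see whether your own WAF announces itself in every response.

```python
import re

# Added example, not wafw00f's code. Signatures are a small illustrative
# subset of well-known vendor headers/cookies; sample responses are constructed.
SIGNATURES = [  # (vendor, header name, regex on the header value)
    ("Cloudflare", "server", r"cloudflare"),
    ("Cloudflare", "cf-ray", r"."),
    ("Imperva Incapsula", "x-cdn", r"incapsula"),
    ("Imperva Incapsula", "set-cookie", r"visid_incap_|incap_ses_"),
    ("Akamai", "server", r"akamaighost"),
]

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated headers such as several Set-Cookie lines are joined.
        headers[key] = (headers[key] + "\n" + value.strip()) if key in headers else value.strip()
    return status, headers, body

def fingerprint(raw):
    """Stage one: passive match of vendor signatures against a normal response."""
    _, headers, _ = parse_response(raw)
    found = set()
    for vendor, header, pattern in SIGNATURES:
        value = headers.get(header)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            found.add(vendor)
    return found

def looks_blocked(normal_raw, probe_raw):
    """Stage three, simplified: a 2xx baseline turning into 403/406/429/503
    for the probe request indicates an inline filter is blocking."""
    normal_status, _, _ = parse_response(normal_raw)
    probe_status, _, _ = parse_response(probe_raw)
    return 200 <= normal_status < 300 and probe_status in (403, 406, 429, 503)

# Constructed sample responses (not real captures).
NORMAL = ("HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0000-EXAMPLE\r\n"
          "Set-Cookie: session=abc\r\nContent-Type: text/html\r\n\r\n<html>ok</html>")
PROBE = "HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 0001-EXAMPLE\r\n\r\nblocked"

if __name__ == "__main__":
    print(fingerprint(NORMAL))           # {'Cloudflare'}
    print(looks_blocked(NORMAL, PROBE))  # True
```

A vendor that strips its identifying headers will only show up in the second check, which is exactly why wafw00f falls back to comparing the two responses.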

Installation

Installing wafw00f is very straightforward. First, clone the GitHub repository in a location of your choice:

git clone https://github.com/EnableSecurity/waf

Then cd to the project folder and run setup.py to install the program:

cd wafw00f
python setup.py install

Running wafw00f

Now you will be able to run wafw00f directly from your console. The following command displays the program's help:

wafw00f -h

As you can see, running wafw00f is pretty easy: it only takes one parameter to scan a website, its URL. Example:

wafw00f https://www.amazon.com/

Nmap

As you probably know, Nmap is not all about port scanning. Using the NSE (Nmap Scripting Engine) you can write or import custom scripts to automate network tasks, such as fingerprinting WAFs. For this we will use two scripts that ship with the Nmap package.

Installing Nmap

This depends on the Linux distribution you are using, but I'll assume you already know how to install packages on your OS. Debian/Ubuntu users can install Nmap with:

sudo apt install nmap

Detecting WAFs with Nmap

This one is also very easy to run and it works in a similar way to wafw00f:

nmap --script=http-waf-detect amazon.com

Unfortunately, this script does not cope well with some characters (such as a trailing slash in the URL, e.g. amazon.com/), and it is usually less effective than wafw00f. But chances are you already have Nmap installed on your machine, so if you are in a hurry or are forced to use only Nmap (for whatever reason), this is an alternative that definitely deserves to be known.

W3af

W3af's (Web Application Attack and Audit Framework) main purpose is not to detect WAFs but to find common vulnerabilities in your web applications. Nevertheless, W3af comes with a number of plugins that extend the program's functionality; the one I use to fingerprint WAFs is fingerprint_waf.

Installation

git clone --depth 1 https://github.com/andresriancho/w3af.git
cd w3af

Using W3af

W3af comes with both a GUI mode and a console mode, the GUI being the intended way to run the program:

./w3af_gui
./w3af_console

As I don't want to make this post too long, I won't explain how to use W3af at all. Have fun discovering it by yourself. It's not that hard and there is enough documentation.

Conclusion

Out of all three programs, I consider wafw00f to be the best and the most consistent. Nmap is probably the most common one (being installed by default on many OSes) and W3af might be the “hardest” to install, but it comes with a nice GUI. All of them are free and open source and they all run on Linux. Nmap has a Windows version, and older W3af versions are also available for Windows.