Admin... by accident!

You may have chosen to be an admin. I didn't!

How to detect a WAF – Web Application Firewall

by

From a penetration testing perspective to identify if a Web Application Firewall (WAF) is in place is essential. The next question is, does an administrator need to know this? My view is, anyone who is in charge of any system that has implemented some sort of WAF needs to verify this tool is working, at least on a very basic basis. Many organizations have placed this kind of security tool to protect their publicly available services but, is it working from the outside? Is the whitelisted IP really allowed to go through with the WAF not affecting its queries? Simply put, how to detect a WAF?

If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.

Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.

Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.

Mind Vultr supports FreeBSD on their VPS offer.

Many of these questions can be answered with simple tools like Wafw00f or WhatWAF. Both can detect multiple different WAF vendors. For example Wafw00f can detect products from the following list:

WAF Name

Manufacturer

ACE XML Gateway

Cisco

aeSecure

aeSecure

AireeCDN

Airee

Airlock

Phion/Ergon

Alert Logic

Alert Logic

AliYunDun

Alibaba Cloud Computing

Anquanbao

Anquanbao

AnYu

AnYu Technologies

Approach

Approach

AppWall

Radware

Armor Defense

Armor

ArvanCloud

ArvanCloud

ASP.NET Generic

Microsoft

ASPA Firewall

ASPA Engineering Co.

Astra

Czar Securities

AWS Elastic Load Balancer

Amazon

AzionCDN

AzionCDN

Azure Front Door

Microsoft

Barikode

Ethic Ninja

Barracuda

Barracuda Networks

Bekchy

Faydata Technologies Inc.

Beluga CDN

Beluga

BIG-IP Local Traffic Manager

F5 Networks

BinarySec

BinarySec

BitNinja

BitNinja

BlockDoS

BlockDoS

Bluedon

Bluedon IST

BulletProof Security Pro

AITpro Security

CacheWall

Varnish

CacheFly CDN

CacheFly

Comodo cWatch

Comodo CyberSecurity

CdnNS Application Gateway

CdnNs/WdidcNet

ChinaCache Load Balancer

ChinaCache

Chuang Yu Shield

Yunaq

Cloudbric

Penta Security

Cloudflare

Cloudflare Inc.

Cloudfloor

Cloudfloor DNS

Cloudfront

Amazon

CrawlProtect

Jean-Denis Brun

DataPower

IBM

DenyALL

Rohde & Schwarz CyberSecurity

Distil

Distil Networks

DOSarrest

DOSarrest Internet Security

DotDefender

Applicure Technologies

DynamicWeb Injection Check

DynamicWeb

Edgecast

Verizon Digital Media

Eisoo Cloud Firewall

Eisoo

Expression Engine

EllisLab

BIG-IP AppSec Manager

F5 Networks

BIG-IP AP Manager

F5 Networks

Fastly

Fastly CDN

FirePass

F5 Networks

FortiWeb

Fortinet

GoDaddy Website Protection

GoDaddy

Greywizard

Grey Wizard

Huawei Cloud Firewall

Huawei

HyperGuard

Art of Defense

Imunify360

CloudLinux

Incapsula

Imperva Inc.

IndusGuard

Indusface

Instart DX

Instart Logic

ISA Server

Microsoft

Janusec Application Gateway

Janusec

Jiasule

Jiasule

Kona SiteDefender

Akamai

KS-WAF

KnownSec

KeyCDN

KeyCDN

LimeLight CDN

LimeLight

LiteSpeed

LiteSpeed Technologies

Open-Resty Lua Nginx

FLOSS

Oracle Cloud

Oracle

Malcare

Inactiv

MaxCDN

MaxCDN

Mission Control Shield

Mission Control

ModSecurity

SpiderLabs

NAXSI

NBS Systems

Nemesida

PentestIt

NevisProxy

AdNovum

NetContinuum

Barracuda Networks

NetScaler AppFirewall

Citrix Systems

Newdefend

NewDefend

NexusGuard Firewall

NexusGuard

NinjaFirewall

NinTechNet

NullDDoS Protection

NullDDoS

NSFocus

NSFocus Global Inc.

OnMessage Shield

BlackBaud

Palo Alto Next Gen Firewall

Palo Alto Networks

PerimeterX

PerimeterX

PentaWAF

Global Network Services

pkSecurity IDS

pkSec

PT Application Firewall

Positive Technologies

PowerCDN

PowerCDN

Profense

ArmorLogic

Puhui

Puhui

Qiniu

Qiniu CDN

Reblaze

Reblaze

RSFirewall

RSJoomla!

RequestValidationMode

Microsoft

Sabre Firewall

Sabre

Safe3 Web Firewall

Safe3

Safedog

SafeDog

Safeline

Chaitin Tech.

SecKing

SecKing

eEye SecureIIS

BeyondTrust

SecuPress WP Security

SecuPress

SecureSphere

Imperva Inc.

Secure Entry

United Security Providers

SEnginx

Neusoft

ServerDefender VP

Port80 Software

Shield Security

One Dollar Plugin

Shadow Daemon

Zecure

SiteGround

SiteGround

SiteGuard

Sakura Inc.

Sitelock

TrueShield

SonicWall

Dell

UTM Web Protection

Sophos

Squarespace

Squarespace

SquidProxy IDS

SquidProxy

StackPath

StackPath

Sucuri CloudProxy

Sucuri Inc.

Tencent Cloud Firewall

Tencent Technologies

Teros

Citrix Systems

Trafficshield

F5 Networks

TransIP Web Firewall

TransIP

URLMaster SecurityCheck

iFinity/DotNetNuke

URLScan

Microsoft

UEWaf

UCloud

Varnish

OWASP

Viettel

Cloudrity

VirusDie

VirusDie LLC

Wallarm

Wallarm Inc.

WatchGuard

WatchGuard Technologies

WebARX

WebARX Security Solutions

WebKnight

AQTRONIX

WebLand

WebLand

RayWAF

WebRay Solutions

WebSEAL

IBM

WebTotem

WebTotem

West263 CDN

West263CDN

Wordfence

Defiant

WP Cerber Security

Cerber Tech

WTS-WAF

WTS

360WangZhanBao

360 Technologies

XLabs Security WAF

XLabs

Xuanwudun

Xuanwudun

Yundun

Yundun

Yunsuo

Yunsuo

Yunjiasu

Baidu Cloud Computing

YXLink

YxLink Technologies

Zenedge

Zenedge

ZScaler

Accenture

But how to install this Wafw00f tool? Well, if you happen to use any of the mainstream GNU/Linux distributions this may well be as easy as with any other package.

In Debian for instance to install Wafw00f one just needs to type:

sudo apt install wafw00f

On the RHEL family things are not very complicated either.

sudo dnf install wafw00f

Fedora 33 example here:

[albert@localhost ~]$ sudo dnf install wafw00f

Última comprovació del venciment de les metadades: fa 0:05:01 el diumenge, 21 de març de 2021, 17:17:12.

S'han resolt les dependències.

========================================================================================================================

Package Architecture Version Repository Size

========================================================================================================================

Instal·lar:

wafw00f noarch 2.1.0-4.fc33 fedora 125 k

Instal·lar les dependències:

python3-chardet noarch 3.0.4-18.fc33 fedora 194 k

python3-idna noarch 2.10-2.fc33 fedora 99 k

python3-pluginbase noarch 1.0.0-7.fc33 fedora 21 k

python3-pysocks noarch 1.7.1-7.fc33 fedora 35 k

python3-requests noarch 2.24.0-3.fc33 fedora 113 k

python3-requests+socks noarch 2.24.0-3.fc33 fedora 9.8 k

python3-urllib3 noarch 1.25.8-4.fc33 fedora 172 k

Resum de la transacció

========================================================================================================================

Instal·la 8 Paquets

Mida total de la baixada: 769 k

Mida un cop instal·lat: 2.6 M

És correcte? [s/N]: y

----------

[albert@localhost ~]$

However, since I am a FreeBSD user and proponent, I will show here how to install Wafw00f on FreeBSD and one example on how to use it, so anyone who wants to detect a WAF on this BSD can do it.

Just for anyone to see I’m doing this on a FreeBSD 13 system, release candidate 2.

albert@BSD13:~ % freebsd-version

13.0-RC2

albert@BSD13:~ %

If anyone looks for a package containing the WAF string this is what’s going to be found.

albert@BSD13:~ % pkg search waf

ko-munhwafonts-cid-1.0_3 Munhwa CID fonts collection(Basic set)

rubygem-aws-sdk-waf-1.37.0 Official AWS Ruby gem for AWS WAF (WAF)

rubygem-aws-sdk-wafregional-1.38.0 Official AWS Ruby gem for AWS WAF Regional (WAF Regional)

rubygem-aws-sdk-wafv2-1.16.0 Official AWS Ruby gem for AWS WAFV2 (WAFV2)

waffle-1.6.1.15 Library that allows to defer selection of an OpenGL API until runtime

albert@BSD13:~ %

So, as you can see there’s no wafw00f package on FreeBSD. What to do?

Wafw00f is basically a Pythong application. One needs to install python, the pip tool to install python written software and off we go.

Let’s install Python-pip first on this FreeBSD 13 system.

albert@BSD13:~ % sudo pkg install py37-pip

Updating FreeBSD repository catalogue...

FreeBSD repository is up to date.

All repositories are up to date.

The following 5 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:

libffi: 3.3_1

py37-pip: 20.2.3

py37-setuptools: 44.0.0

python37: 3.7.10

readline: 8.1.0

Number of packages to be installed: 5

The process will require 128 MiB more space.

19 MiB to be downloaded.

Proceed with this action? [y/N]: y

…...

albert@BSD13:~ %

As you can see, the Python language is a dependency for this package, so with this one command you’ll get the lot.

Once installed let’s update the python-pip library.

albert@BSD13:~ % sudo pip install --upgrade pip

Collecting pip

Downloading pip-21.0.1-py3-none-any.whl (1.5 MB)

|████████████████████████████████| 1.5 MB 1.3 MB/s

Installing collected packages: pip

Attempting uninstall: pip

Found existing installation: pip 20.2.3

Uninstalling pip-20.2.3:

Successfully uninstalled pip-20.2.3

Successfully installed pip-21.0.1

albert@BSD13:~ %

Now we’ve got the latest version of available software to be installed through the python-pip tool, we can install wafw00f.

albert@BSD13:~ % sudo pip install wafw00f

Collecting wafw00f

Downloading wafw00f-2.1.0.tar.gz (35 kB)

Collecting requests

Downloading requests-2.25.1-py2.py3-none-any.whl (61 kB)

|████████████████████████████████| 61 kB 2.4 MB/s

Collecting pluginbase

Downloading pluginbase-1.0.0.tar.gz (41 kB)

|████████████████████████████████| 41 kB 309 kB/s

Collecting idna<3,>=2.5

Downloading idna-2.10-py2.py3-none-any.whl (58 kB)

|████████████████████████████████| 58 kB 1.3 MB/s

Collecting urllib3<1.27,>=1.21.1

Downloading urllib3-1.26.4-py2.py3-none-any.whl (153 kB)

|████████████████████████████████| 153 kB 1.1 MB/s

Collecting certifi>=2017.4.17

Downloading certifi-2020.12.5-py2.py3-none-any.whl (147 kB)

|████████████████████████████████| 147 kB 2.0 MB/s

Collecting chardet<5,>=3.0.2

Downloading chardet-4.0.0-py2.py3-none-any.whl (178 kB)

|████████████████████████████████| 178 kB 2.1 MB/s

Collecting PySocks!=1.5.7,>=1.5.6

Downloading PySocks-1.7.1-py3-none-any.whl (16 kB)

Using legacy 'setup.py install' for wafw00f, since package 'wheel' is not installed.

Using legacy 'setup.py install' for pluginbase, since package 'wheel' is not installed.

Installing collected packages: urllib3, idna, chardet, certifi, requests, PySocks, pluginbase, wafw00f

Running setup.py install for pluginbase ... done

Running setup.py install for wafw00f ... done

Successfully installed PySocks-1.7.1 certifi-2020.12.5 chardet-4.0.0 idna-2.10 pluginbase-1.0.0 requests-2.25.1 urllib3-1.26.4 wafw00f-2.1.0

albert@BSD13:~ %

Let’s test Wafw00f.

Disclaimer: Do ONLY use this tool against authorized targets. Performing the tasks described here may constitute an offense in your country. Do not use this tool or procedures at scale without obtaining permission from system’s owners. The process described here is just for demonstration purposes.

Test against a target with a WAF up and running:

As you can see the tool has realized there’s some kind of WAF tool on this site since when if was performing an XSS type of attack it received a forbidden answer from the web server. However when performing regular GET queries the result was a happy 200 answer.

Let’s now perform the same test to a site I know that hasn’t got any WAF solution. This is basically a local test box with just a fresh Apache install and nothing else.

With this tool in the box now there’s no excuse to answer if a WAF is in front of you. You now know how to detect a WAF. Hope this helps someone.

If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.

Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.

Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.

Mind Vultr supports FreeBSD on their VPS offer.