How to determine the type of Web Application Firewall (WAF)

Why does using a WAF not guarantee site protection?

WAF, Web Application Firewall — a web application firewall, is a program that analyzes requests coming to a web server and, based on rules, filters out those that may be potentially dangerous for a web site. Thanks to the use of WAF, it is impossible to exploit the vulnerabilities of the website, because the requests with the payload do not reach the web server and web applications, they are rejected by the firewall of the web applications. In fact, with WAF (as with many other security solutions), things are not that simple. From a WAF’s point of view, the ideal protection is when no request can reach the web server – no clients, no danger. And if you just enable all the WAF rules, then the web server can stop working, because almost all requests will be considered “potentially dangerous”. Of course, these two extremes do not sit well with webmasters and they need to find a balance when the site is still working and the WAF is also still effective.

Of course, these two extremes do not sit well with webmasters and they need to find a balance when the site is still working and the WAF is also still effective. There are already hundreds of WAF solutions and they all vary greatly. Setting up some of them boils down to turning filterable threat categories on and off in the web interface. To configure some of them, you need to edit text files that describe the dangerous requests in the WAF’s own language. To make your WAF rules as strict as possible, you need to enable rules that block all but the necessary types of requests to the web server. To do this, you need, first, to have a good understanding of how the website being protected works, what it needs and what it doesn’t; and, secondly, to have a good understanding of the types of attacks, how they are exploited, and the work of the configurable WAF. All this is complicated and, as you can guess, such an ideal option rarely happens.

WAFW00F

The wafw00f program very quickly and accurately determines the type of WAF for the specified site. Among the additional functions of wafw00f are the following:

  • scanning the site through a proxy

  • support for csv, json or text input and output formats

Using the program is very simple – just specify the domain of the site for which you want to find out the WAF:

Example:

The line “Number of requests” shows the number of requests made – only two were enough. As a result, the Cloudflare WAF was detected. If you think that the identification of web application protection by fingerprints is inaccurate, then add the -a option, as a result, WAFW00F will not stop after the first match, but will check on all fingerprints:

To send requests through a proxy, use the -p option, after which specify the proxy data – SOCKS and authentication are supported, examples of correctly specified proxy parameters:

The following command uses the Tor network as a proxy:

Despite the slowness of the Tor network, identification of web protection (which turned out to be Wordfence from the manufacturer Defiant) was very fast and required only two requests. Targets for Web Protection identification can be compiled into a file. When starting the program, you can specify a file with a list of targets, CSV, JSON or Text formats are supported. For csv and json, a column or element called “url” is required. Text file format: 1 URL per line.

Example:

With the -t option you can specify exactly which WAF you want to find, this option should be especially useful with -i:

By the way, you can display a complete list of supported web application firewalls with the command:

Note in which format the WAF is specified. If you are unsure how to specify the WAF correctly, go to https://github.com/EnableSecurity/wafw00f/tree/master/wafw00f/plugins, find the file with the WAF you want and open it. Find a string that starts with NAME, for example:

In this case the name is ‘ACE XML Gateway (Cisco)‘. The program is very fast and simple, detects WAF well. But because it is not possible to change the User-Agent, sometimes the application is not able to identify Web Protection because the server rejects the requests of this tool with the default User-Agent. From our small list of test sites, this program was able to determine the WAF type for two out of four.

IdentYwaf

IdentityYwaf is another easy-to-use yet effective program. Similar to the previous one, this is an identification tool that can recognize the type of web security (such as WAF) based on the server’s response. Moreover, this tool makes additional queries to determine which vulnerability categories the WAF is configured against. After completing the scan, the tool gives an estimate (in percentage) of the difficulty of exploiting vulnerabilities (if any).

Currently, this program can detect more than 80 different security products (for example, aeSecure, Airlock, CleanTalk, CrawlProtect, Imunify360, MalCare, ModSecurity, Palo Alto, SiteGuard, UrlScan, Wallarm, WatchGuard, Wordfence and so on), while the knowledge base constantly expanding.

  • not blind when the WAF is identified based on their typical messages. For example, “403 (‘<title>Attention Required! | Cloudflare</title>…Sorry, you will block…Why have I been blocked…This website is using a security service to protect itself from online attacks…The action you just performed triggered the security solution…You can email the owner to let them know you were blocked’)”. Such a message clearly contains the name of the file firewall, but at the same time it may be an attempt to confuse the penetration tester

  • blind when the WAF is identified based on the payload locks sent to it.

An example of a web application firewall scan:

Let’s study the output of the program. The defined type of web protection is not a blind method, it is Wordfence from Defiant:

A total of 45 tests were performed with different payloads (secure requests that are very similar to exploit requests):

The result is presented as a diagram, where a dot is a non-blocked payload (no protection against this attack) and a cross is a block from the WAF in response to the sent payload):

The complexity of exploiting potential attacks is simple:

Blocked attack categories:

The final decision based on the blind identification method and its probability:

One more test:

Note the greater number of blockable payloads, categories and, as a result, the higher complexity of exploiting potential vulnerabilities:

The non-blind method identified the web security as CloudFlare, the blind method generally reached the same conclusion:

WAFW00F failed to identify ebay.com’s web security, let’s see if identYwaf can:

This example shows the advantage of two independent WAF identification methods:

The uninformative message “<Access Access Denied</title>…You don’t have permission to access” failed to identify the WAF by fingerprints. But tests using a variety of payload types identified the web defense as Kona Site Defender, made by Akamai Technologies:

Information was also collected about blocking rules, which vulnerability categories are filtered:

If you want to change the User Agent to random, add the –random-agent option:

If you want the payload to be POSTed, add the –post option:

You can use the –proxy=PROXY option to specify an HTTP proxy address (for example, “http://127.0.0.1:8080”). But SOCKS (Tor network) proxy failed in my tests. But with the help of the Privoxy program, this problem is solved (for details on setting up Privoxy, see the link provided).

You can also set the timeout (waiting for a response) and the time interval between requests (default is none), see https://kali.tools/?p=6669 for details on these options.

WhatWaf

WhatWaf – is an advanced web application security detection tool designed to help you answer the question, “Is your web server running WAF and which one?”. As part of its operation, WhatWaf detects the presence and type of web application firewall and attempts to detect bypass methods for the specified firewall on the specified target. This tool can detect more than 70+ different web application firewalls and tries more than 30+ different bypass techniques. The WhatWaf program is the most flexible in setting, you can find a full list of options in the program card: https://kali.tools/?p=6683

Using:

Example:

Please note that as a URL you can specify the address of the settings page (for example, https://hackware.ru/?p=16287). In addition, it is even recommended – the parameters will be used to pass the payload, which will allow you to more accurately determine the ways to bypass the WAF. Also note that the URL is preceded by http or https. The fact is that the program uses HTTP by default, and all modern sites, especially under WAF, use HTTPS. Therefore, the protocol should be clearly stated. There is a –force-ssl option which, according to the description, causes the program to default to HTTPS, but in my tests this option did not work.

The first thing that catches your eye is the long work of this utility. The thing is, WhatWaf doesn’t just try to detect web security, it also looks for ways to bypass web application firewalls. The circumvention methods consist in the use of intervention scripts (tampers), which modify the payload so that, on the one hand, it (practically) does not lose functionality, but at the same time it ceases to be detected by web protection filters, which usually work on the basis of regular expression searches. Examples of how tampers work are: replacing spaces with plus signs, inserting unnecessary comments or characters that mean nothing, replacing a space with multiple spaces, encoding or double-encoding in URL encoding, changing the case of characters, inserting meaningless tags, and more.

The FIREWALL line indicates the detected web application firewall:

Consider the result of the following scan:

In the FIREWALL lines, we see possible protection systems:

And after the line:

Discovered ways to bypass web application firewall filters are listed. If you only need to know the type of WAF and you want to skip the bypass check, then use the –skip option:

If you want to specify multiple targets, save them to a file (one URL per line) and run the program with the -l option:

You can change the USER-AGENT. This can be done with the –ra option (in this case a random USER-AGENT will be chosen):

Alternatively, with the –pa option, you can specify a specific User Agent:

WhatWaf supports work through a proxy, for this there is an option –proxy:

There are several options specifically for the Tor network. With the –check-tor option, you can check the connection to Tor:

But in my case, this option did not work correctly, it kept showing the message “[WARN] it appears Tor is not configured properly” (Tor is not configured properly), while WhatWaf worked perfectly through Tor. There is a special –tor option for anonymous scans:

It is implied that tor listens on port 9050, if you have a different configuration, use the -tP option to specify your own port. The W option causes the utility to additionally try to determine the version of the web server. To view the cache results of previous scans, run the utility with the –uC option:

To update an app, go to the app folder and do, or do:

Online file firewall detection service

I collected all the considered tools on the page of one online WAF type detection service (web application firewall): https://suip.biz/ru/?act=wafw00f. All you have to do is enter the domain name of the site you are interested in, and the service will scan each program sequentially.

It even managed to preserve the colored output for the two utilities (there are many different shielded sequences for coloring the output in the terminal, so translating color from Bash to HTML is not always a trivial task). In general, it is convenient to compare the scanning results of all three tools at once.

 

Found an error?
If you find an error, take a screenshot and send it to the bot.