wafw00f

Reconnaissance, Identification & Fingerprinting of Web Application Firewall using WAFW00F.

Web Application firewalls are typically firewalls working on the application layer which monitors & modifies HTTP requests. The key difference is that WAFs work on Layer 7 – Application Layer of the OSI Model. Basically all WAFs protect against different HTTP attacks & queries like SQLi & XSS. Since the firewall is able to detect HTTP methods, SQL queries & other scripts put as input to different forms in a website, it can filter out the requests just like a normal firewall would do. One can implement a policy on what should be permitted & what not as input through a website.

A WAF will be typically present in a web application where there is Strict Transport Security enabled like a banking website or an e-commerce website. While conducting a pentest, detecting the the waf comes under recon, and mapping the web application architecture. One should detect the presence of a WAF & evaluate it in case of a Black Box testing. This plays a crucial part in determining the methods to proceed during a Web-Application Penetration Test.

Wafw00f is simply a python tool which automates a set of procedures used in finding a WAF. Wafw00f simply queries a web server with a set of HTTP requests & methods. It analyses the responses from them & detects the firewall in place.

Homepage: https://github.com/sandrogauci/wafw00f

Options:

Syntax : wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/
 -h, --help    show this help message and exit
 -v, --verbose enable verbosity - multiple -v options increase verbosity
 -a, --findall Find all WAFs, do not stop testing on the first one
 -r, --disableredirect    Do not follow redirections given by 3xx responses
 -t TEST, --test=TEST     Test for one specific WAF
 -l, --list    List all WAFs that we are able to detect
 --xmlrpc      Switch on the XML-RPC interface instead of CUI
 --xmlrpcport=XMLRPCPORT  Specify an alternative port to listen on, default 8001
 -V, --version Print out the version

Lab: Detect WAFs in some eCommerce websites.

First we’ll see the list of firewalls readily supported. Even though a specific firewall is not supported by wafw00f, it detects  the presence of one.

Command: wafw00f -l
wafw00f
List of firewalls

Let’ s begin

Command: wafw00f www.amazon.com
wafw00f
Basic Fingerprinting

Aggressively Test for  firewalls. This is useful in identifying multiple firewalls.

Command: wafw00f -a www.amazon.com
wafw00f
Aggressive Fingerprinting

Note the number of requests in this & previous cases.

Lets try it on Google

Command: wafw00f google.com -a -v

Giving the verbose option, lets you see the queries. Increase no of v (-vv) to increase verbosity.

wafw00f
Verbose Output
wafw00f
Detection Results

Here a firewall is detected from the response headers. Increase the no of v to see the actual headers.

This procedure  is important during a pentest as said earlier. Fingerprinting the waf also helps to identify any known vulnerabilities in Web Application Firewalls if any exists.

References: https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls

https://en.wikipedia.org/wiki/Application_firewall

https://www.sans.org/security-resources/idfaq/ips-web-app-firewall.php

Facebook Comments

One thought on “wafw00f

  • June 22, 2016 at 8:19 pm
    Permalink

    hi ravi …nice article on Reconnaissance, Identification ,Fingerprinting..informative..thank you

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: