Ua-tester – A tool for User Agent WAF, IDS/IPS, Redirection testing

UA-tester is a tool to check whether a website provides different pages for different user agents like for mobile, desktop bots etc. Well, this tool also delivers a lot of information. It is basically a python script which runs through various user-agents on a specified site.

It also tries various options like setting cookie, redirection, URL-stability(whether the URL expires or not) an a lot more. Now I am not sure of how this might be used as a WAF-Tester. But I think, all these options & tests you perform resemble a Nmap scan.

You get a lot of information on response codes, redirection, static/dynamic URLs used, XSS protection, server headers etc. From those, you get to know if there is a WAF at all or what the WAF is doing to prevent from scanning their website. One cool thing is the tool gets you the MD5 of the data got from a request to the site. Changes in the hash for different user-agents indicate there are separate pages.

Options – UA-tester

Syntax: uatester –u url –d <agent1> <agent2>
-u / --url Complete URL
-f / --file <Path to User Agent file> / If no file is provided, -d options must be present
-s / --single provide single user-agent string (may need to be contained within quotes)
-d / --default Select the UA String type(s) to check. Select 1 or more of the following ↵
catagories. (M)obile, (D)esktop, mis(C), (T)ools, (B)ots, e(X)treme [!])
-o / --output <Path to output file> CSV formated output (FILE WILL BE OVERWRITTEN[!])
-v / --verbose results (Displays full headers for each check) >> Recommended
--debug See debug messages (This isn't the switch you're looking for)

UA-Tester Homepage:

Lab 1: Simple Query to Google

In this lab, we are gonna check with Desktop & mobile user-agents with google.

Command: ua-tester -u -d M D
Querying Google

There we can see the different user agents. For each of these user agents, a redirect is being done. Also, check the details displayed.

Info on URL redirection Response codes etc


Leave a comment

Your email address will not be published. Required fields are marked *