It’s always a good idea for an attacker to know where a WAF is typically utilized on a network before they start fingerprinting.
Penetration testers must be aware of a WAF before beginning a web application engagement since the outcome of their assaults may be impacted.
But before that…
What is WAF?
WAF (Web Application Firewall ) plays a significant role in website security. They filter and monitor the traffic. Web Application Firewalls provide protection against major flaws. Many organizations are modernizing their infrastructure to include web application firewalls. According to ethical hacking experts, web application firewalls cannot fix security issues on their own; adequate configuration is required to recognize and block external threats.
A WAF differs from a traditional firewall in that it may filter the content of specific online applications, whereas traditional firewalls act as a safety barrier between servers.
An HTTP interaction is subjected to a set of rules. These rules address typical vulnerabilities like cross-site scripting and SQL injection in general.
There are many free and open-source tools on the internet that can discover the firewalls behind web applications.
And in this article, we’ll look at the approaches and tools that can be used to discover a WAF.
Please note:In this tutorial, I have used my own site for enumerating the details. Don’t perform scanning or other hacking activity on any website without prior permission from the owner.
Detecting using TELNET
Telnet is mainly used by network administrators and penetration testers. Telnet enables you to connect to remote hosts over any port, as previously stated.
HTTP parameters are often left (or inserted) in response headers by web application firewalls.
Telnet can be used to obtain basic gathering information such as the server and cookies used in fingerprinting.
Type Telnet Targetwebsite.com 80
root@writer: # telnet Targetwebsite.com 80
Connected to Targetwebsite.com.
Escape character is '^]'.
After running the command above, write HEAD / HTTP / 1.1 and press the enter key.
root@writer: # telnet 220.127.116.11 80
Connected to 18.104.22.168.
Escape character is '^]'.
HEAD / HTTP/1.1
HTTP/1.1 200 OK
Date: SUN, 10 Oct 2021 05:08:03 IST
Server: Apache X-Powered-By: PHP/5.3.5 ZendServer/5.0
Set-Cookie: SESSIONID VULN SITE=t25put8gliicvqf62u3ctgjm21; path=/
Expires: Thu, 19 Nov 1981 08:52:00 IST
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Via: 1.1 varnish
Connection closed by foreign host.
It indicates the server on which the website is hosted and the back-end language on which it was created after using telnet on the target port 80.
Some WAF systems allow the header to be modified, and they can also cause the webserver to send HTTP replies that are different from the standard ones.
As shown in the result above, the webserver responded to our request and revealed that the firewall/edge gateway was Varnish.
#1. Detecting using NMAP
Nmap, which has a script that can identify a web application firewall, can also be used for this purpose.
Nmap is a security assessment tool that many pen-testers and network administrators commonly utilize.
Nmap is used to obtain information about the target.
The script was run against the same webpage as before
Type the command nmap –script=http-waf-fingerprint targetweb.com
root@writer:# nmap --script=http-waf-fingerprint targetwebsite.com
Starting Nmap 7.90 ( https://nmap.org ) at 2021-10-10 07:58 IST
Nmap scan report for targetsite.com (22.214.171.124)
Host is up (0.24s latency).
Not shown: 982filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
| Detected WAF
| Citrix Netscaler
443/tcp open https
5432/tcp closed postgresql
8080/tcp closed http-proxy
Nmap done: 1 IP address (1 host up) scanned in 25.46 seconds
After using the above Nmap command, the Citrix Netscaler firewall was detected.
#2. Detecting using Whatwaf
Whatwaf is a security tool for fingerprinting web apps and detecting the presence of any WAF. This tool is useful for determining whether a web application is protected by a WAF during security assessments.
Firewall bypassing, application detection, application fingerprinting, and software identification are all frequent uses for WhatWaf. Network
Pen-testers and security professionals are the intended users of this program.
At launch, without a Python version, we can easily specify an executable file:
However, because we did not install Python 2 dependencies, it is advised that you specifically provide the Python version.
python3 ./whatwaf --help
Whatwaf firewall detection tool is straightforward to use! We just need to execute the following command:
./whatwaf -u https://www.targetsite.com
As you can see below, this tool detected the firewall for the provided website URL.
Reminder! – I used my own site for the scanning
└─# ./whatwaf -u https://www.renjith.org
' .--. '
,--. .--. ,--. .--.| | | |
| | | | | | | |'--' | |
| | | | | | | | __. |
| |.'.| | | |.'.| | | .'
| | | | |___|
| ,'. |hat| ,'. |af .---.
'--' '--' '--' '--' '---'
[11:12:34][ERROR] you must install psutil first `pip install psutil` to start mining XMR
[11:12:34][INFO] checking for updates
[11:12:34][WARN] it is highly advised to use a proxy when using WhatWaf. do so by passing the proxy flag (IE `--proxy http://127.0.0.1:9050`) or by passing the Tor flag (IE `--tor`)
[11:12:34][INFO] using User-Agent 'whatwaf/2.0.3 (Language=2.7.18; Platform=Linux)'
[11:12:34][INFO] using default payloads
[11:12:34][INFO] testing connection to target URL before starting attack
[11:12:35][SUCCESS] connection succeeded, continuing
[11:12:35][INFO] running single web application 'https://www.renjith.org'
[11:12:35][WARN] URL does not appear to have a query (parameter), this may interfere with the detection results
[11:12:35][INFO] request type: GET
[11:12:35][INFO] gathering HTTP responses
[11:12:42][INFO] gathering normal response to compare against
[11:12:42][INFO] loading firewall detection scripts
[11:12:42][INFO] running firewall detection checks
[11:12:44][FIREWALL] detected website protection identified as 'Apache Generic'
[11:12:44][INFO] starting bypass analysis
[11:12:44][INFO] loading payload tampering scripts
[11:12:45][INFO] running tampering bypass checks
[11:19:09][SUCCESS] apparent working tampers for target:
(#1) description: tamper payload by changing characters into a wildcard
example: '/bin/cat /et?/?asswd'
load path: content.tampers.randomwildcard
As shown in the result above, the webserver responded to our request and revealed that the firewall was Apache. We can also use the tor service to scan for the WAF, but it may increase the latency.
./whatwaf -u https://www.targetsite.com --tor
The main advantage of the Whatwaf tool is, it automatically tries to give the payloads to bypass the revealed firewall.
#3. Detecting Using Wafw00f
The most well-known tool for detecting the web application firewall is Wafw00f. Wafw00f sends an HTTP request to the web application firewall to identify it. When sending HTTP requests fails, wafw00f makes a malicious HTTP request. If making a malicious HTTP request fails, wafw00f examines prior HTTP requests and employs a simple algorithm to determine whether the web application firewall reacts to our attacks.
Wafw00f isn’t preinstalled in Kali Linux distributions.
How to install Wafw00f?
The zip package is available for download from the official GitHub source.
Download the Wafwoof Tool. You can also use the git client to clone the repository. To get the package, run the commands:
And to use it in verbose mode, run the following command.
wafw00f <url> -v
You can see a few additional capabilities of this utility by executing this command.
wafw00f <url> --help
Wrapping Up 👨💻
In this article, we looked at different strategies and tools for detecting web application firewalls. This is an important activity that must be performed during the information collection stage of every web application penetration test.
Furthermore, knowing that a WAF is in place allows the penetration tester to try various approaches to get around the defenses and exploit any holes in the online application.
According to an ethical hacking researcher, having a web application firewall (WAF) is increasingly necessary. Analyzing your web application logs to detect new assaults occurring on the back-end web application server is always important. This allows you to customize rules in your web application firewall to provide the highest level of protection.
Hey there, my name is Ashlin, and I’m a senior technical writer. I’ve been in the game for a while now, and I specialize in writing about all sorts of cool technology topics like Linux, Networking, Security, Dev Tools, Data Analytics, and Cloud… read more