
How to Detect Which WAF is Protecting a Website


Hi there! As an information security geek, I wanted to provide you with an in-depth guide on identifying web application firewalls (WAFs) protecting websites. This can be super helpful for your penetration testing and security research!

WAF detection is an art that takes experience to master. We’ll cover both manual and automated techniques to accurately detect WAFs like a pro.

Grab your favorite beverage and let’s get started!

What are WAFs and Why Detect Them?

First, a quick primer on WAFs.

WAF stands for Web Application Firewall. As the name suggests, WAFs are specialized firewalls that protect web applications by filtering and monitoring HTTP traffic between clients and your servers.

According to Gartner, over 75% of large organizations are expected to deploy WAFs by 2022. They provide strong defenses against common attacks like cross-site scripting (XSS), SQL injection, remote file inclusion etc.

But WAFs can also be a double-edged sword. Overly strict WAF rules can cause false positives and block legitimate traffic. Complex WAFs can themselves introduce weaknesses that attackers exploit.

As an ethical hacker or security analyst, having visibility of the WAF landscape is crucial. By fingerprinting the specific WAF product, you can:

  • Understand the rulesets and filtering logic. This allows you to estimate the vulnerabilities that may still exist.

  • Prioritize testing for weaknesses in that particular WAF implementation. Each product has its own bypass techniques.

  • Determine if the WAF itself is misconfigured. About 30% of WAF deployments have critical misconfigurations according to F5 Networks.

  • Adjust your testing methodology based on the capabilities of that WAF.

So take some time to accurately identify the WAF instead of blindly poking around. Let’s look at smart techniques to determine the website’s firewall.

Manual WAF Detection

First, we’ll explore manual inspection techniques to get initial clues about any WAF in place.

Check Response Headers

Many WAFs can be detected by carefully examining the server’s response headers.

Some WAFs announce themselves in the server banner. ModSecurity, for example, can be configured to append itself to the Server header, so a response like the one below is a giveaway:

Server: nginx/1.14.0 (Ubuntu) + ModSecurity

A banner like this only appears when the operator leaves it in: ModSecurity's SecServerSignature directive, and the web server's own settings, can rewrite or hide it, so its absence tells you nothing.

Here are some other headers and cookies that point at a specific product:

Header / cookie                 Indicates
X-CDN: Incapsula                Imperva Incapsula (also cookies named incap_ses_* and visid_incap_*)
X-Distil-CS                     Distil Networks bot protection
X-Sucuri-ID, X-Sucuri-Cache     Sucuri WAF
Server: cloudflare, CF-RAY      Cloudflare
Server: AkamaiGHost             Akamai

A header literally named X-WAF is not tied to any one product; treat it as a hint that something is filtering, nothing more.

To inspect headers, use your browser's DevTools (Network tab) or cURL: curl -sI https://www.example.com prints only the response headers.

Headers are the cheapest clue but also the least reliable. Operators strip or rewrite them, and a CDN in front of the WAF may add its own. Treat a match as a hypothesis to confirm with the active tools below, and do not read the absence of a header as the absence of a WAF.

Verify Against Known WAF Sites

Another sneaky manual technique is to compare headers against a website known to use a particular WAF.

For example, visit a site protected by Incapsula. Note down headers like X-CDN and cookie names.

Now compare them against the target site you want to test. If the headers closely match, chances are it has the same Incapsula WAF.

The downside is that you need a corpus of sites with known WAFs to compare against. But this technique can provide additional clues for manual detection.
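Both manual techniques above, reading the headers directly and comparing them against a reference site, come down to matching header and cookie names against a small signature table. The script below is an added example written for this page; it is not code from the article or from any of the tools discussed later. The header names and cookie prefixes in its table are ones those products are known to emit, but the table is a hand-picked illustrative subset, and the two responses at the bottom are constructed so the script runs offline.

```python
import re

# Signature table: (product, header checks, cookie-name patterns).
# A header check is (header name, regex on its value); None means "present at all".
# Small, hand-written subset: extend it from your own observations.
SIGNATURES = [
    ("Imperva Incapsula",
     [("x-cdn", r"incapsula"), ("x-iinfo", None)],
     [r"^incap_ses_", r"^visid_incap_"]),
    ("Cloudflare",
     [("server", r"^cloudflare$"), ("cf-ray", None)],
     [r"^cf_clearance$", r"^__cf_bm$"]),
    ("Sucuri",
     [("x-sucuri-id", None), ("x-sucuri-cache", None), ("server", r"sucuri")],
     []),
    ("Akamai", [("server", r"akamaighost")], []),
    ("ModSecurity", [("server", r"mod_security|modsecurity")], []),
    ("F5 BIG-IP ASM", [], [r"^TS[0-9a-fA-F]{6,}"]),  # weak on its own; confirm with another clue
]

# Headers every server sends; ignored when comparing two sites.
GENERIC_HEADERS = {
    "content-type", "content-length", "date", "connection", "cache-control",
    "vary", "expires", "etag", "last-modified", "transfer-encoding", "set-cookie",
}


def _cookie_names(header_pairs):
    """Cookie names from every Set-Cookie header (a site may send several)."""
    return [v.split("=", 1)[0].strip()
            for k, v in header_pairs if k.lower() == "set-cookie"]


def fingerprint(header_pairs):
    """Match response headers and cookies against SIGNATURES.

    header_pairs: list of (name, value) tuples as an HTTP client returns them
    (a list rather than a dict, so repeated Set-Cookie headers survive).
    Returns [(product, [evidence, ...]), ...], most evidence first.
    """
    by_name = {}
    for k, v in header_pairs:
        by_name.setdefault(k.lower(), []).append(v)
    cookies = _cookie_names(header_pairs)

    results = []
    for product, header_checks, cookie_patterns in SIGNATURES:
        evidence = []
        for hname, pattern in header_checks:
            for value in by_name.get(hname, []):
                if pattern is None or re.search(pattern, value, re.I):
                    evidence.append(f"{hname}: {value}")
                    break
        for cpat in cookie_patterns:
            for cname in cookies:
                if re.match(cpat, cname):
                    evidence.append(f"cookie {cname}")
                    break
        if evidence:
            results.append((product, evidence))
    results.sort(key=lambda r: len(r[1]), reverse=True)
    return results


def shared_clues(reference_pairs, target_pairs):
    """Clues (non-generic header names, cookie names with digits removed)
    present both on a site known to use a WAF and on the target."""
    def clues(pairs):
        out = set()
        for k, v in pairs:
            k = k.lower()
            if k == "set-cookie":
                out.add("cookie:" + re.sub(r"\d+", "", v.split("=", 1)[0].strip()))
            elif k not in GENERIC_HEADERS:
                out.add("header:" + k)
        return out
    return clues(reference_pairs) & clues(target_pairs)


# Constructed sample responses (not captured from real sites).
REFERENCE_INCAPSULA = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-CDN", "Incapsula"),
    ("X-Iinfo", "1-2345-67890 NNNN CT(1 2 3) RT(1 0) q(0 0 0 -1) r(0 0) U6"),
    ("Set-Cookie", "visid_incap_12345=abc; path=/; HttpOnly"),
    ("Set-Cookie", "incap_ses_123_12345=def; path=/"),
]
TARGET = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Date", "Mon, 01 Jan 2024 00:00:00 GMT"),
    ("X-CDN", "Incapsula"),
    ("Set-Cookie", "incap_ses_456_99999=ghi; path=/"),
]

if __name__ == "__main__":
    for product, evidence in fingerprint(TARGET):
        print(product, "<-", "; ".join(evidence))
    print("shared with reference:", sorted(shared_clues(REFERENCE_INCAPSULA, TARGET)))
```

To use it live, pass the header list your client gives you (for example `list(response.raw.headers.items())` with requests, or the pairs from `http.client`). The two functions answer different questions: fingerprint() names a product from absolute clues, shared_clues() only says how much the target resembles a site you already know, which is why the digits are stripped from cookie names before comparing.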

We’ll now shift our focus to reliable automated tools for WAF detection.

Automated WAF Detection Tools

Automated fingerprinting tools take the manual effort out of WAF detection. They send carefully crafted probes and analyze the application's response.

Let's discuss some popular open source options:

Nmap http-waf-fingerprint

Nmap is a staple in every security researcher's toolkit, and it ships two NSE scripts for this job: http-waf-detect, which only answers whether something is filtering attack-like requests, and http-waf-fingerprint, which tries to name the product.

http-waf-fingerprint matches response headers, cookies and block-page content against its built-in table of WAF fingerprints.

Here is how you can use it:

nmap -p 80,443 --script http-waf-fingerprint www.example.com

Output:

PORT     STATE SERVICE
443/tcp  open  https  
| http-waf-fingerprint: NetContinuum
|   WAF-fingerprint

Here Nmap matched the NetContinuum (now Barracuda) fingerprint.

Include this quick scan in your standard reconnaissance, but read a negative result as inconclusive rather than as "no WAF": the script only knows the products in its table, and it stays silent when the WAF never reacts to its probes.

WhatWaf Tool

If you want more than detection, WhatWaf is an excellent option.

WhatWaf fingerprints the product behind a website's WAF and, unlike the other tools here, keeps going after identification:

python whatwaf.py --url https://example.com

[*] URL: https://www.example.com
[*] Identified WAF: ModSecurity (OWASP CRS)

Once the WAF is identified, WhatWaf can run its tamper scripts against it, to learn which transformations of a probe the firewall still lets through:

  • Tampering payloads to evade WAF rules
  • Anti-analysis techniques like junk insertion to confuse WAF
  • Traffic obfuscation via payload encoding
  • WAF misconfiguration checks

This makes WhatWaf an indispensable tool for your WAF analysis.

WAFW00F

WAFW00F is another popular fingerprinting tool written in Python. It first sends a normal request, then requests carrying attack-like strings designed to trip the WAF's rules, and compares the responses.

Based on the response, it detects and reports back the WAF:

wafw00f example.com
WAFW00F - Web Application Firewall Detection Tool

By: Sandro Gauci - Enable Security Ltd
Checking example.com
Detected Application Defender Firewall
Number of requests: 4

WAFW00F is quick and simple to use, and it does identify products: it ships a large signature database, and when a malicious probe changes the response but nothing in that database matches, it reports a generic, unidentified WAF rather than a name.

One tip is to run it before starting heavier scans, so you know whether a WAF will be shaping everything you see afterwards.
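All three tools share one method: send a harmless request, then requests carrying well-known attack strings, and see whether the response changes in a way the application alone would not explain. The script below is an added example of that method, written for this page; it is not the code of Nmap, WhatWaf or WAFW00F. The transport is passed in as a function, so the demo runs offline against a constructed fake site; the block-page phrases in its table are ones the named products are known to use, but the table is a small illustrative subset.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Findings:
    baseline_status: int
    blocked: list = field(default_factory=list)   # [(probe name, status), ...]
    waf: Optional[str] = None
    unstable: bool = False


# Standard attack-looking test strings: what a WAF rule is written to catch,
# not working exploits against anything.
PROBES = {
    "xss": "<script>alert(1)</script>",
    "sqli": "' OR 1=1--",
    "traversal": "../../../../etc/passwd",
}

# Block-page wording the products are known to use. Small illustrative subset.
BLOCK_PAGE_SIGNATURES = [
    ("Imperva Incapsula", r"incapsula incident id"),
    ("F5 BIG-IP ASM", r"the requested url was rejected"),
    ("Cloudflare", r"cloudflare ray id|attention required"),
    ("Akamai", r"reference #\d+\.[0-9a-f]+\.\d+\.[0-9a-f]+"),
]


def probe(send, url, param="q"):
    """send(url, params) must return a Response.

    Sends the benign request twice (an unstable baseline means rate limiting or
    a flaky app, and the rest would be noise), then one request per probe, and
    records which probes changed the status or size of the response. Block
    pages are then matched against BLOCK_PAGE_SIGNATURES to name the product.
    """
    baseline = send(url, {param: "hello"})
    check = send(url, {param: "hello"})
    f = Findings(baseline_status=baseline.status)
    if check.status != baseline.status:
        f.unstable = True
        return f
    for name, payload in PROBES.items():
        r = send(url, {param: payload})
        size_jump = abs(len(r.body) - len(baseline.body)) > max(100, len(baseline.body) // 2)
        if r.status != baseline.status or size_jump:
            f.blocked.append((name, r.status))
            for product, pattern in BLOCK_PAGE_SIGNATURES:
                if re.search(pattern, r.body, re.I):
                    f.waf = product
    return f


# Constructed fakes so the example runs offline.
_NORMAL = "<html><body><h1>Search</h1><p>No results for your query.</p></body></html>"
_INCAPSULA_BLOCK = ("<html><head><title>Request unsuccessful</title></head><body>"
                    "Incapsula incident ID: 123000456-789</body></html>")


def fake_incapsula_site(url, params):
    """Stand-in for a site behind Incapsula: a 403 block page on obvious attacks."""
    q = params.get("q", "").lower()
    if any(tok in q for tok in ("<script", "' or ", "../")):
        return Response(403, _INCAPSULA_BLOCK)
    return Response(200, _NORMAL)


def fake_plain_site(url, params):
    """Stand-in for a site with no WAF at all."""
    return Response(200, _NORMAL)


# Live use (not run here): wrap a real client so it returns Response.
#   import requests
#   def live_send(url, params):
#       r = requests.get(url, params=params, timeout=10)
#       return Response(r.status_code, r.text)

if __name__ == "__main__":
    print(probe(fake_incapsula_site, "https://example.com/search"))
    print(probe(fake_plain_site, "https://example.com/search"))
```

Two caveats the real tools also live with: a 404 or 500 from the application itself looks like a block (hence the baseline comparison and several probe classes rather than one), and every probe is visible in the WAF's logs, so this is an active technique, not a passive one.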

Comparing WAF Detection Tools

Each WAF detection tool has unique capabilities. Here is a head-to-head comparison:

Tool                        Pros                                                     Cons
Nmap http-waf-fingerprint   Runs inside a scan you already do; names the product     Needs Nmap; silent when its probes never trip the WAF
WhatWaf                     Detection plus tamper scripts to test what gets through  Slower than the others; more dependencies
WAFW00F                     Fast; large signature database; names the product or     Active probes show up in the WAF's logs
                            reports a generic WAF when nothing matches

My recommendation is to run Nmap and WhatWaf together and compare their verdicts. WAFW00F is a good first pass because it is the fastest of the three.

Bypassing WAFs

Identifying the WAF is step one. Next, you need to work out how to get your test traffic past it during the actual penetration test.

This depends heavily on the product, but a few themes recur. Using the products above as examples:

  • ModSecurity with the OWASP CRS – the ruleset normalizes input before matching, so simple encoding tricks fail. What varies is the configured paranoia level and any rule exclusions the operator added for their application; that is where gaps appear.
  • Imperva – rate-based and reputation rules are keyed on the source IP, so a single scanner address is throttled or flagged quickly. Spreading requests across several IPs changes what you observe.
  • Cloudflare and other CDN-fronted WAFs – the WAF only inspects traffic that passes through the CDN. If the origin server is reachable directly (an old DNS record, a plain-HTTP listener on another port, a leaked IP) and does not restrict inbound traffic to the provider's published IP ranges, the WAF never sees your requests at all.
  • AWS WAF – protection is a set of rule groups attached to a particular ALB, CloudFront distribution or API Gateway. Check which rule groups cover which paths, and whether the origin accepts traffic that did not pass through the protected front door.

Reading the vendor's documentation tells you what the product normalizes, what it inspects (request bodies are often only read up to a size limit) and which rules are off by default. Rulesets also evolve between releases, so check the version in front of you rather than an old write-up.

Some general bypass tips:

  • Check business logic flaws; signature-based rules cannot see them.
  • Test edge cases: unexpected values, alternative encodings, unusual headers and content types.
  • Verify rule coverage for new vulnerability classes, for example Log4Shell (CVE-2021-44228).
  • Find the size, rate and complexity limits at which inspection stops or blocking starts, such as the maximum request body the WAF will read before passing the rest through uninspected.

With perseverance and creativity, you can often find chinks in the WAF armor!
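The "encodings" item above, and WhatWaf's tamper scripts, rest on one idea: a WAF that matches on the raw request text treats encoded or re-cased forms of a probe as different strings, while the application decodes them all to the same thing. The script below is an added example of that idea, written for this page rather than taken from the article or from WhatWaf. Both filters in it are constructed stand-ins: naive_filter() matches raw text, hardened_filter() normalizes first, as the OWASP CRS does; neither is a real product's code.

```python
import re
from urllib.parse import quote, unquote

# Tokens a simplistic rule looks for. The naive filter matches them literally;
# the hardened one lowercases both sides after decoding.
BLOCKLIST = ["<script", "OR 1=1", "../"]


def variants(payload):
    """Yield (label, transformed payload) pairs that decode back to the same thing."""
    yield "raw", payload
    yield "url-encoded", quote(payload, safe="")
    # Reaches the app as the original only if something decodes twice
    # (a proxy and the app both decoding is the classic cause).
    yield "double-url-encoded", quote(quote(payload, safe=""), safe="")
    # Alternating case: SQL keywords and HTML tag names are case-insensitive.
    yield "mixed-case", "".join(c.upper() if i % 2 else c.lower()
                                for i, c in enumerate(payload))
    # Inline SQL comments instead of spaces, so "OR 1=1" never appears as one token.
    yield "sql-comments", payload.replace(" ", "/**/")


def naive_filter(raw):
    """Constructed stand-in for a WAF that matches the raw request text,
    case-sensitively, without decoding. Returns True when it blocks."""
    return any(tok in raw for tok in BLOCKLIST)


def normalize(raw):
    """What a better WAF does first: URL-decode until stable, lowercase,
    turn inline comments into whitespace and collapse runs of whitespace."""
    s, prev = raw, None
    while s != prev:
        prev, s = s, unquote(s)
    s = s.lower().replace("/**/", " ")
    return re.sub(r"\s+", " ", s)


def hardened_filter(raw):
    """Same blocklist, applied to the normalized form."""
    n = normalize(raw)
    return any(tok.lower() in n for tok in BLOCKLIST)


def evade(payload, filter_fn):
    """Labels of the variants that the given filter lets through."""
    return [label for label, v in variants(payload) if not filter_fn(v)]


if __name__ == "__main__":
    for p in ("' OR 1=1--", "<script>alert(1)</script>"):
        print(repr(p), "naive lets through:", evade(p, naive_filter))
        print(repr(p), "hardened lets through:", evade(p, hardened_filter))
```

Against the naive filter four of the five SQL variants get through; against the normalizing one none do. That is the check to run on a real target: feed each variant through your probe loop and note which ones change the response, because the pattern of what survives says more about the product's normalization than any header does.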

Conclusion

That brings us to the end of our WAF detection guide! Let me quickly recap the key takeaways:

  • Identifying the WAF helps customize your web app penetration tests.
  • Manual techniques involve inspecting headers and response fingerprints.
  • Automated tools like Nmap, WhatWaf and WAFW00F automate the probing; cross-check their verdicts against each other.
  • Each WAF has unique bypass techniques you should research.
  • Combining manual checks and multiple tools gives high confidence.

I hope these techniques help you accurately detect web application firewalls during your next security assessment. WAFs are a formidable defense, but with the right approach you can overcome them!

Please reach out if you have any other tips and tricks for WAF analysis. I’m always looking to improve my pentest skills.

Until next time, stay curious and keep hacking safely!


Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.