Web application firewalls are one of the strongest defenses a web app has, but they can be vulnerable if the firewall version used is known to an attacker. Understanding which firewall a target is using can be the first step to a hacker discovering how to get past it — and what defenses are in place on a target. And the tools Wafw00f and Nmap make fingerprinting firewalls easy.
While most web app firewalls, or WAFs, are pretty good at defending the services they protect, they occasionally become vulnerable when an exploitable flaw is discovered. If a firewall hasn't been updated in quite some time, it can be easy to figure out the rules of a firewall and work around them to establish a foothold inside. Manually doing this is incredibly tedious and relies on interpreting the distinctive ways that the WAF responds to specific web requests.
Wafw00f is a popular Python program that takes the guesswork of fingerprinting a website's firewall off your hands. Based on the responses to a series of carefully crafted web requests, Wafw00f can determine the underlying firewall used by a service that it probes. The list of WAFs that Wafw00f is capable of detecting is impressive and includes the following, among an ever-growing list:
aeSecure (aeSecure) Airlock (Phion/Ergon) Alert Logic (Alert Logic) AliYunDun (Alibaba Cloud Computing) Anquanbao (Anquanbao) AnYu (AnYu Technologies) Approach (Approach) Armor Defense (Armor) ASP.NET Generic Protection (Microsoft) Astra Web Protection (Czar Securities) AWS Elastic Load Balancer (Amazon) Yunjiasu (Baidu Cloud Computing) Barikode (Ethic Ninja) Barracuda Application Firewall (Barracuda Networks) Bekchy (Faydata Technologies Inc.) BinarySec (BinarySec) BitNinja (BitNinja) BlockDoS (BlockDoS) Bluedon (Bluedon IST) CacheWall (Varnish) CdnNS Application Gateway (CdnNs/WdidcNet) WP Cerber Security (Cerber Tech) ChinaCache CDN Load Balancer (ChinaCache) Chuang Yu Shield (Yunaq) ACE XML Gateway (Cisco) Cloudbric (Penta Security) Cloudflare (Cloudflare Inc.) Cloudfront (Amazon) Comodo cWatch (Comodo CyberSecurity) CrawlProtect (Jean-Denis Brun) DenyALL (Rohde & Schwarz CyberSecurity) Distil (Distil Networks) DOSarrest (DOSarrest Internet Security) DotDefender (Applicure Technologies) DynamicWeb Injection Check (DynamicWeb) Edgecast (Verizon Digital Media) Expression Engine (EllisLab) BIG-IP Access Policy Manager (F5 Networks) BIG-IP Application Security Manager (F5 Networks) BIG-IP Local Traffic Manager (F5 Networks) FirePass (F5 Networks) Trafficshield (F5 Networks) FortiWeb (Fortinet) GoDaddy Website Protection (GoDaddy) Greywizard (Grey Wizard) HyperGuard (Art of Defense) DataPower (IBM) Imunify360 (CloudLinux) Incapsula (Imperva Inc.) Instart DX (Instart Logic) ISA Server (Microsoft) Janusec Application Gateway (Janusec) Jiasule (Jiasule) KS-WAF (KnownSec) Kona Site Defender (Akamai) LiteSpeed Firewall (LiteSpeed Technologies) Malcare (Inactiv) Mission Control Application Shield (Mission Control) ModSecurity (SpiderLabs) NAXSI (NBS Systems) Nemesida (PentestIt) NetContinuum (Barracuda Networks) NetScaler AppFirewall (Citrix Systems) NevisProxy (AdNovum) Newdefend (NewDefend) NexusGuard Firewall (NexusGuard) NinjaFirewall (NinTechNet) NSFocus (NSFocus Global Inc.) OnMessage Shield (BlackBaud) Open-Resty Lua Nginx WAF Palo Alto Next Gen Firewall (Palo Alto Networks) PerimeterX (PerimeterX) pkSecurity Intrusion Detection System PowerCDN (PowerCDN) Profense (ArmorLogic) AppWall (Radware) Reblaze (Reblaze) RSFirewall (RSJoomla!) ASP.NET RequestValidationMode (Microsoft) Sabre Firewall (Sabre) Safe3 Web Firewall (Safe3) Safedog (SafeDog) Safeline (Chaitin Tech.) SecuPress WordPress Security (SecuPress) Secure Entry (United Security Providers) eEye SecureIIS (BeyondTrust) SecureSphere (Imperva Inc.) SEnginx (Neusoft) Shield Security (One Dollar Plugin) SiteGround (SiteGround) SiteGuard (Sakura Inc.) Sitelock (TrueShield) SonicWall (Dell) UTM Web Protection (Sophos) Squarespace (Squarespace) StackPath (StackPath) Sucuri CloudProxy (Sucuri Inc.) Tencent Cloud Firewall (Tencent Technologies) Teros (Citrix Systems) TransIP Web Firewall (TransIP) URLMaster SecurityCheck (iFinity/DotNetNuke) URLScan (Microsoft) Varnish (OWASP) VirusDie (VirusDie LLC) Wallarm (Wallarm Inc.) WatchGuard (WatchGuard Technologies) WebARX (WebARX Security Solutions) WebKnight (AQTRONIX) WebSEAL (IBM) WebTotem (WebTotem) West263 Content Delivery Network Wordfence (Feedjit) WTS-WAF (WTS) 360WangZhanBao (360 Technologies) XLabs Security WAF (XLabs) Xuanwudun Yundun (Yundun) Yunsuo (Yunsuo) Zenedge (Zenedge) ZScaler (Accenture)
Wafw00f comes pre-installed in Kali Linux, but also can be easily installed on any system with Python. Although some of the same functions can be done with Nmap scripts, Wafw00f consistently gave more complete and accurate results during testing.
Nmap is easy to install and use, and comes preinstalled with scripts that are useful for learning more about the WAF your target is behind. The two scripts Nmap offers are like Wafw00f split into two: one for detection and one for fingerprinting the WAF. These scripts are adequate but not always as accurate or capable of detecting a WAF as Wafw00f is, and you may find yourself surprised when it's unable to identify the type of firewall on a service that clearly has one.
Despite the shortcoming, the benefit of Nmap scanning for WAFs is that it can be easily included in other scans that are being done to establish a target surface, making it easier for a hacker to script this kind of detection with their regular recon routine. Increasingly, other hacking tools are using an Nmap scan with WAF detection to serve as a quick and easy method of providing WAF detection in a module for a more powerful tool.
To run these tools, I recommend you have a Linux system like Kali or Ubuntu, although macOS works just fine. I haven't tested it on Windows, but it should work provided you have Nmap and Python installed. Either way you go, you'll also need an internet connection to scan targets. You don't need to worry about scanning most targets online, as this type of recon shouldn't raise too many red flags.
To install Wafw00f, you'll need to have Python already installed and updated on your system. If you're good there, open a terminal window and type the following to download the GitHub repository.
~# git clone https://github.com/EnableSecurity/wafw00f.git Cloning into 'wafw00f'... remote: Enumerating objects: 172, done. remote: Counting objects: 100% (172/172), done. remote: Compressing objects: 100% (98/98), done. remote: Total 3689 (delta 120), reused 113 (delta 74), pack-reused 3517 Receiving objects: 100% (3689/3689), 545.81 KiB | 3.17 MiB/s, done. Resolving deltas: 100% (2655/2655), done.
Next, navigate to the folder you just downloaded, and install the script with the following commands.
~# cd wafw00f ~/wafw00f# python setup.py install running install running bdist_egg running egg_info creating wafw00f.egg-info writing requirements to wafw00f.egg-info/requires.txt writing wafw00f.egg-info/PKG-INFO writing top-level names to wafw00f.egg-info/top_level.txt writing dependency_links to wafw00f.egg-info/dependency_links.txt writing manifest file 'wafw00f.egg-info/SOURCES.txt' reading manifest file 'wafw00f.egg-info/SOURCES.txt' reading manifest template 'MANIFEST.in' writing manifest file 'wafw00f.egg-info/SOURCES.txt' installing library code to build/bdist.linux-x86_64/egg running install_lib running build_py creating build creating build/lib.linux-x86_64-2.7 creating build/lib.linux-x86_64-2.7/wafw00f copying wafw00f/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f copying wafw00f/manager.py -> build/lib.linux-x86_64-2.7/wafw00f copying wafw00f/wafprio.py -> build/lib.linux-x86_64-2.7/wafw00f copying wafw00f/main.py -> build/lib.linux-x86_64-2.7/wafw00f creating build/lib.linux-x86_64-2.7/wafw00f/tests copying wafw00f/tests/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f/tests copying wafw00f/tests/test_main.py -> build/lib.linux-x86_64-2.7/wafw00f/tests creating build/lib.linux-x86_64-2.7/wafw00f/plugins copying wafw00f/plugins/safe3.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins copying wafw00f/plugins/nevisproxy.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins copying wafw00f/plugins/f5bigipasm.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins copying wafw00f/plugins/missioncontrol.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins copying wafw00f/plugins/instartdx.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins ... Installed /usr/local/lib/python2.7/dist-packages/pluginbase-1.0.0-py2.7.egg Searching for html5lib==1.0.1 Best match: html5lib 1.0.1 Adding html5lib 1.0.1 to easy-install.pth file Using /usr/lib/python2.7/dist-packages Finished processing dependencies for wafw00f==1.0.0
Those should install everything you need to run the program. Now, when you want to run it, you can just type wafw00f into a terminal window. To see the help menu, we can run it with the -h flag.
~# wafw00f -h ______ / \ ( Woof! ) \______/ ) ,, ) (_ .-. - _______ ( |__| ()``; |==|_______) .)|__| / (' /|\ ( |__| ( / ) / | \ . |__| \(_)_)) / | \ |__| WAFW00F - Web Application Firewall Detection Tool Usage: wafw00f url1 [url2 [url3 ... ]] example: wafw00f http://www.victim.org/ Options: -h, --help show this help message and exit -v, --verbose enable verbosity - multiple -v options increase verbosity -a, --findall Find all WAFs, do not stop testing on the first one -r, --disableredirect Do not follow redirections given by 3xx responses -t TEST, --test=TEST Test for one specific WAF -l, --list List all WAFs that we are able to detect -p PROXY, --proxy=PROXY Use an HTTP proxy to perform requests, example: http://hostname:8080, socks5://hostname:1080 -V, --version Print out the version -H HEADERSFILE, --headersfile=HEADERSFILE Pass custom headers, for example to overwrite the default User-Agent string
As you can see, there are some useful settings we can adjust to continue scanning for additional firewalls after we find the first positive result.
Now, let's use Wafw00f to scan a web application and see if we can get a positive result. First up, everyone's favorite company that loses American's personal data, Equifax. We'll be testing its "equifaxsecurity2017.com" page that was set up in the wake of losing everyone's credit information.
- Don't Miss: Scrape Target Email Addresses with TheHarvester
To identify the web app running on the site, we can use the following command.
~# wafw00f https://equifaxsecurity2017.com ______ / \ ( Woof! ) \______/ ) ,, ) (_ .-. - _______ ( |__| ()``; |==|_______) .)|__| / (' /|\ ( |__| ( / ) / | \ . |__| \(_)_)) / | \ |__| WAFW00F - Web Application Firewall Detection Tool Checking https://equifaxsecurity2017.com The site https://equifaxsecurity2017.com is behind BIG-IP Application Security Manager (F5 Networks) WAF. Number of requests: 5
We've identified our first firewall! It may seem easy, but sometimes beginners will get confused when they see a result like below.
~# wafw00f equifaxsecurity2017.com ______ / \ ( Woof! ) \______/ ) ,, ) (_ .-. - _______ ( |__| ()``; |==|_______) .)|__| / (' /|\ ( |__| ( / ) / | \ . |__| \(_)_)) / | \ |__| WAFW00F - Web Application Firewall Detection Tool Checking http://equifaxsecurity2017.com Generic Detection results: No WAF detected by the generic detection Number of requests: 7
So what is the difference? When we go to equifaxsecurity2017.com, we are redirected to the HTTPS version immediately. The first command is targeted at the HTTPS version, which actually has content and a firewall, while the second command is targeting the HTTP version of the same site.
If you get no result, it could be because the website you're targeting is redirecting to another URL. Try copying and pasting in the URL you are directed to in a browser for a more accurate result.
Nmap also comes preinstalled on Kali Linux, and it contains scripts to attempt the same kind of detection. We'll be trying out two different scripts:http-waf-fingerprint and http-waf-detect. While the point of both scripts is similar, they work in slightly different ways and can be effective against different targets.
First up, we'll use http-waf-fingerprint on the same target we did before.
~# nmap -p 80,443 --script=http-waf-detect equifaxsecurity2017.com Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:37 PDT Nmap scan report for equifaxsecurity2017.com (184.108.40.206) Host is up (0.034s latency). PORT STATE SERVICE 80/tcp open http 443/tcp open https | http-waf-detect: IDS/IPS/WAF detected: |_equifaxsecurity2017.com:443/?p4yl04d3=<script>alert(document.cookie)</script> Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds
The scan determines that there is, in fact, a firewall here, but it isn't able to tell us much about it. In fact, Nmap doesn't seem to be great at detecting this kind of firewall. If we run it against another example domain, we can see what a positive result looks like.
~# nmap -p 80,443 --script=http-waf-fingerprint noodle.com Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:39 PDT Nmap scan report for noodle.com (220.127.116.11) Host is up (0.021s latency). Other addresses for noodle.com (not scanned): 18.104.22.168 2606:4700:10::6814:a029 2606:4700:10::6814:a129 PORT STATE SERVICE 80/tcp open http | http-waf-fingerprint: | Detected WAF |_ Cloudflare 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
While Nmap can't detect everything that Wafw00f can, it's a great way to quickly identify the first line of defense a targeted web server is behind.
Once a hacker knows what kind of firewall the target is behind, there are several ways they can proceed. The first is to learn the rules the firewall is working with and look for any behaviors that might be exploitable based on the way that specific software works.
The next priority is to check to see if any vulnerabilities exist in recent versions of the WAF that is detected, or if the WAF hasn't been updated for a long period of time. Either of these discoveries could be the weakest link of an organization's security and an easy way in for a hacker, so it's always worth running another Nmap scan or downloading Wafw00f to check for an out-of-date firewall. If you run a service that uses a WAF, it's a good idea to keep this updated, as searching for outdated firewalls can now be largely automated.
I hope you enjoyed this guide to using Wafw00f to identify web application firewalls! If you have any questions about this tutorial on WAF discovery, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.