How To: Identify Web Application Firewalls with Wafw00f & Nmap

Identify Web Application Firewalls with Wafw00f & Nmap

Web application firewalls are one of the strongest defenses a web app has, but they can be vulnerable if the firewall version used is known to an attacker. Understanding which firewall a target is using can be the first step to a hacker discovering how to get past it — and what defenses are in place on a target. And the tools Wafw00f and Nmap make fingerprinting firewalls easy.

While most web app firewalls, or WAFs, are pretty good at defending the services they protect, they occasionally become vulnerable when an exploitable flaw is discovered. If a firewall hasn't been updated in quite some time, it can be easy to figure out the rules of a firewall and work around them to establish a foothold inside. Manually doing this is incredibly tedious and relies on interpreting the distinctive ways that the WAF responds to specific web requests.

Wafw00f for WAF Detection

Wafw00f is a popular Python program that takes the guesswork of fingerprinting a website's firewall off your hands. Based on the responses to a series of carefully crafted web requests, Wafw00f can determine the underlying firewall used by a service that it probes. The list of WAFs that Wafw00f is capable of detecting is impressive and includes the following, among an ever-growing list:

aeSecure (aeSecure)
Airlock (Phion/Ergon)
Alert Logic (Alert Logic)
AliYunDun (Alibaba Cloud Computing)
Anquanbao (Anquanbao)
AnYu (AnYu Technologies)
Approach (Approach)
Armor Defense (Armor)
ASP.NET Generic Protection (Microsoft)
Astra Web Protection (Czar Securities)
AWS Elastic Load Balancer (Amazon)
Yunjiasu (Baidu Cloud Computing)
Barikode (Ethic Ninja)
Barracuda Application Firewall (Barracuda Networks)
Bekchy (Faydata Technologies Inc.)
BinarySec (BinarySec)
BitNinja (BitNinja)
BlockDoS (BlockDoS)
Bluedon (Bluedon IST)
CacheWall (Varnish)
CdnNS Application Gateway (CdnNs/WdidcNet)
WP Cerber Security (Cerber Tech)
ChinaCache CDN Load Balancer (ChinaCache)
Chuang Yu Shield (Yunaq)
ACE XML Gateway (Cisco)
Cloudbric (Penta Security)
Cloudflare (Cloudflare Inc.)
Cloudfront (Amazon)
Comodo cWatch (Comodo CyberSecurity)
CrawlProtect (Jean-Denis Brun)
DenyALL (Rohde & Schwarz CyberSecurity)
Distil (Distil Networks)
DOSarrest (DOSarrest Internet Security)
DotDefender (Applicure Technologies)
DynamicWeb Injection Check (DynamicWeb)
Edgecast (Verizon Digital Media)
Expression Engine (EllisLab)
BIG-IP Access Policy Manager (F5 Networks)
BIG-IP Application Security Manager (F5 Networks)
BIG-IP Local Traffic Manager (F5 Networks)
FirePass (F5 Networks)
Trafficshield (F5 Networks)
FortiWeb (Fortinet)
GoDaddy Website Protection (GoDaddy)
Greywizard (Grey Wizard)
HyperGuard (Art of Defense)
DataPower (IBM)
Imunify360 (CloudLinux)
Incapsula (Imperva Inc.)
Instart DX (Instart Logic)
ISA Server (Microsoft)
Janusec Application Gateway (Janusec)
Jiasule (Jiasule)
KS-WAF (KnownSec)
Kona Site Defender (Akamai)
LiteSpeed Firewall (LiteSpeed Technologies)
Malcare (Inactiv)
Mission Control Application Shield (Mission Control)
ModSecurity (SpiderLabs)
NAXSI (NBS Systems)
Nemesida (PentestIt)
NetContinuum (Barracuda Networks)
NetScaler AppFirewall (Citrix Systems)
NevisProxy (AdNovum)
Newdefend (NewDefend)
NexusGuard Firewall (NexusGuard)
NinjaFirewall (NinTechNet)
NSFocus (NSFocus Global Inc.)
OnMessage Shield (BlackBaud)
Open-Resty Lua Nginx WAF
Palo Alto Next Gen Firewall (Palo Alto Networks)
PerimeterX (PerimeterX)
pkSecurity Intrusion Detection System
PowerCDN (PowerCDN)
Profense (ArmorLogic)
AppWall (Radware)
Reblaze (Reblaze)
RSFirewall (RSJoomla!)
ASP.NET RequestValidationMode (Microsoft)
Sabre Firewall (Sabre)
Safe3 Web Firewall (Safe3)
Safedog (SafeDog)
Safeline (Chaitin Tech.)
SecuPress WordPress Security (SecuPress)
Secure Entry (United Security Providers)
eEye SecureIIS (BeyondTrust)
SecureSphere (Imperva Inc.)
SEnginx (Neusoft)
Shield Security (One Dollar Plugin)
SiteGround (SiteGround)
SiteGuard (Sakura Inc.)
Sitelock (TrueShield)
SonicWall (Dell)
UTM Web Protection (Sophos)
Squarespace (Squarespace)
StackPath (StackPath)
Sucuri CloudProxy (Sucuri Inc.)
Tencent Cloud Firewall (Tencent Technologies)
Teros (Citrix Systems)
TransIP Web Firewall (TransIP)
URLMaster SecurityCheck (iFinity/DotNetNuke)
URLScan (Microsoft)
Varnish (OWASP)
VirusDie (VirusDie LLC)
Wallarm (Wallarm Inc.)
WatchGuard (WatchGuard Technologies)
WebARX (WebARX Security Solutions)
WebKnight (AQTRONIX)
WebSEAL (IBM)
WebTotem (WebTotem)
West263 Content Delivery Network
Wordfence (Feedjit)
WTS-WAF (WTS)
360WangZhanBao (360 Technologies)
XLabs Security WAF (XLabs)
Xuanwudun
Yundun (Yundun)
Yunsuo (Yunsuo)
Zenedge (Zenedge)
ZScaler (Accenture)

Wafw00f comes pre-installed in Kali Linux, but also can be easily installed on any system with Python. Although some of the same functions can be done with Nmap scripts, Wafw00f consistently gave more complete and accurate results during testing.

Tried & True: Nmap Scripts for WAF Footprinting

Nmap is easy to install and use, and comes preinstalled with scripts that are useful for learning more about the WAF your target is behind. The two scripts Nmap offers are like Wafw00f split into two: one for detection and one for fingerprinting the WAF. These scripts are adequate but not always as accurate or capable of detecting a WAF as Wafw00f is, and you may find yourself surprised when it's unable to identify the type of firewall on a service that clearly has one.

Despite the shortcoming, the benefit of Nmap scanning for WAFs is that it can be easily included in other scans that are being done to establish a target surface, making it easier for a hacker to script this kind of detection with their regular recon routine. Increasingly, other hacking tools are using an Nmap scan with WAF detection to serve as a quick and easy method of providing WAF detection in a module for a more powerful tool.

What You'll Need

To run these tools, I recommend you have a Linux system like Kali or Ubuntu, although macOS works just fine. I haven't tested it on Windows, but it should work provided you have Nmap and Python installed. Either way you go, you'll also need an internet connection to scan targets. You don't need to worry about scanning most targets online, as this type of recon shouldn't raise too many red flags.

Step 1: Install Wafw00f

To install Wafw00f, you'll need to have Python already installed and updated on your system. If you're good there, open a terminal window and type the following to download the GitHub repository.

~# git clone https://github.com/EnableSecurity/wafw00f.git

Cloning into 'wafw00f'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (98/98), done.
remote: Total 3689 (delta 120), reused 113 (delta 74), pack-reused 3517
Receiving objects: 100% (3689/3689), 545.81 KiB | 3.17 MiB/s, done.
Resolving deltas: 100% (2655/2655), done.

Next, navigate to the folder you just downloaded, and install the script with the following commands.

~# cd wafw00f
~/wafw00f# python setup.py install

running install
running bdist_egg
running egg_info
creating wafw00f.egg-info
writing requirements to wafw00f.egg-info/requires.txt
writing wafw00f.egg-info/PKG-INFO
writing top-level names to wafw00f.egg-info/top_level.txt
writing dependency_links to wafw00f.egg-info/dependency_links.txt
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest file 'wafw00f.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'wafw00f.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/manager.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/wafprio.py -> build/lib.linux-x86_64-2.7/wafw00f
copying wafw00f/main.py -> build/lib.linux-x86_64-2.7/wafw00f
creating build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/__init__.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
copying wafw00f/tests/test_main.py -> build/lib.linux-x86_64-2.7/wafw00f/tests
creating build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/safe3.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/nevisproxy.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/f5bigipasm.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/missioncontrol.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
copying wafw00f/plugins/instartdx.py -> build/lib.linux-x86_64-2.7/wafw00f/plugins
...
Installed /usr/local/lib/python2.7/dist-packages/pluginbase-1.0.0-py2.7.egg
Searching for html5lib==1.0.1
Best match: html5lib 1.0.1
Adding html5lib 1.0.1 to easy-install.pth file

Using /usr/lib/python2.7/dist-packages
Finished processing dependencies for wafw00f==1.0.0

Those should install everything you need to run the program. Now, when you want to run it, you can just type wafw00f into a terminal window. To see the help menu, we can run it with the -h flag.

~# wafw00f -h

                 ______
                /      \
               (  Woof! )
                \______/                      )
                ,,                           ) (_
           .-. -    _______                 ( |__|
          ()``; |==|_______)                .)|__|
          / ('        /|\                  (  |__|
      (  /  )        / | \                  . |__|
       \(_)_))      /  |  \                   |__|

    WAFW00F - Web Application Firewall Detection Tool

Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbosity - multiple -v options increase
                        verbosity
  -a, --findall         Find all WAFs, do not stop testing on the first one
  -r, --disableredirect
                        Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that we are able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, example:
                        http://hostname:8080, socks5://hostname:1080
  -V, --version         Print out the version
  -H HEADERSFILE, --headersfile=HEADERSFILE
                        Pass custom headers, for example to overwrite the
                        default User-Agent string

As you can see, there are some useful settings we can adjust to continue scanning for additional firewalls after we find the first positive result.

Step 2: Scan an External Web Application

Now, let's use Wafw00f to scan a web application and see if we can get a positive result. First up, everyone's favorite company that loses American's personal data, Equifax. We'll be testing its "equifaxsecurity2017.com" page that was set up in the wake of losing everyone's credit information.

To identify the web app running on the site, we can use the following command.

~# wafw00f https://equifaxsecurity2017.com

                 ______
                /      \
               (  Woof! )
                \______/                      )
                ,,                           ) (_
           .-. -    _______                 ( |__|
          ()``; |==|_______)                .)|__|
          / ('        /|\                  (  |__|
      (  /  )        / | \                  . |__|
       \(_)_))      /  |  \                   |__|

    WAFW00F - Web Application Firewall Detection Tool

Checking https://equifaxsecurity2017.com
The site https://equifaxsecurity2017.com is behind BIG-IP Application Security Manager (F5 Networks) WAF.
Number of requests: 5

We've identified our first firewall! It may seem easy, but sometimes beginners will get confused when they see a result like below.

~# wafw00f equifaxsecurity2017.com

                 ______
                /      \
               (  Woof! )
                \______/                      )
                ,,                           ) (_
           .-. -    _______                 ( |__|
          ()``; |==|_______)                .)|__|
          / ('        /|\                  (  |__|
      (  /  )        / | \                  . |__|
       \(_)_))      /  |  \                   |__|

    WAFW00F - Web Application Firewall Detection Tool

Checking http://equifaxsecurity2017.com
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 7

So what is the difference? When we go to equifaxsecurity2017.com, we are redirected to the HTTPS version immediately. The first command is targeted at the HTTPS version, which actually has content and a firewall, while the second command is targeting the HTTP version of the same site.

If you get no result, it could be because the website you're targeting is redirecting to another URL. Try copying and pasting in the URL you are directed to in a browser for a more accurate result.

Step 3: Scan a Target with Nmap Scripts

Nmap also comes preinstalled on Kali Linux, and it contains scripts to attempt the same kind of detection. We'll be trying out two different scripts:http-waf-fingerprint and http-waf-detect. While the point of both scripts is similar, they work in slightly different ways and can be effective against different targets.

First up, we'll use http-waf-fingerprint on the same target we did before.

~# nmap -p 80,443 --script=http-waf-detect equifaxsecurity2017.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:37 PDT
Nmap scan report for equifaxsecurity2017.com (107.162.143.246)
Host is up (0.034s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_equifaxsecurity2017.com:443/?p4yl04d3=<script>alert(document.cookie)</script>

Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds

The scan determines that there is, in fact, a firewall here, but it isn't able to tell us much about it. In fact, Nmap doesn't seem to be great at detecting this kind of firewall. If we run it against another example domain, we can see what a positive result looks like.

~# nmap -p 80,443 --script=http-waf-fingerprint noodle.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 00:39 PDT
Nmap scan report for noodle.com (104.20.160.41)
Host is up (0.021s latency).
Other addresses for noodle.com (not scanned): 104.20.161.41 2606:4700:10::6814:a029 2606:4700:10::6814:a129

PORT    STATE SERVICE
80/tcp  open  http
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds

While Nmap can't detect everything that Wafw00f can, it's a great way to quickly identify the first line of defense a targeted web server is behind.

Wafw00f & Nmap Make Discovering WAF's Easy

Once a hacker knows what kind of firewall the target is behind, there are several ways they can proceed. The first is to learn the rules the firewall is working with and look for any behaviors that might be exploitable based on the way that specific software works.

The next priority is to check to see if any vulnerabilities exist in recent versions of the WAF that is detected, or if the WAF hasn't been updated for a long period of time. Either of these discoveries could be the weakest link of an organization's security and an easy way in for a hacker, so it's always worth running another Nmap scan or downloading Wafw00f to check for an out-of-date firewall. If you run a service that uses a WAF, it's a good idea to keep this updated, as searching for outdated firewalls can now be largely automated.

I hope you enjoyed this guide to using Wafw00f to identify web application firewalls! If you have any questions about this tutorial on WAF discovery, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.

Cover photo and screenshots by Kody/Null Byte

Never Miss a Hacking or Security Guide

Get new Null Byte guides every week.

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest