Detecting Web application firewall during Pentesting

Web application firewalls are often overlooked by penetration testers when testing web applications. Most web applications are protected by an application firewall, and it is not easy to tell which product is in use. This is where a tool called "WAFW00F" comes in: it can fingerprint 20 WAF products, which helps a pentester identify and analyse the protection in front of the web application.


http://code.google.com/p/waffit/


WAFW00F allows you to fingerprint the WAF products protecting a website. As of now the tool can fingerprint 20 WAF products. How does it do that? Most likely it looks at the following:
* Cookies – some WAF products add their own cookie to the HTTP exchange.
* Server cloaking – altering URLs and response headers.
* Response codes – different error codes for hostile pages or parameter values.
* Drop action – sending a FIN/RST packet. This can also be a false positive caused by an IDS/IPS.
* Pre-built rules – each WAF has its own negative-security signatures; a study has been done of all these WAF products.
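To make those heuristics concrete, here is an added example (my own code, not WAFW00F's) that compares the reply to a benign request with the reply to the same URL carrying a hostile-looking parameter value, and reports which signals leak the WAF's identity. The Server-header pattern, cookie name and status codes in the table are assumed illustrative values, and the sample responses are constructed; for a defender this is the same check you can run against your own deployment to see what it gives away.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Response:
    """Minimal stand-in for an HTTP response; constructed, no network I/O."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    cookies: Dict[str, str] = field(default_factory=dict)

# Illustrative signature table (assumed values, not copied from wafw00f):
# a Server-header pattern, a cookie name the product sets, and the error
# codes it returns for hostile parameter values.
SIGNATURES = {
    "ModSecurity": {"server": r"mod_security|NOYB", "hostile_status": {403, 406}},
    "ExampleWAF":  {"cookie": r"^example_waf_session$", "hostile_status": {999}},
}

def fingerprint(normal: Response, hostile: Optional[Response]) -> List[Tuple[str, str]]:
    """Return (product, evidence) pairs. `normal` is the reply to a benign
    request, `hostile` the reply to the same URL with a hostile-looking
    parameter value; None means the connection was dropped (FIN/RST)."""
    hits: List[Tuple[str, str]] = []
    if hostile is None:
        # Drop action: something in the path killed the connection. As the
        # text notes, an IDS/IPS does this too, so it is only weak evidence.
        return [("unknown (drop action)", "connection reset on hostile request")]
    for product, sig in SIGNATURES.items():
        server = hostile.headers.get("server", "")
        if "server" in sig and re.search(sig["server"], server, re.I):
            hits.append((product, f"Server header leaks identity: {server!r}"))
        for name in (*normal.cookies, *hostile.cookies):
            if "cookie" in sig and re.search(sig["cookie"], name, re.I):
                hits.append((product, f"WAF cookie set: {name}"))
                break
        if normal.status == 200 and hostile.status in sig.get("hostile_status", ()):
            hits.append((product, f"benign 200 vs hostile {hostile.status}"))
    return hits

# Constructed sample: ModSecurity-style replies to a benign request and to a
# request carrying a hostile parameter value.
BENIGN = Response(200, {"server": "Apache/2.2.9 (Debian) mod_security/2.5.4"})
HOSTILE = Response(406, {"server": "Apache/2.2.9 (Debian) mod_security/2.5.4"})

if __name__ == "__main__":
    for product, why in fingerprint(BENIGN, HOSTILE):
        print(f"{product}: {why}")
```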
Below is a test conducted against ModSecurity, an open source web application firewall:
1) Check out the source with svn checkout (trunk, revision 11 at the time of writing) into a directory named waffit-read-only.
2) Change into that directory: punter@rtfm:~$ cd /pentest/web/waffit-read-only
3) Run the tool against the target: punter@rtfm:~$ python wafw00f.py http://192.168.0.122
The output looks like this:
punter@rtfm:~$ python wafw00f.py http://192.168.0.122
^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'
WAFW00F – Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking http://192.168.0.122
The site http://192.168.0.122 is behind a ModSecurity
Number of requests: 5