
WAF Detection - Web Application Firewall

 ·  🎃 kr0m

A WAF or Web Application Firewall is software that is usually installed between the server (or server farm) and the Internet to perform some type of filtering and to log attacks or suspicious traffic. It is useful in scenarios where attacks are frequent and the web servers cannot be patched, either because of a requirement imposed by the code that has to run on them, or simply because it is preferred to filter in hardware on a device specialized for that task. In this article we will see how to install a tool designed to detect the type of WAF sitting in front of a web server.

The tool we will use is wafw00f. To install it we need pip, since wafw00f is written in Python:

emerge -av dev-python/pip
pip install wafw00f

The tool works by running several tests that send traffic to the domain; this traffic tries to provoke errors, and the responses are then searched for patterns characteristic of particular manufacturers or load-balancing software.

We perform a first test:

The site http://www.hotmail.com is behind a F5 BIG-IP LTM

It seems to be working ;). Now let's try with alfaexploit and google:

No WAF detected by the generic detection
The site http://www.google.es seems to be behind a WAF or some sort of security solution
Reason: The server header is different when an attack is detected.
The server header for a normal response is "gws", while the server header a response to an attack is "sffe.",

If we run ngrep and watch the generated traffic, we will see headers similar to the following. In this case the tool is trying to provoke the error by assigning a very large value to the HTTP Transfer-Encoding header.

ngrep -p -q -W byline port 80

T 192.168.34.23:40232 -> A.B.C.D:80 [AP]
GET / HTTP/1.1.
Host: www.ASD.com.
Accept-Encoding: identity.
Transfer-Encoding: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Accept: */*.
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.0.

####
T A.B.C.D:80 -> 192.168.34.23:40232 [AF]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 sys@A.B.C.D and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<p>Additionally, a 500 Internal Server Error
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache Server at www.A.B.C.D.com Port 80</address>
</body></html>
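Seen from the server side, a probe like the one captured above is easy to spot. The following added example (not part of wafw00f or of this article) parses raw requests in the shape that ngrep -W byline prints them and flags the two tell-tale signs of this probe: a Transfer-Encoding value that is not a registered transfer coding, and a header value far longer than any browser would send. The 512-byte threshold and the sample requests are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Registered HTTP transfer codings; anything else in Transfer-Encoding is
# not something a browser or a proxy would send.
VALID_TRANSFER_CODINGS = {"chunked", "compress", "deflate", "gzip",
                          "identity", "x-gzip", "x-compress"}
MAX_HEADER_VALUE = 512  # assumed threshold, tune it to your own traffic


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request, as printed by `ngrep -W byline`, into its
    request line and a lowercase-keyed header dict. ngrep renders the CR
    of each CRLF as a trailing '.', which is stripped here."""
    lines = [re.sub(r"\.$", "", ln) for ln in raw.strip().splitlines()]
    request_line, *header_lines = lines
    headers: Dict[str, str] = {}
    for ln in header_lines:
        if not ln:  # a blank line ends the header block
            break
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def probe_indicators(raw: str) -> List[str]:
    """Return the reasons a request looks like a WAF-fingerprinting probe
    (an empty list means it looks like ordinary traffic)."""
    _, headers = parse_request(raw)
    findings: List[str] = []
    te = headers.get("transfer-encoding")
    if te is not None:
        codings = {c.strip().lower() for c in te.split(",")}
        if codings - VALID_TRANSFER_CODINGS:
            findings.append("transfer-encoding: unregistered coding")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"{name}: oversized value ({len(value)} bytes)")
    return findings


# Constructed samples: a probe shaped like the ngrep capture above, and an
# ordinary browser request.
PROBE = ("GET / HTTP/1.1.\nHost: www.example.com.\nAccept-Encoding: identity.\n"
         "Transfer-Encoding: " + "z" * 600 + ".\nAccept: */*.\n")
BENIGN = "GET / HTTP/1.1.\nHost: www.example.com.\nAccept: text/html.\n"

if __name__ == "__main__":
    for label, req in (("probe", PROBE), ("benign", BENIGN)):
        print(label, probe_indicators(req) or "clean")
```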