Web application firewalls are one of the strongest defenses that a web app has, but they can be vulnerable if the firewall version used is known to an attacker. Understanding which firewall a target uses can be the first step for a hacker to discover how to get past it – and what defenses are on a target. And the Wafw00f and Nmap tools make fingerprints of firewalls simple.
While most firewalls on the Web, or WAF, are quite good at defending the services they protect, they sometimes become vulnerable when an exploitable defect is detected. If a firewall has not been updated for quite some time, it may be easy to find out the rules for a firewall and work around them to create a foothold inside. Doing this manually is extremely tedious and relies on interpreting the distinct ways WAF responds to specific web requests.
Wafw00f is a popular Python program that takes the guesswork of fingerprinting a website firewall from your hands. Based on the responses to a series of carefully crafted web requests, Wafw00f can determine the underlying firewall used by a service it is investigating. The list of WAFs that Wafw00f can detect is impressive and includes the following among an ever-growing list:
aeSecure (aeSecure) Airlock (Phion / Ergon) Alert Logic (Alert Logic) AliYunDun (Alibaba Cloud Computing) Anquanbao (Anquanbao) AnYu (AnYu Technologies) Approach Armor Defense (Armor) ASP.NET Generic Protection (Microsoft) Astra Web Protection (Czar Securities) AWS Elastic Load Balancer (Amazon) Yunjiasu (Baidu Cloud Computing) Bar Code (Ethical Ninja) Barracuda Application Firewall (Barracuda Networks) Bekchy (Faydata Technologies Inc.) BinarySec (BinarySec) BitNinja (BitNinja) BlockDoS (BlockDoS) Bluedon (Bluedon IST) CacheWall (lack) CdnNS Application Gateway (CdnNs / WdidcNet) WP Cerber Security (Cerber Tech) ChinaCache CDN Load Balancer (ChinaCache) Chuang Yu Shield (Yunaq) ACE XML Gateway (Cisco) Cloudbric (Penta Security) Cloudflare (Cloudflare Inc.) Cloudfront (Amazon) Comodo cWatch (Comodo CyberSecurity) CrawlProtect (Jean-Denis Brun) DenyALL (Rohde & Schwarz CyberSecurity) Distil (Distil Networks) DOS Arrest (DOS Arrest Internet Security) DotDefender (Application Technologies) DynamicWeb Injection Check (DynamicWeb) Edgecast (Verizon Digital Media) Expression Engine (EllisLab) BIG-IP Access Policy Manager (F5 Networks) BIG-IP Application Security Manager (F5 Networks) BIG-IP Local Traffic Manager (F5 Networks) FirePass (F5 Networks) Trafficshield (F5 Networks) FortiWeb (Fortinet) GoDaddy Website Protection (GoDaddy) Gray Wizard (Gray Wizard) HyperGuard (Art of Defense) DataPower (IBM) Imunify360 (CloudLinux) Incapsula (Imperva Inc.) Instart DX (Instart Logic) ISA server (Microsoft) Janusec Application Gateway (Janusec) Jiasule (Jiasule) KS-WAF (Famous Sec) Kona Site Defender (Akamai) LiteSpeed Firewall (LiteSpeed Technologies) Malcare (Inactive) Mission Control Application Shield (Mission Control) ModSecurity (SpiderLabs) NAXSI (NBS Systems) Nemesida (PentestIt) NetContinuum (Barracuda Networks) NetScaler AppFirewall (Citrix Systems) NevisProxy (AdNovum) Newdefend (NewDefend) NexusGuard Firewall (NexusGuard) NinjaFirewall (NinTechNet) NSFocus (NSFocus Global Inc.) OnMessage Shield (BlackBaud) Open-Resty Lua Nginx WAF Palo Alto Next Gen Firewall (Palo Alto Networks) PerimeterX (PerimeterX) pkSecurity Intrusion Detection System PowerCDN (PowerCDN) Profense (ArmorLogic) AppWall (Radware) Reblaze (Reblaze) RSFirewall (RSJoomla!) ASP.NET RequestValidationMode (Microsoft) Saber Firewall (Saber) Safe3 Web Firewall (Safe3) Safedog (SafeDog) Safeline (Chaitin Tech.) SecuPress WordPress Security (SecuPress) Secure Entry (United Security Providers) eEye SecureIIS (BeyondTrust) SecureSphere (Imperva Inc.) SEnginx (Neusoft) Shield Security (One Dollar Plugin) SiteGround (SiteGround) SiteGuard (Sakura Inc.) Sitelock (TrueShield) SonicWall (Dell) UTM Web Protection (Sophos) Squarespace (Squarespace) StackPath (StackPath) Sucuri CloudProxy (Sucuri Inc.) Tencent Cloud Firewall (Tencent Technologies) Teros (Citrix Systems) TransIP Web Firewall (TransIP) URLMaster SecurityCheck (iFinity / DotNetNuke) URLScan (Microsoft) Paint (OWASP) VirusDie (VirusDie LLC) Wallarm (Wallarm Inc.) WatchGuard (WatchGuard Technologies) WebARX (WebARX Security Solutions) WebKnight (AQTRONIX) WebSEAL (IBM) WebTotem (WebTotem) West263 Content Delivery Network Wordfence (Feedjit) WTS-WAF (WTS) 360WangZhanBao (360 Technologies) XLabs Security WAF (XLabs) Xuanwudun Yundun (Yundun) Yunsuo (Yunsuo) Zenedge (Zenedge) ZScaler (Accenture)
Wafw00f comes pre-installed in Kali Linux, but can also be easily installed on any Python system. Although some of the same functions can be performed with Nmap scripts, Wafw00f consistently provided more complete and accurate results during testing.
Tested and true: Nmap scripts for WAF Footprinting
Nmap is easy to install and use and comes pre-installed with scripts that are useful for learning more about WAF as your target. The two scripts that Nmap offers are like Wafw00f divided into two: one for detection and one for fingerprints by WAF. These scripts are sufficient but not always as accurate or capable of detecting a WAF as Wafw00f is, and you may be surprised when it is not possible to identify the type of firewall on a service that clearly has one.
Despite the shortcomings, the advantage of Nmap scanning for WAF is that it can easily be included in other scans made to create a target area, making it easier for a hacker to script this type of discovery with their usual reconstruction routine. Increasingly, other hacking tools use Nmap scanning with WAF detection to act as a quick and easy method of providing WAF detection in a module for a more powerful tool.
To run these tools, I recommend that you have a Linux system like Kali or Ubuntu, although macOS works well. I haven't tested it on Windows, but it should work if you have Nmap and Python installed. No matter how you go, you also need an internet connection to scan targets. You do not have to worry about scanning most targets online, as this type of reconstruction should not raise too many red flags.
To install Wafw00f, you must have Python already installed and updated on your system. If you are good there, open a terminal window and type the following to download the GitHub repository.
~ # git clone https://github.com/EnableSecurity/wafw00f.git Cloning to & # 39; wafw00f & # 39; ... remote control: List items: 172, ready. remote control: Count items: 100% (172/172), done. remote control: Compression of objects: 100% (98/98), done. remote control: Total 3689 (delta 120), reused 113 (delta 74), reused 3517 Receiving items: 100% (3689/3689), 545.81 KiB | 3.17 MiB / s, done. Loose deltas: 100% (2655/2655), clear.
Then navigate to the folder you just downloaded and install the script with the following commands.
~ # cd wafw00f ~ / wafw00f # python setup.py install running installation run bdist_egg run egg_info create wafw00f.egg info write requirements for wafw00f.egg-info / needs.txt write wafw00f.egg-info / PKG-INFO write top level names to wafw00f.egg-info / top_level.txt write dependency_links to wafw00f.egg-info / dependency_links.txt write manifest file & # 39; wafw00f.egg-info / SOURCES.txt & # 39; reads manifest file & # 39; wafw00f.egg-info / SOURCES.txt & # 39; reading manifest template & # 39; MANIFEST.in & # 39; write manifest file & # 39; wafw00f.egg-info / SOURCES.txt & # 39; install library code to build / bdist.linux-x86_64 / egg run install_lib run build_py create building create build / lib.linux-x86_64-2.7 create build / lib.linux-x86_64-2.7 / wafw00f copy wafw00f / __ init__.py -> build / lib.linux-x86_64-2.7 / wafw00f copy wafw00f / manager.py -> build / lib.linux-x86_64-2.7 / wafw00f copying wafw00f / wafprio.py -> build / lib.linux-x86_64-2.7 / wafw00f copy wafw00f / main.py -> build / lib.linux-x86_64-2.7 / wafw00f create build / lib.linux-x86_64-2.7 / wafw00f / tests copying wafw00f / tests / __ init__.py -> build / lib.linux-x86_64-2.7 / wafw00f / tests copying wafw00f / tests / test_main.py -> build / lib.linux-x86_64-2.7 / wafw00f / tests create build / lib.linux-x86_64-2.7 / wafw00f / plugins copy wafw00f / plugins / safe3.py -> build / lib.linux-x86_64-2.7 / wafw00f / plugins copy wafw00f / plugins / nevisproxy.py -> build / lib.linux-x86_64-2.7 / wafw00f / plugins copy wafw00f / plugins / f5bigipasm.py -> build / lib.linux-x86_64-2.7 / wafw00f / plugins copy wafw00f / plugins / missioncontrol.py -> build / lib.linux-x86_64-2.7 / wafw00f / plugins copy wafw00f / plugins / instartdx.py -> build / lib.linux-x86_64-2.7 / wafw00f / plugins ... Installed /usr/local/lib/python2.7/dist-packages/pluginbase-1.0.0-py2.7.egg Searching for html5lib == 1.0.1 Best match: html5lib 1.0.1 Add html5lib 1.0.1 to the easy-install.pth file Use /usr/lib/python2.7/dist-packages Finishing Dependencies for wafw00f == 1.0.0
These should install everything you need to run the program. When you now want to run it, you can only type wafw00f in a terminal window. To see the help menu we can run it with the flag -h .
~ # wafw00f -h ______ / (Woof!) ______ /) ,,) (_ .-. - _______ (| __ | () & # 39; & # 39 ;; | == | _______).) | __ | / (& # 39; / | (| __ | (/) / | . | __ | (_) _)) / | | __ | WAFW00F - Firewall Detection Tool for Web Applications Usage: wafw00f url1 [url2 [url3 ... ]] example: wafw00f http://www.victim.org/ Option: -h, --help show this help message and exit -v, --verbose enables verbosity - more -v alternatives increase verbosity -a, --findall Find all WAFs, don't stop testing the first one -r, - disabled Do not follow redirects provided by 3xx responses -t TEST, --test = TEST test for a specific WAF -l, - list List all WAF that we can detect -p PROXY, - proxy = PROXY Use an HTTP proxy to execute queries, for example: http: // hostname: 8080, socks5: // hostname: 1080 -V, --version Print the version -H HEADERSFILE, --headersfile = HEADERSFILE Fit custom headings, for example to overwrite standard User-Agent string
As you can see, there are some useful settings that we can adjust to continue searching for additional firewalls after we find the first positive result.
Now, let's use Wafw00f to scan a web application and see if we can get a positive result. First up, everyone's favorite company that loses American personal data, Equifax. We test the "equifaxsecurity2017.com" page set up in the wake to lose everyone's credit information.
To identify the web app that is running on the site, we can use the following command.
~ # wafw00f https://equifaxsecurity2017.com ______ / (Woof!) ______ /) ,,) (_ .-. - _______ (| __ | () & # 39; & # 39 ;; | == | _______).) | __ | / (& # 39; / | (| __ | (/) / | . | __ | (_) _)) / | | __ | WAFW00F - Firewall Detection Tool for Web Applications Checking https://equifaxsecurity2017.com The website https://equifaxsecurity2017.com is behind the BIG-IP Application Security Manager (F5 Networks) WAF. Number of requests: 5
We have identified our first firewall! It may seem simple, but sometimes beginners get confused when they see a result like below.
~ # wafw00f equifaxsecurity2017.com ______ / (Woof!) ______ /) ,,) (_ .-. - _______ (| __ | () & # 39; & # 39 ;; | == | _______).) | __ | / (& # 39; / | (| __ | (/) / | . | __ | (_) _)) / | | __ | WAFW00F - Firewall Detection Tool for Web Applications Check http://equifaxsecurity2017.com Generic detection results: No WAF detected by the generic detection Number of Inquiries: 7
So what's the difference? When we go to equifaxsecurity2017.com, we are immediately redirected to the HTTPS version. The first command targets the HTTPS version, which actually has content and a firewall, while the second command targets the HTTP version of the same site.
If you do not get results, it may be because the site you are directing directs to another URL. Try copying and pasting into the URL you have directed to a web browser for more accurate results.
Nmap also comes pre-installed on Kali Linux, and it contains scripts to try the same type of discovery. We test two different scripts: http-waf-fingerprint and http-waf-detect . While the scores for both scripts are similar, they work in slightly different ways and can be effective against different goals.
First, we will use http-waf-fingerprint on the same target as we did before.
~ # nmap -p 80,443 --script = http-waf-detect equifaxsecurity2017.com Launch Nmap 7.70 (https://nmap.org) at 2019-05-28 00:37 PDT Nmap scan report for equifaxsecurity2017.com (126.96.36.199) The value is up (0.034s latency). PORTSTATSJÄNST 80 / tcp open http 443 / tcp open https | http-waf-detect: IDS / IPS / WAF detection: | _Equifaxsecurity2017.com 😕 443 / p4yl04d3 = Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds
The scan determines that there is actually a firewall here, but it cannot tell us much about it. In fact, Nmap does not seem to be good at detecting this type of firewall. If we run against another example domain, we can see what a positive result looks like.
~ # nmap -p 80,443 --script = http-waf-fingerprint noodle.com Launch Nmap 7.70 (https://nmap.org) at 2019-05-28 00:39 PDT Nmap scan report for noodle.com (188.8.131.52) The value is up (0.021 s latency). Other addresses for noodle.com (not scanned): 184.108.40.206 2606: 4700: 10 :: 6814: a029 2606: 4700: 10 :: 6814: a129 PORTSTATSJÖST 80 / tcp open http | http WAF fingerprinting: | Discovered WAF | _ Cloudflare 443 / tcp open https Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
While Nmap cannot detect everything that Wafw00f can, it is a good way to quickly identify the first line of defense that a targeted web server is behind.  Wafw00f & Nmap Make Discovering WAF's Easy
Once a hacker knows what type of firewall the target is behind, there are several ways to proceed. The first is to learn the rules that the firewall works with and look for behaviors that can be utilized based on how specific software works.
The next priority is to check for any vulnerabilities in the latest versions of WAF detected or if WAF has not been updated for a long time. Either of these discoveries may be the weakest link to an organization's security and an easy way to get in for a hacker, so it's always worthwhile running a new Nmap scan or downloading Wafw00f to look for an outdated firewall. If you run a service that uses a WAF, it is a good idea to keep this updated, as the search for outdated firewalls can now be largely automated.
I hope you liked this guide to use Wafw00f to identify web application firewalls! If you have any questions about this WAF discovery tutorial, leave a comment below and feel free to reach me on Twitter @KodyKinzie .