WAFW00F: Fingerprint Web Application Firewall

by Black on July 10, 2009

in Penetration Testing, Security Reconnaissance

There are some impressive freeware & open source tools in the scene now. This is an exciting time to be in the network security business. WAFW00F is one such tools that is being updated quite frequently & which is worked upon almost every month.

WAFW00F allows you fingerprint WAF products protecting a website. The tool as of now can fingerprint 20 WAF products. How can it do that? Possibly, it is looking at the following: 

  • Cookies - Some WAF products add their own cookie in the HTTP communication.
  • Server Cloaking - Altering URLs and Response Headers.
  • Response Codes - Different error codes for hostile pages/parameters values.
  • Drop Action - Sending a FIN/RST packet. This can also be a false positive for an IDS/IPS.
  • Pre Built-In Rules - Each WAF has different negative security signatures. A study is done of all them WAF products.

Now, whats really good about this tool is that it can also detect ModSecurity too! Here is what we did: We set up a test enviornment with ModSecurity and ran the python script. Here are the results:
WAfW00f

This is the screen that you get when you run WAFW00F. Now, we ran it against the test machine:

wafw00f.py http://localhost

Here is what we got:
WAFW00F

It surely does what it says eh?

Best of luck hunting!

Get WAFW00f here.

Related External Links

  • hardware firewall » Archive du blog » Thinking Made Easy: Computer
  • Server Hardening with ConfigServer Security & Firewall (CSF
  • Cisco Firewalls are needed for any large or small business. Cisco

    Searches leading to this post:
    wafw00f

    If you enjoyed this article, you might also like:

    Tagged as: , , , ,

    Comments on this entry are closed.

    Previous post:

    Next post: