Detecting Web Application Firewalls
2015-07-09 10:11
Reposted from: https://pentestlab.wordpress.com/2013/01/13/detecting-web-application-firewalls/
Web application firewalls play an important role in the security of websites, as they can mitigate risks and offer protection against a wide range of vulnerabilities. That is the reason many companies nowadays are implementing a web application firewall solution in their existing infrastructure. Of course, implementing a WAF on its own cannot resolve the security problems that a web application might have, and proper modifications must be made so that many of the attacks can be identified and blocked.
Penetration testers must know before they start a web application engagement whether there is a WAF in place, as the results of their attacks can be affected. If the penetration test is white-box, this question should be asked in the initial meetings with the client. If it is black-box, the penetration tester should try to investigate on his own whether or not there is a web application firewall in place. In this article we will examine the methods and tools that allow us to detect a WAF.
Before we start, it is always good to know where a WAF is usually placed on a network. Most of the time a web application firewall sits between a web server and a client, as in the next image. However, there are web application firewalls that can be installed directly on the web servers.
[Image: WAF – Network Topology]
Manual Discovery
The existence of a web application firewall can be identified in a variety of ways. A good indication comes from checking the cookies, because some web application firewalls add their own cookie to the communication between the client and the web server. For example, in the next image we can see an HTTP request where a cookie has been added by the WAF. Specifically, the ns_af cookie reveals that the web application firewall is a Citrix Netscaler.
[Image: WAF Discovery Via Cookies]
Another method is through the HTTP headers, as many WAF products allow the header to be rewritten and can also make the web server produce HTTP responses that differ from the common ones. For example, as we can see from the image below, the web server responded to our request with the message "You shouldn't be here" and revealed that it is Varnish.
[Image: Indication of WAF via HTTP response]
Additionally, the presence of a web application firewall can be identified in cases where you are trying to send a request and the session expires very quickly, as in the example in the next image.
[Image: WAF – Session Expired]
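The cookie and header checks described above, as an added example that is not part of the original article: it parses a captured HTTP response and reports the indicators the article mentions. The ns_af signature comes from the article; the Varnish header names (Server, Via, X-Varnish), the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example: passive WAF indicators in a captured HTTP response.
# Cookie signature taken from the article; Varnish header names are an assumption.
COOKIE_SIGNATURES = {"ns_af": "Citrix Netscaler"}
HEADER_SIGNATURES = [  # (header name, substring of value, product)
    ("server", "varnish", "Varnish"),
    ("via", "varnish", "Varnish"),
    ("x-varnish", "", "Varnish"),  # presence of the header is enough
]

def parse_response(raw):
    """Split a raw HTTP response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def waf_indicators(raw):
    """Return a list of (product, evidence) pairs found in the response."""
    _, headers, _ = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            # The cookie name is the text before the first '=' of the first attribute.
            cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
            if cookie in COOKIE_SIGNATURES:
                findings.append((COOKIE_SIGNATURES[cookie], "cookie " + cookie))
        for sig_name, needle, product in HEADER_SIGNATURES:
            if name == sig_name and needle in value.lower():
                findings.append((product, "header " + name))
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLE_NETSCALER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                    "Set-Cookie: ns_af=constructedvalue; path=/\r\n"
                    "Set-Cookie: PHPSESSID=abc123; path=/\r\n\r\n<html></html>")
SAMPLE_VARNISH = ("HTTP/1.1 403 Forbidden\r\nServer: Varnish\r\n"
                  "X-Varnish: 123456\r\n\r\nYou shouldn't be here")
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html></html>"

if __name__ == "__main__":
    for sample in (SAMPLE_NETSCALER, SAMPLE_VARNISH, SAMPLE_PLAIN):
        print(waf_indicators(sample))
```

Running the same check against responses from your own deployment shows which product names it discloses to any client.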
Automated Discovery
The most well-known tool that can detect and fingerprint web application firewalls is WAFW00F. The tool is very simple to use and can discover a variety of WAF products. The next image shows the successful detection of a Citrix Netscaler firewall that protects the website.
[Image: Detection of WAF with WAFW00F]
Nmap can also be used for this purpose, as it contains a script that can detect a web application firewall. Specifically, we ran the script against the same website as above and the results were the following:
[Image: WAF detection via Nmap]
Finally, there is a script that is capable of detecting only Imperva WAF installations.
[Image: Detection of Imperva WAF]
Conclusion
In this article we examined some methods and tools for detecting web application firewalls. This is an important process that must be carried out in every web application penetration test during the information gathering stage, in order to ensure that the results of the attacks that will be performed are accurate. Also, knowing that a WAF is in place, the penetration tester can try different techniques in order to bypass the protections and exploit any weaknesses in the web application.