WAF detection

Open woodruffw opened this issue 6 years ago • 7 comments

It might be interesting to add some Web Application Firewall detection techniques. I don't know much about WAFs, but it looks like there are some common oracles:

  • Known cookies
  • Known weird HTTP codes (999 No Hacking)
  • Known HTML responses

Some potential resources:

  • https://www.owasp.org/images/b/bf/OWASP_Stammtisch_Frankfurt_WAF_Profiling_and_Evasion.pdf
  • https://www.securitynewspaper.com/2018/12/04/detect-web-application-firewall-waf-before-you-attack/ (looks like there's an nmap script for WAF detection)

woodruffw avatar Nov 18 '19 16:11 woodruffw
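The three oracles listed above (odd status code, vendor cookies/headers, known block-page HTML) as a small passive fingerprinter, written as an added shell example rather than code from twa or its contributors. The signature table is a hand-picked handful (Cloudflare, Imperva Incapsula, the 999 status) and is an assumption to be extended; the sample responses are constructed, not captured.

```shell
# Added example: fingerprint a WAF from a raw HTTP response using the
# oracles from the thread: status code, cookies/headers, response body.
# The signature set below is intentionally small (assumption: extend it).

# detect_waf: reads "status line + headers + optional body" on stdin and
# prints a space-separated list of matched signatures, or "none".
detect_waf() {
  resp=$(cat)
  found=""
  # Oracle 1: unusual status code, e.g. "HTTP/1.1 999 No Hacking".
  status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
  if [ "$status" = "999" ]; then
    found="$found status-999"
  fi
  # Oracle 2: vendor-specific cookies or headers (case-insensitive).
  if printf '%s\n' "$resp" | grep -Eiq '^(cf-ray:|server:[[:space:]]*cloudflare|set-cookie:[[:space:]]*(__cfduid|cf_clearance)=)'; then
    found="$found cloudflare"
  fi
  if printf '%s\n' "$resp" | grep -Eiq '^set-cookie:[[:space:]]*(incap_ses_|visid_incap_)'; then
    found="$found incapsula"
  fi
  # Oracle 3: a known block-page body (Cloudflare's challenge page title).
  if printf '%s\n' "$resp" | grep -Fiq 'Attention Required! | Cloudflare'; then
    case " $found " in *" cloudflare "*) ;; *) found="$found cloudflare" ;; esac
  fi
  if [ -z "$found" ]; then echo none; else echo "${found# }"; fi
}

# Constructed sample responses (not captured from any real host).
SAMPLE_PLAIN='HTTP/1.1 200 OK
Server: nginx

<html><body>hello</body></html>'

SAMPLE_CF='HTTP/1.1 403 Forbidden
Server: cloudflare
CF-RAY: 0000000000000000-XXX
Set-Cookie: __cfduid=example; path=/; HttpOnly

<title>Attention Required! | Cloudflare</title>'

SAMPLE_999='HTTP/1.1 999 No Hacking
Set-Cookie: incap_ses_1_1=example; path=/'

for s in "$SAMPLE_PLAIN" "$SAMPLE_CF" "$SAMPLE_999"; do
  printf '%s\n' "$s" | detect_waf
done
```

Against a live host the same function can be fed with `curl -si https://example.com | detect_waf`; a "none" result only means none of the listed signatures matched, not that no WAF is present.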

Hi woodruffw,

I just tried the tool and it is pretty quick and I want to contribute to WAF detection.

karanb192 avatar Jan 19 '20 14:01 karanb192

Please do!


woodruffw avatar Jan 19 '20 22:01 woodruffw

I’d like to jump in on this too! I have some WAF experience from doing manual audits for site clients. I’ll take a look while I’m sitting here in quarantine.

rickconlee avatar Apr 14 '20 15:04 rickconlee

What are everyone's thoughts on adding nmap to the stack? This would be a great tool and can open the door to other things in the future, yet will also keep this tool simple.

EDIT: Answered my own question. I'm going to give this a go with NMAP and see how it works.

rickconlee avatar Apr 15 '20 16:04 rickconlee

What are everyone's thoughts on adding nmap to the stack? This would be a great tool and can open the door to other things in the future, yet will also keep this tool simple.

I have a slight preference for not adding nmap, since it's not HTTP-specific and takes us further away from twa being "tiny".

That being said, adding it as an optional dependency in the same way that we handle testssl would be fine. So, a user could do something like this:

twa -n

to run nmap-based checks.

woodruffw avatar Apr 15 '20 16:04 woodruffw

Hi woodruffw, Good day! Some WAFs can be identified from the GET requests using the cookie details or the responses. But for detecting most of the WAFs I think you might need support of either Nmap or Wafw00f scripts. I can add a feature for identifying WAFs based on the cookie details or the responses but this will detect only a few WAFs.

MadhuMadhavanSridhar avatar Jan 17 '21 19:01 MadhuMadhavanSridhar

@MadhuMadhavanSridhar That makes sense. I'm okay with only detecting a few (with cookies) for now -- allowing future contributors to add optional nmap based checks seems reasonable to me.

woodruffw avatar Jan 19 '21 16:01 woodruffw