Detecting Web Application Firewalls

Reposted 2015-07-09 10:11:31

Reposted from: https://pentestlab.wordpress.com/2013/01/13/detecting-web-application-firewalls/

Web application firewalls play an important role in the security of websites, as they can mitigate risks and offer protection against a wide range of vulnerabilities. That is why many companies nowadays are implementing a web application firewall solution in their existing infrastructure. Of course, implementing a WAF on its own cannot resolve the security problems that a web application might have, and proper modifications must be made so that many of the attacks can be identified and blocked.

Penetration testers must know before they start a web application engagement whether there is a WAF in place, as it can affect the results of their attacks. If the penetration test is white-box, this question should be asked in the initial meetings with the client. If it is black-box, the penetration tester should try to investigate on their own whether or not there is a web application firewall in place. In this article we will examine the methods and the tools that allow us to detect a WAF.

Before we start, it is good to know where a WAF usually sits on a network. Most of the time a web application firewall is placed between a web server and a client, as we can see in the next image. However, there are web application firewalls that can be installed directly on the web servers.

WAF – Network Topology

Manual Discovery

The existence of a web application firewall can be identified in a variety of ways. A good indication comes from checking the cookies, because some web application firewalls add their own cookie to the communication between the client and the web server. For example, in the next image we can see an HTTP request where a cookie has been added by the WAF. Specifically, the ns_af cookie reveals that the web application firewall is a Citrix Netscaler.

WAF Discovery Via Cookies

Another method is through the HTTP headers, as many WAF products allow the header to be rewritten, and they can also make the web server produce HTTP responses that differ from the common ones. For example, as we can see in the image below, the web server responded to our request with the message "You shouldn't be here" and revealed that it is Varnish.

Indication of WAF via HTTP response

Additionally, the presence of a web application firewall can be identified in cases where you try to send a request and the session expires very quickly, as in the example in the next image.

WAF - Session Expired
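
The cookie and header checks described in this section, as an added example that is not part of the original article or of any tool it mentions; it runs offline on constructed responses so an operator can see which product markers a deployment discloses. Only ns_af and the Varnish case come from the article; the other markers and the function name fingerprint are assumptions of this example.

```python
from email.parser import Parser
from http.cookies import SimpleCookie

# Cookie-name prefixes -> product. ns_af / Citrix Netscaler is the article's
# example; the other entries are well-known markers added as assumptions.
COOKIE_PREFIXES = {
    "ns_af": "Citrix Netscaler",
    "citrix_ns_id": "Citrix Netscaler",
    "incap_ses_": "Imperva Incapsula",
    "visid_incap_": "Imperva Incapsula",
}
# (header name, substring required in its value, product); "" = any value.
HEADER_MARKERS = [
    ("x-varnish", "", "Varnish"),
    ("via", "varnish", "Varnish"),
    ("server", "varnish", "Varnish"),
]

def fingerprint(raw_response: str) -> dict:
    """Return {product: [evidence, ...]} for one raw HTTP response."""
    text = raw_response.replace("\r\n", "\n")
    _status, _, rest = text.partition("\n")          # drop the status line
    headers = Parser().parsestr(rest, headersonly=True)
    found = {}
    for value in headers.get_all("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(value)
        for name in jar:                              # cookie names only
            for prefix, product in COOKIE_PREFIXES.items():
                if name.lower().startswith(prefix):
                    found.setdefault(product, []).append("cookie " + name)
    for header, needle, product in HEADER_MARKERS:
        for value in headers.get_all(header, []):     # case-insensitive lookup
            if needle in value.lower():
                found.setdefault(product, []).append(f"header {header}: {value}")
    return found

# Constructed sample responses (not captured from any real site).
NETSCALER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: ns_af=constructedvalue; Path=/\r\n\r\n<html></html>")
VARNISH = ("HTTP/1.1 403 Forbidden\r\nX-Varnish: 1234567\r\n"
           "Via: 1.1 varnish\r\n\r\nYou shouldn't be here")
PLAIN = "HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: sid=1; Path=/\r\n\r\nok"

if __name__ == "__main__":
    for label, raw in (("netscaler", NETSCALER), ("varnish", VARNISH), ("plain", PLAIN)):
        print(label, fingerprint(raw))
```

An empty result only means none of the listed markers appeared; products that add no cookie or header of their own are not covered by this check.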

Automated Discovery

The most well-known tool that can detect and fingerprint web application firewalls is WAFW00F. The tool is very simple to use and can discover a variety of WAF products. The next image shows the successful detection of a Citrix Netscaler firewall that protects the website.

Detection of WAF with wafw00f

Nmap can also be used for this purpose, as it contains a script that can detect a web application firewall. We ran the script against the same website as above, and the results were the following:

WAF detection via Nmap

Finally, there is a script that can detect only Imperva WAF installations.

Detection of Imperva WAF

Conclusion

In this article we examined some methods and tools for the detection of web application firewalls. This is an important process that must be carried out in every web application penetration test during the information gathering stage, in order to ensure that the results from the attacks that will be performed are accurate. Also, knowing that a WAF is in place, the penetration tester can try different techniques in order to bypass the protections and to exploit any weaknesses in the web application.

