WAF principles and identification

Identification by cookie value

Citrix NetScaler (widely deployed as of 2013)

Citrix NetScaler inserts a cookie named "ns_af" (and related names prefixed "ns_af_"), which then shows up in the client's Cookie header on later requests. Its presence is a reliable indicator of a NetScaler WAF in front of the site; this product is rarely seen on domestic (Chinese) sites.

GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&
Connection: keep-alive
Cache-Control: max-age=0

F5 BIG-IP ASM

F5 BIG-IP ASM sets cookies whose name is "TS" followed by a short random hex string (six hex digits in the capture below: TSe3b54b, TS65374d). A benign request that carries them looks like this:

GET / HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299
Connection: keep-alive
Cache-Control: max-age=0
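The cookie-based checks for both products above, written out as a small fingerprinting routine. This is an added example, not code from the original post or from any WAF-detection tool; the signature table and the allowed width of the hex suffix on F5 "TS" cookies (six digits in the samples, up to eight accepted here) are assumptions of the example. The sample Cookie headers are constructed from the two captures above.

```python
import re
from typing import Dict, List, Pattern

# Cookie-name signatures for the two products above. This table and the
# width of the hex suffix on F5 "TS" cookies (six digits in the samples,
# allowed up to eight here) are assumptions of this added example.
COOKIE_SIGNATURES: Dict[str, Pattern[str]] = {
    "Citrix NetScaler": re.compile(r"^ns_af(?:_|$)"),
    "F5 BIG-IP ASM": re.compile(r"^TS[0-9a-f]{6,8}$", re.IGNORECASE),
}


def cookie_names(cookie_header: str) -> List[str]:
    """Return the cookie names in a request Cookie header ('a=1; b=2')."""
    names: List[str] = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        # A bare token without '=' is still a name; keep it.
        names.append(pair.split("=", 1)[0].strip())
    return names


def identify_waf_from_cookies(cookie_header: str) -> List[str]:
    """Return the products whose cookie signature occurs in the header."""
    names = cookie_names(cookie_header)
    return [
        product
        for product, pattern in COOKIE_SIGNATURES.items()
        if any(pattern.search(name) for name in names)
    ]


# Constructed inputs: the Cookie headers from the two captures above,
# plus a plain session cookie that must not match anything.
CITRIX_COOKIE = (
    "ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; "
    "ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;"
    "ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&"
)
F5_COOKIE = (
    "target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; "
    "TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; "
    "TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299"
)
PLAIN_COOKIE = "PHPSESSID=0123456789abcdef; TSpartial=notawaf"

if __name__ == "__main__":
    for label, header in (("citrix", CITRIX_COOKIE), ("f5", F5_COOKIE), ("plain", PLAIN_COOKIE)):
        print(label, identify_waf_from_cookies(header))
```

The same routine can be run over the Set-Cookie values of a first response, which is where these cookies originate; matching on the name only, with anchored patterns, avoids false positives from unrelated cookies that merely start with "TS".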

 

Identification by HTTP response

ModSecurity

ModSecurity is an open-source web protection module originally written for Apache. In the capture below a malicious request is answered with "406 Not Acceptable" and a body that names Mod_Security. The status code is whatever the deployed rule set configures (SecDefaultAction), so it varies between installations; the body text is the stronger indicator.

Request:
GET /<script>alert(1);</script> HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response:
HTTP/1.1 406 Not Acceptable
Date: Thu, 05 Dec 2013 03:33:03 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>

 

WebKnight

WebKnight is a WAF designed to run under IIS and is fairly common. It answers malicious requests with the non-standard status "999 No Hacking".

Request:
GET /?PageID=99<script>alert(1);</script> HTTP/1.1
Host: www.aqtronix.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response:
HTTP/1.1 999 No Hacking
Server: WWW Server/1.1
Date: Thu, 05 Dec 2013 03:14:23 GMT
Content-Type: text/html; charset=windows-1252
Content-Length: 1160
Pragma: no-cache
Cache-control: no-cache
Expires: Thu, 05 Dec 2013 03:14:23 GMT

 

F5 BIG-IP

F5 BIG-IP answers a malicious request with the non-standard status "419 Unknown":

Request:
GET /<script> HTTP/1.0

Response:
HTTP/1.1 419 Unknown
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-15
Pragma: no-cache
Content-Length: 8140
Date: Mon, 25 Nov 2013 15:22:44 GMT
Connection: keep-alive
Vary: Accept-Encoding

 

dotDefender

dotDefender is used to protect .NET applications. It answers a malicious request with a block page titled "dotDefender Blocked Your Request". Note that the status line is a normal 200 OK, so the status code alone reveals nothing; the page title in the body is the indicator.

Request:
GET /--- HTTP/1.1
Host: www.acc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 05 Dec 2013 03:40:14 GMT
Content-Length: 2616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>dotDefender Blocked Your Request</title>
...

 

Specific resource files

Some WAFs embed specific CSS, JS, or other resource references (an iframe, a report form, a custom header) in their block page, and these can serve as the fingerprint. This is less common across WAF products and can be treated as a special case of HTTP-response-based identification. Two captures follow.

360 webscan: only the body fragment was captured; the block page is an iframe pointing at safe.webscan.360.cn:

<html><center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center>  </body>  </html>

Anquanbao: note the custom X-Powered-By-Anquanbao header and the report form posting to report.anquanbao.com. The err_tips text says that the URL may pose a security threat to the site and the request was blocked; the trailing lines give the rule ID, block time, and server name.

HTTP/1.1 405 Not Allowed
Server: ASERVER/1.2.9-3
Date: Fri, 27 Dec 2013 14:15:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3
Content-Length: 7188

<div class="wrapper">
<div class="titlelogo"></div>
<div class="err_tips">由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断。</div>
<div class="feedback">
<form action="http://report.anquanbao.com/api.php" method="post">
<input type="hidden" name="black_code" value="" class="hidden_rule_id" />
<input type="hidden" name="deny_time" value="" class="hidden_intercept_time" />
<input type="hidden" name="server_id" value="" class="hidden_server_title" />
<input type="hidden" name="deny_url" value="" class="deny_url" />
<input type="submit" class="submit_img" value="" />
</form>
</div>
<a href="javascript:;">站长点击查看详情</a>
<a href="javascript:;">站长点击查看详情</a>
规则ID:10384
拦截时间:2013/12/27 22:15:14
ServerName:uni-tj-ky-sb3/1.2.9-3
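The response-based checks from the HTTP-response section (ModSecurity, WebKnight, F5 BIG-IP, dotDefender) and the resource-file section (360 webscan, Anquanbao) combined into one routine that parses a raw response and reports which block-page signature it matches. This is an added example, not code from the original post or from sqlmap; the parser, the signature table and the decision to match ModSecurity on its body text rather than on the configurable 406 status are choices of the example. The sample responses are constructed, shortened versions of the captures above.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Tuple


class Response(NamedTuple):
    status: int
    reason: str
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_http_response(raw: str) -> Response:
    """Split a raw HTTP/1.x response, as captured on the wire, into its parts."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")      # body is "" when only headers were captured
    lines = head.split("\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})\s*(.*)", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0][:40])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(int(m.group(1)), m.group(2).strip(), headers, body)


# Signature table of this added example: product -> predicate over a parsed response.
RESPONSE_SIGNATURES: List[Tuple[str, Callable[[Response], bool]]] = [
    # ModSecurity names itself in the block page; the status (406 in the capture)
    # depends on SecDefaultAction, so a bare 406 is not treated as a hit.
    ("ModSecurity", lambda r: re.search(r"mod_?security", r.body, re.I) is not None),
    # WebKnight: non-standard status code and reason phrase.
    ("WebKnight", lambda r: r.status == 999 or r.reason.lower() == "no hacking"),
    # F5 BIG-IP: non-standard 419 with an otherwise generic block page.
    ("F5 BIG-IP", lambda r: r.status == 419),
    # dotDefender replies 200 OK, so only the page title gives it away.
    ("dotDefender", lambda r: "dotdefender blocked your request" in r.body.lower()),
    # 360 webscan: block page is an iframe to safe.webscan.360.cn.
    ("360 webscan", lambda r: "safe.webscan.360.cn/stopattack.html" in r.body.lower()),
    # Anquanbao: custom header, or the report form when headers were not kept.
    ("Anquanbao", lambda r: "x-powered-by-anquanbao" in r.headers
                           or "report.anquanbao.com" in r.body.lower()),
]


def identify_waf_from_response(raw: str) -> List[str]:
    """Return every product whose block-page signature matches the raw response."""
    resp = parse_http_response(raw)
    return [name for name, matches in RESPONSE_SIGNATURES if matches(resp)]


# Constructed samples, shortened from the captures in this post.
MODSEC_RESPONSE = (
    "HTTP/1.1 406 Not Acceptable\r\nServer: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1>"
    "<p>This error was generated by Mod_Security.</p></body></html>"
)
WEBKNIGHT_RESPONSE = "HTTP/1.1 999 No Hacking\r\nServer: WWW Server/1.1\r\n\r\n"
F5_RESPONSE = "HTTP/1.1 419 Unknown\r\nCache-Control: no-cache\r\n\r\n"
DOTDEFENDER_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n\r\n"
    "<html><head><title>dotDefender Blocked Your Request</title></head></html>"
)
WEBSCAN360_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    '<html><center><iframe src="http://safe.webscan.360.cn/stopattack.html"></iframe></center></html>'
)
ANQUANBAO_RESPONSE = (
    "HTTP/1.1 405 Not Allowed\r\nServer: ASERVER/1.2.9-3\r\n"
    "X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3\r\n\r\n"
    '<form action="http://report.anquanbao.com/api.php" method="post"></form>'
)
PLAIN_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>hello</html>"

if __name__ == "__main__":
    for raw in (MODSEC_RESPONSE, WEBKNIGHT_RESPONSE, F5_RESPONSE, DOTDEFENDER_RESPONSE,
                WEBSCAN360_RESPONSE, ANQUANBAO_RESPONSE, PLAIN_RESPONSE):
        print(parse_http_response(raw).status, identify_waf_from_response(raw))
```

An empty result means only that none of these six signatures matched, not that no WAF is present: a product with a generic 403 page, or a custom block page, produces no hit and needs the behavioural probes (comparing a benign and a malicious request) that tools such as sqlmap use.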

 

WAF detection in sqlmap (81 signatures, including 360, Safedog, Safe3 and Yunsuo)

sqlmap.py -u "http://www.xxx.com" --identify-waf --batch

Note: newer sqlmap releases removed --identify-waf; WAF/IPS detection now runs automatically during a scan, and --skip-waf turns it off.

 

Reposted from: https://www.cnblogs.com/AtesetEnginner/p/10997768.html
