
WAF Detection

Detecting any firewalls so we can find a way to bypass them.

WAF stands for Web Application Firewall.

Its goal is to protect the website behind it by filtering/monitoring the traffic.

Fingerprinting is a method used to gather information (about any WAF in this context).

Tools

Detecting WAFs with WAFW00F

wafw00f $URL

Detecting WAFs with WhatWaf

whatwaf -u $URL

Detecting WAFs with nmap

nmap -p 80,443 --script=http-waf-fingerprint $URL

Another script called http-waf-detect can be used. It detects an IDS/IPS/WAF but doesn't give information about the vendor or version.

Other examples

A manual testing workflow could be to check the cookies and response headers.

Cookies: some WAFs can be identified by the name of a cookie they set.

Response headers: sometimes they are changed, apparently to "confuse the attacker".
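
The manual check above, sketched as an added example (not part of the original page): it parses a saved raw header block and matches cookie and header names against a few publicly known markers. The signature list, the function names and the sample response are assumptions made for illustration.

```python
import re

# Illustrative, non-exhaustive markers (assumed for this example):
# (vendor, kind, regex applied to the cookie or header name).
SIGNATURES = [
    ("Cloudflare", "cookie", r"^(__cf_bm|cf_clearance)$"),
    ("Cloudflare", "header", r"^cf-ray$"),
    ("Imperva Incapsula", "cookie", r"^(incap_ses_|visid_incap_)"),
    ("Imperva Incapsula", "header", r"^x-iinfo$"),
    ("F5 BIG-IP", "cookie", r"^BIGipServer"),
    ("Sucuri", "header", r"^x-sucuri-id$"),
]

# Constructed sample: the Server header claims Apache, the cookies say otherwise.
SAMPLE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: visid_incap_000000=constructed; path=/; HttpOnly
Set-Cookie: incap_ses_000_000000=constructed; path=/
Set-Cookie: PHPSESSID=constructed; path=/
X-Iinfo: constructed
"""

def parse_headers(raw):
    """Return (lower-cased header names, cookie names) from a raw header block."""
    headers, cookies = [], []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers.append(name)
        if name == "set-cookie":
            # Cookie name is everything before the first '=' of the first attribute.
            cookies.append(value.split(";", 1)[0].split("=", 1)[0].strip())
    return headers, cookies

def fingerprint(raw):
    """Map each matching vendor to the list of evidence that matched."""
    headers, cookies = parse_headers(raw)
    hits = {}
    for vendor, kind, pattern in SIGNATURES:
        for name in (cookies if kind == "cookie" else headers):
            if re.search(pattern, name, re.IGNORECASE):
                hits.setdefault(vendor, []).append(f"{kind}:{name}")
    return hits

if __name__ == "__main__":
    for vendor, evidence in fingerprint(SAMPLE).items():
        print(vendor, evidence)
```

A single marker is weak evidence, and the Server header in particular can be rewritten, which is why the function reports every matching cookie and header rather than one verdict.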

Resources