WAF Detection

Detecting any firewalls so we can find a way to bypass them.

WAF stands for Web Application Firewall.

Its goal is to protect the website behind it by filtering/monitoring the traffic.

Fingerprinting is a method used to gather information (about any WAF in this context).

Tools

Detecting WAFs with WAFW00F

wafw00f $URL

Detecting WAFs with WhatWaf

whatwaf -u $URL

Detecting WAFs with nmap

nmap -p 80,443 --script=http-waf-fingerprint $URL

Another script called http-waf-detectcan be used. It detects IDS/IPS/WAF but doesn't give information about the vendor, or version...

Other examples

A manual testing workflow could be to check the cookies and response headers.

Cookies: some WAF can be identified by the cookie's name.

Response headers: sometimes they are changed to apparently "confuse the attacker".

Resources

http-waf-fingerprint NSE script — Nmap Scripting Engine documentationnmap.org