How does it work?
To do its magic, WAFW00F does the following:
- Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
- If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
- If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks.
For further details, check out the source code on our main repository.
What does it detect?
WAFW00F can detect a number of firewalls, a list of which is as below:
$ wafw00f -l ______ / \ ( W00f! ) \ ____/ ,, __ 404 Hack Not Found |`-.__ / / __ __ /" _/ /_/ \ \ / / *===* / \ \_/ / 405 Not Allowed / )__// \ / /| / /---` 403 Forbidden \\/` \ | / _ \ `\ /_\\_ 502 Bad Gateway / / \ \ 500 Internal Error `_____``-` /_/ \_\ ~ WAFW00F : v2.0.0 ~ The Web Application Firewall Fingerprinting Toolkit [+] Can test for these WAFs: WAF Name Manufacturer -------- ------------ ACE XML Gateway Cisco aeSecure aeSecure AireeCDN Airee Airlock Phion/Ergon Alert Logic Alert Logic AliYunDun Alibaba Cloud Computing Anquanbao Anquanbao AnYu AnYu Technologies Approach Approach AppWall Radware Armor Defense Armor ArvanCloud ArvanCloud ASP.NET Generic Microsoft ASPA Firewall ASPA Engineering Co. Astra Czar Securities AzionCDN AzionCDN Azure Front Door Microsoft Barikode Ethic Ninja Barracuda Barracuda Networks Bekchy Faydata Technologies Inc. Beluga CDN Beluga BinarySec BinarySec BitNinja BitNinja BlockDoS BlockDoS Bluedon Bluedon IST CacheWall Varnish CacheFly CDN CacheFly Comodo cWatch Comodo CyberSecurity Chuang Yu Shield Yunaq Cloudbric Penta Security Cloudflare Cloudflare Inc. Cloudfloor Cloudfloor DNS Cloudfront Amazon CrawlProtect Jean-Denis Brun DataPower IBM DenyALL Rohde & Schwarz CyberSecurity Distil Distil Networks DOSarrest DOSarrest Internet Security DotDefender Applicure Technologies Edgecast Verizon Digital Media Eisoo Cloud Firewall Eisoo Expression Engine EllisLab BIG-IP AppSec Manager F5 Networks BIG-IP AP Manager F5 Networks Fastly Fastly CDN FirePass F5 Networks FortiWeb Fortinet Greywizard Grey Wizard Huawei Cloud Firewall Huawei HyperGuard Art of Defense Imunify360 CloudLinux Incapsula Imperva Inc. IndusGuard Indusface Instart DX Instart Logic ISA Server Microsoft Jiasule Jiasule Kona SiteDefender Akamai KS-WAF KnownSec KeyCDN KeyCDN LimeLight CDN LimeLight LiteSpeed LiteSpeed Technologies Open-Resty Lua Nginx FLOSS Oracle Cloud Oracle Malcare Inactiv MaxCDN MaxCDN ModSecurity SpiderLabs NAXSI NBS Systems Nemesida PentestIt NevisProxy AdNovum NetContinuum Barracuda Networks NetScaler AppFirewall Citrix Systems Newdefend NewDefend NexusGuard Firewall NexusGuard NinjaFirewall NinTechNet NullDDoS Protection NullDDoS NSFocus NSFocus Global Inc. OnMessage Shield BlackBaud PerimeterX PerimeterX PentaWAF Global Network Services pkSecurity IDS pkSec PowerCDN PowerCDN Profense ArmorLogic Puhui Puhui Qiniu Qiniu CDN Reblaze Reblaze RSFirewall RSJoomla! Sabre Firewall Sabre Safe3 Web Firewall Safe3 Safedog SafeDog Safeline Chaitin Tech. SecKing SecKing eEye SecureIIS BeyondTrust SecuPress WP Security SecuPress SecureSphere Imperva Inc. Secure Entry United Security Providers SEnginx Neusoft ServerDefender VP Port80 Software Shield Security One Dollar Plugin Shadow Daemon Zecure SiteGround SiteGround SiteGuard Sakura Inc. Sitelock TrueShield SonicWall Dell UTM Web Protection Sophos Squarespace Squarespace SquidProxy IDS SquidProxy StackPath StackPath Sucuri CloudProxy Sucuri Inc. Teros Citrix Systems Trafficshield F5 Networks TransIP Web Firewall TransIP URLScan Microsoft UEWaf UCloud Varnish OWASP Viettel Cloudrity VirusDie VirusDie LLC Wallarm Wallarm Inc. WatchGuard WatchGuard Technologies WebARX WebARX Security Solutions WebKnight AQTRONIX WebLand WebLand RayWAF WebRay Solutions WebSEAL IBM WebTotem WebTotem West263 CDN West263CDN Wordfence Defiant WP Cerber Security Cerber Tech WTS-WAF WTS 360WangZhanBao 360 Technologies XLabs Security WAF XLabs Xuanwudun Xuanwudun Yundun Yundun Yunsuo Yunsuo Yunjiasu Baidu Cloud Computing YXLink YxLink Technologies Zenedge Zenedge ZScaler Accenture
How do I use it?
First, install the tools as described here.
For help you can make use of the
--help option. The basic usage is to pass an URL as an argument. Example:
$ wafw00f https://example.org ______ / \ ( W00f! ) \ ____/ ,, __ 404 Hack Not Found |`-.__ / / __ __ /" _/ /_/ \ \ / / *===* / \ \_/ / 405 Not Allowed / )__// \ / /| / /---` 403 Forbidden \\/` \ | / _ \ `\ /_\\_ 502 Bad Gateway / / \ \ 500 Internal Error `_____``-` /_/ \_\ ~ WAFW00F : v2.0.0 ~ The Web Application Firewall Fingerprinting Toolkit [*] Checking https://example.org [+] The site https://example.org is behind Edgecast (Verizon Digital Media) WAF. [~] Number of requests: 2
How do I install it?
The following should do the trick:
python setup.py install
$ wafw00f -h ______ / \ ( Woof! ) \______/ ) ,, ) (_ .-. - _______ ( |__| ()``; |==|_______) .)|__| / (' /|\ ( |__| ( / ) / | \ . |__| \(_)_)) / | \ |__| WAFW00F - Web Application Firewall Detection Tool (v2.0.0) Usage: wafw00f url1 [url2 [url3 ... ]] Example: wafw00f http://www.victim.org/ Options: -h, --help show this help message and exit -v, --verbose Enable verbosity, multiple -v options increase verbosity -a, --findall Find all WAFs which match the signatures, do not stop testing on the first one -r, --noredirect Do not follow redirections given by 3xx responses -t TEST, --test=TEST Test for one specific WAF -l, --list List all WAFs that WAFW00F is able to detect -p PROXY, --proxy=PROXY Use an HTTP proxy to perform requests, examples: http://hostname:8080, socks5://hostname:1080, http://user:pass@hostname:8080 -V, --version Print out the current version of WafW00f and exit. -H HEADERS, --headers=HEADERS Pass custom headers via a text file to overwrite the default header set.
Testing a Single URL
The URL can be directly supplied to the script after WAFW00F has been built and installed on the system.
Testing Multiple URLs
Multiple URLs can be supplied one after another using spaces.
wafw00f http://example.com http://host.com http://site.tld
Listing All Supported WAFs
This option lists all the available supported WAF products by WAFW00F. With this option the companies manufacturing the WAF product can also be viewed alongside the WAF name.
Adding Custom Headers
WAFW00F has its own set of default headers by which it makes the requests. The headers are specifically suited for emulating a Chrome browser running on a Windows platform. This option enables you to supply a comma separated list of custom headers which you might want WAFW00F to use during all requests.
wafw00f http://example.com -H headers.txt
NOTE: The headers which you will supply will overwrite the list of default headers.
With this option, you can use proxies to route the requests through. The scheme should be in the normal URL format
<scheme>://<username:password>@<hostname>:<port>, where the
password can be used in cases where the proxy server supports authentication.
wafw00f http://example.com -p http://user:[email protected]:8080
Testing For A Single WAF Instance
This option helps you set WAFW00F to test for a single instance of a WAF. When this argument is supplied, WAFW00F will test and try to match the fingerprint for the given WAF only. The supplied WAF name should be equal to at least one of the names within
wafprio.py. You can use the
--list argument to list the products supported by the WAF.
wafw00f http://example.com -t 'Edgecast (Verizon Digital Media)'
Testing For All Possible WAF Instances
This option helps set WAFW00F on a run and lets you enumerate all possible instances of a WAF on the site being tested. The logic behind this is that WAFW00F continues testing and matching fingerprints throughout its database and doesn't exclusively stop on the first matched instance.
wafw00f http://example.com -a
This option helps set the verbosity level of the output. You can supply multiple instances of the argument for a better verbose output. More the number of
-vs, more verbose is the output.
wafw00f http://example.com -v -v
Version & License
This option displays the current version of WAFW00F from
wafw00f/__init__.py which you're using.
Questions? Pull up an issue on GitHub Issue Tracker or contact me.
Pull requests, ideas and issues are highly welcome. If you wish to see how WAFW00F is being developed, check out the development board.
Some useful links:
Presently being developed and maintained by:
- Sandro Gauci (@SandroGauci)
- Pinaki Mondal (@0xInfection)
Main page: https://github.com/EnableSecurity/wafw00f
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
- Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
- Blog2022.10.12Vulnerability management with Wazuh open source XDR
- Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
- Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky