WAFW00F - The Web Application Firewall Fingerprinting Tool

How does it work?

To do its magic, WAFW00F does the following:

  • Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
  • If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
  • If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks.

For further details, check out the source code on our main repository.

What does it detect?

WAFW00F can detect a number of firewalls, a list of which is as below:

$ wafw00f -l

                                                                      
                ______                                                
               /      \                                               
              (  W00f! )                                              
               \  ____/                                               
               ,,    __            404 Hack Not Found                 
           |`-.__   / /                      __     __                
           /"  _/  /_/                       \ \   / /                
          *===*    /                          \ \_/ /  405 Not Allowed
         /     )__//                           \   /                  
    /|  /     /---`                        403 Forbidden
    \\/`   \ |                                 / _ \ 
    `\    /_\\_              502 Bad Gateway  / / \ \  500 Internal Error
      `_____``-`                             /_/   \_\

                        ~ WAFW00F : v2.0.0 ~
        The Web Application Firewall Fingerprinting Toolkit

[+] Can test for these WAFs:

  WAF Name                      Manufacturer
  --------                      ------------

  ACE XML Gateway               Cisco
  aeSecure                      aeSecure
  AireeCDN                      Airee
  Airlock                       Phion/Ergon
  Alert Logic                   Alert Logic
  AliYunDun                     Alibaba Cloud Computing
  Anquanbao                     Anquanbao
  AnYu                          AnYu Technologies
  Approach                      Approach
  AppWall                       Radware
  Armor Defense                 Armor
  ArvanCloud                    ArvanCloud
  ASP.NET Generic               Microsoft
  ASPA Firewall                 ASPA Engineering Co.
  Astra                         Czar Securities
  AzionCDN                      AzionCDN
  Azure Front Door              Microsoft
  Barikode                      Ethic Ninja
  Barracuda                     Barracuda Networks
  Bekchy                        Faydata Technologies Inc.
  Beluga CDN                    Beluga
  BinarySec                     BinarySec
  BitNinja                      BitNinja
  BlockDoS                      BlockDoS
  Bluedon                       Bluedon IST
  CacheWall                     Varnish
  CacheFly CDN                  CacheFly
  Comodo cWatch                 Comodo CyberSecurity
  Chuang Yu Shield              Yunaq
  Cloudbric                     Penta Security
  Cloudflare                    Cloudflare Inc.
  Cloudfloor                    Cloudfloor DNS
  Cloudfront                    Amazon
  CrawlProtect                  Jean-Denis Brun
  DataPower                     IBM
  DenyALL                       Rohde & Schwarz CyberSecurity
  Distil                        Distil Networks
  DOSarrest                     DOSarrest Internet Security
  DotDefender                   Applicure Technologies
  Edgecast                      Verizon Digital Media
  Eisoo Cloud Firewall          Eisoo
  Expression Engine             EllisLab
  BIG-IP AppSec Manager         F5 Networks
  BIG-IP AP Manager             F5 Networks
  Fastly                        Fastly CDN
  FirePass                      F5 Networks
  FortiWeb                      Fortinet
  Greywizard                    Grey Wizard
  Huawei Cloud Firewall         Huawei
  HyperGuard                    Art of Defense
  Imunify360                    CloudLinux
  Incapsula                     Imperva Inc.
  IndusGuard                    Indusface
  Instart DX                    Instart Logic
  ISA Server                    Microsoft
  Jiasule                       Jiasule
  Kona SiteDefender             Akamai
  KS-WAF                        KnownSec
  KeyCDN                        KeyCDN
  LimeLight CDN                 LimeLight
  LiteSpeed                     LiteSpeed Technologies
  Open-Resty Lua Nginx          FLOSS
  Oracle Cloud                  Oracle
  Malcare                       Inactiv
  MaxCDN                        MaxCDN
  ModSecurity                   SpiderLabs
  NAXSI                         NBS Systems
  Nemesida                      PentestIt
  NevisProxy                    AdNovum
  NetContinuum                  Barracuda Networks
  NetScaler AppFirewall         Citrix Systems
  Newdefend                     NewDefend
  NexusGuard Firewall           NexusGuard
  NinjaFirewall                 NinTechNet
  NullDDoS Protection           NullDDoS
  NSFocus                       NSFocus Global Inc.
  OnMessage Shield              BlackBaud
  PerimeterX                    PerimeterX
  PentaWAF                      Global Network Services
  pkSecurity IDS                pkSec
  PowerCDN                      PowerCDN
  Profense                      ArmorLogic
  Puhui                         Puhui
  Qiniu                         Qiniu CDN
  Reblaze                       Reblaze
  RSFirewall                    RSJoomla!
  Sabre Firewall                Sabre
  Safe3 Web Firewall            Safe3
  Safedog                       SafeDog
  Safeline                      Chaitin Tech.
  SecKing                       SecKing
  eEye SecureIIS                BeyondTrust
  SecuPress WP Security         SecuPress
  SecureSphere                  Imperva Inc.
  Secure Entry                  United Security Providers
  SEnginx                       Neusoft    
  ServerDefender VP             Port80 Software
  Shield Security               One Dollar Plugin
  Shadow Daemon                 Zecure  
  SiteGround                    SiteGround 
  SiteGuard                     Sakura Inc.   
  Sitelock                      TrueShield
  SonicWall                     Dell        
  UTM Web Protection            Sophos   
  Squarespace                   Squarespace  
  SquidProxy IDS                SquidProxy
  StackPath                     StackPath
  Sucuri CloudProxy             Sucuri Inc.
  Teros                         Citrix Systems
  Trafficshield                 F5 Networks
  TransIP Web Firewall          TransIP  
  URLScan                       Microsoft
  UEWaf                         UCloud
  Varnish                       OWASP 
  Viettel                       Cloudrity
  VirusDie                      VirusDie LLC
  Wallarm                       Wallarm Inc.
  WatchGuard                    WatchGuard Technologies
  WebARX                        WebARX Security Solutions
  WebKnight                     AQTRONIX
  WebLand                       WebLand
  RayWAF                        WebRay Solutions
  WebSEAL                       IBM
  WebTotem                      WebTotem
  West263 CDN                   West263CDN
  Wordfence                     Defiant 
  WP Cerber Security            Cerber Tech
  WTS-WAF                       WTS      
  360WangZhanBao                360 Technologies
  XLabs Security WAF            XLabs
  Xuanwudun                     Xuanwudun
  Yundun                        Yundun
  Yunsuo                        Yunsuo
  Yunjiasu                      Baidu Cloud Computing
  YXLink                        YxLink Technologies
  Zenedge                       Zenedge
  ZScaler                       Accenture

How do I use it?

First, install the tools as described here.

For help you can make use of the --help option. The basic usage is to pass an URL as an argument. Example:

$  wafw00f https://example.org

                ______
               /      \
              (  W00f! )
               \  ____/
               ,,    __            404 Hack Not Found
           |`-.__   / /                      __     __
           /"  _/  /_/                       \ \   / /
          *===*    /                          \ \_/ /  405 Not Allowed
         /     )__//                           \   /
    /|  /     /---`                        403 Forbidden
    \\/`   \ |                                 / _ \
    `\    /_\\_              502 Bad Gateway  / / \ \  500 Internal Error
      `_____``-`                             /_/   \_\

                        ~ WAFW00F : v2.0.0 ~
        The Web Application Firewall Fingerprinting Toolkit
    
[*] Checking https://example.org
[+] The site https://example.org is behind Edgecast (Verizon Digital Media) WAF.
[~] Number of requests: 2

How do I install it?

The following should do the trick:

python setup.py install

Usage

Arguments List

$ wafw00f -h

                    ______
                   /      \
                  (  Woof! )
                   \______/                      )
                   ,,                           ) (_
              .-. -    _______                 ( |__|
             ()``; |==|_______)                .)|__|
             / ('        /|\                  (  |__|
         (  /  )        / | \                  . |__|
          \(_)_))      /  |  \                   |__|

   WAFW00F - Web Application Firewall Detection Tool (v2.0.0)

Usage: wafw00f url1 [url2 [url3 ... ]]
Example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         Enable verbosity, multiple -v options increase
                        verbosity
  -a, --findall         Find all WAFs which match the signatures, do not stop
                        testing on the first one
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that WAFW00F is able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, examples:
                        http://hostname:8080, socks5://hostname:1080,
                        http://user:[email protected]:8080
  -V, --version         Print out the current version of WafW00f and exit.
  -H HEADERS, --headers=HEADERS
                        Pass custom headers via a text file to overwrite the
                        default header set.

Testing a Single URL

The URL can be directly supplied to the script after WAFW00F has been built and installed on the system.

wafw00f http://example.com

Testing Multiple URLs

Multiple URLs can be supplied one after another using spaces.

wafw00f http://example.com http://host.com http://site.tld

Listing All Supported WAFs

Option: -l or --list

This option lists all the available supported WAF products by WAFW00F. With this option the companies manufacturing the WAF product can also be viewed alongside the WAF name.

wafw00f --list

Adding Custom Headers

Option: -H or --headers

WAFW00F has its own set of default headers by which it makes the requests. The headers are specifically suited for emulating a Chrome browser running on a Windows platform. This option enables you to supply a comma separated list of custom headers which you might want WAFW00F to use during all requests.

wafw00f http://example.com -H headers.txt

NOTE: The headers which you will supply will overwrite the list of default headers.

Using Proxies

Option: -p or --proxy

With this option, you can use proxies to route the requests through. The scheme should be in the normal URL format <scheme>://<username:password>@<hostname>:<port>, where the username and password can be used in cases where the proxy server supports authentication.

wafw00f http://example.com -p http://user:[email protected]:8080

Testing For A Single WAF Instance

Option: -t or --test

This option helps you set WAFW00F to test for a single instance of a WAF. When this argument is supplied, WAFW00F will test and try to match the fingerprint for the given WAF only. The supplied WAF name should be equal to at least one of the names within wafprio.py. You can use the --list argument to list the products supported by the WAF.

wafw00f http://example.com -t 'Edgecast (Verizon Digital Media)'

Testing For All Possible WAF Instances

Option: -a or --findall

This option helps set WAFW00F on a run and lets you enumerate all possible instances of a WAF on the site being tested. The logic behind this is that WAFW00F continues testing and matching fingerprints throughout its database and doesn't exclusively stop on the first matched instance.

wafw00f http://example.com -a

Controlling Verbosity

Option: -v ...

This option helps set the verbosity level of the output. You can supply multiple instances of the argument for a better verbose output. More the number of -vs, more verbose is the output.

wafw00f http://example.com -v -v

Version & License

Option: -V or --version

This option displays the current version of WAFW00F from wafw00f/__init__.py which you're using.

wafw00f --version

Final Words

Questions? Pull up an issue on GitHub Issue Tracker or contact me.
Pull requests, ideas and issues are highly welcome. If you wish to see how WAFW00F is being developed, check out the development board.

Some useful links:

Presently being developed and maintained by:


Main page: https://github.com/EnableSecurity/wafw00f

January 16, 2020
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013