Saturday, June 23, 2012

Fingerprinting WAFs with Nmap

  A WAF (Web Application Firewall) is a software or hardware device that sits between clients and web servers. As its name implies, it is a firewall: it inspects the traffic passing through it and blocks, allows or logs that traffic according to rules defined by its operator. It is an application firewall because, unlike a classical packet filter that works at the network and transport layers (allow traffic to port A, block traffic from network B, and so on), it understands an application protocol, which in the case of a WAF is HTTP. It can therefore apply rules to HTTP methods, headers, parameter values, the response body and so on.

  WAFs are generally an added layer of security that an attacker has to bypass in order to exploit a web application. Knowing is half the battle: detecting the presence of a WAF, and ideally its type and version, is the first step towards bypassing it, since bypass techniques are specific to a product and often to a version.

  WAFs can be fingerprinted with two approaches: passive and active. Many WAFs modify the HTTP responses coming from the web server, and a passive approach looks for signs of their presence in those responses. For example, the BinarySec WAF overwrites the Server header with its own value (e.g. BinarySEC/3.1.0), disclosing not only its presence but its exact version. Other WAFs leave traces such as cookies with fixed names or unique headers. An active approach relies instead on the behaviour of the WAF. For example, Naxsi uses a score-based engine: a request with a URI like /?parameter=[ may fly under the radar, while a request with a URI such as /?parameter=[]]][ scores high enough, because of the number of special characters, to trigger the detection engine. Comparing the status codes of the two responses can therefore tell whether Naxsi is present. An active approach is smarter and offers more possibilities, but it is more prone to false positives (any application that reacts differently to odd input looks like a WAF, so a third, benign baseline request is needed to tell the two apart), and the probes themselves are noisy and end up in the WAF's logs.
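To make the two approaches concrete, here is a small Python illustration written for this post; it is not the http-waf-fingerprint NSE script and not code from any WAF vendor. The BinarySEC Server header signature is the one described above; the Citrix NetScaler cookie name is an assumption from memory of other fingerprint databases, and the score-based WAF the active probe is run against is a constructed stand-in whose scoring rules are invented for the example, not Naxsi's real ones.

```python
# Added example: passive and active WAF fingerprinting over raw HTTP messages.
# Illustration code for this post, not the http-waf-fingerprint NSE script.
# Sample responses and the simulated score-based WAF are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    name: str
    server_prefix: str = ""             # Server: header prefix that betrays the product
    cookie_names: Tuple[str, ...] = ()  # Set-Cookie names that betray the product


# BinarySEC comes straight from the post. The NetScaler cookie name is an
# assumption from memory of other fingerprint databases, not from the post.
FINGERPRINTS = (
    Fingerprint("BinarySec", server_prefix="BinarySEC/"),
    Fingerprint("Citrix NetScaler AppFirewall", cookie_names=("ns_af",)),
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]], bytes]:
    """Split a raw HTTP/1.x response into (status code, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def passive_fingerprint(raw: bytes) -> List[Tuple[str, str]]:
    """Passive approach: match one response against the signature table.
    Returns (product, evidence) pairs; the version is pulled from the Server header."""
    _, headers, _ = parse_response(raw)
    hits: List[Tuple[str, str]] = []
    for fp in FINGERPRINTS:
        for server in headers.get("server", []):
            if fp.server_prefix and server.startswith(fp.server_prefix):
                version = server[len(fp.server_prefix):] or "unknown"
                hits.append((fp.name, f"Server header, version {version}"))
        for cookie in headers.get("set-cookie", []):
            cname = cookie.split("=", 1)[0].strip()
            if cname in fp.cookie_names:
                hits.append((fp.name, f"cookie {cname}"))
    return hits


# Active approach: the same parameter with one, then many, special characters,
# plus a clean baseline so that a site which reacts to any query string is not reported.
BASELINE = "/"
LOW_SCORE = "/?parameter=["
HIGH_SCORE = "/?parameter=[]]]["


def active_probe(fetch: Callable[[str], bytes]) -> Optional[str]:
    """Detect a score-based engine by comparing status codes.

    fetch(uri) returns the raw response for a GET of that URI. A hit requires the
    baseline and low-score requests to agree and the high-score request to differ."""
    base, _, _ = parse_response(fetch(BASELINE))
    low, _, _ = parse_response(fetch(LOW_SCORE))
    high, _, _ = parse_response(fetch(HIGH_SCORE))
    if base != low or low == high:
        return None
    return f"score-based WAF suspected: {LOW_SCORE} -> {low}, {HIGH_SCORE} -> {high}"


# --- constructed samples (not real captures) ---------------------------------
SAMPLE_BINARYSEC = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: BinarySEC/3.1.0\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"


def simulated_score_waf(uri: str) -> bytes:
    """Toy stand-in for a score-based WAF: each special character adds to a score
    and the request is refused once the score exceeds a threshold. Invented rules,
    not Naxsi's."""
    query = uri.partition("?")[2]
    score = sum(8 for c in query if c in "[]<>'\"")
    if score > 16:
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    return SAMPLE_PLAIN


def flaky_site(uri: str) -> bytes:
    """A site that 404s anything with a query string: must not be reported as a WAF."""
    return b"HTTP/1.1 404 Not Found\r\n\r\n" if "?" in uri else SAMPLE_PLAIN


if __name__ == "__main__":
    print(passive_fingerprint(SAMPLE_BINARYSEC))
    print(active_probe(simulated_score_waf))
    print(active_probe(flaky_site))
```

The baseline request in active_probe is the false-positive guard the paragraph above alludes to: only when the clean request and the low-score request agree, and the high-score request alone differs, is the difference attributed to a scoring engine rather than to the application itself.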

  I have gathered a number of fingerprints from various projects, added some that I already knew, and implemented them in an Nmap script that supports an intensive mode (active fingerprinting). Compared to known tools such as wafw00f, it is much faster (it uses HTTP pipelining), more comprehensive, with many more fingerprints, and produces far fewer false positives. You can find http-waf-fingerprint here.