diff --git a/README.md b/README.md index abbcd21..b808669 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,7 @@ Feel free to [contribute](). - BlockDoS A WAF solution which features high performance in-built content delivery systems, custom SSL, DNS protection, dynamic caching and stable DDoS protection. @@ -130,10 +130,11 @@ One that uses a mixed concept of blacklisting and whitelisting stuff. ### Where To Look: - Always look out for common ports that expose that a WAF `80`, `443`, `8000`, `8008`, `8080`, `8088`. -> __Tip:__ You can use automate this easily by commandline using a screenshot taker like [WebScreenShot](https://github.com/maaaaz/webscreenshot). + > __Tip:__ You can use automate this easily by commandline using a screenshot taker like [WebScreenShot](https://github.com/maaaaz/webscreenshot). - Some WAFs set their own cookies in requests (eg. Citrix Netscaler, Yunsuo WAF). - Some associate themselves with separate headers (eg. Anquanbao WAF, Amazon AWS WAF). - Some often alter headers and jumble characters to confuse attacker (eg. Citrix Netscaler, Big IP WAF). +- Some (often rare) expose themselves in the `Server` header - Some WAFs expose themselves in the response content (eg. DotDefender, Armor, truShield Sitelock). - Other WAFs reply with unusual response codes upon malicious requests (eg. WebKnight). @@ -143,9 +144,10 @@ One that uses a mixed concept of blacklisting and whitelisting stuff. 3. If there is a login page somewhere, try some common (easily detectable) payloads like `' or 1 = 1 --`. 4. If there is some search box or input field somewhere, try detecting payloads like ``. 5. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries). -6. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response. -> __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net). -7. Side Channel Attacks - Examine the timing behaviour of the request and response content. +6. Many a times, the WAF varies the `Server` header upon different types of interactions. +7. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response. + > __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net). +8. Side Channel Attacks - Examine the timing behaviour of the request and response content. ## WAF Detection Wanna detect WAFs? Lets see how. @@ -291,6 +293,55 @@ Wanna detect WAFs? Lets see how. + + + Bekchy (Faydata) + + + + + + + + BitNinja + + + + + + + + Bluedon IST + + + + + BIG-IP ASM (F5 Networks) @@ -373,7 +424,7 @@ Wanna detect WAFs? Lets see how.
  • Detectability: Moderate
  • Detection Methodology:
  • @@ -438,13 +489,27 @@ Wanna detect WAFs? Lets see how. + + + GoDaddy Firewall + + + + + IBM WebSphere DataPower