Added more waf fingerprints

0xInfection 2019-03-02 19:10:08 +05:30
parent 950e42eb3e
commit 697ac88c81

236
README.md

@ -143,7 +143,7 @@ Wanna detect WAFs? Lets see how.
<li>Blocked response page contains:</li>
<ul>
<li><code>Sorry, your request has been blocked as it may cause potential threats to the server's security</code> text snippet.</li>
<li>Reference to <code>errors.aliyun.com</code> site.</li>
<li>Reference to <code>errors.aliyun.com</code> site URL.</li>
</ul>
</ul>
</ul>
@ -220,7 +220,27 @@ Wanna detect WAFs? Lets see how.
</tr>
<tr>
<td>
Amazon AWS WAF
ASP.NET Generic (IIS)
</td>
<td>
<ul>
<li><b>Detectability: </b>Moderate</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Response headers may contain <code>X-ASPNET-Version</code> header value.</li>
<li>Blocked response page content may contain:</li>
<ul>
<li><code>This generic 403 error means that the authenticated user is not authorized to use the requested resource</code>.</li>
<li><code>Error Code 0x00000000<</code> keyword.</li>
</ul>
<li><code>X-Powered-By</code> header has field value set to <code>ASP.NET</code>.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
AWS (Amazon)
</td>
<td>
<ul>
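Review bot: In the new ASP.NET Generic (IIS) row, the line "<code>Error Code 0x00000000<</code> keyword." has a stray "<" before the closing tag. README.md carries this as raw HTML, so drop the character, or write it as "&lt;" if it is part of the string to match. The two header indicators (X-ASPNET-Version, and X-Powered-By set to ASP.NET) name the application framework rather than a filtering layer, so the row should say they only count together with the blocked-page strings.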
@ -247,6 +267,25 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
Barikode Firewall
</td>
<td>
<ul>
<li><b>Detectability: </b>Moderate</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Blocked response page content may contain:
<ul>
<li><code>barikode</code> keyword.</li>
<li><code>Forbidden Access</code> text snippet in <code>h1</code>.</li>
</ul>
</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
Barracuda WAF
@ -277,6 +316,22 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
Better WP Security
</td>
<td>
<ul>
<li><b>Detectability: </b>Easy</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Specific to only sites using CMS as Wordpress.</li>
<li>Plugin enumeration reveals the WAF plugin presence.</li>
<li>Making a GET request to <code>wp-content/plugins/better-wp-security/</code> directory yeilds<code>200 OK</code>.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
BitNinja Firewall
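Review bot: The last indicator in the Better WP Security row has a typo and a missing space: "yeilds<code>200 OK</code>" should read "yields <code>200 OK</code>", and "Wordpress" is spelled "WordPress". A bare 200 OK is also a weak signal by itself, since a site that answers 200 for every path would match; the row should say the result is meaningful only when a request for a plugin directory that cannot exist returns something different.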
@ -384,6 +439,25 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
Chuangyu WAF
</td>
<td>
<ul>
<li><b>Detectability: </b>Moderate</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Response page has refernce to:
<ul>
<li><code>365cyd.com</code> or <code>365cyd.net</code> URL.</li>
<li>Help page at <code>http://help.365cyd.com/cyd-error-help.html?code=403</code>.</li>
</ul>
</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
Cisco ACE XML Gateway
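Review bot: "refernce" in "Response page has refernce to:" should be "reference". The second sub-item (the help page under help.365cyd.com) is already covered by the first, which matches any 365cyd.com URL; either drop it or say that it is the specific link shown on a 403 block page.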
@ -472,34 +546,6 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
GoDaddy Firewall
</td>
<td>
<ul>
<li><b>Detectability: </b>Easy</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Blocked response page contains value<br> <code>Access Denied - GoDaddy Website Firewall</code>.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
IBM WebSphere DataPower
</td>
<td>
<ul>
<li><b>Detectability: </b>Difficult</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Response headers contains field value value <code>X-Backside-Transport</code> with value <code>OK</code> or <code>FAIL</code>.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
Deny-All Firewall
@ -559,6 +605,20 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
DynamicWeb Injection Check
</td>
<td>
<ul>
<li><b>Detectability: </b>Easy</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Blocked response headers contain <code>X-403-Status-By</code> field with value <code>dw-inj-check</code> value.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
EdgeCast (Verizon)
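Review bot: The DynamicWeb indicator reads "field with value <code>dw-inj-check</code> value"; drop the trailing "value" so the line reads "<code>X-403-Status-By</code> field with value <code>dw-inj-check</code>".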
@ -621,6 +681,20 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
GoDaddy Firewall
</td>
<td>
<ul>
<li><b>Detectability: </b>Easy</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Blocked response page contains value<br> <code>Access Denied - GoDaddy Website Firewall</code>.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
HyperGuard Firewall
@ -635,6 +709,20 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
IBM DataPower
</td>
<td>
<ul>
<li><b>Detectability: </b>Difficult</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Response headers contains field value value <code>X-Backside-Transport</code> with value <code>OK</code> or <code>FAIL</code>.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
Imperva SecureSphere
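Review bot: The re-added IBM DataPower indicator still reads "Response headers contains field value value <code>X-Backside-Transport</code>"; since the row is being moved anyway, fix it to "Response headers contain field <code>X-Backside-Transport</code> with value <code>OK</code> or <code>FAIL</code>". The row title also changes from "IBM WebSphere DataPower" to "IBM DataPower", which the commit message does not mention.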
@ -964,6 +1052,24 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
pkSecurityModule IDS
</td>
<td>
<ul>
<li><b>Detectability: </b>Moderate</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Response content may contain</li>
<ul>
<li><code>pkSecurityModule: Security.Alert</code>.</li>
<li><code>A safety critical request was discovered and blocked</code> text snippet.</li>
</ul>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
Radware Appwall
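Review bot: In the pkSecurityModule IDS row, "Response content may contain" closes its <li> and the nested <ul> follows as a sibling, while the Barikode, Chuangyu and Sabre rows added in this same commit keep the <ul> inside the <li> and end the lead-in with a colon. Use the nested form here as well, so the sub-list is valid HTML and renders as belonging to that item.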
@ -1033,6 +1139,27 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
Sabre Firewall
</td>
<td>
<ul>
<li><b>Detectability: </b>Easy</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Returns status code <code>500 Internal Error</code> upon malicious requests.</li>
<li>Response content has:
<ul>
<li>Contact email <code>dxsupport@sabre.com</code>.</li>
<li><code>Your request has been blocked</code> bold warning.</li>
<li><code>clicking the above email link will automatically add some important details to the email for us to investigate the problem</code> text snippet.</li>
</ul>
</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
Safe3 Firewall
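Review bot: The first Sabre indicator gives the status as "500 Internal Error"; if that is the literal reason phrase the firewall returns, say so, otherwise use the standard "500 Internal Server Error". A 500 alone also looks like an ordinary application fault, so the row should state that the status counts only together with the response-content strings listed under it.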
@ -1098,6 +1225,20 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
Shadow Daemon WAF
</td>
<td>
<ul>
<li><b>Detectability: </b>Difficult</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Blocked response page contains <code>request forbidden by administrative rules.</code> keyword.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
ShieldSecurity
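Review bot: The only Shadow Daemon indicator, "request forbidden by administrative rules.", is labelled a keyword although it is a full sentence, and the trailing period sits inside the <code> element, so it reads as part of the string to match. Label it a text snippet and state whether the period and the letter case are significant; with a single generic sentence as the whole fingerprint, the row should also say that a match is tentative.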
@ -1466,6 +1607,20 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
Xuanwudun WAF
</td>
<td>
<ul>
<li><b>Detectability: </b>Easy</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Blocked response page contains reference to <code>http://admin.dbappwaf.cn/index.php/Admin/ClientMisinform/</code> site URL.</li>
</ul>
</ul>
</td>
</tr>
<tr>
<td>
Yundun Firewall
@ -1510,6 +1665,27 @@ Wanna detect WAFs? Lets see how.
</ul>
</td>
</tr>
<tr>
<td>
ZScaler (Accenture)
</td>
<td>
<ul>
<li><b>Detectability: </b>Easy</li>
<li><b>Detection Methodology:</b></li>
<ul>
<li>Blocked response page contains:</li>
<ul>
<li><code>Access Denied: Accenture Policy</code> text.</li>
<li>Reference to <code>https://policies.accenture.com</code> URL.</li>
<li><code>Your organization has selected Zscaler to protect you from internet threats</code>.</li>
<li><code>The Internet site you have attempted to access is prohibited. Accenture's webfilters indicate that the site likely contains content considered inappropriate</code>.</li>
</ul>
<li><code>Server</code> header has value set to <code>ZScaler</code>.</li>
</ul>
</ul>
</td>
</tr>
</table>
## Evasion Techniques
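Review bot: Three of the four blocked-page strings in the ZScaler (Accenture) row ("Access Denied: Accenture Policy", the policies.accenture.com URL, and the "Accenture's webfilters" sentence) identify one organization's deployment, and the quoted "Your organization has selected Zscaler to protect you from internet threats" describes filtering applied to the person browsing rather than a firewall in front of the requested site. The row should say that a match reflects the requester's own network, and separate the Accenture-specific strings from anything that holds for the product in general.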