Penetration testers must be aware of a WAF before beginning a web application engagement since the outcome of their assaults may be impacted. But before that…

What is WAF?

WAF (Web Application Firewall ) plays a significant role in website security. They filter and monitor the traffic. Web Application Firewalls provide protection against major flaws. Many organizations are modernizing their infrastructure to include web application firewalls. According to ethical hacking experts, web application firewalls cannot fix security issues on their own; adequate configuration is required to recognize and block external threats. A WAF differs from a traditional firewall in that it may filter the content of specific online applications, whereas traditional firewalls act as a safety barrier between servers.

An HTTP interaction is subjected to a set of rules. These rules address typical vulnerabilities like cross-site scripting and SQL injection in general. There are many free and open-source tools on the internet that can discover the firewalls behind web applications. And in this article, we’ll look at the approaches and tools that can be used to discover a WAF. Please note: In this tutorial, I have used my own site for enumerating the details. Don’t perform scanning or other hacking activity on any website without prior permission from the owner.

Manual Discovery

Detecting using TELNET

Telnet is mainly used by network administrators and penetration testers. Telnet enables you to connect to remote hosts over any port, as previously stated.

HTTP parameters are often left (or inserted) in response headers by web application firewalls. Telnet can be used to obtain basic gathering information such as the server and cookies used in fingerprinting. Type Telnet Targetwebsite.com  80

After running the command above, write HEAD / HTTP / 1.1 and press the enter key. It indicates the server on which the website is hosted and the back-end language on which it was created after using telnet on the target port 80. Some WAF systems allow the header to be modified, and they can also cause the webserver to send HTTP replies that are different from the standard ones. As shown in the result above, the webserver responded to our request and revealed that the firewall/edge gateway was Varnish.

Automated Discovery

#1. Detecting using NMAP

Nmap, which has a script that can identify a web application firewall, can also be used for this purpose.

Nmap is a security assessment tool that many pen-testers and network administrators commonly utilize. Nmap is used to obtain information about the target. The script was run against the same webpage as before Type the command nmap –script=http-waf-fingerprint targetweb.com

After using the above Nmap command, the Citrix Netscaler firewall was detected.

#2. Detecting using Whatwaf

Whatwaf is a security tool for fingerprinting web apps and detecting the presence of any WAF. This tool is useful for determining whether a web application is protected by a WAF during security assessments. If this is the case, bypassing and avoidance strategies may be helpful in further testing or exploiting the online application. Firewall bypassing, application detection, application fingerprinting, and software identification are all frequent uses for WhatWaf. Network Pen-testers and security professionals are the intended users of this program.

How to install WhatWaf?

Installation on Kali-Linux At launch, without a Python version, we can easily specify an executable file: However, because we did not install Python 2 dependencies, it is advised that you specifically provide the Python version.

Tool Usage

Whatwaf firewall detection tool is straightforward to use! We just need to execute the following command: As you can see below, this tool detected the firewall for the provided website URL. Reminder! – I used my own site for the scanning As shown in the result above, the webserver responded to our request and revealed that the firewall was Apache. We can also use the tor service to scan for the WAF, but it may increase the latency. The main advantage of the Whatwaf tool is, it automatically tries to give the payloads to bypass the revealed firewall.

#3. Detecting Using Wafw00f

The most well-known tool for detecting the web application firewall is Wafw00f. Wafw00f sends an HTTP request to the web application firewall to identify it. When sending HTTP requests fails, wafw00f makes a malicious HTTP request. If making a malicious HTTP request fails, wafw00f examines prior HTTP requests and employs a simple algorithm to determine whether the web application firewall reacts to our attacks. Wafw00f isn’t preinstalled in Kali Linux distributions.

How to install Wafw00f?

The zip package is available for download from the official GitHub source. Download the Wafwoof Tool. You can also use the git client to clone the repository. To get the package, run the commands: To download the wafw00f tool in the system, navigate to the wafw00f folder or directory and perform the following command. The setup file will be processed, and wafw00f will be installed in the system.

Tool Usage

To use this tool, run this command. REMINDER – Only scan the websites that you are permitted to test Too bad, firewall was detected! We will try a different target website for the discussion purpose. No Firewall is detected this time. And to use it in verbose mode, run the following command. You can see a few additional capabilities of this utility by executing this command.

Wrapping Up 👨‍💻

In this article, we looked at different strategies and tools for detecting web application firewalls. This is an important activity that must be performed during the information collection stage of every web application penetration test. Furthermore, knowing that a WAF is in place allows the penetration tester to try various approaches to get around the defenses and exploit any holes in the online application. According to an ethical hacking researcher, having a web application firewall (WAF) is increasingly necessary. Analyzing your web application logs to detect new assaults occurring on the back-end web application server is always important. This allows you to customize rules in your web application firewall to provide the highest level of protection. You may also be interested in reading: Vulnerabilities using Nikto Scanner.

How to Detect Which WAF is Protecting a Website - 11