Detecting Web Application Firewalls

At OWASP AppSec Europe 2009 in Poland, Sandro Gauci and Wendel G. Henrique gave a presentation titled “The Truth About Web Application Firewalls: What the vendors do not want you to know”.

In the presentation they mention that Web Application Firewalls (WAFs):

  • can be detected, because they leave several signs
  • can be bypassed by changing the attack in order to avoid rules

To help detect and bypass WAFs, they released the wafw00f tool and announced a second one, waffun. At the time of this writing, waffun has not been released yet.
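As an added illustration of the "signs" mentioned above (this is not code from the talk or from wafw00f), the script below compares the response to a benign request with the response to a request the WAF blocked and lists what gives the WAF away; the response data and the header tokens are constructed assumptions, useful when checking how much your own WAF deployment reveals.

```python
"""Compare two HTTP responses for the kind of signs a WAF leaves behind.
Added example, not code from the talk or from wafw00f. The response data
below is constructed and the header tokens are illustrative assumptions."""
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal captured HTTP response: status code, headers, body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Illustrative tokens some WAF/proxy deployments expose in headers.
# An assumption for this example; real deployments vary widely.
WAF_HEADER_TOKENS = ("mod_security", "modsecurity", "noyb")

def header_signs(resp):
    """Return 'Name: value' strings whose text contains a known WAF token."""
    return [f"{n}: {v}" for n, v in resp.headers.items()
            if any(t in f"{n}: {v}".lower() for t in WAF_HEADER_TOKENS)]

def compare_responses(benign, probe):
    """List differences between the response to a benign request and the
    response to a request the WAF is expected to block. An empty list means
    none of these checks betrays a WAF."""
    signs = []
    if benign.status != probe.status:
        signs.append(f"status changed {benign.status} -> {probe.status}")
    b_names = {n.lower() for n in benign.headers}
    p_names = {n.lower() for n in probe.headers}
    for name in sorted(p_names - b_names):
        signs.append(f"header only on blocked response: {name}")
    for name in sorted(b_names - p_names):
        signs.append(f"header missing on blocked response: {name}")
    if benign.headers.get("Server") != probe.headers.get("Server"):
        signs.append("Server banner differs between responses")
    # dict.fromkeys dedupes while keeping order
    for sign in dict.fromkeys(header_signs(benign) + header_signs(probe)):
        signs.append(f"token in header: {sign}")
    return signs

# Constructed sample pair: a page served normally, then a 403 from the WAF.
BENIGN = Response(200, {"Server": "Apache", "Content-Type": "text/html"}, "ok")
BLOCKED = Response(403, {"Server": "Apache", "Content-Type": "text/html",
                         "X-Example-WAF": "blocked"}, "Forbidden")

if __name__ == "__main__":
    for sign in compare_responses(BENIGN, BLOCKED):
        print(sign)
```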

I am very eager to test it.

I set up a test environment (a webserver with ModSecurity as the WAF).

Here are several options available in wafw00f:

(Screenshot wafw00f-1a: the wafw00f command-line options)

Then I ran wafw00f against the webserver with the command:

wafw00f.py http://localhost

and here is the result :

(Screenshot wafw00f-2a: wafw00f output against the test webserver)

The tool detects the WAF correctly. Interesting, isn't it?

You might want to play with the other options provided by the tool.

Until next time.
