In OWASP AppSec Europe 2009 in Poland, Sandro Gauci and Wendel G. Henrique gave a presentation titled “The Truth About Web Application Firewalls:What the vendors do not want you to know“.
In the presentation they mentions that Web Application Firewalls (WAFs) :
- can be detected, because they leave several signs
- can be bypassed by changing the attack in order to avoid rules
To help detect and bypass WAFs, they released wafw00f and waffun tools. At the time of this writing, the waffun has not been released yet.
I am very eager to test it.
I setup a test environment (a webserver and a ModSecurity as the WAF).
Here are several options available in wafw00f :
Then I run the wafw00f against the webserver by giving the command :
and here is the result :
The tool can detect the WAF correctly. Interesting isn’t it ?
You might want to play with another options provided by the tool.
Until next time.