WAF detection

[woodruffw]

It might be interesting to add some Web Application Firewall detection techniques. I don't know much about WAFs, but it looks like there are some common oracles:

• Known cookies
• Known weird HTTP codes (999 No Hacking)
• Known HTML responses

Some potential resources:

• https://www.owasp.org/images/b/bf/OWASP_Stammtisch_Frankfurt_WAF_Profiling_and_Evasion.pdf
• https://www.securitynewspaper.com/2018/12/04/detect-web-application-firewall-waf-before-you-attack/ (looks like there's an nmap script for WAF detection)

[karanb192]

Hi woodruffw,

I just tried the tool and it is pretty quick and I want to contribute to WAF detection.

[woodruffw]

Please do! Sent from mobile. Please excuse my brevity.

…

On Jan 19, 2020, at 9:32 AM, Karan Bansal ***@***.***> wrote:  Hi woodruffw, I just tried the tool and it is pretty quick and I want to contribute to WAF detection. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[rickconlee]

I’d like to jump in on this too! I have some WAF experience from doing manual audits for site clients. I’ll take a look while I’m sitting here in quarantine.

[rickconlee]

What are everyone's thoughts on adding nmap to the stack? This would be a great tool and can open the door to other things in the future, yet will also keep this tool simple.

EDIT: Answered my own question. I'm going to give this a go with NMAP and see how it works.

[woodruffw]

What are everyone's thoughts on adding nmap to the stack? This would be a great tool and can open the door to other things in the future, yet will also keep this tool simple.

I have a slight preference for not adding nmap, since it's not HTTP-specific and takes us further away from twa being "tiny".

That being said, adding it as an optional dependency in the same way that we handle testssl would be fine. So, a user could do something like this:

twa -n

to run nmap-based checks.

[MadhuMadhavanSridhar]

Hi woodruffw,
Good day!
Some WAFs can be identified from the GET requests using the cookie details or the responses. But for detecting most of the WAFs I think you might need support of either Nmap or Wafw00f scripts. I can add a feature for identifying WAFs based on the cookie details or the responses but this will detect only a few WAFs.

[woodruffw]

@MadhuMadhavanSridhar That makes sense. I'm okay with only detecting a few (with cookies) for now -- allowing future contributors to add optional nmap based checks seems reasonable to me.