Index: http-waf-detect.nse =================================================================== --- http-waf-detect.nse (revision 24045) +++ http-waf-detect.nse (working copy) @@ -11,9 +11,12 @@ * Barracuda Web Application Firewall * PHPIDS * dotDefender + * Imperva Web Firewall + * Blue Coat SG 400 Since the majority of IDS/IPS/WAF's protect web applications in the same way, - it is likely that this script detects a lot more of these IDS/IPS/WAFs solutions. + it is likely that this script detects a lot more of these IDS/IPS/WAFs solutions. It is important to note that this script will not detect + products that do not alter the http traffic. ]] --- @@ -43,8 +46,8 @@ portrule = shortport.http local attack_vectors_n1 = {"?p4yl04d=../../../../../../../../../../../../../../../../../etc/passwd", - "?p4yl04d=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables", - "?p4yl04d="} + "?p4yl04d2=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables", + "?p4yl04d3="} local attack_vectors_n2 = {"?p4yl04d=cat /etc/shadow", "?p4yl04d=id;uname -a", "?p4yl04d=", "?p4yl04d=' OR 'A'='A", "?p4yl04d=http://google.com", "?p4yl04d=http://evilsite.com/evilfile.php", @@ -59,6 +62,7 @@ --get original response from a "good" request orig_req = http.get(host, port, path) + orig_req.body = http.clean_404(orig_req.body) if orig_req.status and orig_req.body then stdnse.print_debug(2, "Normal HTTP response -> Status:%d Body:\n%s", orig_req.status, orig_req.body) else 
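Review bot: The renamed parameters `p4yl04d2`/`p4yl04d3` in attack_vectors_n1 are not mirrored in attack_vectors_n2, which still sends every probe as `?p4yl04d=`; the diff gives no reason for the rename, but if the intent is that each probe uses a distinct parameter name, the second list was left behind. The new lines also keep raw spaces inside the query string (`1 UNION ALL SELECT 1,2,3,table_name FROM ...`), and unless http.pipeline_add percent-encodes the path (not visible here) the request line is malformed and many servers answer 400 on their own, which the status comparison later in the script counts as a WAF hit. I would send `"?p4yl04d2=1%20UNION%20ALL%20SELECT%201,2,3,table_name%20FROM%20information_schema.tables"` so that a differing response is attributable to the payload rather than to a bad request line.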
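Review bot: `orig_req.body = http.clean_404(orig_req.body)` runs before the `if orig_req.status and orig_req.body then` guard on the very next line, so in the case that guard exists for (the baseline request came back without a body) clean_404 is handed nil; unless clean_404 tolerates nil, which is not visible here, the script errors out instead of reaching the `else` branch. Guard the normalisation, `if orig_req.body then orig_req.body = http.clean_404(orig_req.body) end`, or move it inside the `if`. Note also that the debug print below now shows the cleaned body rather than the raw response, which is worth a one-line comment such as `-- body is normalised with clean_404 so that per-request noise (dates, ids) does not look like a WAF response`.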
@@ -75,17 +79,19 @@ --perform the "3v1l" requests to try to trigger the IDS/IPS/WAF tests = nil for _, vector in pairs(attack_vectors_n1) do + stdnse.print_debug(1, "Probing with payload:%s",vector) tests = http.pipeline_add(path..vector, nil, tests) end local test_results = http.pipeline_go(host, port, tests) if test_results == nil then - return "[ERROR] HTTP requests are empty. This should not happen." + return "[ERROR] HTTP request table is empty. This should not ever happen because we at least made one request." end --get results local waf_bool = false for i, res in pairs(test_results) do + res.body = http.clean_404(res.body) if orig_req.status ~= res.status or orig_req.body ~= res.body then stdnse.print_debug(1, "Payload:%s trigerred the IDS/IPS/WAF", attack_vectors_n1[i]) if res.status and res.body then
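Review bot: `res.body = http.clean_404(res.body)` has the same ordering problem as the baseline request: it runs before `if res.status and res.body then`, so a pipeline entry that came back without a body (failed or timed-out request) reaches clean_404 with nil; I would write `if res.body then res.body = http.clean_404(res.body) end`. A failed entry also has nil status, and `orig_req.status ~= res.status or orig_req.body ~= res.body` then reports it as a WAF trigger, so the detection conflates transport failures with filtering. The empty-payload probe `?p4yl04d3=` in attack_vectors_n1 could instead act as a control: if that request already differs from the baseline, the target varies its response on any unknown parameter and the other differences should not be attributed to a WAF. The rewritten error string says the request table is empty "because we at least made one request", but if pipeline_go also returns nil on a connection failure (I cannot confirm that from here) the message misdiagnoses the common case; a neutral wording such as `"[ERROR] HTTP pipeline returned no results (connection failure or empty request table)."` avoids that.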