Index: http-waf-detect.nse
===================================================================
--- http-waf-detect.nse (revision 24045)
+++ http-waf-detect.nse (working copy)
@@ -11,9 +11,12 @@
* Barracuda Web Application Firewall
* PHPIDS
* dotDefender
+ * Imperva Web Firewall
+ * Blue Coat SG 400
Since the majority of IDS/IPS/WAF's protect web applications in the same way,
- it is likely that this script detects a lot more of these IDS/IPS/WAFs solutions.
+ it is likely that this script detects a lot more of these IDS/IPS/WAFs solutions. It is important to note that this script will not detect
+ products that do not alter the http traffic.
]]
---
@@ -43,8 +46,8 @@
portrule = shortport.http
local attack_vectors_n1 = {"?p4yl04d=../../../../../../../../../../../../../../../../../etc/passwd",
- "?p4yl04d=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables",
- "?p4yl04d="}
+ "?p4yl04d2=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables",
+ "?p4yl04d3="}
local attack_vectors_n2 = {"?p4yl04d=cat /etc/shadow", "?p4yl04d=id;uname -a", "?p4yl04d=",
"?p4yl04d=' OR 'A'='A", "?p4yl04d=http://google.com", "?p4yl04d=http://evilsite.com/evilfile.php",
@@ -59,6 +62,7 @@
--get original response from a "good" request
orig_req = http.get(host, port, path)
+ orig_req.body = http.clean_404(orig_req.body)
if orig_req.status and orig_req.body then
stdnse.print_debug(2, "Normal HTTP response -> Status:%d Body:\n%s", orig_req.status, orig_req.body)
else
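Review bot: The added `orig_req.body = http.clean_404(orig_req.body)` runs before the `orig_req.status and orig_req.body` check on the next line, so when the baseline request failed and `body` is nil the cleaner receives nil; unless http.clean_404 is known to tolerate a nil body, that raises before the existing error branch can report the failed request. Guarding it keeps the nil check meaningful: `if orig_req.body then orig_req.body = http.clean_404(orig_req.body) end`. The same ordering applies to the `res.body = http.clean_404(res.body)` line in the last hunk, which also precedes its `res.status and res.body` check. The enclosing action function starts and ends outside this hunk.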
@@ -75,17 +79,19 @@
--perform the "3v1l" requests to try to trigger the IDS/IPS/WAF
tests = nil
for _, vector in pairs(attack_vectors_n1) do
+ stdnse.print_debug(1, "Probing with payload:%s",vector)
tests = http.pipeline_add(path..vector, nil, tests)
end
local test_results = http.pipeline_go(host, port, tests)
if test_results == nil then
- return "[ERROR] HTTP requests are empty. This should not happen."
+ return "[ERROR] HTTP request table is empty. This should not ever happen because we at least made one request."
end
--get results
local waf_bool = false
for i, res in pairs(test_results) do
+ res.body = http.clean_404(res.body)
if orig_req.status ~= res.status or orig_req.body ~= res.body then
stdnse.print_debug(1, "Payload:%s trigerred the IDS/IPS/WAF", attack_vectors_n1[i])
if res.status and res.body then
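Review bot: After `res.body = http.clean_404(res.body)` the comparison on the next line still treats any residual per-request variation as a trigger, and clean_404 presumably only strips the volatile elements it knows about, so pages with per-request tokens or counters would be reported as an IDS/IPS/WAF; a comment there such as `-- clean_404 only strips known-volatile content; remaining differences are treated as a trigger` would record that false-positive risk. The new debug message `"Probing with payload:%s"` also lacks a space after the colon, unlike the other debug strings in the hunk. The enclosing action function starts and ends outside this hunk.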