local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local string = require "string"
local table = require "table"
local url = require "url"
description = [[
Tries to detect the presence of a web application firewall and its type and
version.
This works by sending a number of requests and looking in the responses for
known behavior and fingerprints such as Server header, cookies and headers
values. Intensive mode works by sending additional WAF specific requests to
detect certain behaviour.
Credit to wafw00f and w3af for some fingerprints.
]]
---
-- @args http-waf-fingerprint.root The base path. Defaults to /
.
-- @args http-waf-fingerprint.intensive If set, will add WAF specific scans,
-- which takes more time. Off by default.
--
-- @usage
-- nmap --script=http-waf-fingerprint
-- nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.intensive=1
--
--@output
--PORT STATE SERVICE REASON
--80/tcp open http syn-ack
--| http-waf-fingerprint:
--| Detected WAF
--|_ BinarySec version 3.2.2
author = "Hani Benhabiles"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"}
--
-- Version 0.1:
-- - Initial version based on work done with wafw00f and w3af.
-- - Removed many false positives.
-- - Added fingeprints for WAFs such as Incapsula WAF, Cloudflare, USP-SES,
-- Cisco ACE XML Gateway and ModSecurity.
-- - Added fingerprints and version detection for Webknight and BinarySec,
-- Citrix Netscaler and ModSecurity
--
-- Version 0.2:
-- - Added intensive mode.
-- - Added fingerprints for Naxsi waf in intensive mode.
--
-- TODO: Fingerprints for other WAFs
--
portrule = shortport.service("http")
-- Each WAF has a table with name, version and detected keys
-- as well as a match function.
-- HTTP Responses are passed to match function which will alter detected
-- and version values after analyzing responses if adequate fingerprints
-- are found.
local bigip
bigip = {
name = "F5 BigIP",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header['x-cnection'] then
stdnse.print_debug("%s BigIP detected through X-Cnection header.", SCRIPT_NAME)
bigip.detected = true
return
end
if response.header.server == 'BigIP' then --
stdnse.print_debug("%s BigIP detected through Server header.", SCRIPT_NAME)
bigip.detected = true
return
end
for _, cookie in pairs(response.cookies) do --
if string.find(cookie.name, "BIGipServer") then
stdnse.print_debug("%s BigIP detected through cookies.", SCRIPT_NAME)
bigip.detected = true
return
end
-- Application Security Manager module
if string.match(cookie.name, 'TS%w+') and string.len(cookie.name) <= 8 then
stdnse.print_debug("%s F5 ASM detected through cookies.", SCRIPT_NAME)
bigip.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local webknight
webknight = {
name = "Webknight",
detected = false,
version = nil,
match = function(responses)
for name, response in pairs(responses) do
if response.header.server and string.find(response.header.server, 'WebKnight/') then --
stdnse.print_debug("%s WebKnight detected through Server Header.", SCRIPT_NAME)
webknight.version = string.sub(response.header.server, 11)
webknight.detected = true
return
end
if response.status == 999 then
if not webknight.detected then stdnse.print_debug("%s WebKnight detected through 999 response status code.", SCRIPT_NAME) end
webknight.detected = true
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local isaserver
isaserver = {
name = "ISA Server",
detected = false,
version = nil,
-- TODO Check if version detection is possible
-- based on the response reason
reason = {"Forbidden %( The server denied the specified Uniform Resource Locator %(URL%). Contact the server administrator. %)",
"Forbidden %( The ISA Server denied the specified Uniform Resource Locator %(URL%)"
},
match = function(responses)
for _, response in pairs(responses) do
for _, reason in pairs(isaserver.reason) do --
if http.response_contains(response, reason, true) then -- TODO Replace with something more performant
stdnse.print_debug("%s ISA Server detected through response reason.", SCRIPT_NAME)
isaserver.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local airlock
airlock = {
name = "Airlock",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
for _, cookie in pairs(response.cookies) do --
-- TODO Check if version detection is possible
-- based on the difference in cookies name
if cookie.name == "AL_LB" and string.sub(cookie.value, 1, 4) == '$xc/' then
stdnse.print_debug("%s Airlock detected through AL_LB cookies.", SCRIPT_NAME)
airlock.detected = true
return
end
if cookie.name == "AL_SESS" and (string.sub(cookie.value, 1, 5) == 'AAABL'
or string.sub(cookie.value, 1, 5) == 'LgEAA' )then
stdnse.print_debug("%s Airlock detected through AL_SESS cookies.", SCRIPT_NAME)
airlock.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local barracuda
barracuda = {
name = "Barracuda",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
for _, cookie in pairs(response.cookies) do
if cookie.name == "barra_counter_session" then
stdnse.print_debug("%s Barracuda detected through cookies.", SCRIPT_NAME)
barracuda.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local denyall
denyall = {
name = "Denyall",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
for _, cookie in pairs(response.cookies) do
-- TODO Check accuracy
if cookie.name == "sessioncookie" then
stdnse.print_debug("%s Denyall detected through cookies.", SCRIPT_NAME)
denyall.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local f5trafficshield
f5trafficshield = {
name = "F5 Traffic Shield",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
-- TODO Check for version detection possibility
-- based on the cookie name / server header presence
if response.header.server == "F5-TrafficShield" then
stdnse.print_debug("%s F5 Traffic Shield detected through Server header.", SCRIPT_NAME)
f5trafficshield.detected = true
return
end
for _, cookie in pairs(response.cookies) do
if cookie.name == "ASINFO" then
stdnse.print_debug("%s F5 Traffic Shield detected through cookies.", SCRIPT_NAME)
f5trafficshield.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local teros
teros = {
name = "Teros / Citrix Application Firewall Enterprise", -- CAF EX, according to citrix documentation
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
for _, cookie in pairs(response.cookies) do
if cookie.name == "st8id" or cookie.name == "st8_wat" or cookie.name == "st8_wlf" then
stdnse.print_debug("%s Teros / CAF detected through cookies.", SCRIPT_NAME)
teros.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local binarysec
binarysec = {
name = "BinarySec",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header.server and string.find(response.header.server, 'BinarySEC/') then --
stdnse.print_debug("%s BinarySec detected through Server Header.", SCRIPT_NAME)
binarysec.version = string.sub(response.header.server, 11)
binarysec.detected = true
return
end
if response.header['x-binarysec-via'] or response.header['x-binarysec-nocache']then
if not binarysec.detected then stdnse.print_debug("%s BinarySec detected through header.", SCRIPT_NAME) end
binarysec.detected = true
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local profense
profense = {
name = "Profense",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header.server == 'Profense' then
stdnse.print_debug("%s Profense detected through Server header.", SCRIPT_NAME)
profense.detected = true
return
end
for _, cookie in pairs(response.cookies) do
if cookie.name == "PLBSID" then
stdnse.print_debug("%s Profense detected through cookies.", SCRIPT_NAME)
profense.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local netscaler
netscaler = {
name = "Citrix Netscaler",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
-- TODO Check for other version detection possibilities
-- based on fingerprint difference
if response.header.via and string.find(response.header.via, 'NS%-CACHE') then --
stdnse.print_debug("%s Citrix Netscaler detected through Via Header.", SCRIPT_NAME)
netscaler.version = string.sub(response.header.via, 10, 12)
netscaler.detected = true
return
end
if response.header.cneonction == "close" or response.header.nncoection == "close" then
if not netscaler.detected then stdnse.print_debug("%s Netscaler detected through Cneoction/nnCoection header.", SCRIPT_NAME) end
netscaler.detected = true
end
-- TODO Does X-CLIENT-IP apply to Citrix Application Firewall too ?
if response.header['x-client-ip'] then
if not netscaler.detected then stdnse.print_debug("%s Netscaler detected through X-CLIENT-IP header.", SCRIPT_NAME) end
netscaler.detected = true
end
for _, cookie in pairs(response.cookies) do
if cookie.name == "ns_af" or cookie.name == "citrix_ns_id" or
string.find(cookie.name, "NSC_") then
if not netscaler.detected then stdnse.print_debug("%s Netscaler detected through cookies.", SCRIPT_NAME) end
netscaler.detected = true
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local dotdefender
dotdefender = {
name = "dotDefender",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header['X-dotdefender-denied'] == "1" then
stdnse.print_debug("%s dotDefender detected through X-dotDefender-denied header.", SCRIPT_NAME)
dotdefender.detected = true
return
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local ibmdatapower
ibmdatapower = {
name = "IBM DataPower",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header['x-backside-transport'] then
stdnse.print_debug("%s IBM DataPower detected through X-Backside-Transport header.", SCRIPT_NAME)
ibmdatapower.detected = true
return
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local cloudflare
cloudflare = {
name = "Cloudflare",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header.server == 'cloudflare-nginx' then
stdnse.print_debug("%s Cloudflare detected through Server header.", SCRIPT_NAME)
cloudflare.detected = true
return
end
for _, cookie in pairs(response.cookies) do
if cookie.name == "__cfduid" then
stdnse.print_debug("%s Cloudflare detected through cookies.", SCRIPT_NAME)
cloudflare.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local incapsula
incapsula = {
name = "Incapsula WAF",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
for _, cookie in pairs(response.cookies) do
if string.find(cookie.name, 'incap_ses') or string.find(cookie.name, 'visid_incap') then
stdnse.print_debug("%s Incapsula WAF detected through cookies.", SCRIPT_NAME)
incapsula.detected = true
return
end
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local uspses
uspses = {
name = "USP Secure Entry Server",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header.server == 'Secure Entry Server' then
stdnse.print_debug("%s USP-SES detected through Server header.", SCRIPT_NAME)
uspses.detected = true
return
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local ciscoacexml
ciscoacexml = {
name = "Cisco ACE XML Gateway",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header.server == 'ACE XML Gateway' then
stdnse.print_debug("%s Cisco ACE XML Gateway detected through Server header.", SCRIPT_NAME)
ciscoacexml.detected = true
return
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local modsecurity
modsecurity = {
-- Credit to Brendan Coles
name = "ModSecurity",
detected = false,
version = nil,
match = function(responses)
for _, response in pairs(responses) do
if response.header.server and string.find(response.header.server, 'mod_security/') then
stdnse.print_debug("%s Modsecurity detected through Server Header.", SCRIPT_NAME)
local pos = string.find(response.header.server, 'mod_security/')
modsecurity.version = string.sub(response.header.server, pos + 13, pos + 18)
modsecurity.detected = true
return
end
if response.header.server and string.find(response.header.server, 'Mod_Security') then
stdnse.print_debug("%s Modsecurity detected through Server Header.", SCRIPT_NAME)
modsecurity.version = string.sub(response.header.server, 13, -9)
modsecurity.detected = true
return
end
-- The default SecServerSignature value is "NOYB" <= TODO For older versions, so we could
-- probably do some version detection out of it.
if response.header.server == 'NOYB' then
stdnse.print_debug("%s modsecurity detected through Server header.", SCRIPT_NAME)
modsecurity.detected = true
end
end
end,
intensive = function(host, port, root, responses)
end,
}
local naxsi
naxsi = {
name = "Naxsi",
detected = false,
version = nil,
match = function(responses)
end,
intensive = function(host, port, root, responses)
-- Credit to Henri Doreau
local response = http.get(host, port, root .. "?a=[") -- This shouldn't trigget the rules
local response2 = http.get(host, port, root .. "?a=[[[]]]][[[]") -- This should trigger the score based rules
if response.status ~= response2.status then
stdnse.print_debug("%s Naxsi detected through intensive scan.", SCRIPT_NAME)
naxsi.detected = true
end
return
end,
}
local wafs = {
-- WAFs that are commented out don't have reliable fingerprints
-- with no false positives yet.
bigip = bigip,
webknight = webknight,
isaserver = isaserver,
airlock = airlock,
barracuda = barracuda,
denyall = denyall,
f5trafficshield = f5trafficshield,
teros = teros,
binarysec = binarysec,
profense = profense,
netscaler = netscaler,
dotdefender = dotdefender,
ibmdatapower = ibmdatapower,
cloudflare = cloudflare,
incapsula = incapsula,
uspses = uspses,
ciscoacexml = ciscoacexml,
modsecurity = modsecurity,
naxsi = naxsi,
-- netcontinuum = netcontinuum,
-- secureiis = secureiis,
-- urlscan = urlscan,
-- beeware = beeware,
-- hyperguard = hyperguard,
-- websecurity = websecurity,
-- imperva = imperva,
-- ibmwas = ibmwas,
-- nevisProxy = nevisProxy,
-- genericwaf = genericwaf,
}
local send_requests = function(host, port, root)
local requests, all, responses = {}, {}, {}
local dirtraversal = "../../../etc/passwd"
local cleanhtml = "hello"
local xssstring = ""
local cmdexe = "cmd.exe"
-- Normal index
all = http.pipeline_add(root, nil, all, "GET")
table.insert(requests,"normal")
-- Normal inexisting
all = http.pipeline_add(root .. "asofKlj", nil, all, "GET")
table.insert(requests,"inexisting")
-- Invalid Method
all = http.pipeline_add(root, nil, all, "ASDE")
table.insert(requests,"invalidmethod")
-- Directory traversal
all = http.pipeline_add(root .. "?parameter=" .. dirtraversal, nil, all, "GET")
table.insert(requests,"invalidmethod")
-- Invalid Host
all = http.pipeline_add(root , {header= {Host = "somerandomsite.com"}}, all, "GET")
table.insert(requests,"invalidhost")
--Clean HTML encoded
all = http.pipeline_add(root .. "?parameter=" .. cleanhtml , nil, all, "GET")
table.insert(requests,"cleanhtml")
--Clean HTML
all = http.pipeline_add(root .. "?parameter=" .. url.escape(cleanhtml), nil, all, "GET")
table.insert(requests,"cleanhtmlencoded")
-- XSS
all = http.pipeline_add(root .. "?parameter=" .. xssstring, nil, all, "GET")
table.insert(requests,"xss")
-- XSS encoded
all = http.pipeline_add(root .. "?parameter=" .. url.escape(xssstring), nil, all, "GET")
table.insert(requests,"xssencoded")
-- cmdexe
all = http.pipeline_add(root .. "?parameter=" .. cmdexe, nil, all, "GET")
table.insert(requests,"cmdexe")
-- send all requests
local pipeline_responses = http.pipeline_go(host, port, all)
if not pipeline_responses then
stdnse.print_debug("%s No response from pipelined requests", SCRIPT_NAME)
return nil
end
-- Associate responses with requests names
for i, response in pairs(pipeline_responses) do
responses[requests[i]] = response
end
return responses
end
action = function(host, port)
local root = stdnse.get_script_args(SCRIPT_NAME .. '.root') or "/"
local intensive = stdnse.get_script_args(SCRIPT_NAME .. '.intensive')
local result = {"Detected WAF", {}}
-- We send requests
local responses = send_requests(host, port, root)
if not responses then
return nil
end
-- We iterate over wafs table passing the responses list to each function to analyze
-- the presence of any fingerprints.
for _, waf in pairs(wafs) do
waf.match(responses)
if intensive then waf.intensive(host, port, root, responses) end
if waf.detected then
if waf.version then
table.insert(result[2], waf.name .. " version " .. waf.version)
else
table.insert(result[2], waf.name)
end
end
end
if #result[2] > 0 then
return stdnse.format_output(true, result)
end
end