2.1.2 WAF Recon

What is WAF?

WAF stands for "Web Application Firewall." It is a security solution designed to protect web applications from a variety of online threats and attacks. Web applications are software applications that run on web servers and are accessible via web browsers. Examples of web applications include online stores, social media platforms, online banking sites, and more.

A Web Application Firewall works by analyzing incoming and outgoing HTTP/HTTPS requests to a web application. It aims to identify and mitigate various types of attacks that could exploit vulnerabilities in the application's code or configuration. Some of the common types of attacks that WAFs help prevent include:

• SQL Injection: Attackers attempt to insert malicious SQL statements into input fields to manipulate or extract data from a database.

• Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages viewed by other users, potentially leading to the theft of sensitive data or the hijacking of user sessions.

• Cross-Site Request Forgery (CSRF): Attackers trick users into performing actions on a web application without their consent or knowledge.

• Remote File Inclusion (RFI) and Local File Inclusion (LFI): Attackers attempt to include malicious files on the server to execute arbitrary code or access sensitive information.

• Brute Force Attacks: Attackers repeatedly try different username and password combinations to gain unauthorized access to an application.

• OWASP Top Ten Vulnerabilities: WAFs help address vulnerabilities listed in the OWASP Top Ten, a well-known list of the most critical web application security risks.

WAFW00F

The scope of WAFW00F is to help security professionals, penetration testers, and web developers identify whether a target website is behind a WAF and potentially gather information about the specific WAF being used. This information can be valuable for assessing the security posture of a web application and understanding its defensive measures.

WAFW00F works by sending specially crafted HTTP requests to a target website and analyzing the responses. Based on patterns, headers, and behavior in the responses, it attempts to determine whether a WAF is in place and, if possible, provide information about the WAF vendor or technology. It can also help identify bypass techniques that attackers might use to evade detection by the WAF.

wafw00f -h
Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         Enable verbosity, multiple -v options increase
                        verbosity
  -a, --findall         Find all WAFs which match the signatures, do not stop
                        testing on the first one
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -o OUTPUT, --output=OUTPUT
                        Write output to csv, json or text file depending on
                        file extension. For stdout, specify - as filename.
  -f FORMAT, --format=FORMAT
                        Force output format to csv, json or text.
  -i INPUT, --input-file=INPUT
                        Read targets from a file. Input format can be csv,
                        json or text. For csv and json, a `url` column name or
                        element is required.
  -l, --list            List all WAFs that WAFW00F is able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, examples:
                        http://hostname:8080, socks5://hostname:1080,
                        http://user:pass@hostname:8080
  -V, --version         Print out the current version of WafW00f and exit.
  -H HEADERS, --headers=HEADERS
                        Pass custom headers via a text file to overwrite the
                        default header set.