Closed thansk closed 2 years ago
@thansk you can check the rules for this waf https://github.com/EnableSecurity/wafw00f/blob/master/wafw00f/plugins/siteground.py
my result:
[*] Checking https://riverdogdigital.com
[+] The site https://riverdogdigital.com is behind Wordfence (Defiant) WAF.
[~] Number of requests: 2
@thansk you can check the rules for this waf https://github.com/EnableSecurity/wafw00f/blob/master/wafw00f/plugins/siteground.py
my result:
[*] Checking https://riverdogdigital.com [+] The site https://riverdogdigital.com is behind Wordfence (Defiant) WAF. [~] Number of requests: 2
It seems to be IP dependent.
If I use the network of M247 (AS9009, commonly blocked) and open the website, I get redirected to /.well-known/captcha/
and see this:
If I try to detect it using wafw00f, I get the generic WAF response.
If I use another network that's not banned and open the website, the home page loads and if I try to detect it using wafw00f, I get the same response as you - Wordfence.
@thansk maybe wafw00f does not support redirecting if the response is 200 you can try creating a custom plugin and try
@thansk can't reproduce the issue since I don't have an IP that is on their disallow list. I get a similar result to @foozzi (hi btw).
I would like to see how https://riverdogdigital.com redirects. Can you share the headers and body you get when it redirects to the captcha URL please?
can be done as follows:
curl https://riverdogdigital.com/.well-known/captcha/ -i -o sharethis.txt
Hi,
I assume the IP/network was removed from the blacklist by Siteground as now I can't get to the captcha page at all. I've also tried on other websites that use Siteground and gave me the captcha before like blog.inspirock.com and I get send back to the home page (302 with location set to the home page).
I waited a few days before commenting to see if anything changes but no.
I will close this for now and will reopen if I find something.
I managed to reproduce it again on multiple websites. There is no particular header that indicates a WAF or in particular SiteGround's WAF but a meta redirect tag in the returned HTML is the clear sign there is one.
<html><meta http-equiv="refresh" content="0;/.well-known/captcha/"></meta></head></html>
I am not going to reopen the issue as you mentioned that wafw00f does not support redirects (although this might be considered content and possible with https://github.com/EnableSecurity/wafw00f/blob/master/wafw00f/main.py#L215 but I am not sure) but I thought it might be useful for @sandrogauci or anyone else reading this issue.
Here is another mention of that same WAF in an unrelated context: https://community.cloudflare.com/t/apo-and-our-system-thinks-you-might-be-a-robot-siteground-message/232361/3
Describe the bug Using the base domain of a Siteground protected application, wafw00f doesn't detect it. Opening an URL with Siteground WAF redirects to /.well-known/captcha which if used in wafw00f detects Siteground
To Reproduce
wafw00f https://riverdogdigital.com
wafw00f https://riverdogdigital.com/.well-known/captcha/
Expected behavior Maybe redirects should be followed?
Screenshots N/A
Desktop (please complete the following information): Python 3.9.7
Debug output Paste the output that you get when passing
-vv
to wafw00f. Example:Additional context N/A