EnableSecurity / wafw00f

WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
https://www.enablesecurity.com/
BSD 3-Clause "New" or "Revised" License

Add support for akamai waf #69

Closed PacodiazDG closed 5 years ago

PacodiazDG commented 5 years ago

Akamai WAF:

https://www.paypal.com/mx/home?cds=ccds%3C%3Cscript%3E


modsecurity fingerprint based on the rules

/?phpsessid=asdfdasfadsads

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/f844b8510beb619ebad0d17d23a6dac08c1bd62d/util/regression-tests/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml


https://github.com/EnableSecurity/wafw00f/blob/d0f0a2144426516d9c4a8e377526d5269098ee8f/wafw00f/plugins/modsecurity.py#L17


if response.reason == 'ModSecurity Action' and response.status == 403:

0xInfection commented 5 years ago

Thanks for pulling this up, the modsecurity part is a minor bug. It'll be resolved via #67.

0xInfection commented 5 years ago

For the Akamai WAF, it has already been included in #67, but for the ModSecurity fingerprint I am not able to reproduce the attack vector technique on 3+ sites running ModSecurity. I do presume that the test GET request is supposed to trigger the WAF, but actually it's not being reproduced on the sites found in the wild.

sandrogauci commented 5 years ago

#67 should do it. Thanks @Pacodiaz2g, @0xInfection

duraki commented 4 years ago

Akamai is sometimes not detected, i.e. it is now obscured, since Apache takes the lead.

POST /getstorelocatoraddress.json HTTP/1.1
Host: *
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.superdrug.com/no-referrer
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-csrf-token: 1849b727-47fe-402c-8a31-69af0a2487e2
Origin: https://www.superdrug.com
Content-Length: 23
Connection: close
Cookie: ...
DNT: 1

q=&country=GB&services=

Response:

HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
...

{"pagination":{"pageSize":0,"sort":...}

In case when body payload is:

q=" and 1=1--&country=GB&services=

AkamaiGHost is visible in the response, so it requires permutation on the given URL. Didn't open a new issue since I don't know if this is a normal occurrence.

Response:

HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 298
Expires: Tue, 11 Aug 2020 19:47:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 11 Aug 2020 19:47:03 GMT
Connection: close
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=4

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>

You don't have permission to access "http&#58;&#47;&#47;www&#46;*&#46;com&#47;*&#46;json" on this server.<P>
Reference&#32;&#35;18&#46;745b6068&#46;1597175223&#46;24f2341c
</BODY>
</HTML>
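The two fingerprints discussed in this thread, the `403` + `ModSecurity Action` reason phrase quoted from wafw00f's modsecurity plugin and the `Server: AkamaiGHost` / "Access Denied" block page in the exchange above, can be checked against a benign and an attack response side by side. The following is an added example written for this page, not wafw00f's own plugin code; the `Response` class, `parse_response`, the reference-id regex and the sample responses (trimmed and constructed from the ones pasted above, with the hostname replaced) are all assumptions of the example. It shows why a WAF that lets the origin's `Server: Apache` through on a clean request only becomes visible once a payload trips it:

```python
import html
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal view of an HTTP response: the parts a fingerprint check inspects."""
    status: int
    reason: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def parse_response(raw: str) -> Response:
    """Parse a raw HTTP/1.x response (like the ones pasted in this thread)."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)                 # "HTTP/1.1 403 Forbidden"
    reason = parts[2] if len(parts) > 2 else ""    # reason phrase is optional
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), value.strip())  # first value wins (Server-Timing repeats)
    return Response(int(parts[1]), reason.strip(), headers, body)


# Akamai block pages carry a reference id of the form #xx.xxxxxxxx.<epoch>.xxxxxxxx;
# HTML entities (&#35; etc.) are decoded before matching. Pattern is an assumption of this example.
AKAMAI_REFERENCE = re.compile(
    r"Reference\s*#\s*[0-9a-f]{2}\.[0-9a-f]{8}\.\d{10}\.[0-9a-f]{8}", re.I)


def looks_like_akamai(resp: Response) -> bool:
    """Server: AkamaiGHost, or the standard 'Access Denied' page with a reference id."""
    if "akamaighost" in resp.header("Server").lower():
        return True
    body = html.unescape(resp.body)
    return "<title>access denied</title>" in body.lower() and bool(AKAMAI_REFERENCE.search(body))


def looks_like_modsecurity(resp: Response) -> bool:
    """The signal quoted from wafw00f's modsecurity plugin: 403 with a custom reason phrase."""
    return resp.status == 403 and resp.reason == "ModSecurity Action"


PROBES = {"Akamai": looks_like_akamai, "ModSecurity": looks_like_modsecurity}


def fingerprint(benign: Response, attack: Response) -> dict:
    """Run each probe on both responses and report where the WAF became visible.

    Returns {waf_name: "benign" | "attack"}. A WAF that only appears under
    "attack" is sitting silently in front of the origin until a payload trips it."""
    seen = {}
    for name, probe in PROBES.items():
        if probe(benign):
            seen[name] = "benign"
        elif probe(attack):
            seen[name] = "attack"
    return seen


# Constructed samples, trimmed from the exchange pasted in this thread.
BENIGN = parse_response("""HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN

{"pagination":{"pageSize":0}}""")

AKAMAI_BLOCK = parse_response("""HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Content-Type: text/html
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=4

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
You don't have permission to access "http&#58;&#47;&#47;www&#46;example&#46;com&#47;x&#46;json" on this server.<P>
Reference&#32;&#35;18&#46;745b6068&#46;1597175223&#46;24f2341c
</BODY></HTML>""")

# Constructed: a ModSecurity block where the proxy hides Server but keeps the reason phrase.
MODSEC_BLOCK = parse_response("""HTTP/1.1 403 ModSecurity Action
Content-Type: text/html

<h1>Forbidden</h1>""")

if __name__ == "__main__":
    print(fingerprint(BENIGN, AKAMAI_BLOCK))   # {'Akamai': 'attack'}
    print(fingerprint(BENIGN, MODSEC_BLOCK))   # {'ModSecurity': 'attack'}
```

The Akamai check deliberately does not rely on the `Server` header alone: the block page's title and reference id are matched after entity-decoding, so a deployment that rewrites `Server` is still caught, while a clean `200` from the origin never matches either signal.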
0xInfection commented 4 years ago

Hi @duraki, So far in my research I have observed that Akamai will trigger on GET requests too, so any non existent URLs with any random payload should also trigger the WAF. If this seems a new variant, I'll look into it. Thanks for this. =)

sandrogauci commented 4 years ago

@duraki could you provide us with the wafw00f command that you're running to reproduce the issue?

I'm using v2.1.0, running wafw00f https://yourtarget/getstorelocatoraddress.json and see the following:

[*] Checking https://yourtarget/getstorelocatoraddress.json
[+] The site https://yourtarget/getstorelocatoraddress.json is behind Kona SiteDefender (Akamai) WAF.
[~] Number of requests: 2

Of course it is not sending a POST request like you are.

duraki commented 4 years ago

Ah crap! Forget it. Just did history | grep wafw00f and saw I passed a wrong DNS. Sorry guys, must be lack of caffeine.

0xInfection commented 4 years ago

No problem mate, happens to the best of us. Feel free to ping if you run into further problems. ;)