Closed PacodiazDG closed 5 years ago
Thanks for pulling this up, the modsecurity part is a minor bug. It'll be resolved via #67.
For the Akamai WAF, it has already been included in #67, but for the Mod Security fingerprint I am not being able to reproduce the attack vector technique on 3+ sites running Mod Security. I do presume that the test GET request is supposed to trigger the WAF, but actually its not being reproduced on the sites found in the wild.
Akamai is sometimes not detected. Ie. it is now obscured, since Apache takes a lead.
POST /getstorelocatoraddress.json HTTP/1.1
Host: *
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.superdrug.com/no-referrer
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-csrf-token: 1849b727-47fe-402c-8a31-69af0a2487e2
Origin: https://www.superdrug.com
Content-Length: 23
Connection: close
Cookie: ...
DNT: 1
q=&country=GB&services=
Response:
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
...
{"pagination":{"pageSize":0,"sort":...}
In case when body payload is:
q=" and 1=1--&country=GB&services=
AkamaiGhost is visible in the response, so it requires permutation on the given URL. Didn't open a new issue since I don't know if this is normal occurence.
Response:
HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 298
Expires: Tue, 11 Aug 2020 19:47:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 11 Aug 2020 19:47:03 GMT
Connection: close
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=4
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
You don't have permission to access "http://www.*.com/*.json" on this server.<P>
Reference #18.745b6068.1597175223.24f2341c
</BODY>
</HTML>
Hi @duraki, So far in my research I have observed that Akamai will trigger on GET requests too, so any non existent URLs with any random payload should also trigger the WAF. If this seems a new variant, I'll look into it. Thanks for this. =)
@duraki could you provide us with the wafw00f command that you're running to reproduce the issue?
I'm using v2.1.0, running wafw00f https://yourtarget/getstorelocatoraddress.json
and see the following:
[*] Checking https://yourtarget/getstorelocatoraddress.json
[+] The site https://yourtarget/getstorelocatoraddress.json is behind Kona SiteDefender (Akamai) WAF.
[~] Number of requests: 2
Of course it is not sending a POST request like you are.
Ah crap! Forget it. Just did history | grep wafw00f
and saw I passed a wrong DNS. Sorry guys, must be lack of caffeine.
No problem mate, happens to the best of us. Feel free to ping if you run into further problems. ;)
Akamai Waf:
https://www.paypal.com/mx/home?cds=ccds%3C%3Cscript%3E
modsecurity fingerprint based on the rules
/?phpsessid=asdfdasfadsads
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/f844b8510beb619ebad0d17d23a6dac08c1bd62d/util/regression-tests/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
https://github.com/EnableSecurity/wafw00f/blob/d0f0a2144426516d9c4a8e377526d5269098ee8f/wafw00f/plugins/modsecurity.py#L17
if response.reason == 'ModSecurity Action' and response.status == 403: