Multiple WAF identification

Ekultek commented 6 years ago

What's the problem (or question)?

Not entirely sure if this is an issue, but it is somewhat of an annoyance, identifying multiple WAF's in one run

Do you have an idea for a solution?

Only identify a single WAF at a time instead of multiple, since only one is going to be blocking the request, and the other will be a backup for further requests

How can we reproduce the issue?

n/a

What are the running context details?

Installation method (e.g. pip, apt-get, git clone or zip/tar.gz):
Client OS (e.g. Microsoft Windows 10) Ubuntu 17.04
Program version (python sqlmap.py --version or sqlmap --version depending on installation): Latest
Target DBMS (e.g. Microsoft SQL Server): n/a
Detected WAF/IDS/IPS protection (e.g. ModSecurity or unknown): BIG-IP, URL scan
SQLi techniques found by sqlmap (e.g. error-based and boolean-based blind): n/a
Results of manual target assessment (e.g. found that the payload query=test' AND 4113 IN ((SELECT 'foobar'))-- qKLV works): n/a

Relevant console output (if any): (the IP address is to a proxy, not the application)

[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'CloudFront (Amazon)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'FortiWeb Web Application Firewall (Fortinet)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'TrafficShield (F5 Networks)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'Safedog Web Application Firewall (Safedog)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'Comodo Web Application Firewall (Comodo)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'Safe3 Web Application Firewall'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'Barracuda Web Application Firewall (Barracuda Networks)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'KONA Security Solutions (Akamai Technologies)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'ExpressionEngine (EllisLab)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'SecureIIS Web Server Security (BeyondTrust)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'CloudProxy WebSite Firewall (Sucuri)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product '360 Web Application Firewall (360)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'DOSarrest (DOSarrest Internet Security)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'UTM Web Protection (Sophos)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'dotDefender (Applicure Technologies)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'Amazon Web Services Web Application Firewall (Amazon)'
[11:24:40] [DEBUG] checking for WAF/IPS/IDS product 'webApp.secure (webScurity)'
|S-chain|-<>-127.0.0.1:9050-<><>-181.174.103.130:1080-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-181.174.103.130:1080-<><>-OK
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'IBM WebSphere DataPower (IBM)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'Cisco ACE XML Gateway (Cisco Systems)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'UrlScan (Microsoft)'
** [11:24:46] [CRITICAL] WAF/IPS/IDS identified as 'UrlScan (Microsoft)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'USP Secure Entry Server (United Security Providers)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'ISA Server (Microsoft)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'AppWall (Radware)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'BlockDoS'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'BinarySEC Web Application Firewall (BinarySEC)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'SEnginx (Neusoft Corporation)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'SonicWALL (Dell)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'Hyperguard Web Application Firewall (art of defence)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'Armor Protection (Armor Defense)'
[11:24:46] [DEBUG] checking for WAF/IPS/IDS product 'Proventia Web Application Security (IBM)'
|S-chain|-<>-127.0.0.1:9050-<><>-181.174.103.130:1080-<><>-OK
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'NAXSI (NBS System)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Yunjiasu Web Application Firewall (Baidu)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Yundun Web Application Firewall (Yundun)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'KS-WAF (Knownsec)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Deny All Web Application Firewall (DenyAll)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'ASP.NET RequestValidationMode (Microsoft)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Varnish FireWall (OWASP)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'NetScaler (Citrix Systems)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Palo Alto Firewall (Palo Alto Networks)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'EdgeCast WAF (Verizon)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'CloudFlare Web Application Firewall (CloudFlare)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Wordfence (Feedjit)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Profense Web Application Firewall (Armorlogic)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'WebKnight Application Firewall (AQTRONIX)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'NSFOCUS Web Application Firewall (NSFOCUS)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Jiasule Web Application Firewall (Jiasule)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Stingray Application Firewall (Riverbed / Brocade)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'ModSecurity: Open Source Web Application Firewall (Trustwave)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'TrueShield Web Application Firewall (SiteLock)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Newdefend Web Application Firewall (Newdefend)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Wallarm Web Application Firewall (Wallarm)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Tencent Cloud Web Application Firewall (Tencent Cloud Computing)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Yunsuo Web Application Firewall (Yunsuo)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'BIG-IP Application Security Manager (F5 Networks)'
** [11:24:49] [CRITICAL] WAF/IPS/IDS identified as 'BIG-IP Application Security Manager (F5 Networks)'
[11:24:49] [DEBUG] checking for WAF/IPS/IDS product 'Anquanbao Web Application Firewall (Anquanbao)'

Exception traceback (if any): n/a

My idea is to only identify the WAF that is blocking the request at that time, and identify the secondary WAF if one exists when it starts blocking the requests (might be somewhat ambiguous)

stamparm commented 6 years ago

With the latest patch solved the issue with "BIG-IP". As of "multiple WAF" identification, some users prefer to find out which protection layers are in between.

I agree with you that only the reactive one should be identified. Please report back if you see any other case (like the BIG-IP) in future and I'll try to "patch" it accordingly.

Ekultek commented 6 years ago

On top of this, what if you checked the length of the retval before outputting and warned that multiple firewall instances have been found, and only output the first tested? del retval[retval.index(retval[1])] so that only one is considered (you also have the PRIORITY so you could use that to your advantage?

On second thought this might be a lot of work, not sure if you're WAF retval is a list or string..

stamparm commented 6 years ago

You are over-complicating this. Those tests are just indicators. Not sure what's the current problem, if any.

Sorry, stays as it is.

Ekultek commented 6 years ago

Fair enough, thank man

On Nov 27, 2017, at 5:04 PM, Miroslav Stampar notifications@github.com wrote:

You are over-complicating this. Those tests are just indicators. Not sure what's the current problem, if any.

Sorry, stays as it is.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

sqlmapproject / sqlmap