WAF detection - Githubissues

trailofbits / twa

A tiny web auditor with strong opinions.

https://trailofbits.github.io/twa

MIT License

585 stars 53 forks source link

WAF detection #69

Open woodruffw opened 5 years ago

woodruffw commented 5 years ago

It might be interesting to add some Web Application Firewall detection techniques. I don't know much about WAFs, but it looks like there are some common oracles:

Known cookies
Known weird HTTP codes (999 No Hacking)
Known HTML responses

Some potential resources:

https://www.owasp.org/images/b/bf/OWASP_Stammtisch_Frankfurt_WAF_Profiling_and_Evasion.pdf
https://www.securitynewspaper.com/2018/12/04/detect-web-application-firewall-waf-before-you-attack/ (looks like there's an nmap script for WAF detection)

karanb192 commented 4 years ago

Hi woodruffw,

I just tried the tool and it is pretty quick and I want to contribute to WAF detection.

woodruffw commented 4 years ago

Please do!

Sent from mobile. Please excuse my brevity.

On Jan 19, 2020, at 9:32 AM, Karan Bansal notifications@github.com wrote:

Hi woodruffw,

I just tried the tool and it is pretty quick and I want to contribute to WAF detection.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

rickconlee commented 4 years ago

I’d like to jump in on this too! I have some WAF experience from doing manual audits for site clients. I’ll take a look while I’m sitting here in quarantine.

rickconlee commented 4 years ago

What are everyone's thoughts on adding nmap to the stack? This would be a great tool and can open the door to other things in the future, yet will also keep this tool simple.

EDIT: Answered my own question. I'm going to give this a go with NMAP and see how it works.

woodruffw commented 4 years ago

What are everyone's thoughts on adding nmap to the stack? This would be a great tool and can open the door to other things in the future, yet will also keep this tool simple.

I have a slight preference for not adding nmap, since it's not HTTP-specific and takes us further away from twa being "tiny".

That being said, adding it as an optional dependency in the same way that we handle testssl would be fine. So, a user could do something like this:

twa -n

to run nmap-based checks.

MadhuMadhavanSridhar commented 3 years ago

Hi woodruffw, Good day! Some WAFs can be identified from the GET requests using the cookie details or the responses. But for detecting most of the WAFs I think you might need support of either Nmap or Wafw00f scripts. I can add a feature for identifying WAFs based on the cookie details or the responses but this will detect only a few WAFs.

woodruffw commented 3 years ago

@MadhuMadhavanSridhar That makes sense. I'm okay with only detecting a few (with cookies) for now -- allowing future contributors to add optional nmap based checks seems reasonable to me.