From 5bff99159273de16b91cbf0a81006cd50032cdec Mon Sep 17 00:00:00 2001
From: 0xInfection <theinfecteddrake@gmail.com>
Date: Mon, 18 Mar 2019 20:57:01 +0530
Subject: [PATCH] Added more fingerprints to precisely detect firewalls

---
 README.md | 131 +++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 85 insertions(+), 46 deletions(-)

diff --git a/README.md b/README.md
index b1ddb93..753a3e8 100644
--- a/README.md
+++ b/README.md
@@ -88,10 +88,10 @@ Wanna fingerprint WAFs? Lets see how.
                 <ul>
                     <li>Returns status code <code>493</code> upon unusual requests.</li>
                     <li>On viewing source-code of error page, you will find reference to <code>wzws-waf-cgi/</code> directory.</li>
-                    <li>Blocked response page source may contain:
+                    <li>Blocked response page source contains:
                     <ul>
                         <li>Reference to <code>wangshan.360.cn</code> URL.</li>
-                        <li><code>Sorry! Your access has been intercepted</code> text snippet.</li>
+                        <li><code>Sorry! Your access has been intercepted because your links may threaten website security.</code> text snippet.</li>
                     </ul>
                     <li>Response headers contain <code>X-Powered-By-360WZB</code> Header.</li>
                 </ul>
@@ -127,6 +127,30 @@ Wanna fingerprint WAFs? Lets see how.
                         <li><code>AL-SESS</code> cookie field name (case insensitive).</li>
                         <li><code>AL-LB</code> value (case insensitive).</li>
                     </ul>
+                    <li>Blocked response page contains:</li>
+                    <ul>
+                        <li><code>Server detected a syntax error in your request</code> text.</li>
+                        <li><code>Check your request and all parameters</code> text snippet.</li>
+                    </ul>
+                </ul>
+            </ul>
+        </td>
+    </tr>
+    <tr>
+        <td>
+            AlertLogic Firewall
+        </td>
+        <td>
+            <ul>
+                <li><b>Detectability:</b> Difficult</li>
+                <li><b>Detection Methodology:</b></li>
+                <ul>
+                    <li>Blocked response page contains:</li>
+                    <ul>
+                        <li><code>We are sorry, but the page you are looking for cannot be found</code> text snippet.</li>
+                        <li><code>The page has either been removed, renamed or temporarily unavailable</code> text.</li>
+                        <li><code>404 Not Found</code> in red letters.</li>
+                    </ul>
                 </ul>
             </ul>
         </td>
@@ -145,6 +169,7 @@ Wanna fingerprint WAFs? Lets see how.
                         <li><code>Sorry, your request has been blocked as it may cause potential threats to the server's security</code> text snippet.</li>
                         <li>Reference to <code>errors.aliyun.com</code> site URL.</li>
                     </ul>
+                    <li>Blocked response code returned is <code>405</code>.</li>
                 </ul>
             </ul>
         </td>
@@ -165,22 +190,6 @@ Wanna fingerprint WAFs? Lets see how.
             </ul>
         </td>
     </tr>
-    <tr>
-        <td>
-            Armor Defense
-        </td>
-        <td>
-            <ul>
-                <li><b>Detectability: </b>Easy</li>
-                <li><b>Detection Methodology:</b></li>
-                <ul>
-                    <li>Blocked response content contains warning<br>
-                        <code>This request has been blocked by website protection from Armor.</code>
-                    </li>
-                </ul>
-            </ul>
-        </td>
-    </tr>
     <tr>
         <td>
             Application Security Manager (F5 Networks)
@@ -208,12 +217,31 @@ Wanna fingerprint WAFs? Lets see how.
                 <ul>
                     <li>Blocked response page content may contain:</li>
                         <ul>
-                            <li><code>Approach Web Application Firewall</code> heading.</li>
+                            <li><code>Approach Web Application Firewall Framework</code> heading.</li>
                             <li><code>Your IP address has been logged and this information could be used by authorities to track you.</code> warning.</li>
                             <li><code>Sorry for the inconvenience!</code> keyword.</li>
-                            <li><code>If this was an legitimate request please contact us with details!</code> text snippet.</li>
+                            <li><code>Approach infrastructure team</code> text snippet.</li>
                         </ul>
-                    <li><code>Server</code> header has field value set to <code>Approach Web Application Firewall</code>.</li>
+                    <li><code>Server</code> header has field value set to <code>Approach</code>.</li>
+                </ul>
+            </ul>
+        </td>
+    </tr>
+    <tr>
+        <td>
+            Armor Defense
+        </td>
+        <td>
+            <ul>
+                <li><b>Detectability: </b>Easy</li>
+                <li><b>Detection Methodology:</b></li>
+                <ul>
+                    <li>Blocked response content contains:
+                        <ul>
+                            <li><code>This request has been blocked by website protection from Armor</code> text.</li>
+                            <li><code>If you manage this domain please create an Armor support ticket</code> snippet.</li>
+                        </ul>
+                    </li>
                 </ul>
             </ul>
         </td>
@@ -259,7 +287,8 @@ Wanna fingerprint WAFs? Lets see how.
                             <li><code>Access Denied</code> in their keyword.</li>
                             <li>Request token ID with length from 20 to 25 between <code>RequestId</code> tag.</li>
                         </ul>
-                    </li> 
+                    </li>
+                    <li><code>Server</code> header field may contain <code>awselb</code> value.</li>
                 </ul>
             </ul>
         </td>
@@ -309,6 +338,11 @@ Wanna fingerprint WAFs? Lets see how.
                     <li>Response cookies may contain <code>barra_counter_session</code> value.</li>
                     <li>Response headers may contain <code>barracuda_</code> keyword.</li>
                 </ul>
+                <li>Response page contains:</li>
+                <ul>
+                    <li><code>You have been blocked</code> heading.</li>
+                    <li><code>You are unable to access this website</code> text.</li>
+                </ul>
             </ul>
         </td>
     </tr>
@@ -357,6 +391,7 @@ Wanna fingerprint WAFs? Lets see how.
                         <li><code>Security check by BitNinja</code> text snippet.</li>
                         <li><code>your IP will be removed from BitNinja</code>.</li>
                         <li><code>Visitor anti-robot validation</code> text snippet.</li>
+                        <li><code>(You will be challenged by a reCAPTCHA page)</code> text.</li>
                     </ul>
                 </ul>
             </ul>
@@ -430,7 +465,25 @@ Wanna fingerprint WAFs? Lets see how.
                 <li><b>Detectability: </b>Easy</li>
                 <li><b>Detection Methodology:</b></li>
                 <ul>
-                    <li>Blocked response page contains <code>by CdnNsWAF Application Gateway</code> text snippet.</li>
+                    <li>Blocked response page contains <code>CdnNsWAF Application Gateway</code> text snippet.</li>
+                </ul>
+            </ul>
+        </td>
+    </tr>
+    <tr>
+        <td>
+            Cerber (WordPress)
+        </td>
+        <td>
+            <ul>
+                <li><b>Detectability: </b>Difficult</li>
+                <li><b>Detection Methodology:</b></li>
+                <ul>
+                    <li>Blocked response page contains:
+                    <ul>
+                        <li><code>We're sorry, you are not allowed to proceed</code> text snippet.</li>
+                        <li><code>Your request looks suspicious or similar to automated requests from spam posting software</code> warning.</li>
+                    </ul> 
                 </ul>
             </ul>
         </td>
@@ -485,14 +538,18 @@ Wanna fingerprint WAFs? Lets see how.
     </tr>
     <tr>
         <td>
-            Cloudbric
+            Cloudbric Firewall
         </td>
         <td>
             <ul>
                 <li><b>Detectability: </b>Moderate</li>
                 <li><b>Detection Methodology:</b></li>
                 <ul>
-                    <li>Response content has <code>Cloudbric</code> and <code>Malicious Code Detected</code> texts.</li>
+                    <li>Response content contains:</li>
+                    <ul>
+                        <li><code>Malicious Code Detected</code> heading.</li>
+                        <li><code>Your request was blocked by Cloudbric</code> text snippet.</li>
+                    </ul>
                 </ul>
             </ul>
         </td>
@@ -524,7 +581,7 @@ Wanna fingerprint WAFs? Lets see how.
                 <li><b>Detectability: </b>Easy</li>
                 <li><b>Detection Methodology:</b></li>
                 <ul>
-                    <li>Blocked response content contains <code>Error from cloudfront</code> error upon malicious request.</li>
+                    <li>Blocked response content contains <code>Generated by cloudfront (CloudFront)</code> error upon malicious request.</li>
                 </ul>
             </ul>
         </td>
@@ -538,7 +595,7 @@ Wanna fingerprint WAFs? Lets see how.
                 <li><b>Detectability: </b>Easy</li>
                 <li><b>Detection Methodology:</b></li>
                 <ul>
-                    <li>Response headers contain <code>Protected by COMODO WAF</code> value.</li>
+                    <li><code>Server</code> header contains <code>Protected by COMODO WAF</code> value.</li>
                 </ul>
             </ul>
         </td>
@@ -552,7 +609,7 @@ Wanna fingerprint WAFs? Lets see how.
                 <li><b>Detectability: </b>Easy</li>
                 <li><b>Detection Methodology:</b></li>
                 <ul>
-                    <li>Response content contains value<br> <code>This site is protected by CrawlProtect</code>.</li>
+                    <li>Blocked response content contains value<br> <code>This site is protected by CrawlProtect !!!</code> upon malicious request.</li>
                 </ul>
             </ul>
         </td>
@@ -1657,24 +1714,6 @@ Wanna fingerprint WAFs? Lets see how.
             </ul>
         </td>
     </tr>
-    <tr>
-        <td>
-            WordPress Cerber
-        </td>
-        <td>
-            <ul>
-                <li><b>Detectability: </b>Moderate</li>
-                <li><b>Detection Methodology:</b></li>
-                <ul>
-                    <li>Blocked response page contains:
-                    <ul>
-                        <li><code>We're sorry, you are not allowed to proceed</code> text snippet.</li>
-                        <li><code>Your request looks suspicious or similar to automated requests from spam posting software</code> warning.</li>
-                    </ul> 
-                </ul>
-            </ul>
-        </td>
-    </tr>
     <tr>
         <td>
             XLabs Security WAF