# Awesome WAF [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg "Awesome")](https://github.com/0xinfection/awesome-waf)

> A curated list of awesome WAF stuff. 🔥
>
> __Foreword:__ This was originally my own collection on WAFs. I am open-sourcing it in the hope that it will be useful for pentesters and researchers out there. You might want to keep this repo on a watch, since it will be updated regularly. "The community just learns from each other." __#SharingisCaring__

![Main Logo](images/how-wafs-work.png 'How wafs work')

__A Concise Definition:__ A web application firewall is a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components. *(Source: [PCI DSS IS 6.6](https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf))*

Feel free to [contribute](CONTRIBUTING.md).

### Contents:
- [Introduction](#introduction)
    - [How WAFs Work](#how-wafs-work)
    - [Operation Modes](#operation-modes)
- [Testing Methodology](#testing-methodology)
    - [Where To Look](#where-to-look)
    - [Detection Techniques](#detection-techniques)
- [WAF Fingerprints](#waf-fingerprints)
- [Evasion Techniques](#evasion-techniques)
    - [Fuzzing/Bruteforcing](#fuzzingbruteforcing)
    - [Regex Reversing](#regex-reversing)
    - [Obfuscation/Encoding](#obfuscation)
    - [Browser Bugs](#browser-bugs)
    - [HTTP Header Spoofing](#request-header-spoofing)
    - [Google Dorks Approach](#google-dorks-approach)
- [Known Bypasses](#known-bypasses)
- [Awesome Tooling](#awesome-tools)
    - [Fingerprinting](#fingerprinting)
    - [Testing](#testing)
    - [Evasion](#evasion)
- [Blogs & Writeups](#blogs-and-writeups)
- [Video Presentations](#video-presentations)
- [Research Presentations & Papers](#presentations--research-papers)
    - [Research Papers](#research-papers)
    - [Presentation Slides](#presentations)
- [Licensing & Credits](#credits--license)

## Introduction:

### How WAFs Work:
- They use a set of rules to distinguish between normal requests and malicious requests.
- Sometimes they use a learning mode to add rules automatically by learning about user behaviour.

### Operation Modes:
- __Negative Model (Blacklist based)__ - A blacklisting model uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against major types of DDoS attacks. Eg. Rule for blocking all `` inputs.
- __Positive Model (Whitelist based)__ - A whitelisting model only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees.
- __Mixed/Hybrid Model (Inclusive model)__ - A hybrid security model is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet.

## Testing Methodology:

### Where To Look:
- Always look out for common ports that may expose a WAF, namely `80`, `443`, `8000`, `8008`, `8080` and `8088`.
    > __Tip:__ You can automate this easily from the command line using tools like [cURL](https://github.com/curl/curl).
- Some WAFs set their own cookies in requests (eg. Citrix Netscaler, Yunsuo WAF).
- Some associate themselves with separate headers (eg. Anquanbao WAF, Amazon AWS WAF).
- Some often alter headers and jumble characters to confuse the attacker (eg. Netscaler, Big-IP).
- Some expose themselves in the `Server` header (eg. Approach, WTS WAF).
- Some WAFs expose themselves in the response content (eg. DotDefender, Armor, Sitelock).
- Other WAFs reply with unusual response codes upon malicious requests (eg. WebKnight, 360 WAF).

### Detection Techniques:
To identify a WAF, we need to provoke it with dummy requests.

1. Make a normal GET request from a browser, intercept and record response headers (specifically cookies).
2. Make a request from the command line (eg. cURL), and test response content and headers (no user-agent included).
3. Make GET requests to random open ports and grab banners which might expose the WAF's identity.
4. If there is a login page somewhere, try some common (easily detectable) payloads like `" or 1 = 1 --`.
5. If there is some input field somewhere, try with noisy payloads like ``.
6. Attach a dummy `../../../etc/passwd` to a random parameter at the end of the URL.
7. Append some catchy keywords like `' OR SLEEP(5) OR '` at the end of URLs to any random parameter.
8. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries).
9. Many times, the WAF varies the `Server` header upon different types of interactions.
10. Drop Action Technique - Send a raw crafted FIN/RST packet to the server and identify the response.
    > __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net).
11. Side Channel Attacks - Examine the timing behaviour of the request and response content.

## WAF Fingerprints
Wanna fingerprint WAFs? Let's see how.

> __NOTE__: This section contains manual WAF detection techniques. You might want to switch over to the [next section](#evasion-techniques).

| WAF | Fingerprints |
|-----|--------------|
| 360 Firewall | |
| aeSecure | |
| Airlock (Phion/Ergon) | |
| AlertLogic Firewall | |
| Aliyundun Firewall | |
| Anquanbao WAF | |
| Anyu Firewall | |
| Application Security Manager (F5 Networks) | |
| Approach Firewall | |
| Armor Defense | |
| ASP.NET Generic (IIS) | |
| AWS (Amazon) | |
| Baidu Yunjiasu | |
| Barikode Firewall | |
| Barracuda WAF | |
| Bekchy (Faydata) | |
| Better WP Security | |
| BitNinja Firewall | |
| Bluedon IST | |
| BIG-IP ASM (F5 Networks) | |
| BinarySec WAF | |
| BlockDos | |
| CDN NS Application Gateway | |
| Cerber (WordPress) | |
| ChinaCache Firewall | |
| Chuangyu WAF | |
| Cisco ACE XML Gateway | |
| Cloudbric Firewall | |
| Cloudflare | |
| Cloudfront (Amazon) | |
| Comodo Firewall | |
| CrawlProtect (Jean-Denis Brun) | |
| Deny-All Firewall | |
| Distil Firewall | |
| DoSArrest Internet Security | |
| dotDefender | |
| DynamicWeb Injection Check | |
| EdgeCast (Verizon) | |
| Expression Engine (EllisLab) | |
| FortiWeb Firewall | |
| GoDaddy Firewall | |
| GreyWizard Firewall | |
| HyperGuard Firewall | |
| IBM DataPower | |
| Incapsula (Imperva) | |
| Immunify360 (CloudLinux Inc.) | |
| ISAServer | |
| Janusec Application Gateway | |
| Jiasule Firewall | |
| KnownSec Firewall | |
| KONA Site Defender (Akamai) | |
| LiteSpeed Firewall | |
| Malcare (Inactiv) | |
| MissionControl WAF | |
| ModSecurity (Trustwave) | |
| NAXSI (NBS Systems) | |
| Netcontinuum (Barracuda) | |
| NevisProxy (AdNovum) | |
| NetScaler (Citrix) | |
| NewDefend Firewall | |
| NinjaFirewall (NinTechNet) | |
| NSFocus Firewall | |
| onMessage Shield (Blackbaud) | |
| Palo Alto Firewall | |
| PerimeterX Firewall | |
| Profense Firewall | |
| Proventia (IBM) | |
| pkSecurityModule IDS | |
| Radware Appwall | |
| Reblaze Firewall | |
| Request Validation Mode (ASP.NET) | |
| RSFirewall (RSJoomla) | |
| Sabre Firewall | |
| Safe3 Firewall | |
| SafeDog Firewall | |
| Secure Entry Firewall | |
| SecureIIS (eEye) | |
| SecureSphere (Imperva) | |
| SEnginx (Neusoft) | |
| Shadow Daemon WAF | |
| ShieldSecurity | |
| SiteGround Firewall | |
| SiteGuard (JP Secure) | |
| SiteLock TrueShield | |
| SonicWall (Dell) | |
| Sophos UTM Firewall | |
| SquareSpace Firewall | |
| StackPath (StackPath LLC) | |
| Stingray (RiverBed/Brocade) | |
| Sucuri CloudProxy | |
| Synology Cloud WAF | |
| Tencent Cloud WAF | |
| Teros WAF (Citrix) | |
| TrafficShield (F5 Networks) | |
| URLMaster SecurityCheck (iFinity/DotNetNuke) | |
| URLScan (Microsoft) | |
| USP Secure Entry | |
| Varnish (OWASP) | |
| Varnish Cache Firewall | |
| VirusDie Firewall | |
| WallArm (Nginx) | |
| WatchGuard IPS | |
| WebARX Firewall | |
| WebKnight (Aqtronix) | |
| West263 Firewall | |
| Wordfence (Feedjit) | |
| WTS Firewall | |
| XLabs Security WAF | |
| Xuanwudun WAF | |
| Yundun Firewall | |
| Yunsuo Firewall | |
| ZenEdge Firewall | |
| ZScaler (Accenture) | |
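
The indicator classes listed under "Where To Look" (status code, cookies, extra headers, `Server` header, response content) can be checked by diffing a recorded baseline response against the response to a request the WAF flagged, which is useful for auditing what your own deployment discloses. This is an added example, not part of the original list; the two raw responses, the `ExampleWAF` name and its cookie and header are constructed placeholders, not real fingerprints.

```python
def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}  # lower-cased name -> list of values (Set-Cookie may repeat)
    for line in header_block.split("\r\n"):
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def cookie_names(headers):
    return {v.split("=", 1)[0].strip() for v in headers.get("set-cookie", [])}

def diff_indicators(baseline_raw, probe_raw):
    """Report which indicator classes differ between the two responses."""
    b_status, b_hdrs, b_body = parse_response(baseline_raw)
    p_status, p_hdrs, p_body = parse_response(probe_raw)
    findings = {}
    if p_status != b_status:                 # unusual response code
        findings["status"] = (b_status, p_status)
    new_cookies = cookie_names(p_hdrs) - cookie_names(b_hdrs)
    if new_cookies:                          # cookies set by the WAF
        findings["cookies"] = sorted(new_cookies)
    new_headers = set(p_hdrs) - set(b_hdrs)
    if new_headers:                          # separate WAF headers
        findings["headers"] = sorted(new_headers)
    b_server = b_hdrs.get("server", [None])[0]
    p_server = p_hdrs.get("server", [None])[0]
    if b_server != p_server:                 # Server header varies
        findings["server"] = (b_server, p_server)
    if p_body != b_body:                     # block page in response content
        findings["body_changed"] = True
    return findings

# Constructed sample responses (hypothetical "ExampleWAF").
BASELINE = "\r\n".join([
    "HTTP/1.1 200 OK", "Server: nginx", "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/", "", "<html>Welcome</html>"])
PROBE = "\r\n".join([
    "HTTP/1.1 406 Not Acceptable", "Server: ExampleWAF",
    "Content-Type: text/html", "Set-Cookie: examplewaf_id=1; Path=/",
    "X-ExampleWAF-Block: 1", "", "<html>Request blocked.</html>"])

if __name__ == "__main__":
    for indicator, detail in diff_indicators(BASELINE, PROBE).items():
        print(indicator, detail)
```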