# Awesome WAF [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg "Awesome")](https://github.com/0xinfection/awesome-waf) > A curated list of awesome WAF stuff. 🔥 > > __Foreword:__ This was originally my own collection on WAFs. I am open-sourcing it in the hope that it will be useful for pentesters and researchers out there. You might want to keep this repo on a watch, since it will be updated regularly. "The community just learns from each other." __#SharingisCaring__ ![Main Logo](images/how-wafs-work.png 'How wafs work') __A Concise Definition:__ A web application firewall is a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components. *(Source: [PCI DSS IS 6.6](https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf))* Feel free to [contribute](CONTRIBUTING.md). ### Contents: - [Introduction](#introduction) - [How WAFs Work](#how-wafs-work) - [Operation Modes](#operation-modes) - [Testing Methodology](#testing-methodology) - [Where To Look](#where-to-look) - [Detection Techniques](#detection-techniques) - [WAF Fingerprints](#waf-fingerprints) - [Evasion Techniques](#evasion-techniques) - [Fuzzing/Bruteforcing](#fuzzingbruteforcing) - [Regex Reversing](#regex-reversing) - [Obfuscation/Encoding](#obfuscation) - [Browser Bugs](#browser-bugs) - [HTTP Header Spoofing](#request-header-spoofing) - [Google Dorks Approach](#google-dorks-approach) - [Known Bypasses](#known-bypasses) - [Awesome Tooling](#awesome-tools) - [Fingerprinting](#fingerprinting) - [Testing](#testing) - [Evasion](#evasion) - [Blogs & Writeups](#blogs-and-writeups) - [Video Presentations](#video-presentations) - [Research Presentations & Papers](#presentations--research-papers) - [Research Papers](#research-papers) - [Presentation Slides](#presentations) - [Licensing & Credits](#credits--license) ## Introduction: ### How WAFs Work: - Using a set of rules to distinguish between normal requests and malicious requests. - Sometimes they use a learning mode to add rules automatically through learning about user behaviour. ### Operation Modes: - __Negative Model (Blacklist based)__ - A blacklisting model uses pre-set signatures to block web traffic that is clearly malicious, and signatures designed to prevent attacks which exploit certain website and web application vulnerabilities. Blacklisting model web application firewalls are a great choice for websites and web applications on the public internet, and are highly effective against an major types of DDoS attacks. Eg. Rule for blocking all `` inputs. - __Positive Model (Whitelist based)__ - A whitelisting model only allows web traffic according to specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model can be very effective for blocking possible cyber-attacks, but whitelisting will block a lot of legitimate traffic. Whitelisting model firewalls are probably best for web applications on an internal network that are designed to be used by only a limited group of people, such as employees. - __Mixed/Hybrid Model (Inclusive model)__ - A hybrid security model is one that blends both whitelisting and blacklisting. Depending on all sorts of configuration specifics, hybrid firewalls could be the best choice for both web applications on internal networks and web applications on the public internet. ## Testing Methodology: ### Where To Look: - Always look out for common ports that expose that a WAF `80`, `443`, `8000`, `8008`, `8080`, `8088`. > __Tip:__ You can use automate this easily by commandline using a screenshot taker like [WebScreenShot](https://github.com/maaaaz/webscreenshot). - Some WAFs set their own cookies in requests (eg. Citrix Netscaler, Yunsuo WAF). - Some associate themselves with separate headers (eg. Anquanbao WAF, Amazon AWS WAF). - Some often alter headers and jumble characters to confuse attacker (eg. Citrix Netscaler, F5 Big IP). - Some (often rare) expose themselves in the `Server` header (eg. Approach, WTS WAF). - Some WAFs expose themselves in the response content (eg. DotDefender, Armor, Sitelock). - Other WAFs reply with unusual response codes upon malicious requests (eg. WebKnight, 360 WAF). ### Detection Techniques: 1. Make a normal GET request from a browser, intercept and test response headers (specifically cookies). 2. Make a request from command line (eg. cURL), and test response content and headers (no user-agent included). 3. If there is a login page somewhere, try some common (easily detectable) payloads like `' or 1 = 1 --`. 4. If there is some input field somewhere, try with noisy payloads like ``. 5. Make GET requests with outdated protocols like `HTTP/0.9` (`HTTP/0.9` does not support POST type queries). 6. Many a times, the WAF varies the `Server` header upon different types of interactions. 7. Drop Action Technique - Send a raw crafted FIN/RST packet to server and identify response. > __Tip:__ This method could be easily achieved with tools like [HPing3](http://www.hping.org) or [Scapy](https://scapy.net). 8. Side Channel Attacks - Examine the timing behaviour of the request and response content. ## WAF Fingerprints Wanna detect WAFs? Lets see how. > __NOTE__: This section contains manual WAF detection techniques. You might want to switch over to [next section](#evasion-techniques).
360 Firewall |
|
aeSecure |
|
Airlock (Phion/Ergon) |
|
Aliyundun Firewall |
|
Anquanbao WAF |
|
Armor Defense |
|
Application Security Manager (F5 Networks) |
|
Approach Firewall |
|
Amazon AWS WAF |
|
Baidu Yunjiasu |
|
Barracuda WAF |
|
Bekchy (Faydata) |
|
BitNinja Firewall |
|
Bluedon IST |
|
BIG-IP ASM (F5 Networks) |
|
BinarySec WAF |
|
BlockDos |
|
CDN NS Application Gateway |
|
ChinaCache Firewall |
|
Cisco ACE XML Gateway |
|
Cloudbric |
|
Cloudflare |
|
Cloudfront (Amazon) |
|
Comodo Firewall |
|
CrawlProtect (Jean-Denis Brun) |
|
GoDaddy Firewall |
|
IBM WebSphere DataPower |
|
Deny-All Firewall |
|
Distil Firewall |
|
DoSArrest Internet Security |
|
dotDefender |
|
EdgeCast (Verizon) |
|
Expression Engine (EllisLab) |
|
FortiWeb Firewall |
|
GreyWizard Firewall |
|
HyperGuard Firewall |
|
Imperva SecureSphere |
|
Immunify360 (CloudLinux Inc.) |
|
ISAServer |
|
Janusec Application Gateway |
|
Jiasule Firewall |
|
KnownSec Firewall |
|
KONA Site Defender (Akamai) |
|
Malcare (Inactiv) |
|
ModSecurity (Trustwave) |
|
NAXSI (NBS Systems) |
|
Netcontinuum (Barracuda) |
|
NinjaFirewall (NinTechNet) |
|
NetScaler (Citrix) |
|
NewDefend Firewall |
|
NSFocus Firewall |
|
onMessage Shield (Blackbaud) |
|
Palo Alto Firewall |
|
PerimeterX Firewall |
|
Profense Firewall |
|
Proventia (IBM) |
|
Radware Appwall |
|
Reblaze Firewall |
|
Request Validation Mode (ASP.NET) |
|
RSFirewall (RSJoomla) |
|
Safe3 Firewall |
|
SafeDog Firewall |
|
SecureIIS (BeyondTrust) |
|
SEnginx (Neusoft) |
|
ShieldSecurity |
|
SiteGround Firewall |
|
SiteGuard (JP Secure) |
|
SiteLock TrueShield |
|
SonicWall (Dell) |
|
Sophos UTM Firewall |
|
SquareSpace Firewall |
|
StackPath (StackPath LLC) |
|
Stingray (RiverBed/Brocade) |
|
Sucuri CloudProxy |
|
Tencent Cloud WAF |
|
TrafficShield (F5 Networks) |
|
URLMaster SecurityCheck (iFinity/DotNetNuke) |
|
URLScan (Microsoft) |
|
USP Secure Entry |
|
Varnish (OWASP) |
|
VirusDie Firewall |
|
WallArm (Nginx) |
|
WatchGuard Firewall |
|
WebKnight (Aqtronix) |
|
WP Cerber Firewall |
|
Yundun Firewall |
|
Yunsuo Firewall |
|
ZenEdge Firewall |
|