Nmap Development mailing list archives

Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions

From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 16 Jun 2011 08:10:12 +0200

Cool script and great idea!

//Patrik
On Jun 16, 2011, at 8:15 AM, Paulino Calderon wrote:

Erm... I had a typo on that last file. Here is the fixed version.

Cheers

On 06/15/2011 10:37 PM, Paulino Calderon wrote:

Hello nmap-dev,

   Here is my NSE script to determine if a http web server is protected by a Web Application Firewall (WAF), 
Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). I'd be great if I can get some feedback from 
users with access to other untested WAF/IDS/IPS products.

description = [[
Determines if a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or 
WAF (Web Application Firewall)

This script tries to determine if an IDS/IPS/WAF is protecting a http server. To do this the script will send a 
"good" request and record the
response, afterwards it will match this response against new requests containing malicious payloads. In theory, web 
applications shouldn't react to
malicious requests because we are storing the payloads in a variable that is not used by the script/file and only 
WAF/IDS/IPS should react to it.
If aggro mode is not on, the script will only do the minimum number of requests (Most known/noisy vectors)

This script has been tested against:
* Apache ModSecurity
* Barracuda Web Application Firewall
* PHPIDS

Since the majority of IDS/IPS/WAF's protect web applications in the same way,
it is likely that this script detects a lot more of these IDS/IPS/WAFs solutions.
]]

---
-- @usage
-- nmap -p80 --script=../../http-waf-detect.nse 
--script-args="http-waf-detect.aggro=2,http-waf-detect.path=/testphp.vulnweb.com/artists.php" www.modsecurity.org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



-- 
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

<http-waf-detect.nse>_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Patrik Karlsson (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Richard Sammet (Jun 15)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 16)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions David Fifield (Jun 21)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 21)