Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions

[Paulino Calderon <paulino () calderonpale com>]

On 06/21/2011 04:02 PM, David Fifield wrote:
> On Wed, Jun 15, 2011 at 10:37:34PM -0700, Paulino Calderon wrote:
>    
> > Hello nmap-dev,
> >
> >      Here is my NSE script to determine if a http web server is
> > protected by a Web Application Firewall (WAF), Intrusion Detection
> > System (IDS) or Intrusion Prevention System (IPS). I'd be great if I
> > can get some feedback from users with access to other untested
> > WAF/IDS/IPS products.
> >
> > description = [[
> > Determines if a web server is protected by an IPS (Intrusion
> > Prevention System), IDS (Intrusion Detection System) or WAF (Web
> > Application Firewall)
> >
> > This script tries to determine if an IDS/IPS/WAF is protecting a
> > http server. To do this the script will send a "good" request and
> > record the
> > response, afterwards it will match this response against new
> > requests containing malicious payloads. In theory, web applications
> > shouldn't react to
> > malicious requests because we are storing the payloads in a variable
> > that is not used by the script/file and only WAF/IDS/IPS should
> > react to it.
> > If aggro mode is not on, the script will only do the minimum number
> > of requests (Most known/noisy vectors)
> >
> > This script has been tested against:
> >   * Apache ModSecurity
> >   * Barracuda Web Application Firewall
> >   * PHPIDS
> >      
> I think that this script will be prone to false positives as it is
> written. A detection is flagged whenever the body differs, which could
> be the case for every response on some web sites, like www.time.gov.
>
> $ ./nmap --script=http-waf-detect -p80 www.time.gov --script-args http-waf-detect.path="/timezone.cgi?Pacific/d/-8"
> Starting Nmap 5.52.IPv6.Beta2 ( http://nmap.org ) at 2011-06-21 15:56 PDT
> Nmap scan report for www.time.gov (129.6.13.35)
> Host is up (0.093s latency).
> Other addresses for www.time.gov (not scanned): 132.163.4.22
> rDNS record for 129.6.13.35: www-04.nist.gov
> PORT   STATE SERVICE
> 80/tcp open  http
> |_http-waf-detect: IDS/IPS/WAF detected
>
> In addition to testing against servers known to have an IDS, you also
> have to test against some known not to have an IDS.
>
> Take a look at the http.clean_404 function, which attempts to mitigate
> this problem by deleting things that look like dynamically generated
> text.
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
>    

I think you brought up a solid point here, I missed that somehow. I 
added a call to clean_404 to address this meanwhile. I had to update 
http.lua to make that method accesible to the scripts.

On the other hand, after this update I tried it again and it turns out 
that time.gov is behind a WAF, you can test it manually by passing the 
string "/etc/passwd" :

It will block this request:
http://time.gov/timezone.cgi?Pacific/d/-8?p4yl04d=cat%20/etc/passwd
But not this one:
http://time.gov/timezone.cgi?Pacific/d/-8?p4yl04d=hello

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

Attachment: http-waf-detect.nse.diff
Description:

Attachment: http.lua.diff
Description:

Attachment: http-waf-detect.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/