Nmap Development mailing list archives
Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions
From: Paulino Calderon <paulino () calderonpale com>
Date: Tue, 21 Jun 2011 18:56:47 -0700
On 06/21/2011 04:02 PM, David Fifield wrote:
On Wed, Jun 15, 2011 at 10:37:34PM -0700, Paulino Calderon wrote:Hello nmap-dev, Here is my NSE script to determine if a http web server is protected by a Web Application Firewall (WAF), Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). I'd be great if I can get some feedback from users with access to other untested WAF/IDS/IPS products. description = [[ Determines if a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) This script tries to determine if an IDS/IPS/WAF is protecting a http server. To do this the script will send a "good" request and record the response, afterwards it will match this response against new requests containing malicious payloads. In theory, web applications shouldn't react to malicious requests because we are storing the payloads in a variable that is not used by the script/file and only WAF/IDS/IPS should react to it. If aggro mode is not on, the script will only do the minimum number of requests (Most known/noisy vectors) This script has been tested against: * Apache ModSecurity * Barracuda Web Application Firewall * PHPIDSI think that this script will be prone to false positives as it is written. A detection is flagged whenever the body differs, which could be the case for every response on some web sites, like www.time.gov. $ ./nmap --script=http-waf-detect -p80 www.time.gov --script-args http-waf-detect.path="/timezone.cgi?Pacific/d/-8" Starting Nmap 5.52.IPv6.Beta2 ( http://nmap.org ) at 2011-06-21 15:56 PDT Nmap scan report for www.time.gov (129.6.13.35) Host is up (0.093s latency). Other addresses for www.time.gov (not scanned): 132.163.4.22 rDNS record for 129.6.13.35: www-04.nist.gov PORT STATE SERVICE 80/tcp open http |_http-waf-detect: IDS/IPS/WAF detected In addition to testing against servers known to have an IDS, you also have to test against some known not to have an IDS. Take a look at the http.clean_404 function, which attempts to mitigate this problem by deleting things that look like dynamically generated text. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
I think you brought up a solid point here, I missed that somehow. I added a call to clean_404 to address this meanwhile. I had to update http.lua to make that method accesible to the scripts.
On the other hand, after this update I tried it again and it turns out that time.gov is behind a WAF, you can test it manually by passing the string "/etc/passwd" :
It will block this request: http://time.gov/timezone.cgi?Pacific/d/-8?p4yl04d=cat%20/etc/passwd But not this one: http://time.gov/timezone.cgi?Pacific/d/-8?p4yl04d=hello Cheers. -- Paulino Calderón Pale Web: http://calderonpale.com Twitter: http://www.twitter.com/paulinocaIderon
Attachment:
http-waf-detect.nse.diff
Description:
Attachment:
http.lua.diff
Description:
Attachment:
http-waf-detect.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Patrik Karlsson (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Richard Sammet (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 16)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions David Fifield (Jun 21)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 21)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)