Nmap Development mailing list archives
Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 15 Aug 2011 21:16:25 -0700
On 06/15/2011 10:37 PM, Paulino Calderon wrote:
Hello nmap-dev,Here is my NSE script to determine if a http web server is protected by a Web Application Firewall (WAF), Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). I'd be great if I can get some feedback from users with access to other untested WAF/IDS/IPS products.description = [[Determines if a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall)This script tries to determine if an IDS/IPS/WAF is protecting a http server. To do this the script will send a "good" request and record the response, afterwards it will match this response against new requests containing malicious payloads. In theory, web applications shouldn't react to malicious requests because we are storing the payloads in a variable that is not used by the script/file and only WAF/IDS/IPS should react to it. If aggro mode is not on, the script will only do the minimum number of requests (Most known/noisy vectors)This script has been tested against: * Apache ModSecurity * Barracuda Web Application Firewall * PHPIDSSince the majority of IDS/IPS/WAF's protect web applications in the same way, it is likely that this script detects a lot more of these IDS/IPS/WAFs solutions.]] --- -- @usage-- nmap -p80 --script=../../http-waf-detect.nse --script-args="http-waf-detect.aggro=2,http-waf-detect.path=/testphp.vulnweb.com/artists.php" www.modsecurity.org_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Hi list,I've submitted this script as rev25906. I made it detect body changes only when specified and now it also shows you the url that triggered the IDS in the results.
Cheers. -- Paulino Calderón Pale Web: http://calderonpale.com Twitter: http://www.twitter.com/paulinocaIderon _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Aug 15)