Nmap Development mailing list archives

Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions

From: David Fifield <david () bamsoftware com>
Date: Tue, 21 Jun 2011 16:02:20 -0700

On Wed, Jun 15, 2011 at 10:37:34PM -0700, Paulino Calderon wrote:

Hello nmap-dev,

    Here is my NSE script to determine if a http web server is
protected by a Web Application Firewall (WAF), Intrusion Detection
System (IDS) or Intrusion Prevention System (IPS). I'd be great if I
can get some feedback from users with access to other untested
WAF/IDS/IPS products.

description = [[
Determines if a web server is protected by an IPS (Intrusion
Prevention System), IDS (Intrusion Detection System) or WAF (Web
Application Firewall)

This script tries to determine if an IDS/IPS/WAF is protecting a
http server. To do this the script will send a "good" request and
record the
response, afterwards it will match this response against new
requests containing malicious payloads. In theory, web applications
shouldn't react to
malicious requests because we are storing the payloads in a variable
that is not used by the script/file and only WAF/IDS/IPS should
react to it.
If aggro mode is not on, the script will only do the minimum number
of requests (Most known/noisy vectors)

This script has been tested against:
 * Apache ModSecurity
 * Barracuda Web Application Firewall
 * PHPIDS


I think that this script will be prone to false positives as it is
written. A detection is flagged whenever the body differs, which could
be the case for every response on some web sites, like www.time.gov.

$ ./nmap --script=http-waf-detect -p80 www.time.gov --script-args http-waf-detect.path="/timezone.cgi?Pacific/d/-8"
Starting Nmap 5.52.IPv6.Beta2 ( http://nmap.org ) at 2011-06-21 15:56 PDT
Nmap scan report for www.time.gov (129.6.13.35)
Host is up (0.093s latency).
Other addresses for www.time.gov (not scanned): 132.163.4.22
rDNS record for 129.6.13.35: www-04.nist.gov
PORT   STATE SERVICE
80/tcp open  http
|_http-waf-detect: IDS/IPS/WAF detected

In addition to testing against servers known to have an IDS, you also
have to test against some known not to have an IDS.

Take a look at the http.clean_404 function, which attempts to mitigate
this problem by deleting things that look like dynamically generated
text.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 15)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Patrik Karlsson (Jun 15)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Richard Sammet (Jun 15)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 16)
- Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions David Fifield (Jun 21)
  - Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions Paulino Calderon (Jun 21)