Nmap Development mailing list archives

Re: [NSE] http-waf-fingerprint.nse


From: Hani Benhabiles <kroosec () gmail com>
Date: Tue, 19 Jun 2012 13:24:22 +0100

On 06/12/2012 12:55 PM, Hani Benhabiles wrote:
On 06/10/2012 11:06 PM, Hani Benhabiles wrote:
On 06/10/2012 02:17 PM, Djalal Harouni wrote:
Hi,

Thanks for the script.


You have probably discussed this with Henri, but I just want to bring it
here:
Why are fingerprints included in the script?
Because there wouldn't be as many fingerprints for WAFs as for something like http-enum and outside of the fingerprints, the script is nothing fancy.

Perhaps adding an 'author' field will bring new fingerprints?

It could be added as a comment for the fingerprints (see the ModSecurity ones).

On Fri, Jun 08, 2012 at 11:44:07AM +0100, Hani Benhabiles wrote:
netscaler = {
     name = "Citrix Netscaler",
     detected = false,
     version = nil,

     match = function(responses)
         for _, response in pairs(responses) do

             -- TODO Check for other version detection possibilities
             -- based on fingerprint difference
            if response.header.via and string.find(response.header.via, 'NS-CACHE') then
                -- stdnse.print_debug("%s Citrix Netscaler detected through Via Header.", SCRIPT_NAME)
                netscaler.version = string.sub(response.header.server, 10, 12)
            end
        end
    end
}
In other places you have the checks, but here the check that
response.header.server is set is missing...

Another quick review?
It should get the version from the via header, I corrected that. Thanks.
Thanks.


Cheers,
Hani.

I have committed http-waf-fingerprint as r28912.

Cheers,
Hani.

I am attaching a patch which adds support for intensive mode. Nothing fancy, just an additional function and a script argument. At the moment, only Naxsi WAF has intensive mode fingerprints.

Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

Attachment: http-waf-fingerprint.patch
Description:

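The Via-header handling discussed in the thread (take the version from the Via header, and never index a header that may be absent), as an added stand-alone example. This is not the committed http-waf-fingerprint.nse code and uses no Nmap libraries; the fingerprint table, the parse_via and match function names, and the sample responses are constructed for illustration, and the assumed Via value shape is "NS-CACHE-<major>.<minor>: <id>".

```lua
-- Added example, not the script's own code: Netscaler fingerprint that reads
-- the version from the Via header and checks each header before touching it.
-- Assumption: a Netscaler-fronted response carries "Via: NS-CACHE-<ver>: <id>".
local netscaler = {
    name = "Citrix Netscaler",
    detected = false,
    version = nil,
}

-- Returns (detected, version). Handles a missing header (nil), a Via header
-- from some other proxy, and the marker appearing without a version number.
function netscaler.parse_via(via)
    if type(via) ~= "string" then
        return false, nil                 -- header absent: nothing to inspect
    end
    if not string.find(via, "NS-CACHE", 1, true) then
        return false, nil                 -- some other proxy's Via header
    end
    -- "%-" escapes the hyphen in a Lua pattern; capture digits and dots only,
    -- so the trailing ": <id>" part is never mistaken for the version.
    local version = string.match(via, "NS%-CACHE%-([%d%.]+)")
    return true, version                  -- version may be nil (marker only)
end

-- Mirrors the NSE match(responses) shape: response.header keys are lower-case.
function netscaler.match(responses)
    for _, response in pairs(responses) do
        local header = response.header or {}
        local detected, version = netscaler.parse_via(header.via)
        if detected then
            netscaler.detected = true
            netscaler.version = version   -- no read of header.server needed
            return true
        end
    end
    return false
end

-- Constructed sample responses (not real captures), one per case handled above.
local samples = {
    { header = { via = "1.1 proxy.example" } },      -- other proxy, no match
    { header = { server = "Apache" } },              -- no Via header at all
    { header = { via = "NS-CACHE" } },               -- marker, no version
    { header = { via = "NS-CACHE-10.0: 183" } },     -- Netscaler, version 10.0
}

for i, sample in ipairs(samples) do
    local detected, version = netscaler.parse_via(sample.header.via)
    print(string.format("sample %d: detected=%s version=%s",
        i, tostring(detected), tostring(version)))
end

-- Running match() over the whole set stops at the first positive response.
print("match:", netscaler.match(samples), "version:", tostring(netscaler.version))
```

Run it with any Lua 5.x interpreter; the last line should report a match with version "10.0" and the marker-only sample should be reported as detected with no version, which is the behaviour a fingerprint needs when the header is present but shorter than the fixed offsets a string.sub call would assume.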
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
