WhatWaf
WhatWaf Description
WhatWaf is an advanced web application security detection tool that aims to give you an answer to the question, “Does a web server use WAF, and which one?” WhatWaf works by detecting a firewall on a web application, and attempting to detect a bypass (or two) for said firewall, on the specified target.
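The detection described above is, at its core, signature matching on what the server sends back. The following is an added example written for this page, not WhatWaf's own plugin code: a small header/cookie fingerprinter run over constructed HTTP responses, plus a behavioural check in the spirit of the --verify-num option (a benign baseline request succeeds while probe requests are blocked). The `Response` class, the `SIGNATURES` table and the sample responses are assumptions for the example; the markers listed are the widely published ones for those products and are far from complete.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example);
    it carries only what a header/cookie based fingerprint needs."""
    status: int
    headers: dict
    body: str = ""
    cookies: list = field(default_factory=list)   # raw "name=value" strings

    def __post_init__(self):
        # Header names are case-insensitive, so compare them lower-cased.
        self.headers = {k.lower(): v for k, v in self.headers.items()}

def _header(resp, name):
    return resp.headers.get(name.lower(), "")

# Illustrative signatures only (an assumption of this example, not WhatWaf's
# plugins): each product gets a list of independent checks, any one of which
# is enough to claim a match.
SIGNATURES = {
    "CloudFlare Web Application Firewall (CloudFlare)": [
        lambda r: _header(r, "server").lower() == "cloudflare",
        lambda r: "cf-ray" in r.headers,
        lambda r: any(c.startswith("__cfduid=") for c in r.cookies),
    ],
    "Incapsula Web Application Firewall (Incapsula/Imperva)": [
        lambda r: any(c.startswith(("incap_ses", "visid_incap")) for c in r.cookies),
        lambda r: "incapsula" in _header(r, "x-cdn").lower(),
    ],
    "Sucuri Firewall (Sucuri Cloudproxy)": [
        lambda r: "sucuri" in _header(r, "server").lower(),
        lambda r: "x-sucuri-id" in r.headers,
    ],
}

# Status codes a filtering proxy typically answers with when it blocks.
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}

def identify_waf(responses):
    """Return the names of every product whose signature matches at least one
    response, sorted so the result is deterministic."""
    found = set()
    for resp in responses:
        for name, checks in SIGNATURES.items():
            if any(check(resp) for check in checks):
                found.add(name)
    return sorted(found)

def looks_protected(baseline, probes):
    """Behavioural check: the benign baseline got through (200) while at least
    one probe was answered with a blocking status. A True here with an empty
    identify_waf() result is the 'unknown firewall' case."""
    if baseline.status != 200:
        return False
    return any(p.status in BLOCK_STATUSES for p in probes)

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    blocked = Response(403, {"Server": "cloudflare", "CF-RAY": "constructed-ray-id"},
                       "Attention Required!", ["__cfduid=constructed"])
    plain = Response(200, {"Server": "nginx", "Content-Type": "text/html"}, "<html>ok</html>")
    print(identify_waf([blocked]))            # ['CloudFlare Web Application Firewall (CloudFlare)']
    print(looks_protected(plain, [blocked]))  # True
```

Running the same logic over real traffic would require the request side as well; the point here is the shape of a fingerprint (several weak indicators per product) and why a tool still needs a behavioural fallback when no signature fires.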
Features:
- Ability to run on a single URL with the -u/--url flag
- Ability to run through a list of URLs with the -l/--list flag
- Ability to detect over 70+ different firewalls
- Ability to try over 30+ different tampering techniques
- Ability to pass your own payloads either from a file, from the terminal, or use the default payloads
- Default payloads that should produce at least one WAF triggering
- Ability to bypass firewalls using both SQLi techniques and cross site scripting techniques
- Ability to run behind any proxy type that matches this regex: (socks\d+)?(http(s)?)?:// (socks5, socks4, http, https)
- Ability to use a random user agent, personal user agent, or custom default user agent
- Auto assign protocol to HTTP or ability to force protocol to HTTPS
- A built in encoder so you can encode your payloads into the discovered bypasses
- Automatic issue creation if an unknown firewall is discovered
- Ability to send output to a JSON, CSV, or YAML file
- Ability to encode provided payloads using builtin tamper scripts
- Encoded payloads are then saved into a database file for future use
- Ability to export cached payloads from the database to a YAML, JSON, CSV, or textual file
- Ability to save all traffic into files for further analysis by passing the --traffic flag
- Ability to try and determine the backend webserver hosting the web application using -W
- Ability to send POST or GET requests
- Ability to pass in your own custom headers
- More to come…
List of all web application security systems (WAFs) supported for identification (89 in total):
- 360 Web Application Firewall (360)
- aeSecure (WAF)
- Airlock (Phion/Ergon)
- AkamaiGHost Website Protection (Akamai Global Host)
- Alert Logic (SIEMless Threat Management)
- AliYunDun (WAF)
- Anquanbao Web Application Firewall (Anquanbao)
- AnYu Web Application Firewall (Anyu Technologies)
- Apache Generic
- Armor Protection (Armor Defense)
- Application Security Manager (F5 Networks)
- ASP.NET Generic Website Protection (Microsoft)
- Apache Traffic Server (ATS web proxy)
- Amazon Web Services Web Application Firewall (Amazon)
- Yunjiasu Web Application Firewall (Baidu)
- Barikode Web Application Firewall
- Barracuda Web Application Firewall (Barracuda Networks)
- Bekchy (WAF)
- BIG-IP (F5 Networks)
- BinarySEC Web Application Firewall (BinarySEC)
- BitNinja (WAF)
- BlockDos DDoS protection (BlockDos)
- Chuangyu top government cloud defense platform (WAF)
- Cisco ACE XML Firewall (Cisco)
- CloudFlare Web Application Firewall (CloudFlare)
- CloudFront Firewall (Amazon)
- XSS/CSRF Filtering Protection (CodeIgniter)
- Comodo Web Application Firewall (Comodo)
- CSF (ConfigServer Security & Firewall)
- IBM Websphere DataPower Firewall (IBM)
- Deny All Web Application Firewall (DenyAll)
- DiDiYun WAF (DiDi)
- DoD Enterprise-Level Protection System (Department of Defense)
- DOSarrest (DOSarrest Internet Security)
- dotDefender (Applicure Technologies)
- DynamicWeb Injection Check (DynamicWeb)
- EdgeCast Web Application Firewall (Verizon)
- ExpressionEngine (Ellislab WAF)
- FortiWeb Web Application Firewall (Fortinet)
- Gladius network WAF (Gladius)
- Google Web Services (G-Cloud)
- Grey Wizard Protection
- Incapsula Web Application Firewall (Incapsula/Imperva)
- INFOSAFE by http://7i24.com
- Instart Logic (Palo Alto)
- Janusec Application Gateway (WAF)
- Jiasule (WAF)
- Litespeed webserver Generic Protection
- Malcare (MalCare Security WAF)
- Open Source Web Application Firewall (Modsecurity)
- Mod Security (OWASP CSR)
- NexusGuard Security (WAF)
- Nginx Generic Protection
- Palo Alto Firewall (Palo Alto Networks)
- Anti Bot Protection (PerimeterX)
- pkSecurityModule (IDS)
- Powerful Firewall (MyBB plugin)
- Radware (AppWall WAF)
- RSFirewall (Joomla WAF)
- Sabre Firewall (WAF)
- SafeDog WAF (SafeDog)
- SecuPress (WordPress WAF)
- Imperva SecureSphere (Imperva)
- Shadow Daemon Opensource (WAF)
- Shield Security
- Website Security SiteGuard (Lite)
- SonicWALL Firewall (Dell)
- Squid Proxy (IDS)
- Stackpath WAF (StackPath)
- Stingray Application Firewall (Riverbed/Brocade)
- StrictHttpFirewall (WAF)
- Sucuri Firewall (Sucuri Cloudproxy)
- Teros Web Application Firewall (Citrix)
- UEWaf (UCloud)
- UrlScan (Microsoft)
- Varnish/CacheWall WAF
- Viettel WAF (Cloudrity)
- Wallarm WAF
- WatchGuard WAF
- WebKnight Application Firewall (AQTRONIX)
- IBM Security Access Manager (WebSEAL)
- West236 Firewall
- Wordfence (Feedjit)
- WTS-WAF (Web Application Firewall)
- Xuanwudun WAF
- Yundun Web Application Firewall (Yundun)
- Yunsuo Web Application Firewall (Yunsuo)
- Zscaler Cloud Firewall (WAF)
GitHub: https://github.com/Ekultek/WhatWaf
Author: Ekultek
License: GPLv3
WhatWaf Help
Usage:
./whatwaf -[u|l|b|g] VALUE|PATH|PATH|PATH [-p|--pl] PAYLOAD,..|PATH [--args]
Options:
optional arguments:
  -h, --help
        show this help message and exit

mandatory arguments:
  arguments that have to be passed for the program to run

  -u URL, --url URL
        Pass a single URL to detect the protection
  -l PATH, --list PATH, -f PATH, --file PATH
        Pass a file containing URL's (one per line) to detect the protection
  -b FILE-PATH, --burp FILE-PATH
        Pass a Burp Suite request file to perform WAF evaluation
  -g GOOGLER-JSON-FILE, --googler GOOGLER-JSON-FILE
        Pass a JSON file from the Googler CMD line tool (IE googler -n 100 --json >> googler.json)

request arguments:
  arguments that will control your requests

  --pa USER-AGENT
        Provide your own personal agent to use it for the HTTP requests
  --ra
        Use a random user-agent for the HTTP requests (*default=whatwaf/2.0.3 (Language=3.9.2; Platform=Linux))
  -H HEADER=VALUE,HEADER:VALUE.., --headers HEADER=VALUE,HEADER:VALUE..
        Add your own custom headers to the request. To use multiple separate headers by comma. Your headers need to be exact(IE: Set-Cookie=a345ddsswe,X-Forwarded-For:127.0.0.1) (*default=None)
  --proxy PROXY
        Provide a proxy to run behind in the format type://address:port (IE socks5://10.54.127.4:1080) (*default=None)
  --tor
        Use Tor as the proxy to run behind, must have Tor installed (*default=False)
  --check-tor
        Check your Tor connection (default=False)
  -p PAYLOADS, --payloads PAYLOADS
        Provide your own payloads separated by a comma IE AND 1=1,AND 2=2
  --pl PAYLOAD-LIST-PATH
        Provide a file containing a list of payloads 1 per line
  --force-ssl
        Force the assignment of HTTPS instead of HTTP while processing (*default=HTTP unless otherwise specified by URL)
  --throttle THROTTLE-TIME
        (seconds) Provide a sleep time per request (*default=0)
  --timeout TIMEOUT
        Control the timeout time of the requests (*default=15)
  -P, --post
        Send a POST request (*default=GET)
  -D POST-STRING, --data POST-STRING
        Send this data with the POST request (*default=random)
  -t threaded, --threads threaded
        Send requests in parallel (specify number of threads (*default=1)
  -tP CONFIGTORPORT, --tor-port CONFIGTORPORT
        Change the port that Tor runs on (*default=9050)
  -T, --test
        Test the connection to the website before starting (*default=True)

encoding options:
  arguments that control the encoding of payloads

  -e PAYLOAD [TAMPER-SCRIPT-LOAD-PATH ...], --encode PAYLOAD [TAMPER-SCRIPT-LOAD-PATH ...]
        Encode a provided payload using provided tamper script(s) you are able to payy multiple tamper script load paths to this argument and the payload will be tampered as requested
  -el PATH TAMPER-SCRIPT-LOAD-PATH, --encode-list PATH TAMPER-SCRIPT-LOAD-PATH
        Encode a file containing payloads (one per line) by passing the path and load path, files can only encoded using a single tamper script load path

output options:
  arguments that control how WhatWaf handles output

  -F, --format
        Format the output into a dict and display it
  -J, --json
        Send the output to a JSON file
  -Y, --yaml
        Send the output to a YAML file
  -C, --csv
        Send the output to a CSV file
  --fingerprint
        Save all fingerprints for further investigation
  --tamper-int INT
        Control the amount of tampers that are displayed (*default=5)
  --traffic FILENAME
        store all HTTP traffic headers into a file of your choice
  --force-file
        Force the creation of a file even if there is no protection identified
  -o DIR, --output DIR
        Save a copy of the file to an arbitrary directory

database arguments:
  arguments that pertain to Whatwafs database

  -c, --url-cache
        Check against URL's that have already been cached into the database before running them saves some time on scanning multiple (*default=False)
  -uC, --view-url-cache
        Display all the URL cache inside of the database, this includes the netlock, tamper scripts, webserver, and identified protections
  -pC, --payload-cache
        View all payloads that have been cached inside of the database
  -vC, --view-cache
        View all the cache in the database, everything from URLs to payloads
  --export FILE-TYPE
        Export the already encoded payloads to a specified file type and save them under the home directory

wizard arguments:
  arguments that have to do with building scripts

misc arguments:
  arguments that don't fit in any other category

  --verbose
        Run in verbose mode (more output)
  --hide
        Hide the banner during the run
  --update
        Update WhatWaf to the newest development version
  --save FILENAME
        Save the encoded payloads into a file
  --skip
        Skip checking for bypasses and just identify the firewall
  --verify-num INT
        Change the request amount to verify if there really is not a WAF present(*default=5)
  -W, --determine-webserver
        Attempt to determine what web server is running on the backend (IE Apache, Nginx, etc.. *default=False)
  --wafs
        Output a list of possible firewalls that can be detected by WhatWaf
  --tampers
        Output a list of tamper script load paths with their description
  -M, --mine
        Pass this flag to mine XMR for you and the whatwaf development team
All available tamper scripts, 36 in total:
---------------------------------------------------------------------------
Load path:                              | Description:
---------------------------------------------------------------------------
content.tampers.apostrephemask          | hiding an apostrophe by its UTF equivalent
content.tampers.apostrephenullify       | hiding the apostrophe by passing it with a NULL character
content.tampers.appendnull              | appending a NULL byte to the end of the payload
content.tampers.base64encode            | encoding the payload into its base64 equivalent
content.tampers.booleanmask             | mask the booleans with their symbolic counterparts
content.tampers.doubleurlencode         | double URL encoding the payload characters
content.tampers.enclosebrackets         | enclosing numbers into brackets
content.tampers.escapequotes            | escaping quotes with slashes
content.tampers.lowercase               | turning the payload into its lowercase equivalent
content.tampers.maskenclosebrackets     | enclosing brackets and masking an apostrophe around the character in the brackets
content.tampers.modsec                  | putting the payload in-between a comment with obfuscation in it
content.tampers.modsecspace2comment     | obfuscating payload by passing it between comments with obfuscation and changing spaces to comments
content.tampers.obfuscatebyhtmlcomment  | obfuscating script tags with HTML comments'
content.tampers.obfuscatebyhtmlentity   | changing the payload characters into their HTML entities
content.tampers.obfuscatebyordinal      | changing certain characters in the payload into their ordinal equivalent
content.tampers.prependnull             | pre-pending a NULL character at the start of the payload
content.tampers.randomcase              | changing the character case of the payload randomly with either upper or lower case
content.tampers.randomcomments          | implanting random comments into the payload
content.tampers.randomdecoys            | add decoy tags to the script
content.tampers.randomjunkcharacters    | adding random junk characters into the payload to bypass regex based protection
content.tampers.randomtabify            | replacing the spaces in the payload with either the tab character or eight spaces
content.tampers.randomunicode           | inserting random UTF-8 characters into the payload
content.tampers.randomwildcard          | changing characters into a wildcard
content.tampers.space2comment           | changing the spaces in the payload into a comment
content.tampers.space2doubledash        | changing the spaces in the payload into double dashes
content.tampers.space2hash              | changing the payload spaces to obfuscated hashes with a newline
content.tampers.space2multicomment      | change the payload spaces to a random amount of spaces obfuscated with a comment
content.tampers.space2null              | changing the spaces in the payload into a NULL character
content.tampers.space2plus              | changing the spaces in the payload into a plus sign
content.tampers.space2randomblank       | changing the payload spaces to random ASCII blank characters
content.tampers.tabifyspacecommon       | replacing the payloads spaces with tab character (\t)
content.tampers.tabifyspaceuncommon     | replacing the spaces in the payload with 8 spaces to simulate a tab character
content.tampers.tripleurlencode         | triple URL encoding the payload characters
content.tampers.uppercase               | changing the payload into its uppercase equivalent
content.tampers.urlencode               | encoding punctuation characters by their URL encoding equivalent
content.tampers.urlencodeall            | encoding all characters in the payload into their URL encoding equivalent
---------------------------------------------------------------------------
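Every tamper in the table above relies on the same weakness: a rule that matches the literal text of a payload instead of its canonical form. As an added example, not part of WhatWaf, here is the defender-side counterpart: a normaliser that undoes the URL-encoding family (urlencode, doubleurlencode, tripleurlencode), HTML entities (obfuscatebyhtmlentity), inline comments (space2comment, space2multicomment, modsec-style wrapping), the space substitutes (space2plus, space2null, tabifyspacecommon, tabifyspaceuncommon, randomtabify, space2randomblank), NULL padding (prependnull, appendnull) and case games (randomcase, uppercase, lowercase) before a signature is applied. The `SAMPLES` dictionary holds hand-constructed tampered variants of the page's own `AND 1=1` payload; the signature regex is a deliberately simple illustration, not a production rule.

```python
import html
import re
from urllib.parse import unquote_plus

# Inline SQL comments as inserted by the space2comment / modsec style tampers.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# Characters the space2* / tabify* / *null tampers substitute for a space.
_SPACE_SUBSTITUTES_RE = re.compile(r"[\x00 \t\r\n\x0b\x0c]+")

def normalize(payload: str, max_decode_rounds: int = 4) -> str:
    """Collapse a tampered payload to a canonical form for signature matching."""
    s = payload
    # 1. Decode URL encoding repeatedly: urlencode, doubleurlencode and
    #    tripleurlencode all peel off in turn; unquote_plus also folds
    #    '+' (space2plus) back to a space.
    for _ in range(max_decode_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # 2. HTML entities (obfuscatebyhtmlentity) back to their characters.
    s = html.unescape(s)
    # 3. Inline comments become a single space, so 'AND/**/1' reads 'AND 1'.
    s = _COMMENT_RE.sub(" ", s)
    # 4. NUL bytes, tabs and blank runs (space2null, tabify*, randomtabify,
    #    space2randomblank, prependnull, appendnull) become one space each.
    s = _SPACE_SUBSTITUTES_RE.sub(" ", s)
    # 5. Trim, collapse whitespace and fold case (randomcase, uppercase, lowercase).
    return " ".join(s.split()).upper()

# Deliberately simple illustration of a rule applied AFTER normalisation.
SQLI_SIGNATURE = re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b")

def matches_sqli(payload: str) -> bool:
    return bool(SQLI_SIGNATURE.search(normalize(payload)))

# Constructed tampered variants of the page's own "AND 1=1" payload.
SAMPLES = {
    "urlencode":          "AND%201%3D1",
    "doubleurlencode":    "AND%25201%253D1",
    "tripleurlencode":    "AND%2525201%25253D1",
    "space2comment":      "AND/**/1=1",
    "space2plus":         "AND+1=1",
    "space2null":         "AND\x001=1",
    "tabifyspacecommon":  "AND\t1=1",
    "tabifyspaceuncommon": "AND        1=1",
    "obfuscatebyhtmlentity": "AND&#32;1&#61;1",
    "randomcase":         "aNd 1=1",
    "prependnull":        "\x00AND 1=1",
    "appendnull":         "AND 1=1\x00",
}

def normalized_samples() -> dict:
    """Normalise every constructed sample; each should come back as 'AND 1=1'."""
    return {name: normalize(value) for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for name, canonical in normalized_samples().items():
        print(f"{name:22} -> {canonical!r}  flagged={matches_sqli(SAMPLES[name])}")
    print("benign:", matches_sqli("hello world"))   # False
```

The decode loop is bounded on purpose: an unbounded "decode until stable" step is itself a denial-of-service vector against the filter. Techniques from the table that this normaliser does not cover (randomjunkcharacters, randomunicode, randomwildcard, booleanmask, obfuscatebyordinal) are exactly the ones where a regex rule cannot be rescued by normalisation alone and a parser-aware engine is needed.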
Argument descriptions
Optional arguments
These arguments aren't really important, but they're good to mention
- -h/--help: Prints the help menu and exits. This will also be the default if no other flags are passed
Mandatory arguments
These arguments have to be passed in order for whatwaf to run
- -u URL, --url URL: Pass a single URL to detect the protection
- -l PATH, --list PATH, -f PATH, --file PATH: Pass a file containing URL's (one per line) to detect the protection
- -b FILE-PATH, --burp FILE-PATH: Pass a Burp Suite request file to perform WAF evaluation
Request arguments
These arguments control your HTTP requests, along with your headers
- --pa: Pass a personal User-Agent in the form of a string to replace the default User-Agent. It is up to you to make sure your User-Agent is in the right format.
- --ra: Passing this flag will grab a random User-Agent out of content/files/user_agents.txt; there are a total of 4,195 User-Agents available to be chosen from.
- --proxy: Pass a proxy to run behind. WhatWaf is compatible with most proxy types, such as:
  - socks5
  - socks4
  - http
  - https
- --tor: Pass this flag to use Tor as your proxy. Please be advised that this requires you to have Tor installed on your system and running. It will assume that Tor is on port 9050 and try to connect there.
- -p/--payloads: Provide your own payloads for the detection requests. Payloads must be separated by a comma, IE -p="AND 1=1,OR 2=2". This way WhatWaf will be able to determine the list by a common denominator.
- --pl: Pass a textual file containing payloads (one per line); WhatWaf will enumerate these payloads and use each one for detection requests. It is advised to run behind a proxy or use proxychains if you are going to use this method.
- --force-ssl: Passing this flag will force the URL to run behind HTTPS instead of HTTP.
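Two of the request arguments take small structured strings: -H expects `HEADER=VALUE,HEADER:VALUE..` and --proxy expects `type://address:port`, with the accepted proxy types described by the regex `(socks\d+)?(http(s)?)?://`. The following is an added example, not WhatWaf's own parsing code, showing how those two formats can be parsed into what a Python HTTP client (the `headers=` and `proxies=` keyword arguments of `requests`) expects. It also shows one caveat worth knowing about the page's regex: both groups in it are optional, so a value with no scheme at all, such as `://10.54.127.4:1080`, still matches; `STRICT_PROXY_RE` is this example's own stricter alternative. The sample values are the ones from the help text.

```python
import re

# The pattern quoted on the page, as written.
PAGE_PROXY_RE = re.compile(r"(socks\d+)?(http(s)?)?://")

# Stricter alternative (an assumption of this example): a scheme is
# mandatory, and host and port must both be present.
STRICT_PROXY_RE = re.compile(
    r"^(?P<scheme>socks\d+|https?)://(?P<host>[^\s/:]+):(?P<port>\d{1,5})$"
)

def page_regex_accepts(proxy: str) -> bool:
    """Does the page's regex accept this string at its start?"""
    return PAGE_PROXY_RE.match(proxy) is not None

def proxy_settings(proxy: str):
    """Validate a type://address:port string and return the dict a requests
    call takes as proxies=...; None if the string is rejected."""
    m = STRICT_PROXY_RE.match(proxy)
    if m is None:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:
        return None
    # The same proxy serves both schemes of the target URL.
    return {"http": proxy, "https": proxy}

def parse_headers(spec: str) -> dict:
    """Parse 'HEADER=VALUE,HEADER:VALUE..' into a dict.

    Each entry is split at the first '=' or ':' that appears, whichever comes
    first, so a cookie value such as 'Cookie=session=abc' keeps its inner '='.
    A comma inside a value cannot be expressed in this format at all.
    """
    headers = {}
    if not spec:
        return headers
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        separators = [i for i in (item.find("="), item.find(":")) if i > 0]
        if not separators:
            raise ValueError(f"header entry without separator: {item!r}")
        cut = min(separators)
        name, value = item[:cut].strip(), item[cut + 1:].strip()
        headers[name] = value
    return headers

if __name__ == "__main__":
    print(parse_headers("Set-Cookie=a345ddsswe,X-Forwarded-For:127.0.0.1"))
    print(proxy_settings("socks5://10.54.127.4:1080"))
    print(page_regex_accepts("://10.54.127.4:1080"))   # True: no scheme, still matches
    print(proxy_settings("://10.54.127.4:1080"))       # None under the strict pattern
```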
Encoding options
Arguments that control the encoding of payloads
- -e PAYLOAD TAMPER-SCRIPT-LOAD-PATH, --encode PAYLOAD TAMPER-SCRIPT-LOAD-PATH: Encode a provided payload using a provided tamper script
- -el PATH TAMPER-SCRIPT-LOAD-PATH, --encode-list PATH TAMPER-SCRIPT-LOAD-PATH: Encode a file containing payloads (one per line) by passing the path and load path
Output options
Arguments that control how WhatWaf handles output
- -F, --format: Format the output into a dict and display it
- -J, --json: Send the output to a JSON file
- -Y, --yaml: Send the output to a YAML file
- -C, --csv: Send the output to a CSV file
Database arguments
Arguments that have to do with WhatWafs database
- -c, --url-cache: Check URLs against those already cached in the database before running them; this saves some time when scanning multiple targets (*default=False)
- -uC, --view-url-cache: Display all the URL cache inside of the database; this includes the netloc, tamper scripts, webserver, and identified protections
- -pC, --payload-cache: View all payloads that have been cached inside of the database
- -vC, --view-cache: View all the cache in the database, everything from URLs to payloads
- --export FILE-TYPE: Export the already encoded payloads to a specified file type and save them under the home directory
Misc arguments
Arguments that don't really fit into any other category
- --verbose: Run in verbose mode (more output)
- --hide: Hide the banner during the run
- --update: Update WhatWaf to the newest development version
- --save FILENAME: Save the encoded payloads into a file
- --skip: Skip checking for bypasses and just identify the firewall
- --verify-num INT: Change the default amount (5) of requests used to verify that there really is no WAF present
WhatWaf Usage Example
Identify the web application firewall and find bypasses for apple.com (-u https://apple.com):
python3 ./whatwaf -u https://apple.com
Identify the web application firewall and find ways to bypass the specified site (-u https://wise.com) using the Tor network as a proxy server (--tor):
sudo systemctl start tor
python3 ./whatwaf -u https://wise.com --tor
Determine the protection of the web application of the specified site (-u https://www.ebay.com), try to determine the type of web server (-W), use the specified User Agent for requests (--pa 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36'):
python3 ./whatwaf -u https://www.ebay.com -W --pa 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36'
How to install WhatWaf
Installation on Kali Linux
sudo apt install python3-pip
git clone https://github.com/ekultek/whatwaf
cd whatwaf
sudo pip3 install -r requirements.txt
At launch, you can run the executable without specifying a Python version:
./whatwaf --help
But it is recommended to specify the Python version explicitly, since the dependencies were not installed for Python 2:
python3 ./whatwaf --help
Installation on Debian, Linux Mint, Ubuntu
sudo apt update
sudo apt install git python3-pip
git clone https://github.com/ekultek/whatwaf
cd whatwaf
sudo pip3 install -r requirements.txt
It is not necessary to specify the Python version at launch:
./whatwaf --help
But it is recommended to specify the Python version explicitly, since the dependencies were not installed for Python 2:
python3 ./whatwaf --help
Installation on BlackArch
The program is pre-installed on BlackArch. To install in minimal builds run:
sudo pacman -S whatwaf
WhatWaf Screenshots
WhatWaf Tutorials
Coming soon…