How to Detect Which WAF is Protecting a Website: An Ethical Hacker's Guide

Hey friend! I'm so glad you're here. 👋 As an ethical hacker, knowing whether a website is protected by a Web Application Firewall (WAF) can make or break your ability to conduct accurate security testing.

These defensive systems actively analyze traffic, blocking attacks targeting vulnerabilities. They can also passively log threats for future investigation. Identifying and fingerprinting the specific WAF used by a site allows us to better adapt our penetration testing methodologies.

By the end of this guide, you'll be able to determine which WAF solution (if any!) stands as sentinel guarding web apps and APIs. I'll cover:

  • Exactly what purpose WAFs serve and why detecting them matters
  • Manual techniques to spot WAF fingerprints during reconnaissance
  • Open source and commercial tools that automate WAF identification
  • Methods for evading or bypassing WAF defenses
  • Ethical considerations for testing permission and reporting

Let's dig in! This knowledge will serve you well, grasshopper 😉

Understanding Web Application Firewalls

A WAF serves as an intermediary security layer designed explicitly to protect web apps, APIs, and websites from exploits that target common vulnerabilities.

For example, a WAF can analyze all HTTP requests to a web server for malicious payloads designed to trigger SQL injection, cross-site scripting (XSS), and other attacks targeting known weaknesses.

WAF solutions like Cloudflare, Akamai, Barracuda, Imperva, and others give site owners powerful filtering capabilities tailored to their unique stack:

(Image: Cloudflare WAF dashboard)

  • Virtual patching for unpatched vulnerabilities
  • IP reputation monitoring for requests from suspicious addresses
  • Signature detection for known malicious scripts and programs
  • Heuristic analysis for signals of emerging threats

Having a WAF provides immediate protection against automated attacks and buys time to fix the underlying coding errors, but it is a compensating control, not a substitute for the fix.

Some statistics showing the growing WAF adoption:

  • Over 30% of major sites use a WAF, according to security testing vendor ImmuniWeb
  • WAF market revenue is projected to exceed $4 billion by 2025, according to Fortune Business Insights
  • Cloudflare, one of the largest WAF vendors, reports blocking an average of 77 billion cyber threats per day

Why Detecting WAFs Matters for Penetration Testing

The presence and choice of a site's WAF gives us tremendous insight during security assessments:

  • Enumerate filtering rules to avoid detection and blocking
  • Identify areas protected vs unprotected by WAF
  • Focus testing on vulnerabilities still exposed
  • Avoid wasting time attacking known protected inputs
  • Customize evasion techniques based on WAF capabilities

Essentially, identifying and fingerprinting the WAF sets the stage for smarter penetration testing focused on the remaining weak points, rather than blindly fuzzing every input and getting your source IP blocked ten minutes in.

Now let's examine some manual analysis techniques to spot clues indicating use of a protective WAF…

Manual Techniques to Identify WAFs

Carefully inspecting traffic and behavior often reveals whether a WAF is present, and frequently which one, without sending anything that would trigger an alarm.

Check HTTP Response Headers

Many WAF and CDN products add recognizable HTTP response headers or cookies, for example:

X-CDN: Incapsula Content Delivery Network
Server: Barracuda NextGen Firewall
Set-Cookie: AWSELB=<alphanumeric>;Secure;HttpOnly

Read these carefully, though. The first two name the product outright, but a cookie such as AWSELB only proves that an AWS Elastic Load Balancer is in the path, not that AWS WAF is attached to it. More generally, a vendor header proves the vendor's edge is in front of the site, not that its WAF rules are switched on.

Using the telnet command we can manually connect and examine headers. Remember that the empty line after the Host header is what ends the request; for HTTPS-only sites (most sites today) use openssl s_client on port 443 the same way, or curl with the -I option:

$ telnet example.com 80
GET / HTTP/1.1
Host: example.com

Analyze the response for any headers indicating a defensive intermediary.

I'll demonstrate with a sample HTTP exchange:

HTTP/1.1 200 OK
Date: Mon, 16 Jan 2023 21:33:41 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=<alphanumeric>; expires=Wed, 15-Feb-23 21:33:41 GMT; path=/; domain=.example.com; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=61
Pragma: public
Expires: Mon, 16 Jan 2023 21:34:42 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare
CF-RAY: 783fd278ab302f48-BOS
Content-Encoding: br
Content-Length: 78

Here the Server: cloudflare header, the CF-RAY header and the __cfduid cookie show the site is proxied through Cloudflare. 🛡️ Two caveats: Cloudflare stopped setting __cfduid in 2021, so on a current site expect CF-RAY plus cookies like __cf_bm or cf_clearance instead; and being behind Cloudflare's proxy does not by itself prove the WAF is enabled, since that is a separately configured feature. Confirm with the behavioral checks later in this section.
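To make the header check repeatable, here is an added example (my own code, not part of the original post or of any tool it mentions) that parses a raw HTTP response like the one above and matches header values and cookie names against a small hand-written signature table. The table is deliberately a subset of well-known public markers and should be extended from a maintained source such as wafw00f's plugin directory. Note what the labels say: a Cloudflare or Akamai marker proves the vendor's edge is in the path, not that its WAF is enabled, and an AWSELB cookie proves only a load balancer.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ParsedResponse:
    status: int
    headers: dict                                   # lower-case name -> [values]
    cookies: list = field(default_factory=list)     # cookie names from Set-Cookie


def parse_response(raw: str) -> ParsedResponse:
    """Parse the status line and headers of a raw HTTP/1.x response."""
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: dict = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                                # tolerate junk lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    cookies = [c.split("=", 1)[0].strip() for c in headers.get("set-cookie", [])]
    return ParsedResponse(status, headers, cookies)


# Hand-written subset of public signatures (an assumption: extend it from a
# maintained source). Each entry: label, header-value regexes, header names
# whose mere presence is telling, and a cookie-name regex. The labels state
# what the evidence actually proves.
SIGNATURES = [
    ("Cloudflare (proxied; WAF may be disabled)",
     {"server": r"^cloudflare$"}, {"cf-ray"}, r"^(__cfduid|__cf_bm|cf_clearance)$"),
    ("Imperva Incapsula WAF",
     {"x-cdn": r"incapsula"}, {"x-iinfo"}, r"^(visid_incap_|incap_ses_)"),
    ("Akamai (edge; Kona WAF may be disabled)",
     {"server": r"akamaighost"}, {"x-akamai-transformed"}, None),
    ("Sucuri CloudProxy WAF",
     {"server": r"sucuri"}, {"x-sucuri-id"}, None),
    ("F5 BIG-IP ASM (TS cookie)",
     {}, set(), r"^TS[0-9a-fA-F]{3,8}$"),
    ("AWS Elastic Load Balancing (load balancer only, not AWS WAF)",
     {}, set(), r"^(AWSELB|AWSALB|AWSALBCORS)$"),
]


def fingerprint(resp: ParsedResponse) -> list:
    """Return the label of every signature that matches the response."""
    hits = []
    for label, value_res, present, cookie_re in SIGNATURES:
        matched = any(
            any(re.search(rx, v, re.I) for v in resp.headers.get(h, []))
            for h, rx in value_res.items()
        )
        matched = matched or any(h in resp.headers for h in present)
        matched = matched or (cookie_re is not None and
                              any(re.match(cookie_re, c) for c in resp.cookies))
        if matched:
            hits.append(label)
    return hits


# Constructed sample: the Cloudflare exchange from the text, condensed.
CLOUDFLARE_SAMPLE = """HTTP/1.1 200 OK
Date: Mon, 16 Jan 2023 21:33:41 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=d41d8cd98f00b204e9800998ecf8427e; path=/; HttpOnly
Server: cloudflare
CF-RAY: 783fd278ab302f48-BOS
Content-Length: 78

<html>...</html>"""

# Constructed sample: an ELB cookie alone proves a load balancer, not a WAF.
ELB_SAMPLE = """HTTP/1.1 200 OK
Set-Cookie: AWSELB=ABC123; Secure; HttpOnly
Server: nginx
Content-Length: 0

"""

if __name__ == "__main__":
    for raw in (CLOUDFLARE_SAMPLE, ELB_SAMPLE):
        r = parse_response(raw)
        print(r.status, fingerprint(r) or ["no known edge/WAF markers"])
```

Feed it the output of your telnet or curl session and treat an empty result as "no known markers", not as "no WAF": plenty of deployments strip vendor headers, which is exactly why the behavioral checks later in this section exist.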

Investigate Error Page Content

Intentionally sending attack-shaped input can reveal the WAF through its block page: most products answer a request they deny with their own branded or otherwise distinctive error page instead of passing the request on to the application.

For example, a textbook SQL injection probe such as ' OR 1=1-- in a query parameter may be blocked by the WAF, which responds with its branded error page:

(Image: Imperva Incapsula WAF error page)

Probe manually and watch the responses closely: block pages often name the WAF outright, and even unbranded ones tend to have a fixed size and wording you can recognize across sites.

Review JavaScript Files

Browse the JavaScript files served by the site for metadata and code comments that point to a protective intermediary. Proxy-based services often tag the scripts they inject into pages.

For example:

// Added by Cloudflare Rocket Loader during optimization and minification 
// https://www.cloudflare.com/rocket-loader/

Scan the page sources for such tags, and script or challenge URLs under /cdn-cgi/ are another Cloudflare tell. Keep in mind that a performance feature like Rocket Loader proves only that Cloudflare is in front of the site; its WAF is a separate, optional feature.

Analyze Responses From Suspicious Requests

Craft a sequence of requests containing attack-shaped input, such as a SQL injection string, a script tag, or a path traversal sequence, placed in a parameter the application actually accepts. Study the HTTP status codes, response bodies, headers, and timing.

Compare each against a baseline benign request to the same endpoint. Differences that appear only when the payload is present indicate an intermediary inspecting traffic.

This method probes which kinds of input change the application's behavior, so you can match the observed pattern against known WAF rule sets.

For example, harmless requests may return 200 OK while requests carrying an XSS payload come back 403 Forbidden (406 and 429 are also common) with a short, generic body. That points to pattern-based blocking in front of the application. A 500 on the same payload more often means the request got through and broke something in the application itself, which is a different, and usually more interesting, finding.
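Added example (not from the original post): the differential probing just described, as a small script. It compares a benign baseline response with responses to four textbook attack-shaped inputs and classifies each according to the rule of thumb above. The offline sample responses are constructed; the fetch helper and the probe strings are my own choices, and the block-code set and the 50% body-shrink threshold are heuristics for the tester to tune, not WAF facts.

```python
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class Resp:
    """The parts of a response we compare: status, body text, Server header."""
    status: int
    body: str
    server: str = ""


# Status codes WAF products commonly use for denied requests (heuristic).
BLOCK_CODES = {403, 406, 429, 501}

# Constructed probe set: textbook attack-shaped strings, one per rule family.
PROBES = {
    "sqli": "' OR 1=1--",
    "xss": "<script>alert(1)</script>",
    "traversal": "../../../../etc/passwd",
    "cmdi": "; cat /etc/passwd",
}


def classify(baseline: Resp, probe: Resp) -> str:
    """Verdict for one probe relative to the benign baseline."""
    if probe.status in BLOCK_CODES and baseline.status not in BLOCK_CODES:
        return "blocked"        # classic WAF deny response
    if probe.status >= 500 and baseline.status < 500:
        return "app-error"      # payload reached the application and broke it
    if probe.server and probe.server != baseline.server:
        return "blocked"        # a different device answered (e.g. an edge block page)
    if probe.status != baseline.status:
        return "changed"        # redirect or other difference; look at it manually
    shrink = 1 - len(probe.body) / max(len(baseline.body), 1)
    if shrink > 0.5:
        return "suspicious"     # same status but far shorter body: often a 200 block page
    return "passed"


def analyze(baseline: Resp, probes: dict) -> dict:
    """Map each probe name to its verdict."""
    return {name: classify(baseline, r) for name, r in probes.items()}


def waf_likely(verdicts: dict) -> bool:
    """Any blocked or suspicious probe means something is filtering in front."""
    return any(v in ("blocked", "suspicious") for v in verdicts.values())


def fetch(url: str, param: str, value: str, timeout: float = 10.0) -> Resp:
    """Live helper: GET url with param=value; 4xx/5xx are returned, not raised."""
    sep = "&" if "?" in url else "?"
    full = url + sep + urllib.parse.urlencode({param: value})
    req = urllib.request.Request(full, headers={"User-Agent": "Mozilla/5.0"})
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as r:
            return Resp(r.status, r.read().decode("utf-8", "replace"),
                        r.headers.get("Server", ""))
    except urllib.error.HTTPError as e:
        return Resp(e.code, e.read().decode("utf-8", "replace"),
                    e.headers.get("Server", ""))


# Constructed offline sample: a filtering proxy denies the SQLi and XSS
# probes, lets the traversal string through, and the cmdi string reaches
# the application and triggers a 500.
BASELINE = Resp(200, "<html>" + "x" * 2000 + "</html>", "nginx")
SAMPLE_PROBES = {
    "sqli": Resp(403, "<html>Access Denied</html>", "cloudflare"),
    "xss": Resp(403, "<html>Access Denied</html>", "cloudflare"),
    "traversal": Resp(200, BASELINE.body, "nginx"),
    "cmdi": Resp(500, "Internal Server Error", "nginx"),
}

if __name__ == "__main__":
    if len(sys.argv) == 3:                  # usage: python waf_probe.py URL PARAM
        url, param = sys.argv[1], sys.argv[2]
        base = fetch(url, param, "hello")
        live = {n: fetch(url, param, v) for n, v in PROBES.items()}
        verdicts = analyze(base, live)
    else:
        verdicts = analyze(BASELINE, SAMPLE_PROBES)
    for name, verdict in verdicts.items():
        print(f"{name:10} {verdict}")
    print("WAF likely:", waf_likely(verdicts))
```

Run it with no arguments to see the constructed sample, or with a URL and parameter name against a target you have written permission to test. The "app-error" verdict is the one to write up separately: it says the filter did not stop that input.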

Leveraging Automated Scanners and Tools

Manually detecting subtle signs of a WAF in raw traffic can prove difficult and time consuming. Thankfully there are great open source and commercial tools to help!

WAFW00F Scanner

WAFW00F is an extremely popular WAF detection utility included in Kali Linux and many other pen testing distros.

It first sends a normal request and looks for known header and cookie signatures; if nothing matches, it sends a handful of attack-like requests and compares how the responses change. Basic usage:

wafw00f www.example.com

WAFW00F automatically tests behavior changes upon suspicious requests and matches identified patterns against a database of known WAF signatures.

I highly recommend running WAFW00F scans early in reconnaissance to quickly confirm any intermediary filters.

Here‘s a sample report output:

Detectify | WAFW00F v2.1.0 
[+] The site www.example.com is behind KnownSec KS-WAF (Knownsec)
[#] Number of requests: 9

Easy to install, run, and automate – fantastic tool!

WhatWaf Scanner

For more extensive WAF detection capabilities I suggest WhatWaf.

This utility actively probes the target with payloads crafted to trigger common WAF rule sets and keeps going until it has identified the intermediary firewall. 😎 Once it has a name, it can run tamper scripts (encoders and obfuscators) against the target to look for bypasses.

Basic usage:

python whatwaf.py -u https://www.example.com

Here‘s a sample report output showing granular detail on the identified firewall software:

(Image: WhatWaf sample report)

WhatWaf can generate heavy traffic so use judiciously and only with clear permission!

Many other excellent open source or commercial WAF scanners exist as well – do your research for more options!

Consider Commercial Alternatives

While open source scanners are fantastic, commercial solutions like Barracuda's WSSON or Detectify provide additional capabilities:

  • Updated vulnerability signatures
  • Extensive WAF rule databases
  • Advanced evasion techniques
  • User friendly reporting

For critical infrastructure or regulated environments, commercial tools may prove a wise investment.

Bypassing WAF Protection

Once we've confirmed requests are filtered by an intermediary WAF, the next logical pen testing step is attempting to bypass or circumvent its protection.

Common tactics include:

IP Rotation – WAFs often block a source IP after a handful of suspicious requests. Rotating the source address, or proxying through a VPN or Tor, lets probing continue; it also tells you the WAF has rate-based rules, which belongs in the report.

Payload Encoding – Transforming a payload so it no longer matches the WAF's patterns while the application still decodes it to the same thing: URL and double URL encoding, HTML entities, Unicode or case variation, and inserted comments or whitespace. The payload has to survive the application's own decoding, so you need to understand how the target parses its input.

Traffic Routing – Sending traffic from a source the WAF treats as trusted, typically the tester IP range the client has allow-listed for the engagement, so you test the application itself rather than the WAF's ability to hide its flaws.

Request Tampering – Moving the payload to a different position (another parameter, a header, a cookie, or the request body instead of the query string) or changing the HTTP method or Content-Type can slip past rules that only inspect the expected location.
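The Payload Encoding tactic, as an added example that is not part of the original post: a deliberately naive regex rule that inspects the raw parameter, five encoded variants of a textbook XSS probe, and the same rule applied after normalization (bounded repeated URL-decoding, HTML-unescaping, lower-casing), which is what production WAF engines do before matching. The rule, payload and encodings are constructed for illustration; the point is that the encoded forms pass the naive rule only because it looks at input before the application decodes it.

```python
import html
import re
import urllib.parse

# Deliberately naive "WAF rule": a case-sensitive search for the literal tag
# in the raw, still-encoded parameter value, as a poorly written rule might.
NAIVE_RULE = re.compile(r"<script")

PAYLOAD = "<script>alert(1)</script>"   # textbook probe, constructed here


def naive_waf_blocks(raw_param: str) -> bool:
    """Match the rule against the parameter exactly as it arrived."""
    return bool(NAIVE_RULE.search(raw_param))


def variants(payload: str) -> dict:
    """Encoded forms of one payload that an application may decode back
    to the original before using it."""
    once = urllib.parse.quote(payload, safe="")
    return {
        "plain": payload,
        "url": once,
        "double_url": urllib.parse.quote(once, safe=""),
        "html_entity": "".join(f"&#{ord(c)};" for c in payload),
        "mixed_case": "".join(c.upper() if i % 2 else c.lower()
                              for i, c in enumerate(payload)),
    }


def normalize(raw_param: str, max_rounds: int = 3) -> str:
    """What a sound filter does before matching: URL-decode until stable
    (bounded, so nested encoding cannot stall it), then HTML-unescape and
    lower-case, so the rule sees roughly what the application will see."""
    s = raw_param
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return html.unescape(s).lower()


def hardened_waf_blocks(raw_param: str) -> bool:
    """The same rule, applied to the normalized form."""
    return bool(NAIVE_RULE.search(normalize(raw_param)))


def compare(payload: str) -> dict:
    """For each variant: (naive rule fires?, normalizing rule fires?)."""
    return {name: (naive_waf_blocks(v), hardened_waf_blocks(v))
            for name, v in variants(payload).items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare(PAYLOAD).items():
        print(f"{name:12} naive={'block' if naive else 'PASS '} "
              f"normalized={'block' if hardened else 'PASS '}")
```

Only the plain form trips the naive rule; every variant trips the normalizing one. When a real WAF lets an encoded variant through, you have learned something about its transformation pipeline, and that observation, not the payload, is the finding to report.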

However, I cannot repeat this enough – only attempt bypassing security controls if you have explicit written permission!

Provide a complete report including any identified vulnerabilities or misconfigurations to the site owner.

WAF evasion is extremely delicate work, and every blocked request is logged somewhere. Move slowly and tread lightly, friend. 😊

Ethical Hacking Begins With Permission

I want to briefly cover the legal and ethical considerations when WAF fingerprinting and penetration testing:

  • Always get signed permission in scope statements before any security testing
  • Alert infrastructure owners beforehand to avoid outages
  • Use rate limiting and throttles to minimize disruption
  • Report all identified vulnerabilities responsibly

Also know that actively working to bypass security controls without permission counts as unlawful hacking in many jurisdictions.

I strongly encourage pursuing formal certifications like the EC-Council's Certified Ethical Hacker credential, which covers best practices.

Ultimately we must empower defenders, not undermine them!

Now go forth, young padawan! 🧙‍♂️ I wish you success detecting those elusive WAFs! Ping me if you have any other questions on responsible testing.

Hurry up! 😎
