forked from Ekultek/WhatWaf

Detect and bypass web application firewalls and protection systems


crudooper/WhatWaf


WhatWaf?

WhatWaf is an advanced firewall detection tool whose goal is to give you an answer to "There's a WAF?". WhatWaf works by detecting a firewall on a web application and then attempting to find a bypass (or two) for that firewall on the specified target.

_SIDE-NOTE: Thanks to Ekultek, from whom this repo is forked. I made a few personal additions._

Helpful links


Possible Detectable Firewalls

whatwaf --wafs

                             ,------.
                            '  .--.  '
   ,--.   .--.   ,--.   .--.|  |  |  |
   |  |   |  |   |  |   |  |'--'  |  |
   |  |   |  |   |  |   |  |    __.  |
   |  |.'.|  |   |  |.'.|  |   |   .'
   |         |   |         |   |___|
   |   ,'.   |hat|   ,'.   |af .---.
   '--'   '--'   '--'   '--'   '---'
/><s/**/cript>alert("WhatWaf?<|>v1.8($stable)");</scrip/**/t>

[00:58:55][INFO] gathering a list of possible detectable wafs
360 Web Application Firewall (360)
aeSecure (WAF)
Airlock (Phion/Ergon)
AkamaiGHost Website Protection (Akamai Global Host)
Alert Logic (SIEMless Threat Management)
AliYunDun (WAF)
Anquanbao Web Application Firewall (Anquanbao)
AnYu Web Application Firewall (Anyu Technologies)
Apache Generic
Armor Protection (Armor Defense)
Application Security Manager (F5 Networks)
ASP.NET Generic Website Protection (MS)
Apache Traffic Server (ATS web proxy)
Amazon Web Services Web Application Firewall (Amazon)
Yunjiasu Web Application Firewall (Baidu)
Barikode Web Application Firewall
Barracuda Web Application Firewall (Barracuda Networks)
Bekchy (WAF)
BIG-IP (F5 Networks)
BinarySEC Web Application Firewall (BinarySEC)
Bitninja (WAF)
BlockDos DDoS protection (BlockDos)
Chuangyu top government cloud defense platform (WAF)
Cisco ACE XML Firewall (Cisco)
CloudFlare Web Application Firewall (CloudFlare)
CloudFront Firewall (Amazon)
XSS/CSRF Filtering Protection (CodeIgniter)
Comodo Web Application Firewall (Comodo)
IBM Websphere DataPower Firewall (IBM)
Deny All Web Application Firewall (DenyAll)
DiDiYun WAF (DiDi)
DoD Enterprise-Level Protection System (Department of Defense)
DOSarrest (DOSarrest Internet Security)
dotDefender (Applicure Technologies)
DynamicWeb Injection Check (DynamicWeb)
EdgeCast Web Application Firewall (Verizon)
ExpressionEngine (Ellislab WAF)
FortiWeb Web Application Firewall (Fortinet)
Gladius network WAF (Gladius)
Google Web Services
Grey Wizard Protection
Incapsula Web Application Firewall (Incapsula/Imperva)
INFOSAFE by https://7i24.com
Instart Logic (Palo Alto)
Janusec Application Gateway (WAF)
Jiasule (WAF)
Litespeed webserver Generic Protection
Malcare (MalCare Security WAF)
Open Source Web Application Firewall (Modsecurity)
Mod Security (OWASP CSR)
NexusGuard Security (WAF)
Nginx Generic Protection
Palo Alto Firewall (Palo Alto Networks)
Anti Bot Protection (PerimeterX)
pkSecurityModule (IDS)
Powerful Firewall (MyBB plugin)
Radware (AppWall WAF)
RSFirewall (Joomla WAF)
Sabre Firewall (WAF)
SafeDog WAF (SafeDog)
SecuPress (Wordpress WAF)
Shadow Daemon Opensource (WAF)
Shield Security
Website Security SiteGuard (Lite)
SonicWALL Firewall (Dell)
Squid Proxy (IDS)
Stingray Application Firewall (Riverbed/Brocade)
StrictHttpFirewall (WAF)
Sucuri Firewall (Sucuri Cloudproxy)
Teros Web Application Firewall (Citrix)
UEWaf (UCloud)
UrlScan (Microsoft)
Varnish/CacheWall WAF
Viettel WAF (Cloudrity)
Wallarm WAF
WebKnight Application Firewall (AQTRONIX)
IBM Security Access Manager (WebSEAL)
West236 Firewall
Wordfence (Feedjit)
WTS-WAF (Web Application Firewall)
Xuanwudun WAF
Yundun Web Application Firewall (Yundun)
Yunsuo Web Application Firewall (Yunsuo)
Zscaler Cloud Firewall (WAF)
[00:58:55][INFO] WhatWaf can detect a total of 86 web application protection systems

Possible Tampers


                          ,------.
                         '  .--.  '
,--.   .--.   ,--.   .--.|  |  |  |
|  |   |  |   |  |   |  |'--'  |  |
|  |   |  |   |  |   |  |    __.  |
|  |.'.|  |   |  |.'.|  |   |   .'
|         |   |         |   |___|
|   ,'.   |hat|   ,'.   |af .---.
'--'   '--'   '--'   '--'   '---'
"/><sCRIPT>ALeRt("WhatWaf?<|>v1.6.2($dev)");</scRiPT>

[15:02:29][INFO] gathering available tamper script load paths
---------------------------------------------------------------------------
Load path:                                |  Description:
---------------------------------------------------------------------------
content.tampers.apostrephemask            |  hiding an apostrophe by its UTF equivalent
content.tampers.apostrephenullify         |  hiding the apostrophe by passing it with a NULL character
content.tampers.appendnull                |  appending a NULL byte to the end of the payload
content.tampers.base64encode              |  encoding the payload into its base64 equivalent
content.tampers.booleanmask               |  mask the booleans with their symbolic counterparts
content.tampers.doubleurlencode           |  double URL encoding the payload characters
content.tampers.enclosebrackets           |  enclosing numbers into brackets
content.tampers.escapequotes              |  escaping quotes with slashes
content.tampers.lowercase                 |  turning the payload into its lowercase equivalent
content.tampers.maskenclosebrackets       |  enclosing brackets and masking an apostrophe around the character in the brackets
content.tampers.modsec                    |  putting the payload in-between a comment with obfuscation in it
content.tampers.modsecspace2comment       |  obfuscating payload by passing it between comments with obfuscation and changing spaces to comments
content.tampers.obfuscatebyhtmlcomment    |  obfuscating script tags with HTML comments
content.tampers.obfuscatebyhtmlentity     |  changing the payload characters into their HTML entities
content.tampers.obfuscatebyordinal        |  changing certain characters in the payload into their ordinal equivalent
content.tampers.prependnull               |  pre-pending a NULL character at the start of the payload
content.tampers.randomcase                |  changing the character case of the payload randomly with either upper or lower case
content.tampers.randomcomments            |  implanting random comments into the payload
content.tampers.randomdecoys              |  add decoy tags to the script
content.tampers.randomjunkcharacters      |  adding random junk characters into the payload to bypass regex based protection
content.tampers.randomtabify              |  replacing the spaces in the payload with either the tab character or eight spaces
content.tampers.randomunicode             |  inserting random UTF-8 characters into the payload
content.tampers.randomwildcard            |  changing characters into a wildcard
content.tampers.space2comment             |  changing the spaces in the payload into a comment
content.tampers.space2doubledash          |  changing the spaces in the payload into double dashes
content.tampers.space2hash                |  changing the payload spaces to obfuscated hashes with a newline
content.tampers.space2multicomment        |  change the payload spaces to a random amount of spaces obfuscated with a comment
content.tampers.space2null                |  changing the spaces in the payload into a NULL character
content.tampers.space2plus                |  changing the spaces in the payload into a plus sign
content.tampers.space2randomblank         |  changing the payload spaces to random ASCII blank characters
content.tampers.tabifyspacecommon         |  replacing the payload's spaces with the tab character (\t)
content.tampers.tabifyspaceuncommon       |  replacing the spaces in the payload with 8 spaces to simulate a tab character
content.tampers.tripleurlencode           |  triple URL encoding the payload characters
content.tampers.uppercase                 |  changing the payload into its uppercase equivalent
content.tampers.urlencode                 |  encoding punctuation characters by their URL encoding equivalent
content.tampers.urlencodeall              |  encoding all characters in the payload into their URL encoding equivalent
---------------------------------------------------------------------------
[15:02:29][INFO] total of 36 tamper scripts available
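The tamper scripts listed above are exactly the evasions a detection rule has to see through. As an added example (not part of WhatWaf or its tamper modules), the Python below is a defender-side normaliser that reverses the listed tamper families before signature matching; the signature list and the sample payloads are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, unquote_plus

# Signatures are kept deliberately simple (constructed for this example):
# they are matched against the normalised form, not the raw request.
SIGNATURES = ("<script", "alert(", "union select", "' or 1=1")

_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)        # /**/, /*junk*/ (space2comment, randomcomments, modsec)
_HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)  # obfuscatebyhtmlcomment
_BLANK = re.compile(r"[\s\x00]+")                     # tabs, 8-space tabs, newlines, NUL bytes


def normalize(payload: str, max_decode_rounds: int = 4) -> str:
    """Return a canonical lowercase form of *payload*.

    Undoes the tamper families above in this order: urlencode /
    doubleurlencode / tripleurlencode (decode until stable; '+' -> space on
    the first round only, so a literal %2B survives), obfuscatebyhtmlentity,
    obfuscatebyhtmlcomment, the comment-based space tampers, appendnull /
    prependnull / space2null, randomtabify / tabifyspace*, and
    randomcase / uppercase / lowercase.
    """
    s = unquote_plus(payload)
    for _ in range(max_decode_rounds - 1):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = html.unescape(s)
    s = _HTML_COMMENT.sub("", s)
    s = _COMMENT.sub(" ", s)
    s = _BLANK.sub(" ", s).strip()
    return s.lower()


def matches(payload: str) -> list[str]:
    """Return the signatures hit by *payload* after normalisation.

    A second, whitespace-free view catches a token split by a comment
    (e.g. <s/**/cript>) that the spaced view alone would miss.
    """
    norm = normalize(payload)
    compact = norm.replace(" ", "")
    return [sig for sig in SIGNATURES
            if sig in norm or sig.replace(" ", "") in compact]
```

Run `matches()` over request parameters rather than the raw URL so that each field is decoded the same number of times the application will decode it.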

Basic Help Menu