- Penetration Testing Bootcamp
- Jason Beltrame
- 308 words
- 2021-07-02 21:35:59
Detecting a web application firewall
Network-based firewalls are not the only type of firewall you may discover along the way. Web Application Firewalls, or WAFs, are very commonly used to protect web-based applications. If you are unfamiliar with an environment, detecting a WAF can help lay out the web application infrastructure. To help us figure out this bit of information, we are going to utilize a tool called WAFW00F. WAFW00F can help you determine whether there is that extra layer of security prior to the web servers.
WAFW00F can detect the presence of a lot of different WAF types. By running the wafw00f command with the -l flag, you can see a list of the currently defined WAFs. Here is the current list from my lab. If one of these is not detected, don't fret; the wafw00f command will still inform you that a generic WAF has been detected:
Profense
NetContinuum
Incapsula WAF
CloudFlare
USP Secure Entry Server
Cisco ACE XML Gateway
Barracuda Application Firewall
Art of Defence HyperGuard
BinarySec
Teros WAF
F5 BIG-IP LTM
F5 BIG-IP APM
F5 BIG-IP ASM
F5 FirePass
F5 Trafficshield
InfoGuard Airlock
Citrix NetScaler
Trustwave ModSecurity
IBM Web Application Security
IBM DataPower
DenyALL WAF
Applicure dotDefender
Juniper WebApp Secure
Microsoft URLScan
Aqtronix WebKnight
eEye Digital Security SecureIIS
Imperva SecureSphere
Microsoft ISA Server
The wafw00f command is extremely straightforward to run. You just need to specify the URL that you would like to check. I have run two examples, to show you a site that matches one of the preceding WAF types, as well as one that just lets you know that one exists.
In this example, you can see that a WAF was detected, and the actual type was determined:

In the next example, wafw00f was unable to figure out the exact WAF being used but still lets you know one exists:
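
The following added example (not from the book, and not WAFW00F's own code) reproduces the two outcomes described above over constructed responses: a product-specific marker in the headers or cookies gives a named result, and a changed status code with no known marker gives a generic one. The marker patterns are assumed vendor defaults that an operator can rename or strip, and the function names are hypothetical.

```python
import re

# Response markers commonly documented for these products (assumed defaults;
# operators can rename or strip them). Product names follow the list above.
SIGNATURES = {
    "CloudFlare": [("header", "server", r"^cloudflare"), ("header", "cf-ray", r".+")],
    "F5 BIG-IP LTM": [("cookie", None, r"^BIGipServer")],
    "Incapsula WAF": [("cookie", None, r"^(visid_incap_|incap_ses_)")],
    "Citrix NetScaler": [("cookie", None, r"^(ns_af|citrix_ns_id)")],
}

def cookie_names(headers):
    """Return cookie names from a list of (name, value) header pairs."""
    return [v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"]

def match_vendor(headers):
    """Return the first product whose marker appears in the response headers."""
    names = cookie_names(headers)
    for product, rules in SIGNATURES.items():
        for kind, key, pattern in rules:
            if kind == "header":
                values = [v for k, v in headers if k.lower() == key]
            else:
                values = names
            if any(re.search(pattern, v, re.I) for v in values):
                return product
    return None

def classify(baseline, probe):
    """baseline/probe: dicts with 'status' and 'headers' for a normal request
    and for one the policy should block. Returns a product, 'Generic', or None."""
    product = match_vendor(baseline["headers"]) or match_vendor(probe["headers"])
    if product:
        return product
    # No known marker: a different status for the suspicious request still
    # shows that something in front of the web server is filtering.
    return "Generic" if probe["status"] != baseline["status"] else None

# Constructed sample responses (not captured from any real site).
NAMED = {"status": 200, "headers": [("Server", "nginx"),
         ("Set-Cookie", "BIGipServerpool_web=1234.5678; path=/")]}
PLAIN = {"status": 200, "headers": [("Server", "nginx")]}
BLOCKED = {"status": 403, "headers": [("Server", "nginx")]}

if __name__ == "__main__":
    for label, pair in [("named", (NAMED, NAMED)), ("generic", (PLAIN, BLOCKED)),
                        ("none", (PLAIN, PLAIN))]:
        print(label, "->", classify(*pair))
```

Running the same check against your own front end shows which identifying headers and cookies it exposes and whether the block response alone gives its presence away.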
