What is a Web Application Firewall (WAF) & Its Implementations? How to Detect & Fingerprint a WAF?

A Web Application Firewall (WAF) protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

It inspects & filters malicious traffic coming to the server from the Internet.

It typically protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, SQL injection, brute force, API attacks, application DDoS, malicious bots, credential harvesting & others.

Nowadays the majority of applications have migrated to the web, so their security has become crucial as well as a challenge for security professionals.

Deploying a WAF places a shield between the web application & the Internet.

A WAF typically acts as a reverse web proxy: it sits in front of the original web server and hides it from the client.

A WAF operates through a set of rules called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic.

WAF (Web Application Firewall) Implementations

A WAF can be implemented in one of three ways: network based, host based or cloud based.

1. Network based WAF

A network based WAF is generally hardware based. Because it is installed locally it minimises latency, but it is expensive & also requires storage & maintenance. It is convenient to implement if you have a large number of web application servers in your data center.

2. Host based WAF

A host based WAF is fully integrated with the web application & is less expensive than a network based one. However, it uses a lot of local resources, is not a scalable solution & is difficult to maintain & administer.

3. Cloud based WAF

A cloud based WAF is easy to implement: you only have to change your DNS name servers so that traffic is redirected & users are forced to come through the cloud based WAF. It is cost effective, scalable, easy to administer & needs no maintenance. Besides this, such services offer newer threat updates & vulnerability protection.

How to Detect & Fingerprint a Website Running a WAF (Web Application Firewall) using Nmap Scripting Engine (NSE)?

We can detect whether a website is protected by a WAF & fingerprint which WAF it is using.

To perform the scan you need Nmap installed on your system; then follow the steps below.

i. For WAF Detection using Nmap Scripting Engine (NSE)

In this case, I’ll target my website, i.e., https://saraswatirepository.com, for WAF detection.

iamvsm@SaraswatiRepository:~$ nmap --script http-waf-detect saraswatirepository.com
Starting Nmap 7.90 ( https://nmap.org ) at 2020-10-12 05:40 UTC
Nmap scan report for saraswatirepository.com (104.24.102.173)
Host is up (0.13s latency).
Other addresses for saraswatirepository.com (not scanned): 104.24.103.173 172.67.181.107 2606:4700:3036::6818:66ad 2606:4700:3030::6818:67ad 2606:4700:3030::ac43:b56b
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
| http-waf-detect: IDS/IPS/WAF detected:
|_saraswatirepository.com:443/?p4yl04d3=<script>alert(document.cookie)</script>
8080/tcp open  http-proxy
8443/tcp open  https-alt
Nmap done: 1 IP address (1 host up) scanned in 14.66 seconds

As we can see from the script scan report above, the website saraswatirepository.com is using a WAF (Web Application Firewall) to protect it from malicious traffic requests & bots.

To detect the WAF, the Nmap script sends a request carrying JavaScript to the website; the p4yl04d3=<script>alert(document.cookie)</script> parameter in the report is that request.

Now, we’ll check which WAF (Web Application Firewall) it is using. To fingerprint it, use the script scan below.

ii. For WAF Fingerprint using Nmap Scripting Engine (NSE)

iamvsm@SaraswatiRepository:~$ nmap --script http-waf-fingerprint saraswatirepository.com
Starting Nmap 7.90 ( https://nmap.org ) at 2020-10-12 05:42 UTC
Nmap scan report for saraswatirepository.com (172.67.181.107)
Host is up (0.13s latency).
Other addresses for saraswatirepository.com (not scanned): 104.24.103.173 104.24.102.173 2606:4700:3030::ac43:b56b 2606:4700:3030::6818:67ad 2606:4700:3036::6818:66ad
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
| http-waf-fingerprint:
|   Detected WAF
|_    Cloudflare
443/tcp  open  https
8080/tcp open  http-proxy
8443/tcp open  https-alt
Nmap done: 1 IP address (1 host up) scanned in 10.04 seconds

As we can see from the script scan report above, the website saraswatirepository.com is using the Cloudflare WAF (Web Application Firewall).

Note: Cloudflare is a cloud based WAF service.

Similarly, you can detect & fingerprint the WAF (Web Application Firewall) of any website as a part of reconnaissance.
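
Seen from the defender's side, the http-waf-detect probe in the report above leaves a recognisable trace in web server access logs. The following is an added example, not code from the original post: it flags requests that carry the p4yl04d3 parameter or Nmap's default NSE User-Agent. The Combined Log Format, the function names and the sample log lines are assumptions made for illustration, and the User-Agent string is Nmap's default rather than a value from this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

PROBE_PARAM = "p4yl04d3"          # marker parameter visible in the scan report above
NSE_UA = "nmap scripting engine"  # default NSE User-Agent substring; spoofable, a hint only

# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (client_ip, status, reasons) for a probe-like request, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not in the assumed format: skip rather than guess
    reasons = []
    # parse_qsl percent-decodes parameter names, so an encoded marker still matches
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    if any(name.lower() == PROBE_PARAM for name, _ in params):
        reasons.append("probe-param")
    if NSE_UA in m["ua"].lower():
        reasons.append("nse-user-agent")
    return (m["ip"], int(m["status"]), reasons) if reasons else None

def scan(lines):
    """Collect every probe-like hit from an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit is not None]

NSE = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
# Constructed sample lines (documentation IP ranges); not taken from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2020:05:40:11 +0000] "GET /?p4yl04d3=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 403 1520 "-" "' + NSE + '"',
    '198.51.100.23 - - [12/Oct/2020:05:41:02 +0000] "GET /blog/?page=2 HTTP/1.1" 200 8312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [12/Oct/2020:05:42:30 +0000] "GET /?%704yl04d3=x HTTP/1.1" 403 1520 "-" "curl/7.68.0"',
    '203.0.113.7 - - [12/Oct/2020:05:42:31 +0000] "GET / HTTP/1.1" 200 5120 "-" "' + NSE + '"',
]

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        # The status shows how each probe was answered (blocked vs. served).
        print(f"{ip} status={status} signals={','.join(reasons)}")
```

On a cloud based WAF the same signals can be searched for in the provider's request logs; the client IP seen at the origin is then the WAF's address unless the forwarded-client header is logged.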

Recommendation

In the era of fast-growing internet threats, I personally recommend using a WAF (Web Application Firewall) in order to protect your website from malicious requests, vulnerabilities & automated bots.