Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: http-waf-detect - Script to detect WAF/IDS/IPS solutions
From: Richard Sammet <richard.sammet () googlemail com>
Date: Thu, 16 Jun 2011 08:59:49 +0200

Hey Paulino,

thanks for sharing this. Just one thing you should change in the
description: IDS Systems or IPS Systems which are only in detection
mode are not going to be identified by the script. The script can only
identify solutions which are actively altering the traffic.

Just to point this out before ppl start complaining about it ;)


Regards,
Richard


On Thu, Jun 16, 2011 at 7:37 AM, Paulino Calderon
<paulino () calderonpale com> wrote:
Hello nmap-dev,

   Here is my NSE script to determine if a http web server is protected by a
Web Application Firewall (WAF), Intrusion Detection System (IDS) or
Intrusion Prevention System (IPS). I'd be great if I can get some feedback
from users with access to other untested WAF/IDS/IPS products.

description = [[
Determines if a web server is protected by an IPS (Intrusion Prevention
System), IDS (Intrusion Detection System) or WAF (Web Application Firewall)

This script tries to determine if an IDS/IPS/WAF is protecting a http
server. To do this the script will send a "good" request and record the
response, afterwards it will match this response against new requests
containing malicious payloads. In theory, web applications shouldn't react
to
malicious requests because we are storing the payloads in a variable that is
not used by the script/file and only WAF/IDS/IPS should react to it.
If aggro mode is not on, the script will only do the minimum number of
requests (Most known/noisy vectors)

This script has been tested against:
 * Apache ModSecurity
 * Barracuda Web Application Firewall
 * PHPIDS

Since the majority of IDS/IPS/WAF's protect web applications in the same
way,
 it is likely that this script detects a lot more of these IDS/IPS/WAFs
solutions.
]]

---
-- @usage
-- nmap -p80 --script=../../http-waf-detect.nse
--script-args="http-waf-detect.aggro=2,http-waf-detect.path=/testphp.vulnweb.com/artists.php"
www.modsecurity.org
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_http-waf-detect: IDS/IPS/WAF detected
--
-- @args http-waf-detect.path Path to target. It is more effective if you
specify a path that doesn't return a redirect
-- @args http-waf-detect.aggro true/false . If aggro mode is on, script will
try all attack vectors to trigger the IDS/IPS/WAF
--
-- Other useful args when running this script
-- http.useragent User Agent for HTTP requests
-- http.pipeline Number of requests sent in the single request

Cheers.


--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]