200 lines
7.4 KiB
HTML
200 lines
7.4 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
|
|
<meta http-equiv="X-Content-Type-Options" content="nosniff">
|
|
<link rel="stylesheet" href="../assets/css/style.css">
|
|
<link rel="icon" type="image/x-icon" href="../favicon.ico">
|
|
<script>
|
|
// Apply theme immediately to prevent flash
|
|
(function() {
|
|
const theme = localStorage.getItem('theme') ||
|
|
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
|
|
document.documentElement.setAttribute('data-theme', theme);
|
|
})();
|
|
</script>
|
|
<title>wafw00f Cheatsheet - Cheatsheets - Launch Pad</title>
|
|
</head>
|
|
<body>
|
|
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
|
|
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
|
|
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
|
|
</button>
|
|
<br/><br/>
|
|
<div class="name">
|
|
__ _______________________ _________._________________________
|
|
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
|
|
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
|
|
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
|
|
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
|
|
\/ \/ \/ \/ \/ \/ \/
|
|
</div>
|
|
<div class="blog-page-header">
|
|
<div class="blog-header-content">
|
|
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
|
|
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
|
|
</a>
|
|
<h1 class="blog-page-title">wafw00f Cheatsheet</h1>
|
|
</div>
|
|
</div>
|
|
<div class="blog-post-container">
|
|
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
|
|
<div class="blog-post">
|
|
<div class="blog-post-content">
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
<hr>
|
|
<p>WAFW00F (Web Application Firewall Detection Tool) identifies and fingerprints Web Application Firewalls (WAF) protecting a website. It can detect over 150 WAF products.</p>
|
|
<hr>
|
|
<h2>Basic Usage</h2>
|
|
<ul>
|
|
<li>wafw00f <url> - Detect WAF on target</li>
|
|
</ul>
|
|
<ul>
|
|
<li>wafw00f https://example.com - Scan single target</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Options</h2>
|
|
<ul>
|
|
<li>-a, --findall - Find all WAFs (don't stop at first match)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-i, --input <file> - Read targets from file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-p, --proxy <proxy> - Use HTTP proxy</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-r, --random - Randomize User-Agent</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-t, --test <waf> - Test for specific WAF</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-o, --output <file> - Output to file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-f, --format <format> - Output format (csv, json, txt)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-v, --verbose - Verbose output</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-l, --list - List all detectable WAFs</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-H, --headers <file> - Custom headers from file</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Common Examples</h2>
|
|
<h3>Basic Detection</h3>
|
|
<pre><code>wafw00f https://example.com</code></pre>
|
|
<p>Detect WAF on target.</p>
|
|
<h3>Find All WAFs</h3>
|
|
<pre><code>wafw00f -a https://example.com</code></pre>
|
|
<p>Don't stop at first detection.</p>
|
|
<h3>Multiple Targets</h3>
|
|
<pre><code>wafw00f -i targets.txt</code></pre>
|
|
<p>Scan multiple targets from file.</p>
|
|
<h3>Test Specific WAF</h3>
|
|
<pre><code>wafw00f -t Cloudflare https://example.com</code></pre>
|
|
<p>Check for specific WAF only.</p>
|
|
<h3>JSON Output</h3>
|
|
<pre><code>wafw00f -f json -o results.json https://example.com</code></pre>
|
|
<p>Save results as JSON.</p>
|
|
<h3>CSV Output</h3>
|
|
<pre><code>wafw00f -f csv -o results.csv https://example.com</code></pre>
|
|
<p>Save results as CSV.</p>
|
|
<h3>Verbose Mode</h3>
|
|
<pre><code>wafw00f -v https://example.com</code></pre>
|
|
<p>Show detailed detection process.</p>
|
|
<h3>Through Proxy</h3>
|
|
<pre><code>wafw00f -p http://127.0.0.1:8080 https://example.com</code></pre>
|
|
<p>Route through Burp Suite.</p>
|
|
<h3>List All Detectable WAFs</h3>
|
|
<pre><code>wafw00f -l</code></pre>
|
|
<p>Show all WAFs the tool can detect.</p>
|
|
<hr>
|
|
<h2>Common WAFs Detected</h2>
|
|
<ul>
|
|
<li>Cloudflare</li>
|
|
<li>Akamai</li>
|
|
<li>AWS WAF</li>
|
|
<li>ModSecurity</li>
|
|
<li>F5 BIG-IP</li>
|
|
<li>Imperva/Incapsula</li>
|
|
<li>Sucuri</li>
|
|
<li>Barracuda</li>
|
|
<li>Fortinet FortiWeb</li>
|
|
<li>Citrix NetScaler</li>
|
|
<li>DenyAll</li>
|
|
<li>Radware AppWall</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Detection Methods</h2>
|
|
<p>WAFW00F uses several techniques:</p>
|
|
<ul>
|
|
<li>Analyzing response headers</li>
|
|
<li>Analyzing response cookies</li>
|
|
<li>Sending malicious payloads and checking response</li>
|
|
<li>Checking for known WAF error messages</li>
|
|
<li>Timing analysis</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Output Example</h2>
|
|
<pre><code> ______
|
|
/ \
|
|
( W00f! )
|
|
\ ____/
|
|
,, __ 404 Conditions
|
|
|`-.__ / / _
|
|
/" _/ /_/ _ _ / |
|
|
( o ) o) / / / | / _ )
|
|
\_ _/ `"" | / / | / /
|
|
("`-"_.\_ / / / | /\_/
|
|
(____) \__/ | \_\
|
|
|
|
The site https://example.com is behind Cloudflare (Cloudflare Inc.) WAF.</code></pre>
|
|
<hr>
|
|
<h2>Tips</h2>
|
|
<ul>
|
|
<li>Use -a to detect multiple WAFs (some sites use layered protection)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Knowing the WAF helps choose bypass techniques</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Some WAFs are harder to detect than others</li>
|
|
</ul>
|
|
<ul>
|
|
<li>False positives can occur - verify findings</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Run early in recon to know what you're dealing with</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Check both HTTP and HTTPS endpoints</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use JSON output for automation</li>
|
|
</ul>
|
|
<ul>
|
|
<li>WAF presence doesn't mean site is secure</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Always get authorization before scanning</li>
|
|
</ul>
|
|
<hr>
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script async type="text/javascript" src="../blog/analytics.js"></script>
|
|
<script src="../theme.js"></script>
|
|
</body>
|
|
</html>
|