WAF Detection
ID: waf-detect
Severity: info
Author: dwisiswant0,lu4nx
Tags: waf,tech,misc
Description
Section titled “Description”A web application firewall was detected.
YAML Source
Section titled “YAML Source”id: waf-detect
info: name: WAF Detection author: dwisiswant0,lu4nx severity: info description: A web application firewall was detected. reference: - https://github.com/Ekultek/WhatWaf classification: cwe-id: CWE-200 metadata: max-request: 1 tags: waf,tech,misc
http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
_=<script>alert(1)</script>
matchers: - type: regex name: instart regex: - '(?i)instartrequestid' part: body
- type: regex name: perimx regex: - '(?i)access.to.this.page.has.been.denied.because.we.believe.you.are.using.automation.tool' - '(?i)http(s)?://(www.)?perimeterx.\w+.whywasiblocked' - '(?i)perimeterx' - '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js' condition: or part: response
- type: regex name: webknight regex: - '(?i)\bwebknight' - '(?i)webknight' condition: or part: response
- type: regex name: zscaler regex: - '(?i)zscaler(.\d+(.\d+)?)?' - '(?i)zscaler' condition: or part: response
- type: regex name: fortigate regex: - '(?i).>powered.by.fortinet<.' - '(?i).>fortigate.ips.sensor<.' - '(?i)fortigate' - '(?i).fgd_icon' - '(?i)\AFORTIWAFSID=' - '(?i)application.blocked.' - '(?i).fortiGate.application.control' - '(?i)(http(s)?)?://\w+.fortinet(.\w+:)?' - '(?i)fortigate.hostname' - '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information' condition: or part: response
- type: regex name: teros regex: - '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?=' condition: or part: header
- type: regex name: stricthttp regex: - '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string' condition: or part: response
- type: regex name: stricthttp regex: - '(?i)rejected.by.url.scan' - '(?i)/rejected.by.url.scan' condition: or part: response
- type: regex name: shadowd regex: - '(?i)<h\d>\d{3}.forbidden<.h\d>' - '(?i)request.forbidden.by.administrative.rules.' condition: and part: response
- type: regex name: bigip regex: - '(?i)\ATS\w{4,}=' - '(?i)bigipserver(.i)?|bigipserverinternal' - '(?i)^TS[a-zA-Z0-9]{3,8}=' - '(?i)BigIP|BIG-IP|BIGIP' - '(?i)bigipserver' condition: or part: response
- type: regex name: edgecast regex: - '(?i)\Aecdf' condition: or part: response
- type: regex name: radware regex: - '(?i).\bcloudwebsec.radware.com\b.' - '(?i).>unauthorized.activity.has.been.detected<.' - '(?i)with.the.following.case.number.in.its.subject:.\d+.' condition: or part: response
- type: regex name: varnish regex: - '(?i)varnish' - '(?i).>.?security.by.cachewall.?<.' - '(?i)cachewall' - '(?i).>access.is.blocked.according.to.our.site.security.policy.<+' condition: or part: response
- type: regex name: infosafe regex: - '(?i)infosafe' - '(?i)by.(http(s)?(.//)?)?7i24.(com|net)' - '(?i)infosafe.\d.\d' - '(?i)var.infosafekey=' condition: or part: response
- type: regex name: aliyundun regex: - '(?i)error(s)?.aliyun(dun)?.(com|net)' - '(?i)http(s)?://(www.)?aliyun.(com|net)' condition: or part: response
- type: regex name: malcare regex: - '(?i)malcare' - '(?i).>login.protection<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?' - '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?' condition: or part: response
- type: regex name: wts regex: - '(?i)(<title>)?wts.wa(f)?(\w+(\w+(\w+)?)?)?' part: response
- type: regex name: dw regex: - '(?i)dw.inj.check' part: response
- type: regex name: denyall regex: - '(?i)\Acondition.intercepted' - '(?i)\Asessioncookie=' condition: or part: response
- type: regex name: yunsuo regex: - '(?i)<img.class=.yunsuologo.' - '(?i)yunsuo.session' condition: or part: response
- type: regex name: litespeed regex: - '(?i)litespeed.web.server' part: response
- type: regex name: cloudfront regex: - '(?i)[a-zA-Z0-9]{,60}.cloudfront.net' - '(?i)cloudfront' - '(?i)x.amz.cf.id|nguardx' condition: or part: response
- type: regex name: anyu regex: - '(?i)sorry.{1,2}your.access.has.been.intercept(ed)?.by.anyu' - '(?i)anyu' - '(?i)anyu-?.the.green.channel' condition: or part: response
- type: regex name: googlewebservices regex: - '(?i)your.client.has.issued.a.malformed.or.illegal.request' - '(?i)our.systems.have.detected.unusual.traffic' - '(?i)block(ed)?.by.g.cloud.security.policy.+' condition: or part: response
- type: regex name: didiyun regex: - '(?i)(http(s)?://)(sec-waf.|www.)?didi(static|yun)?.com(/static/cloudwafstatic)?' - '(?i)didiyun' condition: or part: response
- type: regex name: blockdos regex: - '(?i)blockdos\.net' part: response
- type: regex name: codeigniter regex: - '(?i)the.uri.you.submitted.has.disallowed.characters' part: response
- type: regex name: stingray regex: - '(?i)\AX-Mapping-' part: response
- type: regex name: west263 regex: - '(?i)wt\d*cdn' part: response
- type: regex name: aws regex: - '(?i)<RequestId>[0-9a-zA-Z]{16,25}<.RequestId>' - '(?i)<Error><Code>AccessDenied<.Code>' - '(?i)x.amz.id.\d+' - '(?i)x.amz.request.id' condition: or part: response
- type: regex name: yundun regex: - '(?i)YUNDUN' - '(?i)^yd.cookie=' - '(?i)http(s)?.//(www\.)?(\w+.)?yundun(.com)?' - '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>' condition: or part: response
- type: regex name: barracuda regex: - '(?i)\Abarra.counter.session=?' - '(?i)(\A|\b)?barracuda.' - '(?i)barracuda.networks.{1,2}inc' condition: or part: response
- type: regex name: dodenterpriseprotection regex: - '(?i)dod.enterprise.level.protection.system' part: response
- type: regex name: secupress regex: - '(?i)<h\d*>secupress<.' - '(?i)block.id.{1,2}bad.url.contents.<.' condition: or part: response
- type: regex name: aesecure regex: - '(?i)aesecure.denied.png' part: response
- type: regex name: incapsula regex: - '(?i)incap_ses|visid_incap' - '(?i)incapsula' - '(?i)incapsula.incident.id' condition: or part: response
- type: regex name: nexusguard regex: - '(?i)nexus.?guard' - '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage' condition: or part: response
- type: regex name: cloudflare regex: - '(?i)cloudflare.ray.id.|var.cloudflare.' - '(?i)cloudflare.nginx' - '(?i)..cfduid=([a-z0-9]{43})?' - '(?i)cf[-|_]ray(..)?([0-9a-f]{16})?[-|_]?(dfw|iad)?' - '(?i).>attention.required!.\|.cloudflare<.+' - '(?i)http(s)?.//report.(uri.)?cloudflare.com(/cdn.cgi(.beacon/expect.ct)?)?' - '(?i)ray.id' - '(?i)__cfduid' condition: or part: response
- type: regex name: akamai regex: - '(?i).>access.denied<.' - '(?i)akamaighost' - '(?i)ak.bmsc.' condition: or part: response
- type: regex name: webseal regex: - '(?i)webseal.error.message.template' - '(?i)webseal.server.received.an.invalid.http.request' condition: or part: response
- type: regex name: dotdefender regex: - '(?i)dotdefender.blocked.your.request' part: response
- type: regex name: pk regex: - '(?i).>pkSecurityModule\W..\WSecurity.Alert<.' - '(?i).http(s)?.//([w]{3})?.kitnetwork.\w' - '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.' condition: or part: response
- type: regex name: expressionengine regex: - '(?i).>error.-.expressionengine<.' - '(?i).>:.the.uri.you.submitted.has.disallowed.characters.<.' - '(?i)invalid.(get|post).data' condition: or part: response
- type: regex name: comodo regex: - '(?i)protected.by.comodo.waf' part: response
- type: regex name: ciscoacexml regex: - '(?i)ace.xml.gateway' part: response
- type: regex name: barikode regex: - '(?i).>barikode<.' - '(?i)<h\d{1}>forbidden.access<.h\d{1}>' condition: or part: response
- type: regex name: watchguard regex: - '(?i)(request.denied.by.)?watchguard.firewall' - '(?i)watchguard(.technologies(.inc)?)?' condition: or part: response
- type: regex name: binarysec regex: - '(?i)x.binarysec.via' - '(?i)x.binarysec.nocache' - '(?i)binarysec' condition: or part: response
- type: regex name: bekchy regex: - '(?i)bekchy.(-.)?access.denied' - '(?i)(http(s)?://)(www.)?bekchy.com(/report)?' condition: or part: response
- type: regex name: bitninja regex: - '(?i)bitninja' - '(?i)security.check.by.bitninja' - '(?i).>visitor.anti(\S)?robot.validation<.' condition: or part: response
- type: regex name: apachegeneric regex: - '(?i)apache' - '(?i).>you.don.t.have.permission.to.access+' - '(?i)was.not.found.on.this.server' - '(?i)<address>apache/([\d+{1,2}](.[\d+]{1,2}(.[\d+]{1,3})?)?)?' - '(?i)<title>403 Forbidden</title>' condition: or part: response
- type: regex name: greywizard regex: - '(?i)greywizard(.\d.\d(.\d)?)?' - '(?i)grey.wizard.block' - '(?i)(http(s)?.//)?(\w+.)?greywizard.com' - '(?i)grey.wizard' condition: or part: response
- type: regex name: configserver regex: - '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+' part: response
- type: regex name: viettel regex: - '(?i)<title>access.denied(...)?viettel.waf</title>' - '(?i)viettel.waf.system' - '(?i)(http(s).//)?cloudrity.com(.vn)?' condition: or part: response
- type: regex name: safedog regex: - '(?i)(http(s)?)?(://)?(www|404|bbs|\w+)?.safedog.\w' - '(?i)waf(.?\d+.?\d+)' condition: or part: response
- type: regex name: baidu regex: - '(?i)yunjiasu.nginx' part: response
- type: regex name: alertlogic regex: - '(?i).>requested.url.cannot.be.found<.' - '(?i)proceed.to.homepage' - '(?i)back.to.previous.page' - "(?i)we('re|.are)?sorry.{1,2}but.the.page.you.are.looking.for.cannot" - '(?i)reference.id.?' - '(?i)page.has.either.been.removed.{1,2}renamed' condition: or part: response
- type: regex name: armor regex: - '(?i)blocked.by.website.protection.from.armour' part: response
- type: regex name: dosarrest regex: - '(?i)dosarrest' - '(?i)x.dis.request.id' condition: or part: response
- type: regex name: paloalto regex: - 'has.been.blocked.in.accordance.with.company.policy' - '.>Virus.Spyware.Download.Blocked<.' condition: or part: response
- type: regex name: aspgeneric regex: - '(?i)this.generic.403.error.means.that.the.authenticated' - '(?i)request.could.not.be.understood' - '(?i)<.+>a.potentially.dangerous.request(.querystring)?.+' - '(?i)runtime.error' - '(?i).>a.potentially.dangerous.request.path.value.was.detected.from.the.client+' - '(?i)asp.net.sessionid' - '(?i)errordocument.to.handle.the.request' - '(?i)an.application.error.occurred.on.the.server' - '(?i)error.log.record.number' - '(?i)error.page.might.contain.sensitive.information' - "(?i)<.+>server.error.in.'/'.application.+" - '(?i)\basp.net\b' condition: or part: response
- type: regex name: powerful regex: - '(?i)Powerful Firewall' - '(?i)http(s)?...tiny.cc.powerful.firewall' condition: or part: response
- type: regex name: uewaf regex: - '(?i)http(s)?.//ucloud' - '(?i)uewaf(.deny.pages)' condition: or part: response
- type: regex name: janusec regex: - '(?i)janusec' - '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)' condition: or part: response
- type: regex name: siteguard regex: - '(?i)>Powered.by.SiteGuard.Lite<' - '(?i)refuse.to.browse' condition: or part: response
- type: regex name: sonicwall regex: - '(?i)This.request.is.blocked.by.the.SonicWALL' - '(?i)Dell.SonicWALL' - '(?i)Web.Site.Blocked.+\bnsa.banner' - '(?i)SonicWALL' - '(?i).>policy.this.site.is.blocked<.' condition: or part: response
- type: regex name: jiasule regex: - '(?i)^jsl(_)?tracking' - '(?i)(__)?jsluid(=)?' - '(?i)notice.jiasule' - '(?i)(static|www|dynamic).jiasule.(com|net)' condition: or part: response
- type: regex name: nginxgeneric regex: - '(?i)nginx' - '(?i)you.do(not|n.t)?.have.permission.to.access.this.document' condition: or part: response
- type: regex name: stackpath regex: - '(?i)action.that.triggered.the.service.and.blocked' - '(?i)<h2>sorry,.you.have.been.blocked.?<.h2>' condition: or part: response
- type: regex name: sabre regex: part: response
- type: regex name: wordfence regex: - '(?i)generated.by.wordfence' - '(?i)your.access.to.this.site.has.been.limited' - '(?i).>wordfence<.' condition: or part: response
- type: regex name: '360' regex: - '(?i).wzws.waf.cgi.' - '(?i)wangzhan\.360\.cn' - '(?i)qianxin.waf' - '(?i)360wzws' - '(?i)transfer.is.blocked' condition: or part: response
- type: regex name: asm regex: - '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.' condition: or part: response
- type: regex name: rsfirewall regex: - '(?i)com.rsfirewall.403.forbidden' - '(?i)com.rsfirewall.event' - '(?i)(\b)?rsfirewall(\b)?' - '(?i)rsfirewall' condition: or part: response
- type: regex name: sucuri regex: - '(?i)access.denied.-.sucuri.website.firewall' - '(?i)sucuri.webSite.firewall.-.cloudProxy.-.access.denied' - '(?i)questions\?.+cloudproxy@sucuri\.net' - '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?' condition: or part: response
- type: regex name: airlock regex: - '(?i)\Aal[.-]?(sess|lb)=?' part: response
- type: regex name: xuanwudun regex: - '(?i)class=.(db)?waf.?(-row.)?>' part: response
- type: regex name: chuangyudun regex: - '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)' part: response
- type: regex name: securesphere regex: - '(?i)<h2>error<.h2>' - '(?i)<title>error<.title>' - '(?i)<b>error<.b>' - '(?i)<td.class="(errormessage|error)".height="[0-9]{1,3}".width="[0-9]{1,3}">' - '(?i)the.incident.id.(is|number.is).' - '(?i)page.cannot.be.displayed' - '(?i)contact.support.for.additional.information' condition: or part: response
- type: regex name: anquanbao regex: - '(?i).aqb_cc.error.' part: response
- type: regex name: modsecurity regex: - '(?i)ModSecurity|NYOB' - '(?i)mod_security' - '(?i)this.error.was.generated.by.mod.security' - '(?i)web.server at' - '(?i)page.you.are.(accessing|trying)?.(to|is)?.(access)?.(is|to)?.(restricted)?' - '(?i)blocked.by.mod.security' condition: or part: response
- type: regex name: modsecurityowasp regex: - '(?i)not.acceptable' - '(?i)additionally\S.a.406.not.acceptable' condition: or part: response
- type: regex name: squid regex: - '(?i)squid' - '(?i)Access control configuration prevents' - '(?i)X.Squid.Error' condition: or part: response
- type: regex name: shieldsecurity regex: - '(?i)blocked.by.the.shield' - '(?i)transgression(\(s\))?.against.this' - '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate' condition: or part: response
- type: regex name: wallarm regex: - '(?i)nginix.wallarm' part: response
- type: regex part: response name: huaweicloud condition: and regex: - '(?)content="CloudWAF"' - 'Server: CloudWAF' - 'Set-Cookie: HWWAFSESID='
- type: word name: safe3webfirewall part: header words: - "safe3 Web Firewall"
- type: word name: safedog part: header words: - "X-Safe-Firewall" - "safedog-flow" condition: or
- type: word name: squarespace part: header words: - "Squarespace" - "Firewall_action" condition: and
- type: word name: yunsuo part: body words: - "yunsuologo"
- type: word name: godaddywebprotection part: body words: - "GoDaddy Security" - "seal.godaddy.com" - "GoDaddy security" condition: or
- type: word name: transipwebfirewall part: header words: - "X-TransIP-Balancer"
- type: word name: xlabssecuritywaf part: header words: - "Secured: By XLabs Security"
- type: word name: shieldonfirewall part: header words: - "X-Protected-By: shieldon.io"# digest: 490a00463044022039bf0948c5b4367c6955e389fa039464d3d988e34124e676c1301afd85bd2078022040b67db73df9498cd3e7158ab9ca342099d085958cd8468e8124241d7fc84019:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/technologies/waf-detect.yaml"