コード例 #1
ファイル: f5firepass.py プロジェクト: Aymdis/wafmap
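def is_waf(respDict):
    """Report whether the responses show F5 FirePass redirect/cookie markers.

    Every check is a ``(header name, regex)`` pair handed to
    ``match_type.match_header``. Cookie patterns are looked up under
    ``Set-Cookie``, the header a server uses to issue cookies; the
    ``Set-Cookies`` spelling is not an HTTP header name.

    NOTE(review): a lone ``VHOST`` or ``uRoamTestCookie`` cookie is enough for
    a positive result, so a hit is a hint about the product, not proof.
    """
    def cookie(pattern):
        # All cookie signatures share the same header name.
        return match_type.match_header(respDict, ('Set-Cookie', pattern))

    # Redirect to the logon page accompanied by the VHOST cookie.
    if match_type.match_header(
            respDict, ('Location', r'\/my\.logon\.php3')) and cookie('^VHOST'):
        return True
    # Session cookie plus any one of the companion cookies.
    if cookie('^MRHSession') and (
            cookie('^VHOST') or cookie('^uRoamTestCookie')
            or cookie('^MRHCId') or cookie('^MRHIntranetSession')):
        return True
    # Either companion cookie is also accepted on its own.
    if cookie('^uRoamTestCookie') or cookie('^VHOST'):
        return True
    return False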
コード例 #2
ファイル: hyperguard.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when either session-cookie signature matches.

    Both patterns are checked against ``Set-Cookie`` through
    ``match_type.match_header``; the first hit ends the search.
    """
    # credit goes to W3AF
    cookie_patterns = ('^WODSESSION=', '^ODSESSION=')
    return any(
        match_type.match_header(respDict, ('Set-Cookie', pattern))
        for pattern in cookie_patterns)
コード例 #3
ファイル: safe3.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when a Safe3 banner shows up in the response headers.

    Checks the ``Server`` header for the product name and ``X-Powered-By``
    for a ``Safe3WAF/x.y.z`` version string, both via
    ``match_type.match_header``.
    """
    banner_signatures = (
        ("Server", "Safe3 Web Firewall"),
        ("X-Powered-By", r"Safe3WAF/\d\.\d\.\d"),
    )
    for signature in banner_signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
コード例 #4
ファイル: chinaNetCenter.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when ChinaNetCenter CDN headers are present.

    Looks at ``X-Via`` and ``X-CDN-Forward`` through
    ``match_type.match_header``.
    """
    cdn_signatures = (
        ("X-Via", "Cdn Cache Server V2.0"),
        ("X-CDN-Forward", "ChinaNetCenter"),
    )
    return any(
        match_type.match_header(respDict, signature)
        for signature in cdn_signatures)
コード例 #5
def is_waf(respDict):
    """Return True when a ``DrivedBy`` or ``RayEngine`` header signature matches.

    ``DrivedBy`` must start with ``RaySrv``; ``RayEngine`` only has to carry
    some value. Both checks go through ``match_type.match_header``.
    """
    # credit goes to Charlie Campbell
    ray_signatures = (('DrivedBy', '^RaySrv'), ('RayEngine', '.'))
    for signature in ray_signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
コード例 #6
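def is_waf(respDict):
    """Return True when Jiasule markers appear in headers or body.

    Two header signatures (``Server`` banner, ``__jsluid`` cookie) are tried
    first through ``match_type.match_header``, then the body is searched for
    the error-page script URL through ``match_type.match_content``.

    Returns:
        bool: ``True`` on the first match, ``False`` otherwise.
    """
    header_signatures = (
        ("Server", "jiasule-WAF"),
        ("Set-Cookie", "__jsluid="),
    )
    if any(match_type.match_header(respDict, sig)
           for sig in header_signatures):
        return True
    if match_type.match_content(
            respDict, r"static\.jiasule\.com/static/js/http_error\.js"):
        return True
    # Explicit negative result: without it the function fell off the end and
    # returned None, unlike the sibling detectors which return False.
    return False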
コード例 #7
ファイル: f5bigipltm.py プロジェクト: Aymdis/wafmap
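def is_waf(respDict):
    """Return True when F5 BIG-IP LTM header signatures match.

    Checks for a ``BIGipServer`` cookie and for an ``X-Cnection: close``
    header through ``match_type.match_header``. The unused ``detected`` local
    from the earlier version has been dropped.

    Returns:
        bool: ``True`` if either signature matches, else ``False``.
    """
    signatures = (
        ('Set-Cookie', '^BIGipServer'),
        ('X-Cnection', '^close$'),
    )
    return any(match_type.match_header(respDict, sig) for sig in signatures)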
コード例 #8
ファイル: safedog.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when a Safedog cookie or banner signature matches.

    All three checks are header lookups done by ``match_type.match_header``.

    NOTE(review): the ``X-Powered-By`` pattern (``WAF/<digit>.<digit>``) does
    not name the vendor, so it may match other products too.
    """
    safedog_signatures = (
        ('Set-Cookie', '^safedog-flow-item='),
        ('Server', '^Safedog'),
        ('X-Powered-By', r'^WAF/\d\.\d'),
    )
    return any(
        match_type.match_header(respDict, signature)
        for signature in safedog_signatures)
コード例 #9
def is_waf(respDict):
    """Return True when Incapsula cookie or ``X-CDN`` signatures match.

    Signatures are tried in order through ``match_type.match_header``.
    """
    signatures = (
        # credit goes to Charlie Campbell
        ('Set-Cookie', '^.incap_ses'),
        ('Set-Cookie', '^visid.*='),
        # https://www.zoomeye.org/search?t=host&q=X-CDN+Incapsula
        ('X-CDN', 'Incapsula'),
    )
    for signature in signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
コード例 #10
def is_waf(respDict):
    """Return True when Dnion header signatures match.

    Checks ``Server``, ``Server-Info``, ``Via`` and ``Warning`` through
    ``match_type.match_header``.

    NOTE(review): the dots in the ``DLC-3.0`` patterns are unescaped, so they
    match any character if the helper treats patterns as regular expressions.
    """
    dnion_signatures = (
        ("Server", "DnionOS"),
        ("Server-Info", "DnionATS"),
        ("Via", ".+?(DLC-3.0),.+?(DLC-3.0)"),
        ("Warning", "DLC-3.0 "),
    )
    return any(
        match_type.match_header(respDict, signature)
        for signature in dnion_signatures)
コード例 #11
ファイル: binarysec.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when BinarySec header signatures match.

    The ``Server`` banner is checked first, then the two ``x-binarysec-*``
    headers, which only need to carry some value.
    """
    signatures = (
        # credit goes to W3AF
        ('Server', 'BinarySec'),
        # the following two are based on nmap's http-waf-fingerprint.nse
        ('x-binarysec-via', '.'),
        ('x-binarysec-nocache', '.'),
    )
    for signature in signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
コード例 #12
ファイル: D_dun.py プロジェクト: Aymdis/wafmap
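def is_waf(respDict):
    """Return True when D-dun markers appear in the probe responses.

    Two kinds of evidence are accepted:

    * the ``iis_shortname`` response has status 200, a body of exactly 929
      bytes and a ``<title>`` starting with ``D``;
    * a ``_D_SID`` cookie is seen via ``match_type.match_header``.

    Returns:
        bool: ``True`` on the first match, ``False`` otherwise.

    Raises:
        KeyError: if ``respDict`` has no ``"iis_shortname"`` entry.
    """
    iis_shortname_resp = respDict["iis_shortname"]
    if iis_shortname_resp is not None:
        if (iis_shortname_resp.status_code == 200
                and len(iis_shortname_resp.content) == 929):
            # NOTE(review): if .content is bytes, this str pattern raises
            # TypeError -- confirm the interpreter/response type in use.
            titles = re.findall(r"\<title\>(D).+?\</title\>",
                                iis_shortname_resp.content)
            # findall returns [] when no such title exists; indexing [0]
            # unguarded raised IndexError on a same-sized unrelated page.
            if titles and titles[0] == "D":
                return True
    if match_type.match_header(respDict, ("Set-Cookie", "^_D_SID=")):
        return True
    # NOTE(review): "Cookie" is normally a request header; confirm the helper
    # can see it in what respDict holds.
    if match_type.match_header(respDict, ("Cookie", "_D_SID=")):
        return True
    return False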
コード例 #13
def is_waf(respDict):
    """Return True when Barracuda cookie or error-page signatures match.

    Four ``Set-Cookie`` patterns are tried through
    ``match_type.match_header``; if none hits, a 404 body signature is tried
    through ``match_type.match_status_content``.
    """
    cookie_patterns = (
        # credit goes to W3AF
        '^barra_counter_session=',
        # credit goes to Charlie Campbell
        '^BNI__BARRACUDA_LB_COOKIE=',
        # credit goes to yours truly
        '^BNI_persistence=',
        '^BN[IE]S_.*?=',
    )
    for pattern in cookie_patterns:
        if match_type.match_header(respDict, ('Set-Cookie', pattern)):
            return True

    not_found_page = (
        404, "The specified URL cannot be found<!--0123456789.+?-->")
    if match_type.match_status_content(respDict, not_found_page):
        return True
    return False
コード例 #14
ファイル: sonicWALL.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when SonicWALL banner or block-page markers match.

    Order of checks: ``Server`` header, the block message in the body, then
    the pair "Web Site Blocked" + the ``nsa_banner`` script fragment.

    NOTE(review): the last pattern contains an unescaped ``(``. If
    ``match_type.match_content`` compiles it as a regular expression this
    raises instead of matching -- confirm against the helper.
    """
    if match_type.match_header(respDict, ("Server", "SonicWALL")):
        return True

    block_message = "This request is blocked by the SonicWALL"
    if match_type.match_content(respDict, block_message):
        return True

    # Both fragments are required; the second is only tried after the first.
    has_block_title = match_type.match_content(respDict, "Web Site Blocked")
    if has_block_title and match_type.match_content(
            respDict, 'document.getElementById("nsa_banner'):
        return True
    return False
コード例 #15
def is_waf(respDict):
    """Return True on a ``sessioncookie`` cookie or a 200 "Condition Intercepted".

    The cookie is checked through ``match_type.match_header``; the status
    line through ``match_type.match_status_reason``.

    NOTE(review): ``sessioncookie`` is a generic cookie name; a hit on it
    alone is weak evidence.
    """
    # credit goes to W3AF
    cookie_hit = match_type.match_header(
        respDict, ('Set-Cookie', '^sessioncookie='))
    if cookie_hit:
        return True

    # credit goes to Sebastien Gioria
    #   Tested against a Rweb 3.8
    # and modified by sandro gauci and someone else
    intercepted = (200, 'Condition Intercepted')
    if match_type.match_status_reason(respDict, intercepted):
        return True
    return False
コード例 #16
def is_waf(respDict):
    """Return True when ModSecurity banner or error-page markers match.

    Three checks in order: ``Server`` banner, a 501 body containing a
    ``Reference #...`` id, and the "generated by Mod_Security" body text.
    """
    # the following based on nmap's http-waf-fingerprint.nse
    server_banner = ('Server', '(mod_security|Mod_Security|NOYB)')
    if match_type.match_header(respDict, server_banner):  # from sqlmap waf
        return True

    # from sqlmap waf modsecurity
    reference_page = (501, "Reference #[0-9A-Fa-f.]+")
    if match_type.match_status_content(respDict, reference_page):
        return True

    # from sqlmap waf modsecurity
    generated_by = "This error was generated by Mod_Security"
    if match_type.match_content(respDict, generated_by):
        return True
    return False
コード例 #17
ファイル: urlscan.py プロジェクト: Aymdis/wafmap
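def is_waf(respDict):
    """Return True when UrlScan markers are seen, probing actively if needed.

    First a passive check: a ``Location`` header containing
    ``Rejected-By-UrlScan``. If that fails, one extra GET is sent to the URL
    of the ``normal`` response with four junk-valued headers; a 404 that
    differs from the normal status code counts as a detection.

    Unlike the header-only detectors, this one generates new traffic to the
    target.

    Returns:
        bool: ``True`` on detection, ``False`` otherwise (including when the
        probe request fails).

    Raises:
        KeyError: if ``respDict`` has no ``'normal'`` entry.
    """
    if match_type.match_header(
            respDict, ('Location', 'Rejected-By-UrlScan')):  # from sqlmap
        return True
    # refer to wafw00f
    testheaders = {
        name: 'z' * 10
        for name in ('Translate', 'If', 'Lock-Token', 'Transfer-Encoding')
    }
    normalResp = respDict['normal']
    try:
        # verify=False skips TLS certificate validation, so the peer is not
        # authenticated; use the reply for fingerprinting only.
        # timeout keeps an unresponsive host from stalling the whole scan.
        resp = requests.get(normalResp.url, headers=testheaders,
                            verify=False, timeout=10)
        return (resp.status_code != normalResp.status_code
                and resp.status_code == 404)
    except Exception:
        # Best-effort probe: any failure means "not detected". Catching
        # Exception rather than everything lets Ctrl-C and SystemExit through.
        return False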
コード例 #18
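def is_waf(respDict):
    """Return True when AWS / CloudFront response headers are present.

    All checks are header lookups through ``match_type.match_header``.

    The ``Via`` pattern escapes its dot and parentheses: left unescaped, the
    parentheses form a regex group and the pattern cannot match the literal
    ``cloudfront.net (CloudFront)`` text it is written to find.

    NOTE(review): ``x-amz-*`` and ``Server: Amazon`` identify AWS-served
    responses in general; they do not show that a WAF policy is attached.

    Returns:
        bool: ``True`` if any signature matches, else ``False``.
    """
    aws_signatures = (
        ("x-amz-id-2", "."),
        ("x-amz-request-id", "."),
        ("Server", "Amazon"),
        ("X-Amz-Cf-Id", "."),
        ("X-Cache", " from cloudfront"),
        ("Via", r"cloudfront\.net \(CloudFront\)"),
    )
    return any(
        match_type.match_header(respDict, signature)
        for signature in aws_signatures)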
コード例 #19
ファイル: netscaler.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """
    Looks for NetScaler markers in the response headers: a known cookie
    prefix, the scrambled connection headers "Cneonction" / "nnCoection",
    a "Via: NS-CACHE" entry, an "X-Client-IP" header, or a "pwcount" cookie.

    NOTE(review): "X-Client-IP" is matched on any value, which is a broad
    signal on its own.
    """
    netscaler_signatures = (
        # NSC_ and citrix_ns_id come from David S. Langlands <dsl 'at' surfstar.com>
        ('Set-Cookie', '^(ns_af=|citrix_ns_id|NSC_)'),
        ('Cneonction', 'close'),
        ('nnCoection', 'close'),
        ('Via', 'NS-CACHE'),
        ('X-Client-IP', '.'),
        ('Set-Cookie', '^pwcount'),
    )
    for signature in netscaler_signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
コード例 #20
def is_waf(respDict):
    """Return True when Varnish headers are present.

    Matches any ``X-Varnish`` value, or a ``Via`` header ending in
    ``varnish``, through ``match_type.match_header``.

    NOTE(review): these headers show a Varnish layer in the path; confirm
    that is what callers intend to report as a WAF.
    """
    varnish_signatures = (("X-Varnish", "."), ("Via", r"varnish\Z"))
    return any(
        match_type.match_header(respDict, signature)
        for signature in varnish_signatures)
コード例 #21
ファイル: f5trafficshield.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when F5 TrafficShield cookie or banner signatures match.

    NOTE(review): the first signature uses the header name ``cookie``;
    servers issue cookies in ``Set-Cookie`` -- confirm
    ``match_type.match_header`` resolves this name as intended.
    """
    # the following based on nmap's http-waf-fingerprint.nse
    signatures = (('cookie', '^ASINFO='), ('Server', 'F5-TrafficShield'))
    return any(
        match_type.match_header(respDict, signature)
        for signature in signatures)
コード例 #22
def is_waf(respDict):
    """Return True when the ``Server`` header matches ``NSFocus``."""
    server_banner = ('Server', 'NSFocus')
    return True if match_type.match_header(respDict, server_banner) else False
コード例 #23
ファイル: cloudflare.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when Cloudflare banner or cookie signatures match.

    Checks ``Server: cloudflare-nginx`` and a ``__cfduid`` cookie through
    ``match_type.match_header``. A site that no longer emits either value is
    reported as not detected.
    """
    cloudflare_signatures = (
        ('Server', 'cloudflare-nginx'),
        ('Set-Cookie', '__cfduid'),
    )
    for signature in cloudflare_signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
コード例 #24
ファイル: 360wzb.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return the helper's verdict for a non-empty ``X-Powered-By-360WZB`` header.

    The value of ``match_type.match_header`` is passed through unchanged.
    """
    signature = ('X-Powered-By-360WZB', '.+')
    return match_type.match_header(respDict, signature)
コード例 #25
def is_waf(respDict):
    """
    Looks for "profense" in the Server header and returns whatever
    match_type.match_header reports for that signature.
    """
    server_banner = ('Server', 'profense')
    return match_type.match_header(respDict, server_banner)
コード例 #26
ファイル: airlock.py プロジェクト: Aymdis/wafmap
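def is_waf(respDict):
    """Return the helper's verdict for the Airlock session/load-balancer cookie.

    The cookie pattern accepts ``AL``, an optional ``_`` or ``-``, then
    ``SESS`` or ``LB`` followed by ``=``. The earlier pattern carried a stray
    closing parenthesis, which is an unbalanced-parenthesis error for the
    regex engine rather than a usable signature.

    Returns:
        Whatever ``match_type.match_header`` returns for this signature.
    """
    # credit goes to W3AF
    return match_type.match_header(
        respDict, ('Set-Cookie', '^AL[_-]?(SESS|LB)='))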
コード例 #27
def is_waf(respDict):
    """Return True when the ``Server`` header matches ``Secure Entry Server``."""
    server_banner = ('Server', 'Secure Entry Server')
    matched = match_type.match_header(respDict, server_banner)
    return True if matched else False
コード例 #28
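def is_waf(respDict):
    """Return True when the ``Server`` header matches ``newdefend``.

    The header name is spelled ``Server``; the earlier ``Sever`` spelling is
    not a header servers send, so the check could not fire.

    NOTE(review): whether the match is case-sensitive depends on
    ``match_type.match_header`` -- confirm it matches the casing the product
    actually sends.

    Returns:
        bool: ``True`` on a match, else ``False``.
    """
    if match_type.match_header(respDict, ("Server", "newdefend")):
        return True
    return False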
コード例 #29
ファイル: BlockDos.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return True when the ``Server`` header matches ``BlockDos.net``."""
    server_banner = ("Server", r"BlockDos\.net")
    return True if match_type.match_header(respDict, server_banner) else False
コード例 #30
ファイル: anquanbao.py プロジェクト: Aymdis/wafmap
def is_waf(respDict):
    """Return the helper's verdict for a non-empty ``X-Powered-By-Anquanbao`` header.

    The value of ``match_type.match_header`` is passed through unchanged.
    """
    signature = ('X-Powered-By-Anquanbao', '.+')
    return match_type.match_header(respDict, signature)