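def is_waf(respDict):
    """Report whether the responses show this plugin's redirect/cookie fingerprint.

    Args:
        respDict: collected responses, passed unchanged to
            ``match_type.match_header``.

    Returns:
        True when one of the four rules below matches, otherwise False.
    """
    # The original looked the cookies up under 'Set-Cookies', which is not an
    # HTTP response header; every other plugin on this page uses 'Set-Cookie'.
    def has_cookie(pattern):
        return match_type.match_header(respDict, ('Set-Cookie', pattern))

    # Raw string: '\/' and '\.' are regex escapes, not Python string escapes.
    if (match_type.match_header(respDict, ('Location', r'\/my\.logon\.php3'))
            and has_cookie('^VHOST')):
        return True
    if has_cookie('^MRHSession') and (
            has_cookie('^VHOST') or has_cookie('^uRoamTestCookie')):
        return True
    if has_cookie('^MRHSession') and (
            has_cookie('^MRHCId') or has_cookie('^MRHIntranetSession')):
        return True
    # NOTE(review): a lone uRoamTestCookie or VHOST cookie is enough here, which
    # makes the first two rules redundant and widens the match considerably;
    # confirm that a single cookie is meant to be sufficient evidence.
    if has_cookie('^uRoamTestCookie') or has_cookie('^VHOST'):
        return True
    return False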
def is_waf(respDict):
    """Return True when a Set-Cookie header starts with WODSESSION= or ODSESSION=."""
    # credit goes to W3AF
    cookie_patterns = ('^WODSESSION=', '^ODSESSION=')
    return any(
        match_type.match_header(respDict, ('Set-Cookie', pattern))
        for pattern in cookie_patterns
    )
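def is_waf(respDict):
    """Return True when the headers advertise the Safe3 Web Firewall.

    Checks the ``Server`` banner first, then a versioned ``X-Powered-By``
    value of the form ``Safe3WAF/<d>.<d>.<d>``.
    """
    if match_type.match_header(respDict, ("Server", "Safe3 Web Firewall")):
        return True
    # Raw string: '\d' and '\.' are regex escapes; in a plain literal they are
    # invalid Python escapes and draw a warning on current interpreters.
    if match_type.match_header(respDict, ("X-Powered-By", r"Safe3WAF/\d\.\d\.\d")):
        return True
    return False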
def is_waf(respDict):
    """Return True when the X-Via or X-CDN-Forward header carries this CDN's marker."""
    # NOTE(review): the '.' in "V2.0" is unescaped; if match_header treats the
    # value as a regex it matches any character there - confirm that is fine.
    signatures = (
        ("X-Via", "Cdn Cache Server V2.0"),
        ("X-CDN-Forward", "ChinaNetCenter"),
    )
    return any(match_type.match_header(respDict, sig) for sig in signatures)
def is_waf(respDict):
    """Return True when a DrivedBy header starts with RaySrv or a RayEngine header is set."""
    # credit goes to Charlie Campbell
    found = (
        match_type.match_header(respDict, ('DrivedBy', '^RaySrv'))
        # '.' accepts any non-empty RayEngine value
        or match_type.match_header(respDict, ('RayEngine', '.'))
    )
    return bool(found)
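def is_waf(respDict):
    """Return True when the responses carry a jiasule marker.

    Three signals are tried in order: the ``Server`` banner, the ``__jsluid``
    cookie, and a reference to the vendor's error-page script in the body.

    Returns:
        True on the first match, otherwise False. The original fell off the
        end and returned None here; every sibling plugin returns False.
    """
    if match_type.match_header(respDict, ("Server", "jiasule-WAF")):
        return True
    if match_type.match_header(respDict, ("Set-Cookie", "__jsluid=")):
        return True
    # Raw string keeps the regex escapes without invalid Python escapes.
    if match_type.match_content(
            respDict, r"static\.jiasule\.com/static/js/http_error\.js"):
        return True
    return False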
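def is_waf(respDict):
    """Return True on a BIGipServer cookie or an ``X-Cnection: close`` header.

    The unused ``detected`` local of the original has been dropped; the two
    checks and their order are unchanged.
    """
    if match_type.match_header(respDict, ('Set-Cookie', '^BIGipServer')):
        return True
    # 'X-Cnection' is a deliberately scrambled 'Connection' header name.
    if match_type.match_header(respDict, ('X-Cnection', '^close$')):
        return True
    return False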
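def is_waf(respDict):
    """Return True when the headers carry a Safedog marker.

    Checks the ``safedog-flow-item`` cookie, a ``Server`` banner starting with
    ``Safedog``, and an ``X-Powered-By`` value of the form ``WAF/<d>.<d>``.
    """
    if match_type.match_header(respDict, ('Set-Cookie', '^safedog-flow-item=')):
        return True
    if match_type.match_header(respDict, ('Server', '^Safedog')):
        return True
    # Raw string: '\d' and '\.' are regex escapes, not Python string escapes.
    # NOTE(review): 'WAF/x.y' names no vendor, so another product using the
    # same X-Powered-By value would be reported here too.
    if match_type.match_header(respDict, ('X-Powered-By', r'^WAF/\d\.\d')):
        return True
    return False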
def is_waf(respDict):
    """Return True when the cookies or the X-CDN header point at Incapsula."""
    signatures = (
        # credit goes to Charlie Campbell
        ('Set-Cookie', '^.incap_ses'),
        ('Set-Cookie', '^visid.*='),
        # https://www.zoomeye.org/search?t=host&q=X-CDN+Incapsula
        ('X-CDN', 'Incapsula'),
    )
    for signature in signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
def is_waf(respDict):
    """Return True when Server, Server-Info, Via or Warning carries a Dnion/DLC marker."""
    # NOTE(review): in the Via pattern the parentheses are regex groups and the
    # dots are wildcards, so it matches "DLC-3.0," and not a literal
    # "(DLC-3.0),". Confirm against a real Via header.
    signatures = (
        ("Server", "DnionOS"),
        ("Server-Info", "DnionATS"),
        ("Via", ".+?(DLC-3.0),.+?(DLC-3.0)"),
        ("Warning", "DLC-3.0 "),
    )
    return any(match_type.match_header(respDict, sig) for sig in signatures)
def is_waf(respDict):
    """Return True when a BinarySec banner or an x-binarysec-* header is present."""
    signatures = (
        # credit goes to W3AF
        ('Server', 'BinarySec'),
        # the following based on nmap's http-waf-fingerprint.nse
        ('x-binarysec-via', '.'),
        # the following based on nmap's http-waf-fingerprint.nse
        ('x-binarysec-nocache', '.'),
    )
    for signature in signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
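def is_waf(respDict):
    """Return True when the IIS short-name probe or the cookies show the _D_SID product.

    Args:
        respDict: collected responses. ``respDict["iis_shortname"]`` is the
            response to a separate probe, or None when it was not obtained.

    Returns:
        True when the probe answered 200 with a 929-byte body whose <title>
        starts with "D", or when a ``_D_SID`` cookie is seen; otherwise False.
    """
    iis_shortname_resp = respDict.get("iis_shortname")
    if iis_shortname_resp is not None:
        body = iis_shortname_resp.content
        if iis_shortname_resp.status_code == 200 and len(body) == 929:
            # requests returns bytes for .content on Python 3, and a str
            # pattern on bytes raises TypeError, so pick the matching type.
            if isinstance(body, bytes):
                title_pattern = br"<title>(D).+?</title>"
            else:
                title_pattern = r"<title>(D).+?</title>"
            # search() rather than findall()[0]: a 929-byte body without a
            # matching title used to raise IndexError instead of falling
            # through to the cookie checks.
            if re.search(title_pattern, body) is not None:
                return True
    if match_type.match_header(respDict, ("Set-Cookie", "^_D_SID=")):
        return True
    # NOTE(review): 'Cookie' is a request header; confirm that match_header
    # can see it in the data it inspects.
    if match_type.match_header(respDict, ("Cookie", "_D_SID=")):
        return True
    return False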
def is_waf(respDict):
    """Return True when a Barracuda cookie or its 404 page is observed."""
    cookie_patterns = (
        # credit goes to W3AF
        '^barra_counter_session=',
        # credit goes to Charlie Campbell
        '^BNI__BARRACUDA_LB_COOKIE=',
        # credit goes to yours truly
        '^BNI_persistence=',
        '^BN[IE]S_.*?=',
    )
    for pattern in cookie_patterns:
        if match_type.match_header(respDict, ('Set-Cookie', pattern)):
            return True
    # Last resort: a 404 status together with a body matching this pattern.
    not_found_page = (404, "The specified URL cannot be found<!--0123456789.+?-->")
    if match_type.match_status_content(respDict, not_found_page):
        return True
    return False
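def is_waf(respDict):
    """Return True when the banner or a block page identifies a SonicWALL device.

    Checks the ``Server`` header, then the block-page sentence, then the
    combination of the "Web Site Blocked" title and the ``nsa_banner`` script.
    """
    if match_type.match_header(respDict, ("Server", "SonicWALL")):
        return True
    if match_type.match_content(respDict,
                                "This request is blocked by the SonicWALL"):
        return True
    # The original passed 'document.getElementById("nsa_banner' unescaped. The
    # sibling plugins hand match_content regular expressions, and as a regex
    # the bare '(' is an unterminated group that fails to compile, so the
    # metacharacters are escaped here.
    # NOTE(review): assumes match_content compiles its argument as a regex.
    if (match_type.match_content(respDict, "Web Site Blocked")
            and match_type.match_content(
                respDict, r'document\.getElementById\("nsa_banner')):
        return True
    return False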
def is_waf(respDict):
    """Return True on a sessioncookie= cookie or a 200 'Condition Intercepted' status."""
    # credit goes to W3AF
    # NOTE(review): 'sessioncookie=' is a generic cookie name and may be set by
    # unrelated applications.
    cookie_hit = match_type.match_header(respDict, ('Set-Cookie', '^sessioncookie='))
    if cookie_hit:
        return True
    # credit goes to Sebastien Gioria
    # Tested against a Rweb 3.8
    # and modified by sandro gauci and someone else
    reason_hit = match_type.match_status_reason(respDict, (200, 'Condition Intercepted'))
    return True if reason_hit else False
def is_waf(respDict):
    """Return True when the banner, a 501 reference page or the body text names ModSecurity."""
    # the following based on nmap's http-waf-fingerprint.nse
    # from sqlmap waf
    banner_hit = match_type.match_header(
        respDict, ('Server', '(mod_security|Mod_Security|NOYB)'))
    if banner_hit:
        return True
    # from sqlmap waf modsecurity
    reference_hit = match_type.match_status_content(
        respDict, (501, "Reference #[0-9A-Fa-f.]+"))
    if reference_hit:
        return True
    # from sqlmap waf modsecurity
    body_hit = match_type.match_content(
        respDict, "This error was generated by Mod_Security")
    if body_hit:
        return True
    return False
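def is_waf(respDict):
    """Return True when the responses look like URLScan is filtering requests.

    The passive check looks for a ``Rejected-By-UrlScan`` redirect. If that
    fails, one extra GET carrying four unusual headers is sent to the URL of
    ``respDict['normal']``; a 404 answer that differs from the normal status
    counts as a hit.

    Args:
        respDict: collected responses; ``respDict['normal']`` must expose
            ``url`` and ``status_code``.

    Returns:
        True on a hit, False otherwise, including when the probe fails.
    """
    if match_type.match_header(
            respDict, ('Location', 'Rejected-By-UrlScan')):  # from sqlmap
        return True

    # refer to wafw00f
    filler = 'z' * 10
    testheaders = {
        'Translate': filler,
        'If': filler,
        'Lock-Token': filler,
        'Transfer-Encoding': filler,
    }
    normalResp = respDict['normal']
    try:
        # timeout: without one a silent server blocks the whole scan; the
        # 10 second bound is an arbitrary choice made in this edit.
        # NOTE(review): verify=False turns off TLS certificate validation, so
        # the reply may come from anyone on the path. Only the status code is
        # read, but confirm that is acceptable for this heuristic.
        resp = requests.get(normalResp.url, headers=testheaders,
                            verify=False, timeout=10)
        if resp.status_code == 404 and resp.status_code != normalResp.status_code:
            return True
    except Exception:
        # Best effort, as before, but no longer a bare except, so
        # KeyboardInterrupt and SystemExit still stop the scan.
        pass
    return False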
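def is_waf(respDict):
    """Return True when the response headers point at Amazon infrastructure.

    Returns:
        True when any of the six header signatures matches, otherwise False.
    """
    # NOTE(review): x-amz-id-2 and x-amz-request-id are request-tracking
    # headers of AWS services such as S3, so a hit shows AWS hosting rather
    # than a filtering layer. Expect false positives if this is read as
    # "WAF present".
    signatures = (
        ("x-amz-id-2", "."),
        ("x-amz-request-id", "."),
        ("Server", "Amazon"),
        ("X-Amz-Cf-Id", "."),
        ("X-Cache", " from cloudfront"),
        # The original "cloudfront.net (CloudFront)" treated the parentheses
        # as a regex group, so it could not match the literal "(CloudFront)"
        # in a Via header; the metacharacters are escaped here.
        # NOTE(review): assumes match_header compiles the value as a regex,
        # as the '^' and '\d' patterns in sibling plugins imply.
        ("Via", r"cloudfront\.net \(CloudFront\)"),
    )
    for signature in signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False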
def is_waf(respDict):
    """
    Look for a Netscaler cookie first; failing that, look for the scrambled
    "Cneonction" / "nnCoection" headers, the NS-CACHE Via value, an
    X-Client-IP header or a pwcount cookie in the collected responses.
    """
    signatures = (
        # NSC_ and citrix_ns_id come from David S. Langlands <dsl 'at' surfstar.com>
        ('Set-Cookie', '^(ns_af=|citrix_ns_id|NSC_)'),
        ('Cneonction', 'close'),
        ('nnCoection', 'close'),
        ('Via', 'NS-CACHE'),
        # NOTE(review): any non-empty X-Client-IP value matches; other proxies
        # may add this header too.
        ('X-Client-IP', '.'),
        ('Set-Cookie', '^pwcount'),
    )
    return any(match_type.match_header(respDict, sig) for sig in signatures)
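def is_waf(respDict):
    """Return True when an X-Varnish header is set or the Via header ends in "varnish"."""
    if match_type.match_header(respDict, ("X-Varnish", ".")):
        return True
    # Raw string: '\Z' is the regex end-of-string anchor; in a plain literal
    # it is an invalid Python escape and draws a warning on current
    # interpreters.
    if match_type.match_header(respDict, ("Via", r"varnish\Z")):
        return True
    return False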
def is_waf(respDict):
    """Return True on an ASINFO= cookie or an F5-TrafficShield Server banner."""
    # NOTE(review): the first signature uses the header name 'cookie', while
    # the sibling plugins look cookies up under 'Set-Cookie'. Confirm that
    # match_header resolves 'cookie' as intended.
    signatures = (('cookie', '^ASINFO='), ('Server', 'F5-TrafficShield'))
    hit = any(match_type.match_header(respDict, sig) for sig in signatures)
    # the following based on nmap's http-waf-fingerprint.nse
    return hit
def is_waf(respDict):
    """Return True when the Server header contains NSFocus."""
    banner = ('Server', 'NSFocus')
    return True if match_type.match_header(respDict, banner) else False
def is_waf(respDict):
    """Return True on a cloudflare-nginx Server banner or a __cfduid cookie."""
    signatures = (
        ('Server', 'cloudflare-nginx'),
        ('Set-Cookie', '__cfduid'),
    )
    for signature in signatures:
        if match_type.match_header(respDict, signature):
            return True
    return False
def is_waf(respDict):
    """Return match_header's result for a non-empty X-Powered-By-360WZB header."""
    signature = ('X-Powered-By-360WZB', '.+')
    return match_type.match_header(respDict, signature)
def is_waf(respDict):
    """
    Look for "profense" in the Server header and return match_header's result.
    """
    server_banner = ('Server', 'profense')
    return match_type.match_header(respDict, server_banner)
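def is_waf(respDict):
    """Return match_header's result for an AL_SESS / AL_LB style cookie.

    The cookie name may be written with '_', '-' or no separator
    (``AL_SESS=``, ``AL-LB=``, ``ALSESS=`` and so on).
    """
    # credit goes to W3AF
    # The original pattern '^AL[_-]?(SESS|LB))=' had a stray ')', which makes
    # the regex fail to compile ("unbalanced parenthesis").
    # NOTE(review): assumes match_header compiles the value as a regex.
    return match_type.match_header(respDict, ('Set-Cookie', '^AL[_-]?(SESS|LB)='))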
def is_waf(respDict):
    """Return True when the Server header contains "Secure Entry Server"."""
    banner_found = match_type.match_header(respDict, ('Server', 'Secure Entry Server'))
    return bool(banner_found)
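def is_waf(respDict):
    """Return True when the Server header contains "newdefend"."""
    # The original looked up the header "Sever", a misspelling of "Server"
    # that a response would not carry, so the check could not fire.
    if match_type.match_header(respDict, ("Server", "newdefend")):
        return True
    return False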
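def is_waf(respDict):
    """Return True when the Server header contains "BlockDos.net"."""
    # Raw string: '\.' is a regex escape for a literal dot; in a plain literal
    # it is an invalid Python escape and draws a warning on current
    # interpreters.
    if match_type.match_header(respDict, ("Server", r"BlockDos\.net")):
        return True
    return False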
def is_waf(respDict):
    """Return match_header's result for a non-empty X-Powered-By-Anquanbao header."""
    signature = ('X-Powered-By-Anquanbao', '.+')
    return match_type.match_header(respDict, signature)