A web application defense system (also called a website application-level intrusion prevention system; in English: Web Application Firewall, WAF). To use the internationally accepted definition: a web application firewall is a product that protects web applications specifically by enforcing a series of security policies on HTTP/HTTPS traffic. This article introduces some common techniques for fingerprinting WAFs, as follows:
WAF fingerprints
Cookie values
Citrix NetScaler sets a cookie named "ns_af" in the HTTP response headers; seeing it lets you identify the WAF as Citrix NetScaler. This WAF is uncommon in China (surprisingly, SearchSecurity rated it the best firewall of 2013).
An example request carrying that cookie (the request itself is benign; the fingerprint is in the Cookie header):
GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&
Connection: keep-alive
Cache-Control: max-age=0
F5 BIG-IP ASM adds cookies whose names are "TS" followed by a random string. A non-malicious request follows:
GET / HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299
Connection: keep-alive
Cache-Control: max-age=0
ModSecurity is an open-source web defense module written for Apache. In the capture below, a malicious request gets a "406 Not Acceptable" response. Note that the status code is chosen by the deployment (SecDefaultAction and the rules' own actions; 403 is the usual default), so the code alone is weak evidence; the "generated by Mod_Security" text in the error body is the stronger signal.
Request:
GET /<script>alert(1);</script> HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response:
HTTP/1.1 406 Not Acceptable
Date: Thu, 05 Dec 2013 03:33:03 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>
WebKnight is a WAF designed to run under IIS and is fairly common. WebKnight answers malicious requests with "999 No Hacking".
Request:
GET /?PageID=99<script>alert(1);</script> HTTP/1.1
Host: www.aqtronix.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response:
HTTP/1.1 999 No Hacking
Server: WWW Server/1.1
Date: Thu, 05 Dec 2013 03:14:23 GMT
Content-Type: text/html; charset=windows-1252
Content-Length: 1160
Pragma: no-cache
Cache-control: no-cache
Expires: Thu, 05 Dec 2013 03:14:23 GMT
F5 BIG-IP answers malicious requests with "419 Unknown", as follows:
GET /<script> HTTP/1.0

HTTP/1.1 419 Unknown
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-15
Pragma: no-cache
Content-Length: 8140
Date: Mon, 25 Nov 2013 15:22:44 GMT
Connection: keep-alive
Vary: Accept-Encoding
dotDefender is used to protect .NET applications and is also well known; it answers malicious requests with a page titled "dotDefender Blocked Your Request". Note that in the capture below the block page is served with a 200 OK status, so the body, not the status code, is the fingerprint.
Request:
GET /--- HTTP/1.1
Host: www.acc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 05 Dec 2013 03:40:14 GMT
Content-Length: 2616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>dotDefender Blocked Your Request</title>
……
Some WAFs include specific CSS or JS files in the alert page they return, which can serve as an identification basis. This is rare among WAFs and in practice can be folded into the HTTP-response checks above.
Two samples:
The first is a 360 webscan block page, an iframe pointing at safe.webscan.360.cn:
<html><body style="margin:0; padding:0"><center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center></body></html>
The second is an Anquanbao block response (body truncated as captured):
HTTP/1.1 405 Not Allowed
Server: ASERVER/1.2.9-3
Date: Fri, 27 Dec 2013 14:15:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3
Content-Length: 7188

<div class="wrapper"><div class="titlelogo"></div><div class="err_tips">因爲您訪問的URL有可能對網站形成安全威脅,您的訪問被阻斷。</div><div class="feedback"><form action="http://report.anquanbao.com/api.php" method="post"><input type="hidden" name="black_code" value="" class="hidden_rule_id"/><input type="hidden" name="deny_time" value="" class="hidden_intercept_time"/><input type="hidden" name="server_id" value="" class="hidden_server_title"/><input type="hidden" name="deny_url" value="" class="deny_url"/><input type="submit" class="submit_img" value=""/></form></div><div class="detailcontent"><div class="detailupimg"><a href="javascript:;">站長點擊查看詳情</a></div><div class="detaildownimg "><a href="javascript:;">站長點擊查看詳情</a></div><div class="hiddeninfo"> 規則ID:<span class="rule_id">10384</span><span style="margin-left:20px">攔截時間:</span><span class="intercept_time">2013/12/27 22:15:14</span><div class="hiddeninfosecond"><span style="padding-top:20px">ServerName:</span><span class="server_title" style="padding-top:20px">uni-tj-ky-sb3/1.2.9-3</span></div><div class="hiddeninfothird">
The Chinese strings in that page read: err_tips "Because the URL you requested may pose a security threat to the site, your access was blocked"; the two links "Site owner: click for details"; and the hidden block gives Rule ID 10384, interception time 2013/12/27 22:15:14 and ServerName uni-tj-ky-sb3/1.2.9-3. The signals worth matching on are the X-Powered-By-Anquanbao header, the ASERVER Server banner and the report.anquanbao.com form action.
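The cookie, status-code, header and body fingerprints collected above can be folded into one matcher. The following is an added example (not code from the original article or from any of the products named) that parses a raw HTTP response and reports which signatures match; the sample responses are constructed to mirror the captures above, not real traffic, and the product list is only what this article documents.

```python
import re

# Signature-based WAF fingerprinting over raw HTTP/1.x responses.
# Added example; SAMPLES below are constructed, not captured from real hosts.


def parse_response(raw):
    """Split a raw response into (code, reason, headers, cookie_names, body).

    headers: lower-cased header name -> list of values.
    cookie_names: names taken from Set-Cookie headers (for NetScaler and
    BIG-IP ASM the fingerprint is the cookie *name*, not its value).
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers, cookie_names = {}, []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookie_names.append(value.split("=", 1)[0].strip())
        else:
            headers.setdefault(name, []).append(value)
    return code, reason, headers, cookie_names, body


def _server(headers):
    return " ".join(headers.get("server", []))


# (product, predicate) pairs; each predicate receives the parsed tuple.
SIGNATURES = [
    ("Citrix NetScaler",
     lambda c, r, h, ck, b: any(re.match(r"^ns_af(_|$)", n) for n in ck)),
    ("F5 BIG-IP ASM",  # wafw00f's '^TS[a-zA-Z0-9]{3,6}=' rule, applied to the name
     lambda c, r, h, ck, b: any(re.match(r"^TS[a-zA-Z0-9]{3,6}$", n) for n in ck)),
    ("F5 BIG-IP",
     lambda c, r, h, ck, b: c == 419 and r == "Unknown"),
    ("ModSecurity",  # 406 plus the error-page text, or sqlmap's Server-header regex
     lambda c, r, h, ck, b: (c == 406 and "mod_security" in b.lower())
     or re.search(r"Mod_Security|NOYB", _server(h), re.I) is not None),
    ("WebKnight",
     lambda c, r, h, ck, b: c == 999 and r.lower() == "no hacking"),
    ("dotDefender",  # served with 200 OK, so only the body identifies it
     lambda c, r, h, ck, b: "dotDefender Blocked Your Request" in b),
    ("Profense",
     lambda c, r, h, ck, b: "profense" in _server(h).lower()),
    ("360 webscan",
     lambda c, r, h, ck, b: "safe.webscan.360.cn" in b),
    ("Anquanbao",
     lambda c, r, h, ck, b: "x-powered-by-anquanbao" in h),
]


def fingerprint(raw):
    """Return the names of every WAF whose signature matches the response."""
    parsed = parse_response(raw)
    return [name for name, check in SIGNATURES if check(*parsed)]


# Constructed responses modelled on the captures in this article.
SAMPLES = {
    "citrix": ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
               "Set-Cookie: ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000; path=/\r\n"
               "\r\n<html>hi</html>"),
    "f5asm": ("HTTP/1.1 200 OK\r\n"
              "Set-Cookie: TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1; path=/\r\n"
              "\r\n<html>hi</html>"),
    "modsec": ("HTTP/1.1 406 Not Acceptable\r\nServer: Apache\r\n"
               "Content-Type: text/html\r\n\r\n<html><body><h1>Not Acceptable!</h1>"
               "<p>This error was generated by Mod_Security.</p></body></html>"),
    "webknight": ("HTTP/1.1 999 No Hacking\r\nServer: WWW Server/1.1\r\n"
                  "\r\n<html>blocked</html>"),
    "f5": "HTTP/1.1 419 Unknown\r\nCache-Control: no-cache\r\n\r\n<html>blocked</html>",
    "dotdefender": ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n\r\n"
                    "<html><head><title>dotDefender Blocked Your Request</title></head></html>"),
    "anquanbao": ("HTTP/1.1 405 Not Allowed\r\nServer: ASERVER/1.2.9-3\r\n"
                  "X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3\r\n"
                  "\r\n<div class=\"wrapper\"></div>"),
    "clean": ("HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: PHPSESSID=abc; path=/\r\n"
              "\r\n<html>hi</html>"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} -> {fingerprint(raw) or ['no signature match']}")
```

Because several products put their fingerprint only in the body (dotDefender, 360 webscan) or only in a cookie name, the matcher keeps all four channels; a scanner that looks at status codes alone misses the 200 OK block pages.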
Some WAFs let the returned message be customized, or return a custom 404 or 200 page for everything, so a few tools exist to help identify WAF devices.
A small tool written in Python, open source at:
http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py
(the project has since moved to https://github.com/EnableSecurity/wafw00f).
The constants Wafw00f uses to build its probe requests are as follows:
AdminFolder = '/Admin_Files/'                 # an admin-style path used as one of the probes
xssstring = '<script>alert(1)</script>'       # reflected-XSS probe
dirtravstring = '../../../../etc/passwd'      # directory-traversal probe
cleanhtmlstring = '<invalid>hello'            # harmless tag used as the benign baseline
isaservermatch = 'Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )'  # block text matched for ISA Server
Run "python wafw00f.py -h" to see the tool's usage; an example run:
python wafw00f.py http://www.victim.org/
Much of Wafw00f's detection is based on matching cookies and response headers.
The F5 ASM detection rule is as follows:
def isf5asm(self):
    # credit goes to W3AF
    return self.matchcookie('^TS[a-zA-Z0-9]{3,6}=')
Profense puts 'profense' in the Server response header:
def isprofense(self):
    """
    Checks for server headers containing "profense"
    """
    return self.matchheader(('server','profense'))
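Signature rules like the two above fail against a WAF that serves a customized page, which is why wafw00f also probes behaviourally: it sends the clean string and the attack strings to the same endpoint and compares the responses. The following is an added example of that approach (not wafw00f's own code) with an injected fetch() so it runs offline; the three fake servers are constructed stand-ins, and the "marker echoed" heuristic is an assumption of this example, not a rule from the tool.

```python
import html
from urllib.parse import parse_qs, urlparse

# Generic (signature-less) WAF detection: a benign probe is the baseline and
# attack-shaped probes are compared against it. Added example, modelled on
# wafw00f's cleanhtmlstring / xssstring / dirtravstring probes.

MARKER = "hello"
CLEAN_PROBE = "/?q=%3Cinvalid%3E" + MARKER                      # '<invalid>hello'
ATTACK_PROBES = {
    "xss":     "/?q=" + MARKER + "%3Cscript%3Ealert(1)%3C/script%3E",
    "dirtrav": "/?q=" + MARKER + "../../../../etc/passwd",
}


def detect_generic(fetch):
    """fetch(path) -> (status_code, headers_dict, body).

    Returns a list of evidence strings; empty means no WAF-like behaviour.
    Signals, in order: status code changes, Server banner changes, and (only
    when the baseline reflected our marker) the marker disappearing, which is
    what a block page substituted for the app's own output looks like.
    An application doing its own input validation can trip these too, so the
    result is evidence of filtering, not proof of a particular product.
    """
    base_code, base_headers, base_body = fetch(CLEAN_PROBE)
    base_server = base_headers.get("server", "")
    reflects = MARKER in base_body
    evidence = []
    for name, path in ATTACK_PROBES.items():
        code, headers, body = fetch(path)
        server = headers.get("server", "")
        if code != base_code:
            evidence.append(f"{name}: status {code} vs baseline {base_code}")
        elif server != base_server:
            evidence.append(f"{name}: Server header {server!r} vs baseline {base_server!r}")
        elif reflects and MARKER not in body:
            evidence.append(f"{name}: baseline echoed the marker, this response did not")
    return evidence


# --- constructed fake servers (stand-ins for network fetches) -------------

def _echo(path, server="nginx"):
    """Benign app: reflects q, HTML-escaped, with a 200."""
    q = parse_qs(urlparse(path).query).get("q", [""])[0]
    return 200, {"server": server}, f"<html>you searched for: {html.escape(q)}</html>"


def _looks_hostile(path):
    p = path.lower()
    return "script" in p or "../" in p


def fake_plain(path):
    """No WAF at all."""
    return _echo(path)


def fake_webknight(path):
    """IIS site behind something that answers attacks with 999 No Hacking."""
    if _looks_hostile(path):
        return 999, {"server": "WWW Server/1.1"}, "<html>No Hacking</html>"
    return _echo(path, server="Microsoft-IIS/7.5")


def fake_custom_page(path):
    """WAF that hides behind a custom 200 page with the same Server banner."""
    if _looks_hostile(path):
        return 200, {"server": "nginx"}, "<html>Your request has been blocked.</html>"
    return _echo(path)


if __name__ == "__main__":
    for label, srv in [("plain", fake_plain), ("webknight", fake_webknight),
                       ("custom page", fake_custom_page)]:
        print(label, "->", detect_generic(srv) or "no WAF-like behaviour")
```

Against a real target the fetch callable would wrap an HTTP client; keeping it injectable is what makes the comparison logic testable without a network, and it also makes it easy to add more probes from the tool's constant list.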
sqlmap is a tool for detecting and exploiting SQL injection, also written in Python and widely recognized in the industry; it can detect more WAF types than Wafw00f.
Reference:
https://github.com/sqlmapproject/sqlmap/tree/master/waf
Each WAF that sqlmap can detect has its own Python file, and these likewise decide from cookie information or response headers.
Taking Mod_Security as an example:
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import re

from lib.core.enums import HTTP_HEADER
from lib.core.settings import WAF_ATTACK_VECTORS

__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"

def detect(get_page):
    retval = False

    # Send each attack vector and look for the ModSecurity signature:
    # a 501 whose body carries no "Reference #..." identifier, or a
    # Server header containing "Mod_Security" or "NOYB".
    for vector in WAF_ATTACK_VECTORS:
        page, headers, code = get_page(get=vector)
        retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page, re.I) is None
        retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
        if retval:
            break

    return retval
The sqlmap command for detecting a WAF is:
python sqlmap.py -u "http://www.victim.org/ex.php?id=1" --identify-waf
It appears the target URL must contain a dynamic parameter (or one you add yourself) for the check to run. (Later sqlmap releases dropped the --identify-waf switch and run WAF detection automatically.)
A well-known tool for detecting and exploiting XSS vulnerabilities; WAF detection is also one of its features.