WAF指纹探测及识别技术

Web应用防护系统（也称：网站应用级入侵防御系统。英文：Web Application Firewall，简称： WAF）。利用国际上公认的一种说法：Web应用防火墙是通过执行一系列针对HTTP/HTTPS的安全策略来专门为Web应用提供保护的一款产品。本文介绍了常见的WAF指纹识别的一些技术，详见如下：

WAF指纹

Cookie值

Citrix Netscaler

“Citrix Netscaler”会在HTTP返回头部Cookie位置加入“ns_af”的值，可以以此判断为Citrix Netscaler的WAF，国内此类WAF很少（这货居然是searchsecurity认定的2013最好的防火墙）。

一个恶意的请求示例：

1 GET / HTTP/1.1
2 Host: target.com
3 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
5 Accept-Language: en-US,en;q=0.5
6 Accept-Encoding: gzip, deflate
7 Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&
8 Connection: keep-alive
9 Cache-Control: max-age=0

F5 BIG IP ASM

 1 F5 BiG IP ASM会在Cookie中加入“TS+随机字符串”的Cookie信息，一个非恶意的请求如下：
 2 GET / HTTP/1.1
 3 Host: www.target.com
 4 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 6 Accept-Language: en-US,en;q=0.5
 7 Accept-Encoding: gzip, deflate
 8 Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299
 9 Connection: keep-alive
10 Cache-Control: max-age=0

HTTP响应

Mod_Security

Mod_Security是为Apache设计的开源Web防护模块，一个恶意的请求Mod_Security会在响应头返回“406 Not acceptable”的信息。

 1 请求：
 2 GET /<script>alert(1);</script>HTTP/1.1
 3 Host: www.target.com
 4 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 6 Accept-Language: en-US,en;q=0.5
 7 Accept-Encoding: gzip, deflate
 8 Connection: keep-alive
 9 响应：
10 HTTP/1.1 406 Not Acceptable
11 Date: Thu, 05 Dec 2013 03:33:03 GMT
12 Server: Apache
13 Content-Length: 226
14 Keep-Alive: timeout=10, max=30
15 Connection: Keep-Alive
16 Content-Type: text/html; charset=iso-8859-1
17 <head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>

WebKnight

WebKnight是用来设计在IIS下面使用的WAF设备，较为常见。WebKnight会对恶意的请求返回“999 No Hacking”的信息。

 1 请求：
 2 GET /?PageID=99<script>alert(1);</script>HTTP/1.1
 3 Host: www.aqtronix.com
 4 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 6 Accept-Language: en-US,en;q=0.5
 7 Accept-Encoding: gzip, deflate
 8 Connection: keep-alive
 9 响应：
10 HTTP/1.1 999 No Hacking
11 Server: WWW Server/1.1
12 Date: Thu, 05 Dec 2013 03:14:23 GMT
13 Content-Type: text/html; charset=windows-1252
14 Content-Length: 1160
15 Pragma: no-cache
16 Cache-control: no-cache
17 Expires: Thu, 05 Dec 2013 03:14:23 GMT

F5 BIG IP

F5 BIG IP会对恶意请求返回“419 Unknown”的信息，如下：

1 GET /<script> HTTP/1.0
2 HTTP/1.1 419 Unknown
3 Cache-Control: no-cache
4 Content-Type: text/html; charset=iso-8859-15
5 Pragma: no-cache
6 Content-Length: 8140
7 Date: Mon, 25 Nov 2013 15:22:44 GMT
8 Connection: keep-alive
9 Vary: Accept-Encoding

dotDefender

dotDefender用来防护.net的程序，也比较出名，会对恶意请求返回“dotDefender Blocked Your Request”的信息。

请求：

1 GET /---HTTP/1.1
2 Host: www.acc.com
3 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
5 Accept-Language: en-US,en;q=0.5
6 Accept-Encoding: gzip, deflate
7 Connection: keep-alive
8 Cache-Control: max-age=0

响应：

 1 HTTP/1.1 200 OK
 2 Cache-Control: no-cache
 3 Content-Type: text/html
 4 Vary: Accept-Encoding
 5 Server: Microsoft-IIS/7.5
 6 X-Powered-By: ASP.NET
 7 Date: Thu, 05 Dec 2013 03:40:14 GMT
 8 Content-Length: 2616
 9 <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
10 <html xmlns="http://www.w3.org/1999/xhtml">
11 <head>
12 <title>dotDefender Blocked Your Request</title>
13 ……

特定资源文件

部分特定WAF在返回的告警页面含特定的CSS或者JS文件，可以作为判断的依据，这类情况在WAF类里比较少，实际也可以归并到HTTP响应中。

看2个样例：

 1 <html><center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center>  </body>  </html>
 2 HTTP/1.1 405 Not Allowed
 3 Server: ASERVER/1.2.9-3
 4 Date: Fri, 27 Dec 2013 14:15:14 GMT
 5 Content-Type: text/html
 6 Connection: keep-alive
 7 X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3
 8 Content-Length: 7188
 9 <div class="wrapper">
10 <div class="titlelogo"></div>
11 <div class="err_tips">由于您访问的URL有可能对网站造成安全威胁，您的访问被阻断。</div>
12 <div class="feedback">
13 <form action="http://report.anquanbao.com/api.php" method="post">
14 <input type="hidden" name="black_code" value="" class="hidden_rule_id" />
15 <input type="hidden" name="deny_time" value="" class="hidden_intercept_time" />
16 <input type="hidden" name="server_id" value="" class="hidden_server_title" />
17 <input type="hidden" name="deny_url" value="" class="deny_url" />
18 <input type="submit" class="submit_img" value="" />
19 </form>
20 </div>
21 <a href="javascript:;">站长点击查看详情</a>
22 <a href="javascript:;">站长点击查看详情</a>
23 规则ID:10384
24 拦截时间：2013/12/27 22:15:14
25 ServerName：uni-tj-ky-sb3/1.2.9-3

WAF识别工具

一些WAF可以自定义返回的消息内容，或者全部返回自定义的404页面或200页面，有一些工具会协助作为WAF设备的识别。

Wafw00f

用python编写的一个小工具，开源地址：

http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py

Wafw00f用来判断WAF设备的函数如下：

AdminFolder = '/Admin_Files/'

xssstring = '<script>alert(1)</script>'
dirtravstring = '../../../../etc/passwd'
cleanhtmlstring = '<invalid>hello'
isaservermatch = 'Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  )'

使用“python wafw00f.py -h”可以查看工具的使用方法，运行示例：

python wafw00f.py http://www.91ri.org/

基于Cookie的检测

Wafw00f的探测大部分是基于Cookie的检测。

F5asm的检测规则如下：

1 def isf5asm(self):
2         # credit goes to W3AF
3         return self.matchcookie('^TS[a-zA-Z0-9]{3,6}=')

基于响应头的检测

Profense在响应头会包含’server’,'profense’的信息。

1 def isprofense(self):
2     """
3     Checks for server headers containing "profense"
4     """
5     return self.matchheader(('server','profense'))

sqlmap

Sqlmap是一款检测和利用SQLi漏洞工具，也是基于python编写，业内认同率较高，sqlmap用来探测WAF类型想比较Wafw00f来说还多一些。

参考：

https://github.com/sqlmapproject/sqlmap/tree/master/waf

Sqlmap用来探测每种WAF设备都是一个python文件，同样是从cookie信息或者返回头信息进行判断。

以Mod_Security为例

 1 #!/usr/bin/env python
 2 
 3 """
 4 Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
 5 See the file 'doc/COPYING' for copying permission
 6 """
 7 
 8 import re
 9 
10 from lib.core.enums import HTTP_HEADER
11 from lib.core.settings import WAF_ATTACK_VECTORS
12 
13 __product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"
14 
15 def detect(get_page):
16     retval = False
17 
18     for vector in WAF_ATTACK_VECTORS:
19         page, headers, code = get_page(get=vector)
20         retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page, re.I) is None
21         retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
22         if retval:
23             break
24     return retval

Sqlmap用来探测WAF的命令如下：

python sqlmap.py -u “http://www.victim.org/ex.php?id=1” --identify-waf

貌似必须是或自己修改的类似动态参数才能使用。

xenoitx

检测和利用XSS漏洞的神器，WAF检测也是其中的功能之一。

[via@freebuf]

转载请注明：404‘s blog http://www.cnblogs.com/im404/p/3506186.html

posted @ 2014-01-05 19:48 安全大可阅读(2688) 评论(0) 编辑收藏举报

刷新页面返回顶部

安全大可

多学一样本事，少说一句求人的话