WAF指紋探測(cè)及識(shí)別技術(shù)
Web應(yīng)用防護(hù)系統(tǒng)(也稱:網(wǎng)站應(yīng)用級(jí)入侵防御系統(tǒng)。英文:Web Application Firewall,簡(jiǎn)稱: WAF)。利用國(guó)際上公認(rèn)的一種說(shuō)法:Web應(yīng)用防火墻是通過(guò)執(zhí)行一系列針對(duì)HTTP/HTTPS的安全策略來(lái)專門(mén)為Web應(yīng)用提供保護(hù)的一款產(chǎn)品。本文介紹了常見(jiàn)的WAF指紋識(shí)別的一些技術(shù),詳見(jiàn)如下:
一、WAF指紋
Cookie值
Citrix Netscaler
“Citrix Netscaler”會(huì)在HTTP返回頭部Cookie位置加入“ns_af”的值,可以以此判斷為Citrix Netscaler的WAF,國(guó)內(nèi)此類WAF很少(這貨居然是searchsecurity認(rèn)定的2013最好的防火墻)。
一個(gè)惡意的請(qǐng)求示例:
GET / HTTP/1.1 Host: target.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA& Connection: keep-alive Cache-Control: max-age=0
F5 BIG IP ASM
F5 BiG IP ASM會(huì)在Cookie中加入“TS+隨機(jī)字符串”的Cookie信息,一個(gè)非惡意的請(qǐng)求如下: GET / HTTP/1.1 Host: www.target.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299 Connection: keep-alive Cache-Control: max-age=0
HTTP響應(yīng)
Mod_Security
Mod_Security是為Apache設(shè)計(jì)的開(kāi)源Web防護(hù)模塊,一個(gè)惡意的請(qǐng)求Mod_Security會(huì)在響應(yīng)頭返回“406 Not acceptable”的信息。
請(qǐng)求:
GET /<script>alert(1);</script>HTTP/1.1 Host: www.target.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive
響應(yīng):
HTTP/1.1 406 Not Acceptable Date: Thu, 05 Dec 2013 03:33:03 GMT Server: Apache Content-Length: 226 Keep-Alive: timeout=10, max=30 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>
WebKnight
WebKnight是用來(lái)設(shè)計(jì)在IIS下面使用的WAF設(shè)備,較為常見(jiàn)。WebKnight會(huì)對(duì)惡意的請(qǐng)求返回“999 No Hacking”的信息。
請(qǐng)求:
GET /?PageID=99<script>alert(1);</script>HTTP/1.1 Host: www.aqtronix.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive
響應(yīng):
HTTP/1.1 999 No Hacking Server: WWW Server/1.1 Date: Thu, 05 Dec 2013 03:14:23 GMT Content-Type: text/html; charset=windows-1252 Content-Length: 1160 Pragma: no-cache Cache-control: no-cache Expires: Thu, 05 Dec 2013 03:14:23 GMT
F5 BIG IP
F5 BIG IP會(huì)對(duì)惡意請(qǐng)求返回“419 Unknown”的信息,如下:
GET /<script> HTTP/1.0 HTTP/1.1 419 Unknown Cache-Control: no-cache Content-Type: text/html; charset=iso-8859-15 Pragma: no-cache Content-Length: 8140 Date: Mon, 25 Nov 2013 15:22:44 GMT Connection: keep-alive Vary: Accept-Encoding
dotDefender
dotDefender用來(lái)防護(hù).net的程序,也比較出名,會(huì)對(duì)惡意請(qǐng)求返回“dotDefender Blocked Your Request”的信息。
請(qǐng)求:
GET /---HTTP/1.1 Host: www.acc.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Cache-Control: max-age=0
響應(yīng):
HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: text/html Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Thu, 05 Dec 2013 03:40:14 GMT Content-Length: 2616 <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>dotDefender Blocked Your Request</title>
特定資源文件
部分特定WAF在返回的告警頁(yè)面含特定的CSS或者JS文件,可以作為判斷的依據(jù),這類情況在WAF類里比較少,實(shí)際也可以歸并到HTTP響應(yīng)中。
看2個(gè)樣例:
- <html> <body style="margin:0; padding:0"> <center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center> </body> </html>
- HTTP/1.1 405 Not Allowed
- Server: ASERVER/1.2.9-3
- Date: Fri, 27 Dec 2013 14:15:14 GMT
- Content-Type: text/html
- Connection: keep-alive
- X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3
- Content-Length: 7188
- <div class="wrapper">
- <div class="titlelogo"></div>
- <div class="err_tips">由于您訪問(wèn)的URL有可能對(duì)網(wǎng)站造成安全威脅,您的訪問(wèn)被阻斷。</div>
- <div class="feedback">
- <form action="http://report.anquanbao.com/api.php" method="post">
- <input type="hidden" name="black_code" value="" class="hidden_rule_id" />
- <input type="hidden" name="deny_time" value="" class="hidden_intercept_time" />
- <input type="hidden" name="server_id" value="" class="hidden_server_title" />
- <input type="hidden" name="deny_url" value="" class="deny_url" />
- <input type="submit" class="submit_img" value="" />
- </form>
- </div>
- <div class="detailcontent">
- <div class="detailupimg">
- <a href="javascript:;">站長(zhǎng)點(diǎn)擊查看詳情</a>
- </div>
- <div class="detaildownimg ">
- <a href="javascript:;">站長(zhǎng)點(diǎn)擊查看詳情</a>
- </div>
- <div class="hiddeninfo">
- 規(guī)則ID:<span class="rule_id">10384</span>
- <span style="margin-left:20px">攔截時(shí)間:</span><span class="intercept_time">2013/12/27 22:15:14</span>
- <div class="hiddeninfosecond">
- <span style="padding-top:20px">ServerName:</span><span class="server_title" style="padding-top:20px">uni-tj-ky-sb3/1.2.9-3</span>
- </div>
- <div class="hiddeninfothird">
#p#
二、WAF識(shí)別工具
一些WAF可以自定義返回的消息內(nèi)容,或者全部返回自定義的404頁(yè)面或200頁(yè)面,有一些工具會(huì)協(xié)助作為WAF設(shè)備的識(shí)別。
Wafw00f
用python編寫(xiě)的一個(gè)小工具,開(kāi)源地址:
http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py
Wafw00f用來(lái)判斷WAF設(shè)備的函數(shù)如下:
AdminFolder = '/Admin_Files/' xssstring = '<script>alert(1)</script>' dirtravstring = '../../../../etc/passwd' cleanhtmlstring = '<invalid>hello' isaservermatch = 'Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )'
使用“python wafw00f.py -h”可以查看工具的使用方法,運(yùn)行示例:
python wafw00f.py http://www.victim.org/
基于Cookie的檢測(cè)
Wafw00f的探測(cè)大部分是基于Cookie的檢測(cè)。
F5asm的檢測(cè)規(guī)則如下:
def isf5asm(self):
# credit goes to W3AF
return self.matchcookie('^TS[a-zA-Z0-9]{3,6}=')
基于響應(yīng)頭的檢測(cè)
Profense在響應(yīng)頭會(huì)包含'server','profense'的信息。
def isprofense(self):
"""
Checks for server headers containing "profense"
"""
return self.matchheader(('server','profense'))
sqlmap
Sqlmap是一款檢測(cè)和利用SQLi漏洞工具,也是基于python編寫(xiě),業(yè)內(nèi)認(rèn)同率較高,sqlmap用來(lái)探測(cè)WAF類型想比較Wafw00f來(lái)說(shuō)還多一些。
參考:
https://github.com/sqlmapproject/sqlmap/tree/master/waf
Sqlmap用來(lái)探測(cè)每種WAF設(shè)備都是一個(gè)python文件,同樣是從cookie信息或者返回頭信息進(jìn)行判斷。
以Mod_Security為例
#!/usr/bin/env python """ Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ import re from lib.core.enums import HTTP_HEADER from lib.core.settings import WAF_ATTACK_VECTORS __product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)" def detect(get_page): retval = False for vector in WAF_ATTACK_VECTORS: page, headers, code = get_page(get=vector) retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page, re.I) is None retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None if retval: break return retval
Sqlmap用來(lái)探測(cè)WAF的命令如下:
python sqlmap.py -u “http://www.victim.org/ex.php?id=1” --identify-waf
貌似必須是或自己修改的類似動(dòng)態(tài)參數(shù)才能使用。
xenoitx
檢測(cè)和利用XSS漏洞的神器,WAF檢測(cè)也是其中的功能之一。
