Wafw00f (Web Application Firewall Detection)


Web Application Firewalls (WAFs) can be detected through stimulus/response testing scenarios. Here is a short listing of possible detection methods:

  • Cookies: Some WAF products add their own cookie in the HTTP communication.
  • Server Cloaking: Altering URLs and response headers
  • Response Codes: Different error codes for hostile pages/parameter values
  • Drop Action: Sending a FIN/RST packet (technically could also be an IDS/IPS)
  • Pre Built-In Rules: Each WAF has different negative security signatures

WafW00f relies on these behaviours to identify remote WAFs.
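The stimulus/response comparison behind the list above, as an added example (not WafW00f's own code) that is useful for checking what a WAF you operate gives away. It works offline on constructed response records; the `Response` class, the probe names, the `example-gateway` banner and the `gw_track` cookie are hypothetical, and treating a changed `Server` header as the cloaking signal is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Response:
    """One observed HTTP response; status None means the connection was reset."""
    status: Optional[int]
    headers: dict = field(default_factory=dict)
    cookies: frozenset = frozenset()

def _server(resp):
    # Header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in resp.headers.items()}.get("server", "")

def waf_signals(baseline, probe):
    """List which of the page's detection signals separate probe from baseline."""
    if probe.status is None:
        return ["drop action"]
    signals = []
    extra = sorted(probe.cookies - baseline.cookies)
    if extra:
        signals.append("cookies: " + ", ".join(extra))
    if _server(probe) != _server(baseline):
        signals.append(f"server cloaking: {_server(baseline)} -> {_server(probe)}")
    if probe.status != baseline.status:
        signals.append(f"response codes: {baseline.status} -> {probe.status}")
    return signals

def rule_profile(baseline, probes):
    """Names of probe classes that drew any reaction: the built-in rules fingerprint."""
    return sorted(name for name, resp in probes.items() if waf_signals(baseline, resp))

# Constructed sample data (not captured from any real product).
BASELINE = Response(200, {"Server": "nginx"}, frozenset({"session"}))
PROBES = {
    "benign-parameter": Response(200, {"server": "nginx"}, frozenset({"session"})),
    "hostile-parameter": Response(403, {"Server": "example-gateway"},
                                  frozenset({"session", "gw_track"})),
    "hostile-path": Response(None),
}

if __name__ == "__main__":
    for name, resp in PROBES.items():
        print(name, waf_signals(BASELINE, resp))
    print("reacting probes:", rule_profile(BASELINE, PROBES))
```

Each signal that shows up here is something a deployment can reduce: serve block pages with the same headers and cookies as the origin and the comparison has less to report.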


