identYwaf is an identification tool that can recognize web protection type (i.e. WAF) based on blind inference. Blind inference is being done by inspecting responses provoked by a set of predefined offensive (non-destructive) payloads, where those are used only to trigger the web protection system in between (e.g. http://<host>?aeD0oowi=1 AND 2>1
). Currently it supports more than 80 different protection products (e.g. aeSecure
, Airlock
, CleanTalk
, CrawlProtect
, Imunify360
, MalCare
, ModSecurity
, Palo Alto
, SiteGuard
, UrlScan
, Wallarm
, WatchGuard
, Wordfence
, etc.), while the knowledge-base is constantly growing.
For more information you can check slides for a talk "Blind WAF identification" held at Sh3llCON 2019 (Santander / Spain).
Note: as part of this project, screenshots of characteristic responses for different web protection systems are being gathered (manually) for the future reference.
Screenshots
Installation
You can download the latest zipball by clicking here.
Preferably, you can download identYwaf by cloning the Git repository:
git clone --depth 1 https://github.com/stamparm/identYwaf.git
identYwaf works out of the box with any Python version from 2.6.x to 3.7.x on any platform.
Usage
$ python identYwaf.py
__ __
____ ___ ___ ____ ______ | T T __ __ ____ _____
l j| \ / _]| \ | T| | || T__T T / T| __|
| T | \ / [_ | _ Yl_j l_j| ~ || | | |Y o || l_
| | | D YY _]| | | | | |___ || | | || || _|
j l | || [_ | | | | | | ! \ / | | || ]
|____jl_____jl_____jl__j__j l__j l____/ \_/\_/ l__j__jl__j (1.0.XX)
Usage: python identYwaf.py [options] <host|url>
Options:
--version Show program's version number and exit
-h, --help Show this help message and exit
--delay=DELAY Delay (sec) between tests (default: 0)
--timeout=TIMEOUT Response timeout (sec) (default: 10)
--proxy=PROXY HTTP proxy address (e.g. "http://127.0.0.1:8080")
--proxy-file=PRO.. Load (rotating) HTTP(s) proxy list from a file
--random-agent Use random HTTP User-Agent header value
--code=CODE Expected HTTP code in rejected responses
--string=STRING Expected string in rejected responses
--post Use POST body for sending payloads