
WAF Fingerprint Detection and Identification Techniques


A Web application protection system (also called a website application-level intrusion prevention system; in English, Web Application Firewall, abbreviated WAF). Using the definition generally accepted internationally: a Web application firewall is a product that protects Web applications specifically by enforcing a set of security policies against HTTP/HTTPS traffic. This article introduces some common WAF fingerprinting techniques, as follows:

WAF fingerprints

Cookie values

Citrix Netscaler

Citrix Netscaler adds a cookie named "ns_af" to the Cookie header of the HTTP response, which can be used to identify the WAF as Citrix Netscaler. This kind of WAF is rare in China (it was, surprisingly, named the best firewall of 2013 by SearchSecurity).

An example of a malicious request:

GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&
Connection: keep-alive
Cache-Control: max-age=0

F5 BIG-IP ASM

F5 BIG-IP ASM adds cookies of the form "TS" followed by a random string. A non-malicious request looks like this:

GET / HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299
Connection: keep-alive
Cache-Control: max-age=0

HTTP responses

Mod_Security

Mod_Security is an open-source Web protection module designed for Apache. For a malicious request, Mod_Security returns a "406 Not Acceptable" message in the response.

Request:

GET /<script>alert(1);</script> HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response:

HTTP/1.1 406 Not Acceptable
Date: Thu, 05 Dec 2013 03:33:03 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>

WebKnight

WebKnight is a WAF designed for use on IIS and is fairly common. WebKnight returns a "999 No Hacking" message for malicious requests.

Request:

GET /?PageID=99<script>alert(1);</script> HTTP/1.1
Host: www.aqtronix.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response:

HTTP/1.1 999 No Hacking
Server: WWW Server/1.1
Date: Thu, 05 Dec 2013 03:14:23 GMT
Content-Type: text/html; charset=windows-1252
Content-Length: 1160
Pragma: no-cache
Cache-control: no-cache
Expires: Thu, 05 Dec 2013 03:14:23 GMT

F5 BIG-IP

F5 BIG-IP returns a "419 Unknown" message for malicious requests, as follows:

GET /<script> HTTP/1.0

HTTP/1.1 419 Unknown
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-15
Pragma: no-cache
Content-Length: 8140
Date: Mon, 25 Nov 2013 15:22:44 GMT
Connection: keep-alive
Vary: Accept-Encoding

dotDefender

dotDefender protects .NET applications and is also well known; it returns a "dotDefender Blocked Your Request" message for malicious requests.

Request:

GET /--- HTTP/1.1
Host: www.acc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 05 Dec 2013 03:40:14 GMT
Content-Length: 2616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>dotDefender Blocked Your Request</title>
……

Specific resource files

Some WAFs include particular CSS or JS files in the alert page they return, which can serve as a basis for identification. This case is relatively rare among WAFs, and in practice it can also be grouped under HTTP responses.

Two samples:

<html><center><iframe width="100%" align="center" height="870" frameborder="0" scrolling="no" src="http://safe.webscan.360.cn/stopattack.html"></iframe></center>
</body>
</html>

HTTP/1.1 405 Not Allowed
Server: ASERVER/1.2.9-3
Date: Fri, 27 Dec 2013 14:15:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3
Content-Length: 7188

<div class="wrapper">
<div class="titlelogo"></div>
<div class="err_tips">由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断。</div>
<div class="feedback">
<form action="http://report.anquanbao.com/api.php" method="post">
<input type="hidden" name="black_code" value="" class="hidden_rule_id" />
<input type="hidden" name="deny_time" value="" class="hidden_intercept_time" />
<input type="hidden" name="server_id" value="" class="hidden_server_title" />
<input type="hidden" name="deny_url" value="" class="deny_url" />
<input type="submit" class="submit_img" value="" />
</form>
</div>
<a href="javascript:;">站长点击查看详情</a>
规则ID:10384
拦截时间:2013/12/27 22:15:14
ServerName:uni-tj-ky-sb3/1.2.9-3
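Added example (not from the original article and not code from any of the tools it names): a small Python matcher that applies the cookie, status-line, Server-header and page-body signatures listed in the sections above to one raw HTTP request or response, so a site owner can check what a captured exchange reveals about the WAF in front of the site. The sample message is constructed here; the Anquanbao and 360 signatures are taken from the two sample pages.

```python
import re
from typing import Dict, List, Tuple

def parse_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request or response into (start line, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body

def cookie_names(headers: Dict[str, str]) -> List[str]:
    """Cookie names from a request Cookie header or a response Set-Cookie header."""
    raw = headers.get("cookie", "") + "; " + headers.get("set-cookie", "")
    return [p.split("=", 1)[0].strip() for p in raw.split(";") if "=" in p]

def status(start_line: str) -> int:
    """Numeric status of a response start line, or 0 for a request line."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", start_line)
    return int(m.group(1)) if m else 0

# Signatures taken from the article's examples: (product, check(start, headers, body, cookies)).
SIGNATURES = [
    ("Citrix Netscaler", lambda s, h, b, c: "ns_af" in c),
    ("F5 BIG-IP ASM", lambda s, h, b, c: any(re.match(r"^TS[a-zA-Z0-9]{3,6}$", n) for n in c)),
    ("Mod_Security", lambda s, h, b, c: status(s) == 406
        or re.search(r"Mod_Security", h.get("server", "") + b, re.I) is not None),
    ("WebKnight", lambda s, h, b, c: status(s) == 999),
    ("F5 BIG-IP", lambda s, h, b, c: status(s) == 419),
    ("dotDefender", lambda s, h, b, c: "dotdefender blocked your request" in b.lower()),
    ("Profense", lambda s, h, b, c: "profense" in h.get("server", "").lower()),
    ("Anquanbao", lambda s, h, b, c: "x-powered-by-anquanbao" in h),
    ("360 webscan", lambda s, h, b, c: "webscan.360.cn" in b),
]

def identify_waf(raw: str) -> List[str]:
    """Return every product whose signature matches the raw HTTP message."""
    start, headers, body = parse_http(raw)
    cookies = cookie_names(headers)
    return [name for name, check in SIGNATURES if check(start, headers, body, cookies)]

# Constructed sample response (not one of the article's captures) for exercising identify_waf().
SAMPLE_406 = ("HTTP/1.1 406 Not Acceptable\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
              "<html><body><p>This error was generated by Mod_Security.</p></body></html>")
```

A status code alone is a weak signal (any origin can emit 406), so in practice combine the status check with the body or Server header before trusting a match.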

WAF identification tools

Some WAFs can customise the response pattern they return, or return a custom 404 or 200 page for everything; a few tools can help identify the WAF device in such cases.

Wafw00f

A small tool written in Python; open-source address:

http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py

The values Wafw00f uses to probe for WAF devices are as follows:

AdminFolder = '/Admin_Files/'

xssstring = '<script>alert(1)</script>'
dirtravstring = '../../../../etc/passwd'
cleanhtmlstring = '<invalid>hello'
isaservermatch = 'Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  )'

Run "python wafw00f.py -h" to see how the tool is used. Example run:

python wafw00f.py http://www.91ri.org/

Cookie-based detection

Most of Wafw00f's probes are cookie-based checks.

The detection rule for F5 ASM is as follows:

def isf5asm(self):
    # credit goes to W3AF
    return self.matchcookie('^TS[a-zA-Z0-9]{3,6}=')

Response-header-based detection

Profense includes 'server', 'profense' in its response headers.

def isprofense(self):
    """
    Checks for server headers containing "profense"
    """
    return self.matchheader(('server','profense'))

sqlmap

Sqlmap is a tool for detecting and exploiting SQL injection vulnerabilities, also written in Python and widely recognised in the industry; sqlmap detects somewhat more WAF types than Wafw00f.

Reference:

https://github.com/sqlmapproject/sqlmap/tree/master/waf

Each WAF device that sqlmap can detect is a separate Python file, and the decision is likewise made from cookie information or response header information.

Taking Mod_Security as an example:

#!/usr/bin/env python

"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import re

from lib.core.enums import HTTP_HEADER
from lib.core.settings import WAF_ATTACK_VECTORS

__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"

def detect(get_page):
    retval = False

    for vector in WAF_ATTACK_VECTORS:
        page, headers, code = get_page(get=vector)
        retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page, re.I) is None
        retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
        if retval:
            break

    return retval

The sqlmap command for detecting a WAF is as follows:

python sqlmap.py -u "http://www.91ri.org/ ex.php?id=1" --identify-waf

It seems the URL must carry a dynamic parameter, either an existing one or one you modify yourself, for this to work.

Xenotix

A powerful tool for detecting and exploiting XSS vulnerabilities; WAF detection is one of its features.

[via@ freebuf ]
