Repository: sandrogauci/wafw00f Branch: master Commit: 69fbe3956bba Files: 202 Total size: 186.3 KB Directory structure: gitextract_69mvkwm9/ ├── .github/ │ ├── ISSUE_TEMPLATE/ │ │ └── bug_report.md │ └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── CLAUDE.md ├── CODE_OF_CONDUCT.md ├── CREDITS.txt ├── Dockerfile ├── LICENSE ├── MANIFEST.in ├── Makefile ├── README.md ├── docs/ │ ├── Makefile │ ├── conf.py │ ├── index.rst │ └── wafw00f.8 ├── pyproject.toml ├── tests/ │ ├── __init__.py │ ├── conftest.py │ ├── test_detection.py │ ├── test_evillib.py │ ├── test_manager.py │ └── test_matching.py └── wafw00f/ ├── __init__.py ├── lib/ │ ├── __init__.py │ ├── asciiarts.py │ └── evillib.py ├── main.py ├── manager.py ├── plugins/ │ ├── __init__.py │ ├── aesecure.py │ ├── airee.py │ ├── airlock.py │ ├── alertlogic.py │ ├── aliyundun.py │ ├── anquanbao.py │ ├── anubis.py │ ├── anyu.py │ ├── applicationgateway.py │ ├── approach.py │ ├── armor.py │ ├── arvancloud.py │ ├── aspa.py │ ├── aspnetgen.py │ ├── astra.py │ ├── awswaf.py │ ├── azion.py │ ├── baffinbay.py │ ├── baidu.py │ ├── barikode.py │ ├── barracuda.py │ ├── bekchy.py │ ├── beluga.py │ ├── binarysec.py │ ├── bitninja.py │ ├── blockdos.py │ ├── bluedon.py │ ├── bulletproof.py │ ├── cachefly.py │ ├── cachewall.py │ ├── cdnns.py │ ├── cerber.py │ ├── chinacache.py │ ├── chuangyu.py │ ├── ciscoacexml.py │ ├── cloudbric.py │ ├── cloudflare.py │ ├── cloudfloordns.py │ ├── cloudfront.py │ ├── cloudprotector.py │ ├── comodo.py │ ├── crawlprotect.py │ ├── ddosguard.py │ ├── denyall.py │ ├── distil.py │ ├── dosarrest.py │ ├── dotdefender.py │ ├── dynamicweb.py │ ├── edgecast.py │ ├── eisoo.py │ ├── envoy.py │ ├── expressionengine.py │ ├── f5bigipapm.py │ ├── f5bigipasm.py │ ├── f5bigipltm.py │ ├── f5firepass.py │ ├── f5trafficshield.py │ ├── fastly.py │ ├── fortigate.py │ ├── fortiguard.py │ ├── fortiweb.py │ ├── frontdoor.py │ ├── gcparmor.py │ ├── godaddy.py │ ├── greywizard.py │ ├── huaweicloud.py │ ├── hyperguard.py │ ├── ibmdatapower.py │ ├── imunify360.py │ ├── incapsula.py │ ├── indusguard.py │ ├── instartdx.py │ ├── isaserver.py │ ├── janusec.py │ ├── jiasule.py │ ├── kemp.py │ ├── keycdn.py │ ├── knownsec.py │ ├── kona.py │ ├── limelight.py │ ├── link11.py │ ├── litespeed.py │ ├── malcare.py │ ├── maxcdn.py │ ├── missioncontrol.py │ ├── modsecurity.py │ ├── naxsi.py │ ├── nemesida.py │ ├── netcontinuum.py │ ├── netscaler.py │ ├── nevisproxy.py │ ├── newdefend.py │ ├── nexusguard.py │ ├── ninja.py │ ├── nsfocus.py │ ├── nullddos.py │ ├── onmessage.py │ ├── openresty.py │ ├── oraclecloud.py │ ├── paloalto.py │ ├── panyun360.py │ ├── pentawaf.py │ ├── perimeterx.py │ ├── pksec.py │ ├── powercdn.py │ ├── profense.py │ ├── ptaf.py │ ├── puhui.py │ ├── qcloud.py │ ├── qiniu.py │ ├── qrator.py │ ├── radware.py │ ├── reblaze.py │ ├── reflected.py │ ├── rsfirewall.py │ ├── rvmode.py │ ├── sabre.py │ ├── safe3.py │ ├── safedog.py │ ├── safeline.py │ ├── scutum.py │ ├── secking.py │ ├── secupress.py │ ├── secureentry.py │ ├── secureiis.py │ ├── securesphere.py │ ├── senginx.py │ ├── serverdefender.py │ ├── shadowd.py │ ├── shieldon.py │ ├── shieldsecurity.py │ ├── siteground.py │ ├── siteguard.py │ ├── sitelock.py │ ├── sonicwall.py │ ├── sophos.py │ ├── squarespace.py │ ├── squidproxy.py │ ├── stackpath.py │ ├── sucuri.py │ ├── tencent.py │ ├── teros.py │ ├── threatx.py │ ├── transip.py │ ├── uewaf.py │ ├── urlmaster.py │ ├── urlscan.py │ ├── variti.py │ ├── varnish.py │ ├── vercel.py │ ├── viettel.py │ ├── virusdie.py │ ├── wallarm.py │ ├── watchguard.py │ ├── webarx.py │ ├── webknight.py │ ├── webland.py │ ├── webray.py │ ├── webseal.py │ ├── webtotem.py │ ├── west263cdn.py │ ├── wordfence.py │ ├── wpmudev.py │ ├── wts.py │ ├── wzb360.py │ ├── xlabssecuritywaf.py │ ├── xuanwudun.py │ ├── yundun.py │ ├── yunsuo.py │ ├── yxlink.py │ ├── zenedge.py │ └── zscaler.py └── wafprio.py ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/ISSUE_TEMPLATE/bug_report.md ================================================ --- name: Bug report about: Create a report to help us improve title: '' labels: '' assignees: sandrogauci, 0xInfection --- **Describe the bug** A clear and concise description of what the bug is. **To Reproduce** Command that reproduces the issue. e.g. `wafw00f http://example.org -a -vv` **Expected behavior** A clear and concise description of what you expected to happen. **Screenshots** If applicable, add screenshots to help explain your problem. **Desktop (please complete the following information):** - OS: [e.g. Windows, Linux] - OS version, distribution: - Python version: [e.g. python 3.2] **Debug output** Paste the output that you get when passing `-vv` to wafw00f. Example: ``` [*] Checking http://www.example.com INFO:wafw00f:starting wafw00f on http://www.example.com INFO:wafw00f:Request Succeeded INFO:wafw00f:Request Succeeded INFO:wafw00f:Checking for ACE XML Gateway (Cisco) INFO:wafw00f:Checking for aeSecure (aeSecure) INFO:wafw00f:Checking for AireeCDN (Airee) INFO:wafw00f:Checking for Airlock (Phion/Ergon) INFO:wafw00f:Checking for Alert Logic (Alert Logic) INFO:wafw00f:Checking for AliYunDun (Alibaba Cloud Computing) INFO:wafw00f:Checking for Anquanbao (Anquanbao) INFO:wafw00f:Checking for AnYu (AnYu Technologies) INFO:wafw00f:Checking for Approach (Approach) INFO:wafw00f:Checking for AppWall (Radware) INFO:wafw00f:Checking for Armor Defense (Armor) INFO:wafw00f:Checking for ArvanCloud (ArvanCloud) INFO:wafw00f:Checking for ASP.NET Generic (Microsoft) INFO:wafw00f:Checking for ASPA Firewall (ASPA Engineering Co.) INFO:wafw00f:Checking for Astra (Czar Securities) INFO:wafw00f:Checking for AzionCDN (AzionCDN) INFO:wafw00f:Checking for Barikode (Ethic Ninja) INFO:wafw00f:Checking for Barracuda (Barracuda Networks) INFO:wafw00f:Checking for Bekchy (Faydata Technologies Inc.) INFO:wafw00f:Checking for Beluga CDN (Beluga) INFO:wafw00f:Checking for BIG-IP Local Traffic Manager (F5 Networks) INFO:wafw00f:Checking for BinarySec (BinarySec) INFO:wafw00f:Checking for BitNinja (BitNinja) INFO:wafw00f:Checking for BlockDoS (BlockDoS) INFO:wafw00f:Checking for Bluedon (Bluedon IST) INFO:wafw00f:Checking for BulletProof Security Pro (AITpro Security) INFO:wafw00f:Checking for CacheWall (Varnish) INFO:wafw00f:Checking for CacheFly CDN (CacheFly) INFO:wafw00f:Checking for Comodo cWatch (Comodo CyberSecurity) INFO:wafw00f:Checking for CdnNS Application Gateway (CdnNs/WdidcNet) INFO:wafw00f:Checking for ChinaCache Load Balancer (ChinaCache) INFO:wafw00f:Checking for Chuang Yu Shield (Yunaq) INFO:wafw00f:Checking for Cloudbric (Penta Security) INFO:wafw00f:Checking for Cloudflare (Cloudflare Inc.) INFO:wafw00f:Checking for Cloudfloor (Cloudfloor DNS) INFO:wafw00f:Checking for Cloudfront (Amazon) INFO:wafw00f:Checking for CrawlProtect (Jean-Denis Brun) INFO:wafw00f:Checking for DataPower (IBM) INFO:wafw00f:Checking for DenyALL (Rohde & Schwarz CyberSecurity) INFO:wafw00f:Checking for Distil (Distil Networks) INFO:wafw00f:Checking for DOSarrest (DOSarrest Internet Security) INFO:wafw00f:Checking for DotDefender (Applicure Technologies) INFO:wafw00f:Checking for DynamicWeb Injection Check (DynamicWeb) INFO:wafw00f:Checking for Edgecast (Verizon Digital Media) INFO:wafw00f:Identified WAF: ['Edgecast (Verizon Digital Media)'] [+] The site http://www.example.com is behind Edgecast (Verizon Digital Media) WAF. [~] Number of requests: 2 ``` **Additional context** Add any other context about the problem here. ================================================ FILE: .github/PULL_REQUEST_TEMPLATE.md ================================================ #### Which category is this pull request? - [ ] A new feature/enhancement. - [ ] Fix an issue/feature-request. - [ ] An improvement to existing modules. - [ ] Other (Please mention below). #### Where has this been tested? - Python Version - [ ] v3.x - [ ] v2.x - Operating System: - [ ] Linux (Please specify distro) - [ ] Windows - [ ] MacOS #### Does this close any currently open issues? [Mention any issue which this PR closes] #### Does this add any new dependency? [Mention if this PR includes any new library] #### Does this add any new command line switch/argument? [Mention if the changes add any new arguments like `--arg`] #### Any other comments you would like to make? [Anything more you'd want the reviewer to know] ================================================ FILE: .gitignore ================================================ # Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *.swp # C extensions *.so # Distribution / packaging .Python env/ bin/ build/ develop-eggs/ dist/ eggs/ include/ local/ lib64/ man/ parts/ sdist/ var/ *.egg-info/ .installed.cfg *.egg # Installer logs pip-log.txt pip-delete-this-directory.txt # Unit test / coverage reports htmlcov/ .tox/ .coverage .cache nosetests.xml coverage.xml # Translations *.mo # Mr Developer .mr.developer.cfg .project .pydevproject # Rope .ropeproject # Django stuff: *.log *.pot # Sphinx documentation docs/_build/ *.csv *.json .idea/* .vscode/* .pypirc .venv/ ================================================ FILE: CLAUDE.md ================================================ # CLAUDE.md This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. ## Project Overview WAFW00F is a Web Application Firewall (WAF) fingerprinting and detection tool written in Python. It identifies WAF products protecting web applications through HTTP response analysis and behavioral testing. ## Development Commands ### Testing ```bash # Run all tests pytest # Run tests with verbose output pytest -v # Run specific test file pytest tests/test_evillib.py # Run specific test pytest tests/test_evillib.py::TestWafToolsEngine::test_default_timeout # Run tests with coverage pytest --cov=wafw00f --cov-report=term-missing ``` ### Linting ```bash # Run linter (prospector) prospector wafw00f --strictness veryhigh ``` ### Building and Installing ```bash # Install in development mode with dev dependencies pip install -e .[dev,docs] # Build distribution packages python setup.py sdist bdist_wheel # Clean build artifacts make clean ``` ### Publishing New Release ```bash # 1. Update version in wafw00f/__init__.py # 2. Update version in README.md (badge and ASCII art examples - 3 places) # 3. Run tests pytest # 4. Build package python setup.py sdist bdist_wheel # 5. Upload to PyPI twine upload dist/* # 6. Create GitHub release gh release create vX.Y.Z --title "vX.Y.Z" --notes "Release notes here" # 7. Commit version changes git add wafw00f/__init__.py README.md git commit -m "Bump version to X.Y.Z" git push ``` ## Architecture ### Core Components **main.py** - Entry point and orchestration - `WAFW00F` class extends `waftoolsengine` and orchestrates the detection workflow - Contains attack payload definitions (XSS, SQLi, LFI, XXE, RCE) - Implements detection methods: `matchHeader()`, `matchStatus()`, `matchCookie()`, `matchContent()`, `matchReason()` - Provides attack request generators: `normalRequest()`, `xssAttack()`, `sqliAttack()`, `centralAttack()`, etc. - Two detection modes: - `identwaf()`: Plugin-based detection using WAF-specific signatures - `genericdetect()`: Behavioral detection when no plugin matches **manager.py** - Plugin loader - Dynamically discovers and loads all Python files from `wafw00f/plugins/` - Uses `importlib.util` for runtime module loading - Returns dictionary: `{plugin_name: plugin_module}` **wafprio.py** - Detection priority - Ordered list of 182 WAF names defining which plugins to check first - Optimization: fast header/cookie checks before complex logic - Plugins not in the list are still checked but after prioritized ones **evillib.py** - HTTP request engine - `waftoolsengine` class wraps the `requests` library - Enforces 100KB max response size to prevent hanging on streaming responses - Enforces timeout during response body reading (not just connection) - Default timeout: 7 seconds (configurable) - Disables SSL warnings for testing self-signed certificates - Streams responses in 8KB chunks ### Detection Flow 1. **Normal request**: Baseline HTTP request to establish normal behavior 2. **Attack request**: `centralAttack()` sends combined XSS+SQLi+LFI payload 3. **Plugin detection**: Iterate through prioritized plugins, each calling `is_waf(self)` 4. **Generic detection**: If no plugin matches, analyze behavioral differences (status codes, headers, blocking) ### Plugin System Plugins are minimal Python modules in `wafw00f/plugins/` with exactly 2 requirements: ```python NAME = 'WAF Name (Manufacturer)' def is_waf(self): # 'self' is the WAFW00F instance # Access: self.rq (normal response), self.attackres (attack response) # Available methods: matchHeader, matchCookie, matchContent, matchStatus, matchReason if self.matchHeader(('server', 'cloudflare')): return True return False ``` **Common detection patterns:** 1. **Simple single-check** (e.g., `cloudflare.py`): - Check for specific header, cookie, or content pattern 2. **Multiple checks** (e.g., `incapsula.py`): - Try several different signatures (OR logic) 3. **Schema-based** (e.g., `modsecurity.py`): - Multiple helper functions checking combinations of conditions (AND logic) - Example: `check_schema_02()` requires both 403 status AND "ModSecurity Action" reason **Detection methods available to plugins:** - `matchHeader((name, pattern), attack=False)` - Regex match on header - `matchCookie(pattern, attack=False)` - Shortcut for Set-Cookie header - `matchContent(regex, attack=True)` - Regex match on response body - `matchStatus(code, attack=True)` - Match HTTP status code - `matchReason(phrase, attack=True)` - Match HTTP reason phrase ## Adding New WAF Detection 1. Create `wafw00f/plugins/newwaf.py` 2. Define `NAME` constant with "WAF Name (Manufacturer)" format 3. Define `is_waf(self)` function returning True/False 4. Optionally add WAF name to `wafprio.py` for priority detection 5. Add test to `tests/test_detection.py`: ```python @responses.activate def test_detect_newwaf_by_header(self): responses.add(responses.GET, 'https://example.com', headers={'Server': 'NewWAF'}, status=200) engine = WAFW00F('https://example.com') assert 'NewWAF' in engine.identwaf() ``` ## Important Notes for Development ### Timeout Handling (Issue #246) The timeout parameter must be enforced during both: 1. Connection establishment (handled by requests library) 2. Response body reading (enforced manually in `evillib.py`) When modifying request logic, ensure timeouts are respected during streaming to prevent hangs on slow servers. ### Response Size Limiting Always use `stream=True` with requests and enforce `MAX_RESPONSE_SIZE` (100KB) to prevent memory issues and hanging on: - Streaming media servers (audio/video) - Infinite response generators - Large file downloads ### Version Updates When bumping version, update **3 locations**: 1. `wafw00f/__init__.py` - `__version__` variable 2. `README.md` - Badge (line 18) 3. `README.md` - ASCII art examples (lines 53 and 253) ### Commit Messages Follow conventional format: - "Fix X" for bug fixes - "Add X" for new features - "Update X" for enhancements - Include issue references: "Fix timeout enforcement (issue #246)" ### Testing WAF Plugins When testing plugin detection: - Use `@responses.activate` decorator - Mock HTTP responses with specific headers/content/status - Test both positive (WAF detected) and negative (not detected) cases - Check against actual attack responses when possible ### Git Workflow - Main branch: `master` - Always run tests before committing - Push releases to both GitHub and PyPI - Create GitHub releases using `gh release create` ================================================ FILE: CODE_OF_CONDUCT.md ================================================ # Contributor Covenant Code of Conduct ## Our Pledge In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. ## Our Standards Examples of behavior that contributes to creating a positive environment include: * Using welcoming and inclusive language * Being respectful of differing viewpoints and experiences * Gracefully accepting constructive criticism * Focusing on what is best for the community * Showing empathy towards other community members Examples of unacceptable behavior by participants include: * The use of sexualized language or imagery and unwelcome sexual attention or advances * Trolling, insulting/derogatory comments, and personal or political attacks * Public or private harassment * Publishing others' private information, such as a physical or electronic address, without explicit permission * Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. ## Scope This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at code@enablesecurity.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. ## Attribution This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html [homepage]: https://www.contributor-covenant.org For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq ================================================ FILE: CREDITS.txt ================================================ =================== THE WAFW00F PROJECT =================== $ AUTHORS ======= * Current Maintainers :- - Sandro Gauci - Pinaki Mondal <0xinfection [at] gmail [dot] com> * Original Code by :- - Sandro Gauci - Wendel G. Henrique $ CONTRIBUTORS ============ A number of people contributed in the past (in no particular order): - Sebastien Gioria - W3AF (or Andres Riancho) - Charlie Campbell - @j0eMcCray - Mathieu Dessus - David S. Langlands - Nmap's http-waf-fingerprint.nse / Hani Benhabiles - Denis Kolegov - kun a - Louis-Philippe Huberdeau - Brendan Coles - Matt Foster - g0tmi1k (?) - MyKings If you did contribute and somehow I didn't put your name in there, please do let me know at: . ================================================ FILE: Dockerfile ================================================ FROM python:3.11.9-alpine WORKDIR /usr/src/app COPY . . RUN pip install . ENTRYPOINT [ "wafw00f" ] ================================================ FILE: LICENSE ================================================ Copyright (c) 2009-2026, WAFW00F Developers All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the {organization} nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ================================================ FILE: MANIFEST.in ================================================ include CREDITS.txt include LICENSE include MANIFEST.in include README.md include wafw00f/__init__.py include wafw00f/bin/wafw00f ================================================ FILE: Makefile ================================================ SRC_DIR = wafw00f DOC_DIR = docs MAKE = make all: make install make test make html make clean install: pip install -q -e .[dev,docs] test: pytest test-verbose: pytest -v --tb=short test-coverage: pytest --cov=$(SRC_DIR) --cov-report=term-missing lint: prospector $(SRC_DIR) --strictness veryhigh testall: tox html: cd $(DOC_DIR) && $(MAKE) html clean: rm -rf *.egg-info build dist .coverage find $(SRC_DIR) -name "*.pyc" | xargs rm -rf ================================================ FILE: README.md ================================================

wafw00f
WAFW00F

The Web Application Firewall Fingerprinting Tool.
— From Enable Security

## How does it work? To do its magic, WAFW00F does the following: - Sends a _normal_ HTTP request and analyses the response; this identifies a number of WAF solutions. - If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is. - If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks. For further details, check out the source code on our [main repository](https://github.com/EnableSecurity/wafw00f). ## What does it detect? WAFW00F can detect a number of firewalls, a list of which is as below: ``` $ wafw00f -l ? ,. ( . ) . " __ ?? (" ) )' ,' ) . (` '` (___()'`; ??? .; ) ' (( (" ) ;(, (( ( ;) " )") /,___ /` _"., ,._'_.,)_(..,( . )_ _' )_') (. _..( ' ) \\ \\ |____|____|____|____|____|____|____|____|____| ~ WAFW00F : v2.4.2 ~ ~ Sniffing Web Application Firewalls since 2009 ~ [+] Can test for these WAFs: WAF Name Manufacturer -------- ------------ 360PanYun 360 Technologies 360WangZhanBao 360 Technologies ACE XML Gateway Cisco ASP.NET Generic Microsoft ASPA Firewall ASPA Engineering Co. AWS Elastic Load Balancer Amazon AireeCDN Airee Airlock Phion/Ergon Alert Logic Alert Logic AliYunDun Alibaba Cloud Computing AnYu AnYu Technologies Anquanbao Anquanbao Anubis Techaro AppWall Radware Approach Approach Armor Defense Armor ArvanCloud ArvanCloud Astra Czar Securities Azion Edge Firewall Azion Azure Application Gateway Microsoft Azure Front Door Microsoft BIG-IP AP Manager F5 Networks BIG-IP AppSec Manager F5 Networks BIG-IP Local Traffic Manager F5 Networks Barikode Ethic Ninja Barracuda Barracuda Networks Baffin Bay Mastercard Bekchy Faydata Technologies Inc. Beluga CDN Beluga BinarySec BinarySec BitNinja BitNinja BlockDoS BlockDoS Bluedon Bluedon IST BulletProof Security Pro AITpro Security CacheFly CDN CacheFly CacheWall Varnish CdnNS Application Gateway CdnNs/WdidcNet ChinaCache Load Balancer ChinaCache Chuang Yu Shield Yunaq Cloud Protector Rohde & Schwarz CyberSecurity Cloudbric Penta Security Cloudflare Cloudflare Inc. Cloudfloor Cloudfloor DNS Cloudfront Amazon Comodo cWatch Comodo CyberSecurity CrawlProtect Jean-Denis Brun DDoS-GUARD DDOS-GUARD CORP. DOSarrest DOSarrest Internet Security DataPower IBM DenyALL Rohde & Schwarz CyberSecurity Distil Distil Networks DotDefender Applicure Technologies DynamicWeb Injection Check DynamicWeb Edgecast Verizon Digital Media Eisoo Cloud Firewall Eisoo Envoy EnvoyProxy Expression Engine EllisLab Fastly Fastly CDN FirePass F5 Networks FortiGate Fortinet FortiGuard Fortinet FortiWeb Fortinet GoDaddy Website Protection GoDaddy Google Cloud App Armor Google Cloud Greywizard Grey Wizard Huawei Cloud Firewall Huawei HyperGuard Art of Defense ISA Server Microsoft Imunify360 CloudLinux Incapsula Imperva Inc. IndusGuard Indusface Instart DX Instart Logic Janusec Application Gateway Janusec Jiasule Jiasule KS-WAF KnownSec Kemp LoadMaster Progress Software KeyCDN KeyCDN Kona SiteDefender Akamai LimeLight CDN LimeLight Link11 WAAP Link11 LiteSpeed LiteSpeed Technologies Malcare Inactiv MaxCDN MaxCDN Mission Control Shield Mission Control ModSecurity SpiderLabs NAXSI NBS Systems NSFocus NSFocus Global Inc. Nemesida PentestIt NetContinuum Barracuda Networks NetScaler AppFirewall Citrix Systems NevisProxy AdNovum Newdefend NewDefend NexusGuard Firewall NexusGuard NinjaFirewall NinTechNet NullDDoS Protection NullDDoS OnMessage Shield BlackBaud Open-Resty Lua Nginx FLOSS Oracle Cloud Oracle PT Application Firewall Positive Technologies Palo Alto Next Gen Firewall Palo Alto Networks PentaWAF Global Network Services PerimeterX PerimeterX PowerCDN PowerCDN Profense ArmorLogic Puhui Puhui Qcloud Tencent Cloud Qiniu Qiniu CDN Qrator Qrator RSFirewall RSJoomla! RayWAF WebRay Solutions Reblaze Reblaze Reflected Networks Reflected Networks RequestValidationMode Microsoft SEnginx Neusoft Sabre Firewall Sabre Safe3 Web Firewall Safe3 Safedog SafeDog Safeline Chaitin Tech. Scutum Secure Sky Technology Inc. SecKing SecKing SecuPress WP Security SecuPress Secure Entry United Security Providers SecureSphere Imperva Inc. ServerDefender VP Port80 Software Shadow Daemon Zecure Shield Security One Dollar Plugin SiteGround SiteGround SiteGuard EG Secure Solutions Inc. Sitelock TrueShield SonicWall Dell Squarespace Squarespace SquidProxy IDS SquidProxy StackPath StackPath Sucuri CloudProxy Sucuri Inc. Tencent Cloud Firewall Tencent Technologies Teros Citrix Systems ThreatX A10 Networks Trafficshield F5 Networks TransIP Web Firewall TransIP UEWaf UCloud URLMaster SecurityCheck iFinity/DotNetNuke URLScan Microsoft UTM Web Protection Sophos Variti Variti Varnish OWASP Vercel WAF Vercel Viettel Cloudrity VirusDie VirusDie LLC WP Cerber Security Cerber Tech WTS-WAF WTS Wallarm Wallarm Inc. WatchGuard WatchGuard Technologies WebARX WebARX Security Solutions WebKnight AQTRONIX WebLand WebLand WebSEAL IBM WebTotem WebTotem West263 CDN West263CDN Wordfence Defiant XLabs Security WAF XLabs Xuanwudun Xuanwudun YXLink YxLink Technologies Yundun Yundun Yunjiasu Baidu Cloud Computing Yunsuo Yunsuo ZScaler Accenture Zenedge Zenedge aeSecure aeSecure eEye SecureIIS BeyondTrust pkSecurity IDS pkSec wpmudev WAF Incsub Shieldon Firewall Shieldon.io ``` ## How do I use it? First, install the tools as described [here](#how-do-i-install-it). For help you can make use of the `--help` option. The basic usage is to pass an URL as an argument. Example: ``` $ wafw00f https://example.org ______ / \ ( Woof! ) \ ____/ ) ,, ) (_ .-. - _______ ( |__| ()``; |==|_______) .)|__| / (' /|\ ( |__| ( / ) / | \ . |__| \(_)_)) / | \ |__| ~ WAFW00F : v2.4.2 ~ The Web Application Firewall Fingerprinting Toolkit [*] Checking https://example.org [+] The site https://example.org is behind Edgecast (Verizon Digital Media) WAF. [~] Number of requests: 2 ``` ## How do I install it? ### Install from PyPI (recommended) Run: ``` python3 -m pip install wafw00f ``` or ``` pip3 install wafw00f ``` ### Via Docker It is also possible to run it within a docker container. Clone this repository first and build the Docker image using: ``` docker build . -t wafw00f ``` Now you can run: ``` docker run --rm -it wafw00f https://example.com ``` ### From source > NOTE: Be careful to not break your system packages while installing wafw00f. Use venv as and when required. Clone the repository: ``` git clone https://github.com/enablesecurity/wafw00f.git ``` Then: ``` cd wafw00f/ python3 -m pip install . ``` Or, by using pipx directly: ``` pipx install git+https://github.com/EnableSecurity/wafw00f.git ``` ## Final Words __Questions?__ Pull up an [issue on GitHub Issue Tracker](https://github.com/enablesecurity/wafw00f/issues/new) or contact [me](mailto:sandro@enablesecurity.com). [Pull requests](https://github.com/enablesecurity/wafw00f/pulls), [ideas and issues](https://github.com/enablesecurity/wafw00f/issues) are highly welcome. Some useful links: - [Documentation/Wiki](https://github.com/enablesecurity/wafw00f/wiki/) - [Pypi Package Repository](https://pypi.org/project/wafw00f) Presently being developed and maintained by: - Sandro Gauci ([@SandroGauci](https://twitter.com/sandrogauci)) - Pinaki Mondal ([@0xInfection](https://twitter.com/0xinfection)) ================================================ FILE: docs/Makefile ================================================ # Makefile for Sphinx documentation # # You can set these variables from the command line. SPHINXOPTS = SPHINXBUILD = sphinx-build PAPER = BUILDDIR = _build # User-friendly check for sphinx-build ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1) $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/) endif # Internal variables. PAPEROPT_a4 = -D latex_paper_size=a4 PAPEROPT_letter = -D latex_paper_size=letter ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . # the i18n builder cannot share the environment and doctrees with the others I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . .PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext help: @echo "Please use \`make ' where is one of" @echo " html to make standalone HTML files" @echo " dirhtml to make HTML files named index.html in directories" @echo " singlehtml to make a single large HTML file" @echo " pickle to make pickle files" @echo " json to make JSON files" @echo " htmlhelp to make HTML files and a HTML help project" @echo " qthelp to make HTML files and a qthelp project" @echo " devhelp to make HTML files and a Devhelp project" @echo " epub to make an epub" @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" @echo " latexpdf to make LaTeX files and run them through pdflatex" @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx" @echo " text to make text files" @echo " man to make manual pages" @echo " texinfo to make Texinfo files" @echo " info to make Texinfo files and run them through makeinfo" @echo " gettext to make PO message catalogs" @echo " changes to make an overview of all changed/added/deprecated items" @echo " xml to make Docutils-native XML files" @echo " pseudoxml to make pseudoxml-XML files for display purposes" @echo " linkcheck to check all external links for integrity" @echo " doctest to run all doctests embedded in the documentation (if enabled)" clean: rm -rf $(BUILDDIR)/* html: $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html @echo @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." dirhtml: $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml @echo @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." singlehtml: $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml @echo @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." pickle: $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle @echo @echo "Build finished; now you can process the pickle files." json: $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json @echo @echo "Build finished; now you can process the JSON files." htmlhelp: $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp @echo @echo "Build finished; now you can run HTML Help Workshop with the" \ ".hhp project file in $(BUILDDIR)/htmlhelp." qthelp: $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp @echo @echo "Build finished; now you can run "qcollectiongenerator" with the" \ ".qhcp project file in $(BUILDDIR)/qthelp, like this:" @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/wafw00f.qhcp" @echo "To view the help file:" @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/wafw00f.qhc" devhelp: $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp @echo @echo "Build finished." @echo "To view the help file:" @echo "# mkdir -p $$HOME/.local/share/devhelp/wafw00f" @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/wafw00f" @echo "# devhelp" epub: $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub @echo @echo "Build finished. The epub file is in $(BUILDDIR)/epub." latex: $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex @echo @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." @echo "Run \`make' in that directory to run these through (pdf)latex" \ "(use \`make latexpdf' here to do that automatically)." latexpdf: $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex @echo "Running LaTeX files through pdflatex..." $(MAKE) -C $(BUILDDIR)/latex all-pdf @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." latexpdfja: $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex @echo "Running LaTeX files through platex and dvipdfmx..." $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." text: $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text @echo @echo "Build finished. The text files are in $(BUILDDIR)/text." man: $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man @echo @echo "Build finished. The manual pages are in $(BUILDDIR)/man." texinfo: $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo @echo @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." @echo "Run \`make' in that directory to run these through makeinfo" \ "(use \`make info' here to do that automatically)." info: $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo @echo "Running Texinfo files through makeinfo..." make -C $(BUILDDIR)/texinfo info @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." gettext: $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale @echo @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." changes: $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes @echo @echo "The overview file is in $(BUILDDIR)/changes." linkcheck: $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck @echo @echo "Link check complete; look for any errors in the above output " \ "or in $(BUILDDIR)/linkcheck/output.txt." doctest: $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest @echo "Testing of doctests in the sources finished, look at the " \ "results in $(BUILDDIR)/doctest/output.txt." xml: $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml @echo @echo "Build finished. The XML files are in $(BUILDDIR)/xml." pseudoxml: $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml @echo @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml." ================================================ FILE: docs/conf.py ================================================ # -*- coding: utf-8 -*- # # wafw00f documentation build configuration file, created by # sphinx-quickstart on Thu May 15 20:04:22 2014. # # This file is execfile()d with the current directory set to its # containing dir. # # Note that not all possible configuration values are present in this # autogenerated file. # # All configuration values have a default; values that are commented out # serve to show the default. import os import sys BASE_DIR = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) sys.path.insert(0, BASE_DIR) from wafw00f import __version__ # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. #sys.path.insert(0, os.path.abspath('.')) # -- General configuration ------------------------------------------------ # If your documentation needs a minimal Sphinx version, state it here. #needs_sphinx = '1.0' # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # The suffix of source filenames. source_suffix = '.rst' # The encoding of source files. #source_encoding = 'utf-8-sig' # The master toctree document. master_doc = 'index' # General information about the project. project = u'wafw00f' copyright = u'2020, WAFW00F Developers' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. # # The short X.Y version. version = __version__ # The full version, including alpha/beta/rc tags. release = __version__ # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. #language = None # There are two options for replacing |today|: either, you set today to some # non-false value, then it is used: #today = '' # Else, today_fmt is used as the format for a strftime call. #today_fmt = '%B %d, %Y' # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. exclude_patterns = ['_build'] # The reST default role (used for this markup: `text`) to use for all # documents. #default_role = None # If true, '()' will be appended to :func: etc. cross-reference text. #add_function_parentheses = True # If true, the current module name will be prepended to all description # unit titles (such as .. function::). #add_module_names = True # If true, sectionauthor and moduleauthor directives will be shown in the # output. They are ignored by default. #show_authors = False # The name of the Pygments (syntax highlighting) style to use. pygments_style = 'sphinx' # A list of ignored prefixes for module index sorting. #modindex_common_prefix = [] # If true, keep warnings as "system message" paragraphs in the built documents. #keep_warnings = False # -- Options for HTML output ---------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. html_theme = 'default' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. #html_theme_options = {} # Add any paths that contain custom themes here, relative to this directory. #html_theme_path = [] # The name for this set of Sphinx documents. If None, it defaults to # " v documentation". #html_title = None # A shorter title for the navigation bar. Default is the same as html_title. #html_short_title = None # The name of an image file (relative to this directory) to place at the top # of the sidebar. #html_logo = None # The name of an image file (within the static path) to use as favicon of the # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 # pixels large. #html_favicon = None # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". html_static_path = ['_static'] # Add any extra paths that contain custom files (such as robots.txt or # .htaccess) here, relative to this directory. These files are copied # directly to the root of the documentation. #html_extra_path = [] # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, # using the given strftime format. #html_last_updated_fmt = '%b %d, %Y' # If true, SmartyPants will be used to convert quotes and dashes to # typographically correct entities. #html_use_smartypants = True # Custom sidebar templates, maps document names to template names. #html_sidebars = {} # Additional templates that should be rendered to pages, maps page names to # template names. #html_additional_pages = {} # If false, no module index is generated. #html_domain_indices = True # If false, no index is generated. #html_use_index = True # If true, the index is split into individual pages for each letter. #html_split_index = False # If true, links to the reST sources are added to the pages. #html_show_sourcelink = True # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. #html_show_sphinx = True # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. #html_show_copyright = True # If true, an OpenSearch description file will be output, and all pages will # contain a tag referring to it. The value of this option must be the # base URL from which the finished HTML is served. #html_use_opensearch = '' # This is the file name suffix for HTML files (e.g. ".xhtml"). #html_file_suffix = None # Output file base name for HTML help builder. htmlhelp_basename = 'wafw00fdoc' # -- Options for LaTeX output --------------------------------------------- latex_elements = { # The paper size ('letterpaper' or 'a4paper'). #'papersize': 'letterpaper', # The font size ('10pt', '11pt' or '12pt'). #'pointsize': '10pt', # Additional stuff for the LaTeX preamble. #'preamble': '', } # Grouping the document tree into LaTeX files. List of tuples # (source start file, target name, title, # author, documentclass [howto, manual, or own class]). latex_documents = [ ('index', 'wafw00f.tex', u'wafw00f Documentation', u'sandrogauci', 'manual'), ] # The name of an image file (relative to this directory) to place at the top of # the title page. #latex_logo = None # For "manual" documents, if this is true, then toplevel headings are parts, # not chapters. #latex_use_parts = False # If true, show page references after internal links. #latex_show_pagerefs = False # If true, show URL addresses after external links. #latex_show_urls = False # Documents to append as an appendix to all manuals. #latex_appendices = [] # If false, no module index is generated. #latex_domain_indices = True # -- Options for manual page output --------------------------------------- # One entry per manual page. List of tuples # (source start file, name, description, authors, manual section). man_pages = [ ('index', 'wafw00f', u'wafw00f Documentation', [u'sandrogauci'], 1) ] # If true, show URL addresses after external links. #man_show_urls = False # -- Options for Texinfo output ------------------------------------------- # Grouping the document tree into Texinfo files. List of tuples # (source start file, target name, title, author, # dir menu entry, description, category) texinfo_documents = [ ('index', 'wafw00f', u'wafw00f Documentation', u'sandrogauci', 'wafw00f', 'One line description of project.', 'Miscellaneous'), ] # Documents to append as an appendix to all manuals. #texinfo_appendices = [] # If false, no module index is generated. #texinfo_domain_indices = True # How to display URL addresses: 'footnote', 'no', or 'inline'. #texinfo_show_urls = 'footnote' # If true, do not generate a @detailmenu in the "Top" node's menu. #texinfo_no_detailmenu = False ================================================ FILE: docs/index.rst ================================================ .. wafw00f documentation master file, created by sphinx-quickstart on Thu May 15 20:04:22 2014. You can adapt this file completely to your liking, but it should at least contain the root `toctree` directive. Welcome to wafw00f's documentation! =================================== Contents: .. toctree:: :maxdepth: 2 Indices and tables ================== * :ref:`genindex` * :ref:`modindex` * :ref:`search` ================================================ FILE: docs/wafw00f.8 ================================================ .TH WAFW00F "8" "October 2020" "wafw00f " "User Commands" .SH NAME WAFW00F \- Identify and fingerprint Web Application Firewall products .SH SYNOPSIS .B wafw00f \fI\,url1 \/\fR[\fI\,url2 \/\fR[\fI\,url3 \/\fR... ]] .SH DESCRIPTION .TP The Web Application Firewall Identification and Fingerprinting Tool. .TP .TP To do its magic, WAFW00F does the following: Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions. If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is. If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is active> .SH OPTIONS .TP \fB\-h\fR, \fB\-\-help\fR Show available options. .TP \fB\-v\fR, \fB\-\-verbose\fR Enable verbosity \- multiple \fB\-v\fR options increase verbosity. .TP \fB\-a\fR, \fB\-\-findall\fR Find all WAFs, do not stop testing on the first one. .TP \fB\-r\fR, \fB\-\-noredirect\fR Do not follow redirections given by 3xx responses. .TP \fB\-t\fR WAF, \fB\-\-test\fR=\fI\,WAF\/\fR Test for one specific WAF product. .TP \fB\-o\fR OUTPUT, \fB\-\-output\fR=\fI\,OUTPUT\/\fR Write output to csv, json or text file depending on file extension. For stdout, specify - as filename. .TP \fB\-f\fR, \fB\-\-format\fR=\fI\,FORMAT\/\fR Force output format to csv, json or text. .TP \fB\-i\fR INPUT, \fB\-\-input\fR=\fI\,INPUT\/\fR Read targets from a file. Input format can be csv, json or text. For csv and json, a `url` column name or element is required. .TP \fB\-l\fR, \fB\-\-list\fR List all the WAFs that WAFW00F is able to detect. .TP \fB\-p\fR PROXY, \fB\-\-proxy\fR=\fI\,PROXY\/\fR Use an HTTP proxy to perform requests, example: http://hostname:8080, socks5://hostname:1080. .TP \fB\-V\fR, \fB\-\-version\fR Print out the version. .TP \fB\-H\fR FILE, \fB\-\-headers\fR=\fI\,FILE\/\fR Pass custom headers, for example to overwrite the default user\-agent string. .TP \fB\-T\fR TIMEOUT, \fB\-\-timeout\fR=\fI\,TIMEOUT\/\fR Set the timeout for the requests. .TP \fB\-\-no\-colors\fR Disable ANSI colors in output. .SH AUTHORS Sandro Gauci (@SandroGauci) .br Pinaki Mondal (@0xInfection) .SH REPORTING BUGS You can report bugs at the project homepage issue tracker: . .SH COPYRIGHT Copyright (C) 2009-2022 WAFW00F Developers. License: BSD 3-Clause . .br This is free software: you are free to modify and distribute under the terms as permitted by the license provided alongwith. .SH SEE ALSO Full documentation is available at: . .PP ================================================ FILE: pyproject.toml ================================================ [build-system] requires = ["setuptools>=64", "wheel"] build-backend = "setuptools.build_meta" [project] name = "wafw00f" dynamic = ["version"] description = "The Web Application Firewall Fingerprinting Toolkit" readme = "README.md" license = "BSD-3-Clause" authors = [ {name = "Sandro Gauci", email = "sandro@enablesecurity.com"} ] keywords = ["waf", "firewall", "detector", "fingerprint"] classifiers = [ "Development Status :: 5 - Production/Stable", "Intended Audience :: System Administrators", "Intended Audience :: Information Technology", "Topic :: Internet", "Topic :: Security", "Topic :: System :: Networking :: Firewalls", "Programming Language :: Python :: 3", "Operating System :: OS Independent", ] requires-python = ">=3.10" dependencies = [ "requests", "requests[socks]", ] [project.optional-dependencies] dev = ["prospector", "pytest", "pytest-mock", "responses"] docs = ["Sphinx"] [project.urls] Homepage = "https://github.com/enablesecurity/wafw00f" "Bug Tracker" = "https://github.com/EnableSecurity/wafw00f/issues" Documentation = "https://github.com/EnableSecurity/wafw00f/wiki" "Source Code" = "https://github.com/EnableSecurity/wafw00f/tree/master" [project.scripts] wafw00f = "wafw00f.main:main" [tool.setuptools.dynamic] version = {attr = "wafw00f.__version__"} [tool.setuptools.packages.find] include = ["wafw00f*"] [tool.pytest.ini_options] testpaths = ["tests"] python_files = ["test_*.py"] python_functions = ["test_*"] addopts = "-v" ================================================ FILE: tests/__init__.py ================================================ # wafw00f tests ================================================ FILE: tests/conftest.py ================================================ """Shared pytest fixtures for wafw00f tests.""" import pytest from unittest.mock import MagicMock class MockResponse: """Mock HTTP response for testing.""" def __init__(self, status_code=200, headers=None, text='', reason='OK'): self.status_code = status_code self.headers = headers or {} self.text = text self.reason = reason self._content = text.encode('utf-8') if isinstance(text, str) else text @property def content(self): return self._content @pytest.fixture def mock_response(): """Factory fixture to create mock responses.""" def _make_response(status_code=200, headers=None, text='', reason='OK'): return MockResponse(status_code, headers, text, reason) return _make_response @pytest.fixture def wafw00f_instance(): """Create a WAFW00F instance for testing.""" from wafw00f.main import WAFW00F return WAFW00F(target='https://example.com') ================================================ FILE: tests/test_detection.py ================================================ """Integration tests for WAF detection.""" import pytest import responses from wafw00f.main import WAFW00F class TestCloudflareDetection: """Tests for Cloudflare WAF detection.""" @responses.activate def test_detect_cloudflare_by_header(self): """Test detecting Cloudflare by server header.""" responses.add( responses.GET, 'https://example.com', headers={'Server': 'cloudflare'}, status=200 ) responses.add( responses.GET, 'https://example.com', headers={'Server': 'cloudflare'}, status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() from wafw00f.plugins import cloudflare assert cloudflare.is_waf(waf) @responses.activate def test_detect_cloudflare_by_cf_ray(self): """Test detecting Cloudflare by CF-RAY header.""" responses.add( responses.GET, 'https://example.com', headers={'CF-RAY': '1234567890abcdef-LAX'}, status=200 ) responses.add( responses.GET, 'https://example.com', headers={'CF-RAY': '1234567890abcdef-LAX'}, status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() from wafw00f.plugins import cloudflare assert cloudflare.is_waf(waf) class TestFastlyDetection: """Tests for Fastly detection.""" @responses.activate def test_detect_fastly_by_request_id(self): """Test detecting Fastly by X-Fastly-Request-ID header.""" responses.add( responses.GET, 'https://example.com', headers={'X-Fastly-Request-ID': 'abc123def456'}, status=200 ) responses.add( responses.GET, 'https://example.com', headers={'X-Fastly-Request-ID': 'abc123def456'}, status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() from wafw00f.plugins import fastly assert fastly.is_waf(waf) @responses.activate def test_detect_fastly_by_served_by(self): """Test detecting Fastly by X-Served-By header.""" responses.add( responses.GET, 'https://example.com', headers={'X-Served-By': 'cache-sjc10049-SJC'}, status=200 ) responses.add( responses.GET, 'https://example.com', headers={'X-Served-By': 'cache-sjc10049-SJC'}, status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() from wafw00f.plugins import fastly assert fastly.is_waf(waf) class TestAWSWAFDetection: """Tests for AWS WAF detection.""" @responses.activate def test_detect_awswaf_by_header(self): """Test detecting AWS WAF by X-AMZ-ID header.""" responses.add( responses.GET, 'https://example.com', headers={'X-AMZ-ID': 'abc123xyz'}, status=200 ) responses.add( responses.GET, 'https://example.com', headers={'X-AMZ-ID': 'abc123xyz'}, status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() from wafw00f.plugins import awswaf assert awswaf.is_waf(waf) class TestNoWAFDetection: """Tests for when no WAF is detected.""" @responses.activate def test_no_waf_plain_response(self): """Test that plain response doesn't trigger false positive.""" responses.add( responses.GET, 'https://example.com', headers={'Server': 'nginx'}, body='Hello World', status=200 ) responses.add( responses.GET, 'https://example.com', headers={'Server': 'nginx'}, body='Hello World', status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() # Test some common WAF plugins don't trigger from wafw00f.plugins import cloudflare, fastly, awswaf assert not cloudflare.is_waf(waf) assert not fastly.is_waf(waf) assert not awswaf.is_waf(waf) class TestAnubisDetection: """Tests for Anubis bot protection detection.""" @responses.activate def test_detect_anubis_by_cookie(self): """Test detecting Anubis by cookie pattern.""" responses.add( responses.GET, 'https://example.com', headers={'Set-Cookie': 'site-anubis-auth=token123; path=/'}, status=200 ) responses.add( responses.GET, 'https://example.com', headers={'Set-Cookie': 'site-anubis-auth=token123; path=/'}, status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() from wafw00f.plugins import anubis assert anubis.is_waf(waf) @responses.activate def test_detect_anubis_by_content(self): """Test detecting Anubis by page content.""" anubis_page = ''' Protected by Anubis From Techaro ''' responses.add( responses.GET, 'https://example.com', body=anubis_page, status=200 ) responses.add( responses.GET, 'https://example.com', body=anubis_page, status=200 ) waf = WAFW00F(target='https://example.com') waf.rq = waf.Request() waf.attackres = waf.Request() from wafw00f.plugins import anubis assert anubis.is_waf(waf) ================================================ FILE: tests/test_evillib.py ================================================ """Tests for the evillib module.""" import pytest import responses from wafw00f.lib.evillib import waftoolsengine, MAX_RESPONSE_SIZE class TestWafToolsEngine: """Tests for the waftoolsengine class.""" def test_default_timeout(self): """Test default timeout is set.""" engine = waftoolsengine(target='https://example.com') assert engine.timeout == 7 def test_custom_timeout(self): """Test custom timeout can be set.""" engine = waftoolsengine(target='https://example.com', timeout=30) assert engine.timeout == 30 def test_default_headers(self): """Test default headers are set.""" engine = waftoolsengine(target='https://example.com') assert 'User-Agent' in engine.headers assert 'Accept' in engine.headers def test_custom_headers(self): """Test custom headers can be set.""" custom = {'X-Custom': 'value'} engine = waftoolsengine(target='https://example.com', head=custom) assert engine.headers == custom @responses.activate def test_request_success(self): """Test successful request.""" responses.add( responses.GET, 'https://example.com', body='Hello World', status=200 ) engine = waftoolsengine(target='https://example.com') resp = engine.Request() assert resp is not None assert resp.status_code == 200 assert engine.requestnumber == 1 @responses.activate def test_request_increments_counter(self): """Test request counter increments.""" responses.add(responses.GET, 'https://example.com', status=200) responses.add(responses.GET, 'https://example.com', status=200) engine = waftoolsengine(target='https://example.com') engine.Request() engine.Request() assert engine.requestnumber == 2 @responses.activate def test_response_content_accessible(self): """Test response content is accessible after streaming read.""" test_content = 'This is test content for WAF detection' responses.add( responses.GET, 'https://example.com', body=test_content, status=200 ) engine = waftoolsengine(target='https://example.com') resp = engine.Request() assert resp.content == test_content.encode('utf-8') assert resp.text == test_content class TestResponseSizeLimit: """Tests for the response size limiting feature.""" def test_max_response_size_defined(self): """Test MAX_RESPONSE_SIZE is defined.""" assert MAX_RESPONSE_SIZE > 0 assert MAX_RESPONSE_SIZE == 100 * 1024 # 100KB @responses.activate def test_small_response_fully_read(self): """Test small responses are fully read.""" small_content = 'x' * 1000 # 1KB responses.add( responses.GET, 'https://example.com', body=small_content, status=200 ) engine = waftoolsengine(target='https://example.com') resp = engine.Request() assert len(resp.content) == 1000 @responses.activate def test_large_response_truncated(self): """Test large responses are truncated to MAX_RESPONSE_SIZE.""" large_content = 'x' * (MAX_RESPONSE_SIZE + 50000) # 150KB responses.add( responses.GET, 'https://example.com', body=large_content, status=200 ) engine = waftoolsengine(target='https://example.com') resp = engine.Request() # Should be truncated to around MAX_RESPONSE_SIZE (may be slightly over due to chunk size) assert len(resp.content) <= MAX_RESPONSE_SIZE + 8192 assert len(resp.content) >= MAX_RESPONSE_SIZE class TestTimeoutEnforcement: """Tests for timeout enforcement during response reading.""" @responses.activate def test_timeout_attribute_used(self): """Test timeout is properly configured and accessible. Note: Testing actual timeout enforcement during slow streaming requires integration tests with real servers, as the responses mock library doesn't support time-based streaming simulation. The timeout enforcement logic in Request() will break out of the chunk reading loop if time.time() - start_time > self.timeout. """ responses.add( responses.GET, 'https://example.com', body='test', status=200 ) engine = waftoolsengine(target='https://example.com', timeout=5) resp = engine.Request() # Verify the engine has timeout configured assert engine.timeout == 5 assert resp is not None class TestPathPreservation: """Tests that request paths are not normalized.""" @responses.activate def test_path_traversal_not_normalized(self): """Test path traversal sequences are preserved.""" responses.add(responses.GET, 'https://example.com/../../etc/passwd', status=200) engine = waftoolsengine(target='https://example.com') engine.Request(path='../../etc/passwd') assert '../../etc/passwd' in responses.calls[0].request.url @responses.activate def test_path_traversal_with_params(self): """Test path traversal is preserved when query params are present.""" responses.add(responses.GET, 'https://example.com/../../etc/passwd', status=200) engine = waftoolsengine(target='https://example.com') engine.Request(path='../../etc/passwd', params={'key': 'val'}) url = responses.calls[0].request.url assert '../../etc/passwd' in url assert 'key=val' in url ================================================ FILE: tests/test_manager.py ================================================ """Tests for the plugin manager.""" import pytest from wafw00f.manager import load_plugins class TestLoadPlugins: """Tests for the load_plugins function.""" def test_load_plugins_returns_dict(self): """Verify load_plugins returns a dictionary.""" plugins = load_plugins() assert isinstance(plugins, dict) def test_load_plugins_not_empty(self): """Verify plugins are loaded.""" plugins = load_plugins() assert len(plugins) > 0 def test_plugins_have_name_attribute(self): """Verify each plugin has a NAME attribute.""" plugins = load_plugins() for name, plugin in plugins.items(): assert hasattr(plugin, 'NAME'), f"Plugin {name} missing NAME attribute" def test_plugins_have_is_waf_function(self): """Verify each plugin has an is_waf function.""" plugins = load_plugins() for name, plugin in plugins.items(): assert hasattr(plugin, 'is_waf'), f"Plugin {name} missing is_waf function" assert callable(plugin.is_waf), f"Plugin {name} is_waf is not callable" def test_known_plugins_loaded(self): """Verify some known plugins are loaded.""" plugins = load_plugins() known_plugins = ['cloudflare', 'fastly', 'awswaf', 'anubis'] for plugin_name in known_plugins: assert plugin_name in plugins, f"Expected plugin {plugin_name} not found" def test_plugin_names_are_strings(self): """Verify plugin keys are strings.""" plugins = load_plugins() for name in plugins.keys(): assert isinstance(name, str) ================================================ FILE: tests/test_matching.py ================================================ """Tests for the WAFW00F matching functions.""" import pytest from wafw00f.main import WAFW00F class TestMatchHeader: """Tests for the matchHeader function.""" def test_match_header_exact(self, wafw00f_instance, mock_response): """Test matching an exact header value.""" wafw00f_instance.rq = mock_response(headers={'Server': 'cloudflare'}) assert wafw00f_instance.matchHeader(('Server', 'cloudflare'), attack=False) def test_match_header_regex(self, wafw00f_instance, mock_response): """Test matching header with regex.""" wafw00f_instance.rq = mock_response(headers={'Server': 'cloudflare-nginx'}) assert wafw00f_instance.matchHeader(('Server', r'cloudflare.*'), attack=False) def test_match_header_case_insensitive(self, wafw00f_instance, mock_response): """Test that header matching is case insensitive.""" wafw00f_instance.rq = mock_response(headers={'Server': 'CLOUDFLARE'}) assert wafw00f_instance.matchHeader(('Server', 'cloudflare'), attack=False) def test_match_header_not_found(self, wafw00f_instance, mock_response): """Test when header doesn't match.""" wafw00f_instance.rq = mock_response(headers={'Server': 'nginx'}) assert not wafw00f_instance.matchHeader(('Server', 'cloudflare'), attack=False) def test_match_header_missing(self, wafw00f_instance, mock_response): """Test when header is missing.""" wafw00f_instance.rq = mock_response(headers={}) assert not wafw00f_instance.matchHeader(('Server', 'cloudflare'), attack=False) def test_match_header_none_response(self, wafw00f_instance): """Test when response is None.""" wafw00f_instance.rq = None result = wafw00f_instance.matchHeader(('Server', 'cloudflare'), attack=False) assert result is None class TestMatchContent: """Tests for the matchContent function.""" def test_match_content_exact(self, wafw00f_instance, mock_response): """Test matching exact content.""" wafw00f_instance.attackres = mock_response(text='Access Denied by Cloudflare') assert wafw00f_instance.matchContent('Access Denied') def test_match_content_regex(self, wafw00f_instance, mock_response): """Test matching content with regex.""" wafw00f_instance.attackres = mock_response(text='Error 403: Forbidden by WAF') assert wafw00f_instance.matchContent(r'Error \d+:.*WAF') def test_match_content_case_insensitive(self, wafw00f_instance, mock_response): """Test that content matching is case insensitive.""" wafw00f_instance.attackres = mock_response(text='ACCESS DENIED') assert wafw00f_instance.matchContent('access denied') def test_match_content_not_found(self, wafw00f_instance, mock_response): """Test when content doesn't match.""" wafw00f_instance.attackres = mock_response(text='Welcome to our website') assert not wafw00f_instance.matchContent('Access Denied') def test_match_content_none_response(self, wafw00f_instance): """Test when response is None.""" wafw00f_instance.attackres = None result = wafw00f_instance.matchContent('test') assert result is None class TestMatchCookie: """Tests for the matchCookie function.""" def test_match_cookie(self, wafw00f_instance, mock_response): """Test matching a cookie.""" wafw00f_instance.rq = mock_response( headers={'Set-Cookie': '__cfduid=abc123; path=/'} ) assert wafw00f_instance.matchCookie('__cfduid', attack=False) def test_match_cookie_regex(self, wafw00f_instance, mock_response): """Test matching cookie with regex.""" wafw00f_instance.rq = mock_response( headers={'Set-Cookie': 'session_id=xyz789; path=/'} ) assert wafw00f_instance.matchCookie(r'session_id=\w+', attack=False) def test_match_cookie_not_found(self, wafw00f_instance, mock_response): """Test when cookie doesn't match.""" wafw00f_instance.rq = mock_response( headers={'Set-Cookie': 'other_cookie=value'} ) assert not wafw00f_instance.matchCookie('__cfduid', attack=False) class TestMatchStatus: """Tests for the matchStatus function.""" def test_match_status_200(self, wafw00f_instance, mock_response): """Test matching 200 status code.""" wafw00f_instance.attackres = mock_response(status_code=200) assert wafw00f_instance.matchStatus(200) def test_match_status_403(self, wafw00f_instance, mock_response): """Test matching 403 status code.""" wafw00f_instance.attackres = mock_response(status_code=403) assert wafw00f_instance.matchStatus(403) def test_match_status_mismatch(self, wafw00f_instance, mock_response): """Test when status code doesn't match.""" wafw00f_instance.attackres = mock_response(status_code=200) assert not wafw00f_instance.matchStatus(403) def test_match_status_none_response(self, wafw00f_instance): """Test when response is None.""" wafw00f_instance.attackres = None result = wafw00f_instance.matchStatus(200) assert result is None class TestMatchReason: """Tests for the matchReason function.""" def test_match_reason_ok(self, wafw00f_instance, mock_response): """Test matching OK reason.""" wafw00f_instance.attackres = mock_response(reason='OK') assert wafw00f_instance.matchReason('OK') def test_match_reason_forbidden(self, wafw00f_instance, mock_response): """Test matching Forbidden reason.""" wafw00f_instance.attackres = mock_response(reason='Forbidden') assert wafw00f_instance.matchReason('Forbidden') def test_match_reason_mismatch(self, wafw00f_instance, mock_response): """Test when reason doesn't match.""" wafw00f_instance.attackres = mock_response(reason='OK') assert not wafw00f_instance.matchReason('Forbidden') ================================================ FILE: wafw00f/__init__.py ================================================ #!/usr/bin/env python3 __version__ = '2.4.2' __license__ = 'BSD 3-Clause' ================================================ FILE: wafw00f/lib/__init__.py ================================================ ================================================ FILE: wafw00f/lib/asciiarts.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' from dataclasses import dataclass from random import randint from wafw00f import __version__ @dataclass class Color: """ANSI colors.""" W: str = '\033[1;97m' Y: str = '\033[1;93m' G: str = '\033[1;92m' R: str = '\033[1;91m' B: str = '\033[1;94m' C: str = '\033[1;96m' E: str = '\033[0m' @classmethod def disable(cls): """Disables all colors.""" cls.W = '' cls.Y = '' cls.G = '' cls.R = '' cls.B = '' cls.C = '' cls.E = '' @classmethod def unpack(cls): """Unpacks and returns the color values. Useful for brevity, e.g.: (W,Y,G,R,B,C,E) = Color.unpack() """ return ( cls.W, cls.Y, cls.G, cls.R, cls.B, cls.C, cls.E ) def randomArt(): # Colors for terminal (W,Y,G,R,B,C,E) = Color.unpack() woof = ''' '''+W+'''______ '''+W+'''/ \\ '''+W+'''( Woof! ) '''+W+r'''\ ____/ '''+R+''') '''+W+''',, '''+R+''') ('''+Y+'''_ '''+Y+'''.-. '''+W+'''- '''+G+'''_______ '''+R+'''( '''+Y+'''|__| '''+Y+'''()``; '''+G+'''|==|_______) '''+R+'''.)'''+Y+'''|__| '''+Y+'''/ (' '''+G+r'''/|\ '''+R+'''( '''+Y+'''|__| '''+Y+'''( / ) '''+G+r''' / | \ '''+R+'''. '''+Y+'''|__| '''+Y+r'''\(_)_)) '''+G+r'''/ | \ '''+Y+'''|__|'''+E+''' '''+C+'~ WAFW00F : '+B+'v'+__version__+''' ~'''+W+''' The Web Application Firewall Fingerprinting Toolkit '''+E w00f = ''' '''+W+'''______ '''+W+'''/ \\ '''+W+'''( W00f! ) '''+W+r'''\ ____/ '''+W+''',, '''+G+'''__ '''+Y+'''404 Hack Not Found '''+C+'''|`-.__ '''+G+'''/ / '''+R+''' __ __ '''+C+'''/" _/ '''+G+'''/_/ '''+R+r'''\ \ / / '''+B+'''*===* '''+G+'''/ '''+R+r'''\ \_/ / '''+Y+'''405 Not Allowed '''+C+'''/ )__// '''+R+r'''\ / '''+C+'''/| / /---` '''+Y+'''403 Forbidden '''+C+r'''\\/` \ | '''+R+'''/ _ \\ '''+C+r'''`\ /_\\_ '''+Y+'''502 Bad Gateway '''+R+r'''/ / \ \ '''+Y+'''500 Internal Error '''+C+'''`_____``-` '''+R+r'''/_/ \_\\ '''+C+'~ WAFW00F : '+B+'v'+__version__+''' ~'''+W+''' The Web Application Firewall Fingerprinting Toolkit '''+E wo0f = r''' ? ,. ( . ) . " __ ?? (" ) )' ,' ) . (` '` (___()'`; ??? .; ) ' (( (" ) ;(, (( ( ;) " )") /,___ /` _"., ,._'_.,)_(..,( . )_ _' )_') (. _..( ' ) \\ \\ |____|____|____|____|____|____|____|____|____| ~ WAFW00F : v'''+__version__+''' ~ ~ Sniffing Web Application Firewalls since 2009 ~ ''' arts = [woof, w00f, wo0f] return arts[randint(0, len(arts)-1)] ================================================ FILE: wafw00f/lib/evillib.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' import time import logging from copy import copy from urllib.parse import urlparse import requests import urllib3 # For requests < 2.16, this should be used. # requests.packages.urllib3.disable_warnings(InsecureRequestWarning) # For requests >= 2.16, this is the convention urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def_headers = { 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0', 'Accept-Language': 'en-US,en;q=0.5', 'Upgrade-Insecure-Requests': '1', 'Sec-Fetch-Dest': 'document', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Site': 'cross-site', 'Priority': 'u=0, i', 'DNT': '1', } proxies = {} # Maximum response body size to read (100KB should be plenty for WAF detection) MAX_RESPONSE_SIZE = 100 * 1024 class waftoolsengine: def __init__( self, target='https://example.com', debuglevel=0, path='/', proxies=None, redir=True, head=None, timeout=7 ): self.target = target self.debuglevel = debuglevel self.requestnumber = 0 self.path = path self.redirectno = 0 self.allowredir = redir self.proxies = proxies self.log = logging.getLogger('wafw00f') self.timeout = timeout if head: self.headers = head else: self.headers = copy(def_headers) #copy object by value not reference. Fix issue #90 def Request(self, headers=None, path=None, params={}, delay=0): try: time.sleep(delay) if not headers: h = self.headers else: h = headers # Create the url manually to avoid path normalization url = self.target if path is None else self.target.rstrip('/') + '/' + path.lstrip('/') prepared = requests.Request('GET', url, headers=h, params=params or {}).prepare() parsed_url = urlparse(prepared.url) # Ensuring trailing slash does not disappear trailing_slash = parsed_url.path.endswith('/') if trailing_slash and not url.endswith('/'): url += '/' # Preserve the original path (e.g. ../../etc/passwd) if params: prepared.url = url + '?' + parsed_url.query else: prepared.url = url req = requests.Session().send(prepared, proxies=self.proxies, timeout=self.timeout, allow_redirects=self.allowredir, verify=False, stream=True) # Read only up to MAX_RESPONSE_SIZE to avoid hanging on streaming responses # (e.g., audio streams) - see issue #246 # Also enforce timeout during reading to handle slow streaming servers chunks = [] bytes_read = 0 start_time = time.time() for chunk in req.iter_content(chunk_size=8192): chunks.append(chunk) bytes_read += len(chunk) if bytes_read >= MAX_RESPONSE_SIZE: break # Check if we've exceeded the timeout during reading if time.time() - start_time > self.timeout: self.log.debug('Timeout reached during response body reading') break req._content = b''.join(chunks) self.log.info('Request Succeeded') self.log.debug('Headers: %s\n' % req.headers) self.log.debug('Content: %s\n' % req.content) self.requestnumber += 1 return req except requests.exceptions.RequestException as e: self.log.error('Something went wrong %s' % (e.__str__())) ================================================ FILE: wafw00f/main.py ================================================ #!/usr/bin/env python3 # -*- coding: utf-8 -*- ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' import csv import io import json import logging import os import random import re import sys import string import urllib.parse from collections import defaultdict from optparse import OptionParser from wafw00f import __license__, __version__ from wafw00f.lib.asciiarts import Color, randomArt from wafw00f.lib.evillib import waftoolsengine from wafw00f.manager import load_plugins from wafw00f.wafprio import wafdetectionsprio class WAFW00F(waftoolsengine): xsstring = r'' sqlistring = r'UNION SELECT ALL FROM information_schema AND " or SLEEP(5) or "' lfistring = r'../../etc/passwd' rcestring = r'/bin/cat /etc/passwd; ping 127.0.0.1; curl google.com' xxestring = r']>&hack;' def __init__(self, target='www.example.com', debuglevel=0, path='/', followredirect=True, extraheaders={}, proxies=None, timeout=7): self.log = logging.getLogger('wafw00f') self.attackres = None waftoolsengine.__init__(self, target, debuglevel, path, proxies, followredirect, extraheaders, timeout) self.knowledge = { 'generic': { 'found': False, 'reason': '' }, 'wafname': [] } self.rq = self.normalRequest() def normalRequest(self): return self.Request() def customRequest(self, headers=None): return self.Request( headers=headers ) def nonExistent(self): return self.Request( path=self.path + str(random.randrange(100, 999)) + '.html' ) def xssAttack(self): return self.Request( path=self.path, params={ create_random_param_name(): self.xsstring } ) def xxeAttack(self): return self.Request( path=self.path, params={ create_random_param_name(): self.xxestring } ) def lfiAttack(self): return self.Request( path=self.path + self.lfistring ) def centralAttack(self): return self.Request( path=self.path, params={ create_random_param_name(): self.xsstring, create_random_param_name(): self.sqlistring, create_random_param_name(): self.lfistring } ) def sqliAttack(self): return self.Request( path=self.path, params={ create_random_param_name(): self.sqlistring } ) def osciAttack(self): return self.Request( path=self.path, params= { create_random_param_name(): self.rcestring } ) def performCheck(self, request_method): r = request_method() if r is None: raise RequestBlocked() return r, r.url # Most common attacks used to detect WAFs attcom = [xssAttack, sqliAttack, lfiAttack] attacks = [xssAttack, xxeAttack, lfiAttack, sqliAttack, osciAttack] def genericdetect(self): reason = '' reasons = ['Blocking is being done at connection/packet level.', 'The server header is different when an attack is detected.', 'The server returns a different response code when an attack string is used.', 'It closed the connection for a normal request.', 'The response was different when the request wasn\'t made from a browser.' ] try: # Testing for no user-agent response. Detects almost all WAFs out there. resp1, _ = self.performCheck(self.normalRequest) if 'User-Agent' in self.headers: self.headers.pop('User-Agent') # Deleting the user-agent key from object not dict. resp3 = self.customRequest(headers=self.headers) if resp3 is not None and resp1 is not None: if resp1.status_code != resp3.status_code: self.log.info('Server returned a different response when request didn\'t contain the User-Agent header.') reason = reasons[4] reason += '\r\n' reason += 'Normal response code is "%s",' % resp1.status_code reason += ' while the response code to a modified request is "%s"' % resp3.status_code self.knowledge['generic']['reason'] = reason self.knowledge['generic']['found'] = True return True # Testing the status code upon sending a xss attack resp2, xss_url = self.performCheck(self.xssAttack) if resp1.status_code != resp2.status_code: self.log.info('Server returned a different response when a XSS attack vector was tried.') reason = reasons[2] reason += '\r\n' reason += 'Normal response code is "%s",' % resp1.status_code reason += ' while the response code to cross-site scripting attack is "%s"' % resp2.status_code self.knowledge['generic']['reason'] = reason self.knowledge['generic']['found'] = True return xss_url # Testing the status code upon sending a lfi attack resp2, lfi_url = self.performCheck(self.lfiAttack) if resp1.status_code != resp2.status_code: self.log.info('Server returned a different response when a directory traversal was attempted.') reason = reasons[2] reason += '\r\n' reason += 'Normal response code is "%s",' % resp1.status_code reason += ' while the response code to a file inclusion attack is "%s"' % resp2.status_code self.knowledge['generic']['reason'] = reason self.knowledge['generic']['found'] = True return lfi_url # Testing the status code upon sending a sqli attack resp2, sqli_url = self.performCheck(self.sqliAttack) if resp1.status_code != resp2.status_code: self.log.info('Server returned a different response when a SQLi was attempted.') reason = reasons[2] reason += '\r\n' reason += 'Normal response code is "%s",' % resp1.status_code reason += ' while the response code to a SQL injection attack is "%s"' % resp2.status_code self.knowledge['generic']['reason'] = reason self.knowledge['generic']['found'] = True return sqli_url # Checking for the Server header after sending malicious requests normalserver, attackresponse_server = '', '' response = self.attackres if 'server' in resp1.headers: normalserver = resp1.headers.get('Server') if response is not None and 'server' in response.headers: attackresponse_server = response.headers.get('Server') if attackresponse_server != normalserver: self.log.info('Server header changed, WAF possibly detected') self.log.debug('Attack response: %s' % attackresponse_server) self.log.debug('Normal response: %s' % normalserver) reason = reasons[1] reason += '\r\nThe server header for a normal response is "%s",' % normalserver reason += ' while the server header a response to an attack is "%s",' % attackresponse_server self.knowledge['generic']['reason'] = reason self.knowledge['generic']['found'] = True return True # If at all request doesn't go, press F except RequestBlocked: self.knowledge['generic']['reason'] = reasons[0] self.knowledge['generic']['found'] = True return True return False def matchHeader(self, headermatch, attack=False): if attack: r = self.attackres else: r = self.rq if r is None: return header, match = headermatch headerval = r.headers.get(header) if headerval: # set-cookie can have multiple headers, python gives it to us # concatinated with a comma if header == 'Set-Cookie': headervals = headerval.split(', ') else: headervals = [headerval] for headerval in headervals: if re.search(match, headerval, re.I): return True return False def matchStatus(self, statuscode, attack=True): if attack: r = self.attackres else: r = self.rq if r is None: return if r.status_code == statuscode: return True return False def matchCookie(self, match, attack=False): return self.matchHeader(('Set-Cookie', match), attack=attack) def matchReason(self, reasoncode, attack=True): if attack: r = self.attackres else: r = self.rq if r is None: return # We may need to match multiline context in response body if str(r.reason) == reasoncode: return True return False def matchContent(self, regex, attack=True): if attack: r = self.attackres else: r = self.rq if r is None: return # We may need to match multiline context in response body if re.search(regex, r.text, re.I): return True return False wafdetections = dict() plugin_dict = load_plugins() result_dict = {} for plugin_module in plugin_dict.values(): wafdetections[plugin_module.NAME] = plugin_module.is_waf # Check for prioritized ones first, then check those added externally checklist = wafdetectionsprio checklist += list(set(wafdetections.keys()) - set(checklist)) def identwaf(self, findall=False): detected = list() try: self.attackres, xurl = self.performCheck(self.centralAttack) except RequestBlocked: return detected, None for wafvendor in self.checklist: self.log.info('Checking for %s' % wafvendor) if self.wafdetections[wafvendor](self): detected.append(wafvendor) if not findall: break self.knowledge['wafname'] = detected return detected, xurl def calclogginglevel(verbosity): default = 40 # errors are printed out level = default - (verbosity * 10) if level < 0: level = 0 return level def buildResultRecord(url, waf, evil_url=None): result = {} result['url'] = url if waf: result['detected'] = True if waf == 'generic': result['trigger_url'] = evil_url result['firewall'] = 'Generic' result['manufacturer'] = 'Unknown' else: result['trigger_url'] = evil_url result['firewall'] = waf.split('(')[0].strip() result['manufacturer'] = waf.split('(')[1].replace(')', '').strip() else: result['trigger_url'] = evil_url result['detected'] = False result['firewall'] = 'None' result['manufacturer'] = 'None' return result def getTextResults(res=[]): # leaving out some space for future possibilities of newer columns # newer columns can be added to this tuple below keys = ('detected') res = [({key: ba[key] for key in ba if key not in keys}) for ba in res] rows = [] for dk in res: p = [str(x) for _, x in dk.items()] rows.append(p) for m in rows: m[1] = '%s (%s)' % (m[1], m[2]) m.pop() defgen = [ (max([len(str(row[i])) for row in rows]) + 3) for i in range(len(rows[0])) ] rwfmt = ''.join(['{:>'+str(dank)+'}' for dank in defgen]) textresults = [] for row in rows: textresults.append(rwfmt.format(*row)) return textresults def create_random_param_name(size=8, chars=string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size)) def disableStdOut(): sys.stdout = None def enableStdOut(): sys.stdout = sys.__stdout__ def getheaders(fn): headers = {} if not os.path.exists(fn): logging.getLogger('wafw00f').critical('Headers file "%s" does not exist!' % fn) return with io.open(fn, 'r', encoding='utf-8') as f: for line in f.readlines(): _t = line.split(':', 2) if len(_t) == 2: h, v = map(lambda x: x.strip(), _t) headers[h] = v return headers class RequestBlocked(Exception): pass def main(): parser = OptionParser(usage='%prog url1 [url2 [url3 ... ]]\r\nexample: %prog http://www.victim.org/') parser.add_option('-v', '--verbose', action='count', dest='verbose', default=0, help='Enable verbosity, multiple -v options increase verbosity') parser.add_option('-a', '--findall', action='store_true', dest='findall', default=False, help='Find all WAFs which match the signatures, do not stop testing on the first one') parser.add_option('-r', '--noredirect', action='store_false', dest='followredirect', default=True, help='Do not follow redirections given by 3xx responses') parser.add_option('-t', '--test', dest='test', help='Test for one specific WAF (use --list to get names, quote names with spaces e.g. "AireeCDN (Airee)")') parser.add_option('-o', '--output', dest='output', help='Write output to csv, json or text file depending on file extension. For stdout, specify - as filename.', default=None) parser.add_option('-f', '--format', dest='format', help='Force output format to csv, json or text.', default=None) parser.add_option('-i', '--input-file', dest='input', help='Read targets from a file. Input format can be csv, json or text. For csv and json, a `url` column name or element is required.', default=None) parser.add_option('-l', '--list', dest='list', action='store_true', default=False, help='List all WAFs that WAFW00F is able to detect') parser.add_option('-p', '--proxy', dest='proxy', default=None, help='Use an HTTP proxy to perform requests, examples: http://hostname:8080, socks5://hostname:1080, http://user:pass@hostname:8080') parser.add_option('--version', '-V', dest='version', action='store_true', default=False, help='Print out the current version of WafW00f and exit.') parser.add_option('--headers', '-H', dest='headers', action='store', default=None, help='Pass custom headers via a text file to overwrite the default header set.') parser.add_option('-T', '--timeout', dest='timeout', action='store', default=7, type=int, help='Set the timeout for the requests.') parser.add_option('--no-colors', dest='colors', action='store_false', default=True, help='Disable ANSI colors in output.') options, args = parser.parse_args() logging.basicConfig(level=calclogginglevel(options.verbose)) log = logging.getLogger('wafw00f') if options.output == '-': disableStdOut() # Windows based systems do not support ANSI sequences, # hence not displaying them. if not options.colors or 'win' in sys.platform: Color.disable() print(randomArt()) (W,Y,G,R,B,C,E) = Color.unpack() if options.list: print('[+] Can test for these WAFs:\r\n') try: m = [i.replace(')', '').split(' (') for i in wafdetectionsprio] print(R+' WAF Name'+' '*24+'Manufacturer\n '+'-'*8+' '*24+'-'*12+'\n') max_len = max(len(str(x)) for k in m for x in k) for inner in m: first = True for elem in inner: if first: text = Y+' {:<{}} '.format(elem, max_len+2) first = False else: text = W+'{:<{}} '.format(elem, max_len+2) print(text, E, end='') print() sys.exit(0) except Exception: return if options.version: print('[+] The version of WAFW00F you have is %sv%s%s' % (B, __version__, E)) print('[+] WAFW00F is provided under the %s%s%s license.' % (C, __license__, E)) return extraheaders = {} if options.headers: log.info('Getting extra headers from %s' % options.headers) extraheaders = getheaders(options.headers) if extraheaders is None: parser.error('Please provide a headers file with colon delimited header names and values') if len(args) == 0 and not options.input: parser.error('No test target specified.') #check if input file is present if options.input: log.debug('Loading file "%s"' % options.input) try: if options.input.endswith('.json'): with open(options.input) as f: try: urls = json.loads(f.read()) except json.decoder.JSONDecodeError: log.critical('JSON file %s did not contain well-formed JSON', options.input) sys.exit(1) log.info('Found: %s urls to check.' %(len(urls))) targets = [ item['url'] for item in urls ] elif options.input.endswith('.csv'): columns = defaultdict(list) with open(options.input) as f: reader = csv.DictReader(f) for row in reader: for (k,v) in row.items(): columns[k].append(v) targets = columns['url'] else: with open(options.input) as f: targets = [x for x in f.read().splitlines()] except FileNotFoundError: log.error('File %s could not be read. No targets loaded.', options.input) sys.exit(1) else: targets = args results = [] for target in targets: if not target.startswith('http'): log.info('The url %s should start with http:// or https:// .. fixing (might make this unusable)' % target) target = 'https://' + target print('[*] Checking %s' % target) pret = urllib.parse.urlparse(target) if pret is None: log.critical('The url %s is not well formed' % target) sys.exit(1) log.info('starting wafw00f on %s' % target) proxies = dict() if options.proxy: proxies = { 'http': options.proxy, 'https': options.proxy, } attacker = WAFW00F(target, debuglevel=options.verbose, path=pret.path, followredirect=options.followredirect, extraheaders=extraheaders, proxies=proxies, timeout=options.timeout) if attacker.rq is None: log.error('Site %s appears to be down' % pret.hostname) continue if options.test: if options.test in attacker.wafdetections: waf = attacker.wafdetections[options.test](attacker) if waf: print('[+] The site %s%s%s is behind %s%s%s WAF.' % (B, target, E, C, options.test, E)) else: print('[-] WAF %s was not detected on %s' % (options.test, target)) else: print('[-] WAF %s was not found in our list\r\nUse the --list option to see what is available' % options.test) return waf, xurl = attacker.identwaf(options.findall) log.info('Identified WAF: %s' % waf) if len(waf) > 0: for i in waf: results.append(buildResultRecord(target, i, xurl)) print('[+] The site %s%s%s is behind %s%s%s WAF.' % (B, target, E, C, (E+' and/or '+C).join(waf), E)) if (options.findall) or len(waf) == 0: print('[+] Generic Detection results:') generic_url = attacker.genericdetect() if generic_url: log.info('Generic Detection: %s' % attacker.knowledge['generic']['reason']) print('[*] The site %s seems to be behind a WAF or some sort of security solution' % target) print('[~] Reason: %s' % attacker.knowledge['generic']['reason']) results.append(buildResultRecord(target, 'generic', generic_url)) else: print('[-] No WAF detected by the generic detection') results.append(buildResultRecord(target, None, None)) print('[~] Number of requests: %s' % attacker.requestnumber) #print table of results if len(results) > 0: log.info('Found: %s matches.' % (len(results))) if options.output: if options.output == '-': enableStdOut() if options.format == 'json': json.dump(results, sys.stdout, indent=2, sort_keys=True) elif options.format == 'csv': csvwriter = csv.writer(sys.stdout, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL) count = 0 for result in results: if count == 0: header = result.keys() csvwriter.writerow(header) count += 1 csvwriter.writerow(result.values()) else: print(os.linesep.join(getTextResults(results))) elif options.output.endswith('.json'): log.debug('Exporting data in json format to file: %s' % (options.output)) with open(options.output, 'w') as outfile: json.dump(results, outfile, indent=2, sort_keys=True) elif options.output.endswith('.csv'): log.debug('Exporting data in csv format to file: %s' % (options.output)) with open(options.output, 'w') as outfile: csvwriter = csv.writer(outfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL) count = 0 for result in results: if count == 0: header = result.keys() csvwriter.writerow(header) count += 1 csvwriter.writerow(result.values()) else: log.debug('Exporting data in text format to file: %s' % (options.output)) if options.format == 'json': with open(options.output, 'w') as outfile: json.dump(results, outfile, indent=2, sort_keys=True) elif options.format == 'csv': with open(options.output, 'w') as outfile: csvwriter = csv.writer(outfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL) count = 0 for result in results: if count == 0: header = result.keys() csvwriter.writerow(header) count += 1 csvwriter.writerow(result.values()) else: with open(options.output, 'w') as outfile: outfile.write(os.linesep.join(getTextResults(results))) if __name__ == '__main__': version_info = sys.version_info if version_info.major < 3 or (version_info.major == 3 and version_info.minor < 6): sys.stderr.write('Your version of python is way too old... please update to 3.6 or later\r\n') main() ================================================ FILE: wafw00f/manager.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' import os import importlib.util def load_plugins(): here = os.path.abspath(os.path.dirname(__file__)) plugin_dir = os.path.join(here, 'plugins') plugin_dict = {} # Iterate over all files in the plugin directory for filename in os.listdir(plugin_dir): if filename.endswith('.py') and filename != '__init__.py': plugin_name = filename[:-3] # Remove the .py extension plugin_path = os.path.join(plugin_dir, filename) # Load the plugin module spec = importlib.util.spec_from_file_location(plugin_name, plugin_path) plugin_module = importlib.util.module_from_spec(spec) spec.loader.exec_module(plugin_module) # Store the loaded plugin in the dictionary plugin_dict[plugin_name] = plugin_module return plugin_dict ================================================ FILE: wafw00f/plugins/__init__.py ================================================ ================================================ FILE: wafw00f/plugins/aesecure.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' NAME = 'aeSecure (aeSecure)' def is_waf(self): if self.matchHeader(('aeSecure-code', '.+?')): return True if self.matchContent(r'aesecure_denied\.png'): return True return False ================================================ FILE: wafw00f/plugins/airee.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' NAME = 'AireeCDN (Airee)' def is_waf(self): if self.matchHeader(('Server', 'Airee')): return True if self.matchHeader(('X-Cache', r'(\w+\.)?airee\.cloud')): return True if self.matchContent(r'airee\.cloud'): return True return False ================================================ FILE: wafw00f/plugins/airlock.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' NAME = 'Airlock (Phion/Ergon)' def is_waf(self): # This method of detection is old (though most reliable), so we check it first if self.matchCookie(r'^al[_-]?(sess|lb)='): return True if self.matchContent(r'server detected a syntax error in your request'): return True return False ================================================ FILE: wafw00f/plugins/alertlogic.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' NAME = 'Alert Logic (Alert Logic)' def is_waf(self): if not self.matchContent(r'<(title|h\d{1})>requested url cannot be found'): return False if not self.matchContent(r'we are sorry.{0,10}?but the page you are looking for cannot be found'): return False if not self.matchContent(r'back to previous page'): return False if not self.matchContent(r'proceed to homepage'): return False if not self.matchContent(r'reference id'): return False return True ================================================ FILE: wafw00f/plugins/aliyundun.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' NAME = 'AliYunDun (Alibaba Cloud Computing)' def is_waf(self): if not self.matchContent(r'error(s)?\.aliyun(dun)?\.(com|net)?'): return False if not self.matchContent(r'alicdn\.com\/sd\-base\/static\/\d{1,2}\.\d{1,2}\.\d{1,2}\/image\/405\.png'): return False if not self.matchContent(r'Sorry, your request has been blocked as it may cause potential threats to the server\'s security.'): return False if not self.matchStatus(405): return False return True ================================================ FILE: wafw00f/plugins/anquanbao.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' NAME = 'Anquanbao (Anquanbao)' def is_waf(self): if self.matchHeader(('X-Powered-By-Anquanbao', '.+?')): return True if self.matchContent(r'aqb_cc/error/'): return True return False ================================================ FILE: wafw00f/plugins/anubis.py ================================================ #!/usr/bin/env python3 ''' Copyright (C) 2026, WAFW00F Developers. See the LICENSE file for copying permission. ''' NAME = 'Anubis (Techaro)' def is_waf(self) -> bool: if self.matchCookie(r'-anubis-auth='): return True if self.matchContent(r'/\.within\.website/x/cmd/anubis/'): return True if self.matchContent(r'