WAF Detection in Web App Pentesting: A Comprehensive Guide

Cyber security + Web Applications + Penetration Testing | krptyk | September 20, 2023

Background

In this tutorial, we will dive into several methods that penetration testers can use to detect the Web Application Firewall (WAF) that a web application is utilizing. Knowing how to pinpoint these components is a crucial skill in a tester’s toolkit, allowing for a more precise and informed approach to security assessments. Whether you’re just starting out or already have some experience, this guide will help you build on what you know.

Identifying WAFs:

A fundamental aspect to grasp is the role WAFs play: they act as an intermediary between the web server and the user, shielding the server from potential threats while also managing data traffic to ensure smooth operation. This protective barrier scrutinizes every request and response passed through it, helping to secure the application against a variety of attacks such as SQL injection, cross-site scripting, and more. A very high-level overview is shown below:

source: www.cloudflare.com

Manual Methods:

During a penetration test, it is vital to ascertain whether the website is shielded by a Web Application Firewall (WAF), which is designed to block any malicious content. I would recommend against beginning your penetration testing (pentest) with random XSS or SQL techniques just to test for WAF triggers.

A more prudent initial step is to inspect the response headers of the web application to identify signs of WAF protection, which is usually revealed by the Server header. You can carry out this investigation in Firefox using the following steps:

  1. Access the Inspection Tool: Use the shortcut Ctrl + Shift + I or right-click anywhere on the webpage and select ‘Inspect’ from the dropdown menu.
  2. Open the Network Tab: Find and click the ‘Network’ tab in the inspection tool. Subsequently, reload the page to view the most recent network data.
  3. Inspect the Initial Request: In the network data list, find and click the first request, which generally appears as a single “/” in the file section. This action will open a new section on the right, presenting the details of the request, including the headers.

Following this procedure should allow you to confirm whether a WAF is active. Refer to the screenshot below for a visual guide on what to expect during this process:

If you don’t have any luck with the Server header, you can attempt to manually identify whether a WAF is in use by sending a malicious payload to the site to see if you get blocked and what the block page looks like. To do this we can send a malicious HTTPS request to the site to get the WAF to block us:

https://www.krptyk.com:443/?p4yl04d3=<script>alert(document.cookie)</script>

We can see from this response (a block page rather than the normal page) that we have been blocked and that Cloudflare is being used.
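The two manual checks above (read the Server header first, then compare a clean request with one carrying a test parameter and look for a block page) can be scripted against captured responses. This is an added example, not code from the original post; the Cloudflare header signatures are the ones this tutorial shows, the block-page phrases other than Cloudflare's "Attention Required!" are assumed placeholders, and the sample responses are constructed so the block runs offline.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Passive signatures: header name -> substring expected in its value, or
# None when the header's presence alone is enough. Only Cloudflare (the
# vendor shown in the tutorial) is listed; extend with vendors you verify.
PASSIVE_SIGNATURES = {
    "cloudflare": {"server": "cloudflare", "cf-ray": None},
}

# Assumed block-page phrases; "Attention Required!" is Cloudflare's block
# page title, the other two are generic placeholders to extend.
BLOCK_MARKERS = ("attention required", "access denied", "request blocked")

def fingerprint_from_headers(resp):
    """Passive check: name the WAF/CDN from response headers, or None."""
    h = {k.lower(): v for k, v in resp.headers.items()}
    for vendor, sigs in PASSIVE_SIGNATURES.items():
        for header, expected in sigs.items():
            if header in h and (expected is None or expected in h[header].lower()):
                return vendor
    return None

def looks_blocked(baseline, probe):
    """Active check: compare a clean request's response with the response to
    the same URL carrying a test parameter. A newly appearing 4xx/5xx, or a
    block-page phrase absent from the baseline body, indicates a block."""
    status_changed = probe.status != baseline.status and probe.status >= 400
    base_body, probe_body = baseline.body.lower(), probe.body.lower()
    marker_hit = any(m in probe_body and m not in base_body for m in BLOCK_MARKERS)
    return status_changed or marker_hit

def detect_waf(baseline, probe):
    """Headers first, block-page comparison second (the order recommended above)."""
    vendor = fingerprint_from_headers(baseline) or fingerprint_from_headers(probe)
    if vendor:
        return {"waf": True, "vendor": vendor, "method": "headers"}
    if looks_blocked(baseline, probe):
        return {"waf": True, "vendor": "unknown", "method": "block-page"}
    return {"waf": False, "vendor": None, "method": None}

# Constructed sample responses (not real captures) for a stand-alone run.
BASELINE = Response(200, {"Server": "cloudflare", "CF-RAY": "0000000000000000-XXX"}, "<html>home</html>")
PROBE = Response(403, {"Server": "cloudflare"}, "<title>Attention Required! | Cloudflare</title>")
```

Feed it the baseline and probe responses you captured in the browser's Network tab; a vendor name from the headers is the reliable signal, while the block-page comparison only tells you that something in front of the origin is filtering.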

Automated Methods:

Of course there are ways to find this information automatically using different tools. The first tool we will look at is Nmap. Remember to always look at what a tool is doing before you blindly run it. Sending malicious requests to a website is illegal, but you have approval from the website owner / client so that’s not a problem in this case. For more information on the WAF detection scripts that Nmap uses, the documentation is here. This tool needs no introduction, so let’s get right into the commands we will use:

nmap -p80,443 --script http-waf-detect <host>
nmap -p80,443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.uri=/<URI Path.extension>" <host>

Nmap won’t detect the type of WAF that is installed; it’ll simply report whether one is being used or not.

As you can see from the screenshot above, Nmap simply injects malicious payload types into the request and checks whether the response differs from the normal one (for example, a block page is returned).

The second automated tool we will look at is wafw00f (Github). Remember, as I previously mentioned, to see what a tool does before you run it. In this case wafw00f will send a standard request and parse the response to determine if a WAF is being used (similar to our manual method earlier – checking the Server header). If that doesn’t work, it will send (potentially) malicious requests to the site to try and trigger the blocking protocols in place and determine the WAF from there. wafw00f comes with the latest version of Kali, so you should be able to run it without going through the installation process. The command to run wafw00f is as follows:

wafw00f https://www.krptyk.com/

Wafw00f quickly determined that a WAF was in operation and identified the specific one being utilized. While the techniques mentioned above each have their own appropriate use cases, they generally lead to the same conclusion. It’s worth noting that there is a wide array of tools available that can accomplish this task, and this tutorial has showcased only a selection of them.

Final Advice

A crucial tip, which I have observed being overlooked many times, is to avoid using Nmap or similar port scanning tools to scan the web application’s ports if you notice it’s utilizing a CDN/WAF. Generally, you’ll find only ports 80 and 443 open. This is because you aren’t actually scanning the web server; instead, you are scanning the intermediary service — in the context of our tutorial, Cloudflare.

Following this process, your next step should be to uncover the IP address of the web server itself. Often, due to misconfigurations, retrieving the web server’s IP and bypassing the WAF intermediary isn’t a complex task. Taking these next steps ensures you are analyzing the actual web server itself, not just the WAF.

Written by: krptyk
