From 05d1fe77f6a7cafa2c3e8f6cc570b6c61a1928bc Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Mon, 28 Sep 2020 03:13:29 +0700 Subject: [PATCH] :fire: Add WhatWAF detection --- technologies/waf-detect.yaml | 663 +++++++++++++++++++++++++++++++++++ 1 file changed, 663 insertions(+) create mode 100644 technologies/waf-detect.yaml
diff --git a/technologies/waf-detect.yaml b/technologies/waf-detect.yaml
new file mode 100644
index 0000000000..fb5c57c9a7
--- /dev/null
+++ b/technologies/waf-detect.yaml
@@ -0,0 +1,663 @@ +id: waf-detect + +info: + name: WAF Detection + author: dwisiswant0 + severity: info + + # Source: + # - https://github.com/Ekultek/WhatWaf + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + _= + redirects: true + max-redirects: 2 + matchers: + - type: regex + name: instart + regex: + - '(?i)instartrequestid' + part: all + - type: regex + name: perimx + regex: + - '(?i)access.to.this.page.has.been.denied.because.we.believe.you.are.using.automation.tool' + - '(?i)http(s)?://(www.)?perimeterx.\w+.whywasiblocked' + - '(?i)perimeterx' + - '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js' + condition: or + part: all + - type: regex + name: webknight + regex: + - '(?i)\bwebknight' + - '(?i)webknight' + condition: or + part: all + - type: regex + name: zscaler + regex: + - '(?i)zscaler(.\d+(.\d+)?)?' + - '(?i)zscaler' + condition: or + part: all + - type: regex + name: fortigate + regex: + - '(?i).>powered.by.fortinet<.' + - '(?i).>fortigate.ips.sensor<.' + - '(?i)fortigate' + - '(?i).fgd_icon' + - '(?i)\AFORTIWAFSID=' + - '(?i)application.blocked.' + - '(?i).fortiGate.application.control' + - '(?i)(http(s)?)?://\w+.fortinet(.\w+:)?' + - '(?i)fortigate.hostname' + - '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information' + condition: or + part: all + - type: regex + name: teros + regex: + - '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?' + condition: or + part: all + - type: regex + name: stricthttp + regex: + - '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string' + condition: or + part: all + - type: regex + name: stricthttp + regex: + - '(?i)rejected.by.url.scan' + - '(?i)/rejected.by.url.scan' + condition: or + part: all + - type: regex + name: shadowd + regex: + - '(?i)\d{3}.forbidden<.h\d>' + - '(?i)request.forbidden.by.administrative.rules.' 
+ condition: or + part: all + - type: regex + name: bigip + regex: + - '(?i)\ATS\w{4,}=' + - '(?i)bigipserver(.i)?|bigipserverinternal' + - '(?i)^TS[a-zA-Z0-9]{3,8}=' + - '(?i)BigIP|BIG-IP|BIGIP' + - '(?i)bigipserver' + condition: or + part: all + - type: regex + name: edgecast + regex: + - '(?i)\Aecdf' + condition: or + part: all + - type: regex + name: radware + regex: + - '(?i).\bcloudwebsec.radware.com\b.' + - '(?i).>unauthorized.activity.has.been.detected<.' + - '(?i)with.the.following.case.number.in.its.subject:.\d+.' + condition: or + part: all + - type: regex + name: varnish + regex: + - '(?i)\bxid. \d+' + - '(?i)varnish$' + - '(?i)varnish' + - '(?i).>.?security.by.cachewall.?<.' + - '(?i)cachewall' + - '(?i).>access.is.blocked.according.to.our.site.security.policy.<+' + condition: or + part: all + - type: regex + name: infosafe + regex: + - '(?i)infosafe' + - '(?i)by.(http(s)?(.//)?)?7i24.(com|net)' + - '(?i)infosafe.\d.\d' + - '(?i)var.infosafekey=' + condition: or + part: all + - type: regex + name: aliyundun + regex: + - '(?i)error(s)?.aliyun(dun)?.(com|net)' + - '(?i)http(s)?://(www.)?aliyun.(com|net)' + condition: or + part: all + - type: regex + name: ats + regex: + - '(?i)(\()?apachetrafficserver((\/)?\d+(.\d+(.\d+)?)?)' + - '(?i)ats((\/)?(\d+(.\d+(.\d+)?)?))?' + condition: or + part: all + - type: regex + name: malcare + regex: + - '(?i)malcare' + - '(?i).>login.protection<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?' + - '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?' + condition: or + part: all + - type: regex + name: wts + regex: + - '(?i)()?wts.wa(f)?(\w+(\w+(\w+)?)?)?' + part: all + - type: regex + name: dw + regex: + - '(?i)dw.inj.check' + part: all + - type: regex + name: denyall + regex: + - '(?i)\Acondition.intercepted' + - '(?i)\Asessioncookie=' + condition: or + part: all + - type: regex + name: yunsuo + regex: + - '(?i)<img.class=.yunsuologo.' 
+ - '(?i)yunsuo.session' + condition: or + part: all + - type: regex + name: litespeed + regex: + - '(?i)litespeed.web.server' + part: all + - type: regex + name: cloudfront + regex: + - '(?i)[a-zA-Z0-9]{,60}.cloudfront.net' + - '(?i)cloudfront' + - '(?i)x.amz.cf.id|nguardx' + condition: or + part: all + - type: regex + name: anyu + regex: + - '(?i)sorry.{1,2}your.access.has.been.intercept(ed)?.by.anyu' + - '(?i)anyu' + - '(?i)anyu-?.the.green.channel' + condition: or + part: all + - type: regex + name: googlewebservices + regex: + - '(?i)your.client.has.issued.a.malformed.or.illegal.request' + - '(?i)our.systems.have.detected.unusual.traffic' + - '(?i)block(ed)?.by.g.cloud.security.policy.+' + condition: or + part: all + - type: regex + name: didiyun + regex: + - '(?i)(http(s)?://)(sec-waf.|www.)?didi(static|yun)?.com(/static/cloudwafstatic)?' + - '(?i)didiyun' + condition: or + part: all + - type: regex + name: blockdos + regex: + - '(?i)blockdos\.net' + part: all + - type: regex + name: codeigniter + regex: + - '(?i)the.uri.you.submitted.has.disallowed.characters' + part: all + - type: regex + name: stingray + regex: + - '(?i)\AX-Mapping-' + part: all + - type: regex + name: west263 + regex: + - '(?i)wt\d*cdn' + part: all + - type: regex + name: aws + regex: + - '(?i)<RequestId>[0-9a-zA-Z]{16,25}<.RequestId>' + - '(?i)<Error><Code>AccessDenied<.Code>' + - '(?i)\baws(alb)?.' + - '(?i)x.amz.id.\d+' + - '(?i)x.amz.request.id' + - '(?i)amazon(aws.com)?(\d+)?' + condition: or + part: all + - type: regex + name: yundun + regex: + - '(?i)YUNDUN' + - '(?i)^yd.cookie=' + - '(?i)http(s)?.//(www\.)?(\w+.)?yundun(.com)?' + - '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>' + condition: or + part: all + - type: regex + name: barracuda + regex: + - '(?i)\Abarra.counter.session=?' + - '(?i)(\A|\b)?barracuda.' 
+ - '(?i)barracuda.networks.{1,2}inc' + condition: or + part: all + - type: regex + name: dodenterpriseprotection + regex: + - '(?i)dod.enterprise.level.protection.system' + part: all + - type: regex + name: secupress + regex: + - '(?i)<h\d*>secupress<.' + - '(?i)block.id.{1,2}bad.url.contents.<.' + condition: or + part: all + - type: regex + name: aesecure + regex: + - '(?i)aesecure.denied.png' + part: all + - type: regex + name: incapsula + regex: + - '(?i)incap_ses|visid_incap' + - '(?i)incapsula' + - '(?i)incapsula.incident.id' + condition: or + part: all + - type: regex + name: nexusguard + regex: + - '(?i)nexus.?guard' + - '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage' + condition: or + part: all + - type: regex + name: cloudflare + regex: + - '(?i)cloudflare.ray.id.|var.cloudflare.' + - '(?i)cloudflare.nginx' + - '(?i)..cfduid=([a-z0-9]{43})?' + - '(?i)cf[-|_]ray(..)?([0-9a-f]{16})?[-|_]?(dfw|iad)?' + - '(?i).>attention.required!.\|.cloudflare<.+' + - '(?i)http(s)?.//report.(uri.)?cloudflare.com(/cdn.cgi(.beacon/expect.ct)?)?' + - '(?i)ray.id' + condition: or + part: all + - type: regex + name: akamai + regex: + - '(?i).>access.denied<.' + - '(?i)akamaighost' + - '(?i)ak.bmsc.' + condition: or + part: all + - type: regex + name: webseal + regex: + - '(?i)webseal.error.message.template' + - '(?i)webseal.server.received.an.invalid.http.request' + condition: or + part: all + - type: regex + name: dotdefender + regex: + - '(?i)dotdefender.blocked.your.request' + part: all + - type: regex + name: pk + regex: + - '(?i).>pkSecurityModule\W..\WSecurity.Alert<.' + - '(?i).http(s)?.//([w]{3})?.kitnetwork.\w' + - '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.' + condition: or + part: all + - type: regex + name: expressionengine + regex: + - '(?i).>error.-.expressionengine<.' + - '(?i).>:.the.uri.you.submitted.has.disallowed.characters.<.' 
+ - '(?i)invalid.(get|post).data' + condition: or + part: all + - type: regex + name: comodo + regex: + - '(?i)protected.by.comodo.waf' + part: all + - type: regex + name: ciscoacexml + regex: + - '(?i)ace.xml.gateway' + part: all + - type: regex + name: barikode + regex: + - '(?i).>barikode<.' + - '(?i)<h\d{1}>forbidden.access<.h\d{1}>' + condition: or + part: all + - type: regex + name: watchguard + regex: + - '(?i)(request.denied.by.)?watchguard.firewall' + - '(?i)watchguard(.technologies(.inc)?)?' + condition: or + part: all + - type: regex + name: binarysec + regex: + - '(?i)x.binarysec.via' + - '(?i)x.binarysec.nocache' + - '(?i)binarysec' + - '(?i)\bbinarysec\b' + condition: or + part: all + - type: regex + name: bekchy + regex: + - '(?i)bekchy.(-.)?access.denied' + - '(?i)(http(s)?://)(www.)?bekchy.com(/report)?' + condition: or + part: all + - type: regex + name: bitninja + regex: + - '(?i)bitninja' + - '(?i)security.check.by.bitninja' + - '(?i).>visitor.anti(\S)?robot.validation<.' + condition: or + part: all + - type: regex + name: apachegeneric + regex: + - '(?i)apache' + - '(?i).>you.don.t.have.permission.to.access+' + - '(?i)was.not.found.on.this.server' + - '(?i)<address>apache/([\d+{1,2}](.[\d+]{1,2}(.[\d+]{1,3})?)?)?' + - '(?i)<title>403 Forbidden' + condition: or + part: all + - type: regex + name: greywizard + regex: + - '(?i)greywizard(.\d.\d(.\d)?)?' + - '(?i)grey.wizard.block' + - '(?i)(http(s)?.//)?(\w+.)?greywizard.com' + - '(?i)grey.wizard' + condition: or + part: all + - type: regex + name: configserver + regex: + - '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+' + part: all + - type: regex + name: viettel + regex: + - '(?i)access.denied(...)?viettel.waf' + - '(?i)viettel.waf.system' + - '(?i)(http(s).//)?cloudrity.com(.vn)?' 
+ condition: or + part: all + - type: regex + name: safedog + regex: + - '(?i)(http(s)?)?(://)?(www|404|bbs|\w+)?.safedog.\w' + - '(?i)waf(.?\d+.?\d+)' + condition: or + part: all + - type: regex + name: baidu + regex: + - '(?i)yunjiasu.nginx' + part: all + - type: regex + name: alertlogic + regex: + - '(?i).>requested.url.cannot.be.found<.' + - '(?i)proceed.to.homepage' + - '(?i)back.to.previous.page' + - "(?i)we('re|.are)?sorry.{1,2}but.the.page.you.are.looking.for.cannot" + - '(?i)reference.id.?' + - '(?i)page.has.either.been.removed.{1,2}renamed' + condition: or + part: all + - type: regex + name: armor + regex: + - '(?i)blocked.by.website.protection.from.armour' + part: all + - type: regex + name: dosarrest + regex: + - '(?i)dosarrest' + - '(?i)x.dis.request.id' + condition: or + part: all + - type: regex + name: paloalto + regex: + - 'has.been.blocked.in.accordance.with.company.policy' + - '.>Virus.Spyware.Download.Blocked<.' + condition: or + part: all + - type: regex + name: aspgeneric + regex: + - '(?i)this.generic.403.error.means.that.the.authenticated' + - '(?i)request.could.not.be.understood' + - '(?i)<.+>a.potentially.dangerous.request(.querystring)?.+' + - '(?i)runtime.error' + - '(?i).>a.potentially.dangerous.request.path.value.was.detected.from.the.client+' + - '(?i)asp.net.sessionid' + - '(?i)errordocument.to.handle.the.request' + - '(?i)an.application.error.occurred.on.the.server' + - '(?i)error.log.record.number' + - '(?i)error.page.might.contain.sensitive.information' + - "(?i)<.+>server.error.in.'/'.application.+" + - '(?i)\basp.net\b' + condition: or + part: all + - type: regex + name: powerful + regex: + - '(?i)Powerful Firewall' + - '(?i)http(s)?...tiny.cc.powerful.firewall' + condition: or + part: all + - type: regex + name: uewaf + regex: + - '(?i)http(s)?.//ucloud' + - '(?i)uewaf(.deny.pages)' + condition: or + part: all + - type: regex + name: janusec + regex: + - '(?i)janusec' + - '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)' + 
condition: or + part: all + - type: regex + name: siteguard + regex: + - '(?i)>Powered.by.SiteGuard.Lite<' + - '(?i)refuse.to.browse' + condition: or + part: all + - type: regex + name: sonicwall + regex: + - '(?i)This.request.is.blocked.by.the.SonicWALL' + - '(?i)Dell.SonicWALL' + - '(?i)\bDell\b' + - '(?i)Web.Site.Blocked.+\bnsa.banner' + - '(?i)SonicWALL' + - '(?i).>policy.this.site.is.blocked<.' + condition: or + part: all + - type: regex + name: jiasule + regex: + - '(?i)^jsl(_)?tracking' + - '(?i)(__)?jsluid(=)?' + - '(?i)notice.jiasule' + - '(?i)(static|www|dynamic).jiasule.(com|net)' + condition: or + part: all + - type: regex + name: nginxgeneric + regex: + - '(?i)nginx' + - '(?i)you.do(not|n.t)?.have.permission.to.access.this.document' + condition: or + part: all + - type: regex + name: stackpath + regex: + - '(?i)action.that.triggered.the.service.and.blocked' + - '(?i)

sorry,.you.have.been.blocked.?<.h2>' + condition: or + part: all + - type: regex + name: sabre + regex: + - '(?i)dxsupport@sabre.com' + part: all + - type: regex + name: wordfence + regex: + - '(?i)generated.by.wordfence' + - '(?i)your.access.to.this.site.has.been.limited' + - '(?i).>wordfence<.' + condition: or + part: all + - type: regex + name: '360' + regex: + - '(?i).wzws.waf.cgi.' + - '(?i)wangzhan\.360\.cn' + - '(?i)qianxin.waf' + - '(?i)360wzws' + - '(?i)transfer.is.blocked' + condition: or + part: all + - type: regex + name: asm + regex: + - '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.' + condition: or + part: all + - type: regex + name: rsfirewall + regex: + - '(?i)com.rsfirewall.403.forbidden' + - '(?i)com.rsfirewall.event' + - '(?i)(\b)?rsfirewall(\b)?' + - '(?i)rsfirewall' + condition: or + part: all + - type: regex + name: sucuri + regex: + - '(?i)access.denied.-.sucuri.website.firewall' + - '(?i)sucuri.webSite.firewall.-.cloudProxy.-.access.denied' + - '(?i)questions\?.+cloudproxy@sucuri\.net' + - '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?' + condition: or + part: all + - type: regex + name: airlock + regex: + - '(?i)\Aal[.-]?(sess|lb)=?' + part: all + - type: regex + name: xuanwudun + regex: + - '(?i)class=.(db)?waf.?(-row.)?>' + part: all + - type: regex + name: chuangyu + regex: + - '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)' + part: all + - type: regex + name: securesphere + regex: + - '(?i)

error<.h2>' + - '(?i)error<.title>' + - '(?i)<b>error<.b>' + - '(?i)<td.class="(errormessage|error)".height="[0-9]{1,3}".width="[0-9]{1,3}">' + - '(?i)the.incident.id.(is|number.is).' + - '(?i)page.cannot.be.displayed' + - '(?i)contact.support.for.additional.information' + condition: or + part: all + - type: regex + name: anquanbao + regex: + - '(?i).aqb_cc.error.' + part: all + - type: regex + name: modsecurity + regex: + - '(?i)ModSecurity|NYOB' + - '(?i)mod_security' + - '(?i)this.error.was.generated.by.mod.security' + - '(?i)web.server at' + - '(?i)page.you.are.(accessing|trying)?.(to|is)?.(access)?.(is|to)?.(restricted)?' + - '(?i)blocked.by.mod.security' + condition: or + part: all + - type: regex + name: modsecurityowasp + regex: + - '(?i)not.acceptable' + - '(?i)additionally\S.a.406.not.acceptable' + condition: or + part: all + - type: regex + name: squid + regex: + - '(?i)squid' + - '(?i)Access control configuration prevents' + - '(?i)X.Squid.Error' + condition: or + part: all + - type: regex + name: shieldsecurity + regex: + - '(?i)blocked.by.the.shield' + - '(?i)transgression(\(s\))?.against.this' + - '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate' + condition: or + part: all + - type: regex + name: wallarm + regex: + - '(?i)nginix.wallarm' + part: all \ No newline at end of file
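Review bot: The anchored cookie/header patterns can never fire as written: with `part: all` each regex runs over the whole raw response, so the `\A` in `'(?i)\ATS\w{4,}='` (bigip), `'(?i)\Aecdf'`, `'(?i)\AFORTIWAFSID='`, `'(?i)\Abarra.counter.session=?'`, `'(?i)\Aal[.-]?(sess|lb)=?'` and `'(?i)\AX-Mapping-'`, and the unflagged `^`/`$` in `'(?i)^TS[a-zA-Z0-9]{3,8}='`, `'(?i)^yd.cookie='`, `'(?i)^jsl(_)?tracking'` and `'(?i)varnish$'`, only match at the very start or end of the response text rather than at the start of a `Set-Cookie` value as in the WhatWaf source they were ported from. Those should be rewritten against headers, e.g. `part: header` with `'(?im)^Set-Cookie:\s*TS[a-zA-Z0-9]{3,8}='`, or have the anchors dropped. A related porting issue is `'(?i)[a-zA-Z0-9]{,60}.cloudfront.net'`: Python's `{,n}` form is not a valid repetition in Go's regexp package (which nuclei compiles matchers with) and is read as literal braces, so that alternative is dead weight. Separately, single-word alternatives such as `'(?i)apache'`, `'(?i)nginx'`, `'(?i)squid'`, `'(?i)\bDell\b'`, `'(?i)ray.id'`, `'(?i)runtime.error'`, `'(?i)not.acceptable'` and `'(?i)proceed.to.homepage'` will label almost any site as WAF-protected, which defeats the purpose of an info template used to scope testing; I would confine the server-name checks to the `Server` header and drop the free-text ones. Minor: the matcher name `stricthttp` is declared twice and should be merged into one matcher carrying all three patterns.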