WAF-aiki tool: wafiron
At SANS Pen Test Hackfest 2017 I presented "WAF-aiki: Pentest Techniques against a Web Application Firewall." One aspect of that presentation dealt with wafiron, a bespoke tool that I wrote to deal with a particularly troublesome pentest where the WAF was effectively thwarting all my attacks.
If you'd like to peek or play with it, the current version is here.
wafiron maps the protections that the WAF imposes on a parameter's input. Given a URL with a designated data field, and a way to tell whether the WAF blocked the submission or not, it tries to determine the acceptable character set, minimum length, and maximum length for that data field.
Here's the usage screen:
usage: wafiron.py [-h] -u URL -f FAILURE [-g GOOD] [-d DUMP]
Probe the URL to determine WAF limits. The URL must include the word WAFFLE to
mark where adaptive changes should be made.
optional arguments:
-h, --help show this help message and exit
-g GOOD, --good GOOD Known good value for WAFFLE
-d DUMP, --dump DUMP Dump request/response pairs to files in dump directory
required arguments:
-u URL, --url URL URL of the target; WAFFLE will be replaced to test
-f FAILURE, --failure FAILURE String indicating WAF blocked the request
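The mapping described above, as an added example that is not wafiron's own code: the three measurements (accepted characters, minimum length, maximum length) are run against a constructed in-memory stand-in for the WAF instead of a live URL, which is the same way a defender would confirm what a parameter rule actually enforces before relying on it. The `mock_waf` policy, the `FAILURE` string and the `probe` helper are assumptions for this example.

```python
import string
from typing import Callable

FAILURE = "Request blocked"   # the string the caller would pass as -f/--failure

def mock_waf(value: str) -> str:
    """Constructed stand-in for the target: returns the body a WAF might
    send back. Policy: letters, digits and - _ . @ only, length 3..16."""
    allowed = set(string.ascii_letters + string.digits + "-_.@")
    if not 3 <= len(value) <= 16 or any(c not in allowed for c in value):
        return FAILURE
    return "OK"

def blocked(send: Callable[[str], str], value: str, failure: str) -> bool:
    """A submission counts as blocked when the failure string is in the reply."""
    return failure in send(value)

def map_charset(send, good: str, failure: str) -> str:
    """Swap each printable character into the last position of a known-good
    value (the -g/--good argument) and keep the ones the filter lets through."""
    candidates = string.digits + string.ascii_letters + string.punctuation
    return "".join(c for c in candidates if not blocked(send, good[:-1] + c, failure))

def map_length(send, fill: str, failure: str, ceiling: int = 4096):
    """Return (min_len, max_len) for values made of one accepted character.
    Assumes length rules are monotonic: once a length is blocked, every longer
    value is blocked too, so the upper bound can be bisected."""
    min_len = next((n for n in range(1, ceiling + 1)
                    if not blocked(send, fill * n, failure)), None)
    if min_len is None:
        return None, None
    lo, hi = min_len, ceiling            # lo is accepted; hi is probed next
    if not blocked(send, fill * hi, failure):
        return min_len, hi               # no maximum found below the ceiling
    while hi - lo > 1:                   # invariant: lo accepted, hi blocked
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if not blocked(send, fill * mid, failure) else (lo, mid)
    return min_len, lo

def probe(send, good: str, failure: str) -> dict:
    """Run the three measurements wafiron reports, using one send function."""
    charset = map_charset(send, good, failure)
    if not charset:                      # nothing accepted: no length probe possible
        return {"charset": "", "min_len": None, "max_len": None}
    min_len, max_len = map_length(send, charset[0], failure)
    return {"charset": charset, "min_len": min_len, "max_len": max_len}

if __name__ == "__main__":
    print(probe(mock_waf, "abc", FAILURE))
```

Replacing `mock_waf` with a function that submits the value in place of WAFFLE and returns the response body is all that separates this from a live probe.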