How to use the command 'whatwaf' (with examples)

How to use the command 'whatwaf' (with examples)

The whatwaf command-line tool is a sophisticated utility designed to detect and potentially bypass Web Application Firewalls (WAFs) and other website protection systems. Originally crafted for penetration testers and security researchers, whatwaf helps identify the specific type of firewall installed on a website, whether it’s Cloudflare, Akamai, or many others. This information can provide insight into the security posture of a web application and assist in penetration testing efforts. The command also includes options for customizing requests, such as using a proxy or alternative payloads, allowing the user to approach WAFs in varied ways.

Use case 1: Detect protection on a single URL, optionally use verbose output

Code:

whatwaf --url https://example.com --verbose

Motivation:

In the rapidly evolving domain of web security, understanding what type of defenses a web application has in place is crucial for penetration testing and assessing security risks. By detecting the presence of a WAF, security professionals can make informed decisions about testing strategies or mitigating threats. Using the --verbose flag provides additional technical details that could be beneficial for an in-depth analysis.

Explanation:

  • --url https://example.com: This specifies the target URL, informing whatwaf which website to analyze for protection mechanisms.
  • --verbose: Enables verbose output mode, which gives more detailed feedback about the process and findings, including potential rules or identifiers detected by the tool.

Example Output:

Detected Cloudflare WAF on https://example.com
Verbose report:
  - Challenge triggered: JS-based
  - Rule ID: XXXXXX

Use case 2: Detect protection on a list of URLs in parallel from a file (one URL per line)

Code:

whatwaf --threads 5 --list path/to/file

Motivation:

When analyzing multiple websites at scale, efficiency becomes a key concern. Security professionals and developers managing numerous web assets can benefit from running parallel scans across different websites to identify protection systems quickly. This approach saves time and resources, facilitating large-scale web security assessments.

Explanation:

  • --threads 5: Limits the number of concurrent threads to 5, enabling parallel scanning of multiple URLs for a more efficient process.
  • --list path/to/file: Specifies the path to the file containing the list of URLs, with each URL on a separate line. The tool reads from this file to detect protections in bulk.

Example Output:

Initiating scan with 5 threads...
https://example1.com - Detected ModSecurity
https://example2.com - No WAF detected
https://example3.com - Detected AWS WAF
Scan complete

Use case 3: Send requests through a proxy and use a custom payload list from a file (one payload per line)

Code:

whatwaf --proxy http://127.0.0.1:8080 --pl path/to/file -u https://example.com

Motivation:

Routing requests through a proxy is often necessary for security research to mask the origin of traffic or to further analyze network interactions. Using custom payloads during a detection process refines the testing parameters, making them more tailored to the WAFs being challenged.

Explanation:

  • --proxy http://127.0.0.1:8080: Sets the proxy server that requests are routed through, which can be helpful for traffic monitoring or anonymization.
  • --pl path/to/file: Indicates the file containing custom payloads, used to test WAF resilience and detection capabilities.
  • -u https://example.com: Indicates the target URL for the tests.

Example Output:

Proxy connected: http://127.0.0.1:8080
Custom payloads loaded: 10 items
Attempting payload 1/10...
...
Detected F5 BIG-IP APM

Use case 4: Send requests through Tor (Tor must be installed) using custom payloads (comma-separated)

Code:

whatwaf --tor --payloads 'payload1,payload2,...' -u https://example.com

Motivation:

Using Tor for web application testing can aid in preserving anonymity, which is vital for ethical hacking and sensitive security tasks. This approach is aligned with best practices in penetration testing when the testers want to ensure that their activities remain difficult to trace.

Explanation:

  • --tor: Uses the Tor network to route requests, maintaining user anonymity.
  • --payloads 'payload1,payload2,...': Specifies custom payloads to include in requests, providing flexibility in how the application firewall is tested.
  • -u https://example.com: The target URL where the payloads will be tested.

Example Output:

Connected to Tor network...
Sending payloads to https://example.com...
Payload 1...No detection
Payload 2...Detected: Barracuda WAF

Use case 5: Use a random user-agent, set throttling and timeout, send a POST request, and force HTTPS connection

Code:

whatwaf --ra --throttle 2 --timeout 10 --post --force-ssl -u http://example.com

Motivation:

Implementing randomized user agents can help bypass basic WAF detection that filters requests based on headers. Controlling throttling and timeout settings ensures that the requests do not overload the server, which is especially important during testing in a production environment. Using POST requests performs tests in different HTTP methods, potentially encountering additional defenses.

Explanation:

  • --ra: Randomizes User-Agent strings to disguise request origin.
  • --throttle 2: Inserts a delay of 2 seconds between requests to prevent overwhelming the server.
  • --timeout 10: Sets the request timeout period to 10 seconds, limiting the duration the tool waits for a response.
  • --post: Configures the request to be sent as a POST method instead of GET.
  • --force-ssl: Forces all connections to be made securely over HTTPS, even if the initial URL is HTTP.

Example Output:

Randomizing User-Agent...
Sending POST requests...
Detected Imperva Incapsula with SSL enforced

Use case 6: List all WAFs that can be detected

Code:

whatwaf --wafs

Motivation:

Security experts and researchers often need to understand the capabilities of their tools before initiating any action. Listing all detectable WAFs allows users to confirm whether their targets’ technologies are included in whatwaf’s detection library, ensuring the tool’s relevance to their specific needs.

Explanation:

  • --wafs: Instructs the tool to output a comprehensive list of WAFs that it is programmed to detect. This offers insight into the tool’s capabilities and helps users to plan their assessments accordingly.

Example Output:

Able to detect the following WAFs:
- Cloudflare
- Akamai
- AWS WAF
- F5 BIG-IP
- ModSecurity
- Imperva
[total: 100 WAFs]

Use case 7: List all available tamper scripts

Code:

whatwaf --tampers

Motivation:

When confronted with sophisticated protection systems, altering the way payloads are constructed before being sent can be an effective strategy. Tamper scripts are useful for this purpose, and knowing the options available can guide testers in choosing the appropriate script to modify the requests’ behavior.

Explanation:

  • --tampers: Displays a list of all tamper scripts that are bundled with whatwaf. These scripts are designed to alter HTTP requests in specific ways to bypass or test the limits of web application firewalls.

Example Output:

Available tamper scripts:
- random_case
- space2comment
- charencode
- space2plus
[total: 20 scripts]

Conclusion:

The whatwaf tool offers a diverse set of features for identifying and analyzing web application firewalls, giving penetration testers and security professionals valuable insights into the security mechanisms of web applications. Each use case demonstrates a unique capability of the tool, showcasing its flexibility and power in tackling various security challenges. Through its numerous options for customization and comprehensive detection capabilities, whatwaf remains a valuable asset in the arsenal of cybersecurity tools.

Related Posts

How to Use the Command 'eopkg' (with Examples)

How to Use the Command 'eopkg' (with Examples)

The ’eopkg’ command is a package management tool specifically designed for Solus, a cutting-edge Linux distribution.

Read More
Mastering the OpenSSL x509 Command (with examples)

Mastering the OpenSSL x509 Command (with examples)

OpenSSL is a robust tool that serves a variety of functions related to cryptography and secure communications.

Read More
How to Analyze Binary Files using 'ropper' (with examples)

How to Analyze Binary Files using 'ropper' (with examples)

Ropper is a powerful command-line tool designed for binary analysis, specifically focusing on finding Return Oriented Programming (ROP) gadgets in binary files.

Read More