
19. Nmap HTTP Enumeration WAF Detection And Fingerprinting

Web Application Firewalls (WAFs) are security systems designed to protect web applications by filtering and monitoring HTTP traffic. These Nmap commands help detect the presence of a WAF and identify its type.


1. WAF Detection

Command:

nmap -p 443 --script http-waf-detect cutm.ac.in

Explanation:

  • -p 443:
    • Scans port 443, the default port for HTTPS traffic.
  • --script http-waf-detect:
    • Executes the http-waf-detect NSE script, which sends requests carrying common attack strings and compares the responses with a baseline request; a changed status code or response body indicates that a Web Application Firewall (or a similar filtering device) is likely in the path.
  • cutm.ac.in:
    • The target domain.

Purpose:

  • Detects if a WAF is protecting the web application.
  • Provides insights into potential security layers defending the application.

Example Output:

PORT    STATE SERVICE
443/tcp open  https
| http-waf-detect: 
|   WAF Detected: Generic WAF
|_  Use the http-waf-fingerprint script for more details.

Key Findings:

  • WAF Detected: Confirms the presence of a WAF.
  • Generic WAF: Indicates that the WAF could not be precisely identified, requiring further analysis.

2. WAF Fingerprinting

Command:

nmap -p 443 --script http-waf-fingerprint cutm.ac.in

Explanation:

  • -p 443:
    • Scans port 443, typically used for HTTPS.
  • --script http-waf-fingerprint:
    • Executes the http-waf-fingerprint NSE script, which matches response headers, cookies and status codes against its database of known WAF signatures to determine the type and vendor of the WAF.
  • cutm.ac.in:
    • The target domain.

Purpose:

  • Identifies the specific WAF vendor or technology protecting the web application.

Example Output:

PORT    STATE SERVICE
443/tcp open  https
| http-waf-fingerprint: 
|   WAF Detected: Cloudflare
|   Fingerprint:
|     - Behavioral: XSS filter enabled
|     - Header Analysis: Security headers detected
|_    - Response Anomalies: 403 on unusual requests

Key Findings:

  • WAF Vendor: Identifies the vendor, such as Cloudflare, Imperva, or F5.
  • Fingerprint Details:
    • Behavioral patterns (e.g., XSS filtering).
    • HTTP headers and response codes indicating WAF behavior.
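Both scans above can be saved with Nmap's -oX flag and summarised across many hosts. The following is an added example written for this page; it is not part of Nmap or of the original article. It assumes the scans were run as in sections 1 and 2 with "-oX waf.xml", and the embedded XML (hostnames lab-a.example, lab-b.example, lab-c.example) is a constructed sample that mirrors the page's example outputs, not captured scan data.

```python
"""Summarise http-waf-detect / http-waf-fingerprint results from Nmap XML (-oX).

Added example for this page, not part of Nmap or the original article.
Assumes the scans were run with "-oX waf.xml"; SAMPLE_XML below is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

WAF_SCRIPTS = ("http-waf-detect", "http-waf-fingerprint")

# Constructed sample: host A triggers both scripts, host B only the generic
# detection, host C shows no WAF-related script output at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="lab-a.example" type="user"/></hostnames>
    <ports><port protocol="tcp" portid="443">
      <state state="open" reason="syn-ack"/>
      <service name="https"/>
      <script id="http-waf-detect" output="WAF Detected: Generic WAF&#10;Use the http-waf-fingerprint script for more details."/>
      <script id="http-waf-fingerprint" output="WAF Detected: Cloudflare&#10;Fingerprint:&#10;  - Header Analysis: Security headers detected"/>
    </port></ports>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <hostnames><hostname name="lab-b.example" type="user"/></hostnames>
    <ports><port protocol="tcp" portid="443">
      <state state="open" reason="syn-ack"/>
      <service name="https"/>
      <script id="http-waf-detect" output="WAF Detected: Generic WAF&#10;Use the http-waf-fingerprint script for more details."/>
    </port></ports>
  </host>
  <host>
    <address addr="192.0.2.30" addrtype="ipv4"/>
    <hostnames><hostname name="lab-c.example" type="user"/></hostnames>
    <ports><port protocol="tcp" portid="443">
      <state state="open" reason="syn-ack"/>
      <service name="https"/>
    </port></ports>
  </host>
</nmaprun>
"""


def parse_waf_results(xml_text):
    """Return one dict per host/port where a WAF script produced output.

    Keys: host, port, detected (bool), vendor (str or None),
    scripts (raw script id -> output text).
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        hostname = host.find("hostnames/hostname")
        address = host.find("address")
        label = hostname.get("name") if hostname is not None else address.get("addr")
        for port in host.iter("port"):
            scripts = {
                s.get("id"): s.get("output", "")
                for s in port.findall("script")
                if s.get("id") in WAF_SCRIPTS
            }
            if not scripts:
                continue  # neither script reported anything for this port
            # The vendor comes only from the fingerprint script; the detect
            # script's "Generic WAF" is a presence indicator, not a vendor.
            match = re.search(r"WAF Detected:\s*(.+)",
                              scripts.get("http-waf-fingerprint", ""))
            vendor = match.group(1).strip() if match else None
            detected = vendor is not None or \
                "WAF Detected" in scripts.get("http-waf-detect", "")
            results.append({
                "host": label,
                "port": int(port.get("portid")),
                "detected": detected,
                "vendor": vendor,
                "scripts": scripts,
            })
    return results


def format_report(results):
    """Render the parsed results as one line per host/port."""
    lines = []
    for r in results:
        status = f"vendor={r['vendor']}" if r["vendor"] else "generic WAF, vendor unknown"
        lines.append(f"{r['host']}:{r['port']}  WAF detected ({status})")
    return "\n".join(lines) if lines else "no WAF-related script output"


if __name__ == "__main__":
    # Usage: python3 waf_report.py waf.xml   (falls back to the built-in sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(format_report(parse_waf_results(xml_text)))
```

Hosts where neither script emitted output (lab-c.example in the sample) are left out of the report rather than reported as "no WAF": the scripts only prove a filter's presence, never its absence, so silence should be read as "undetermined".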

Comparison of Scripts

Script                Purpose                          Output
--------------------  -------------------------------  -----------------------------------
http-waf-detect       Detects the presence of a WAF.   Generic detection of WAF presence.
http-waf-fingerprint  Identifies WAF vendor and type.  Detailed fingerprinting and vendor.

Actionable Insights:

  1. If a WAF is Detected:
    • Understand the level of security protecting the web application.
    • Prepare for techniques to bypass or test against the WAF (if authorized).
  2. If the WAF is Identified:
    • Research specific bypass techniques or configurations for the identified WAF.
    • Identify potential security gaps in its configuration.
  3. Ethical Considerations:
    • Always obtain permission before scanning targets.
    • Avoid misuse of information about WAF configurations.

Use Case:

These scripts are crucial during a penetration test or vulnerability assessment to evaluate the presence and effectiveness of a WAF. Identifying the WAF can help testers tailor their approach while respecting legal and ethical boundaries.