Add support for akamai waf about wafw00f HOT 8 CLOSED

No problem mate, happens to the best of us. Feel free to ping if you run into further problems. ;)

from wafw00f.

Thanks for pulling this up, the modsecurity part is a minor bug. It'll be resolved via #67.

from wafw00f.

For the Akamai WAF, it has already been included in #67, but for the Mod Security fingerprint I am not being able to reproduce the attack vector technique on 3+ sites running Mod Security. I do presume that the test GET request is supposed to trigger the WAF, but actually its not being reproduced on the sites found in the wild.

from wafw00f.

#67 should do it. Thanks @Pacodiaz2g , @0xInfection

from wafw00f.

Akamai is sometimes not detected. Ie. it is now obscured, since Apache takes a lead.

POST /getstorelocatoraddress.json HTTP/1.1
Host: *
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.superdrug.com/no-referrer
content-type: application/x-www-form-urlencoded; charset=UTF-8
x-csrf-token: 1849b727-47fe-402c-8a31-69af0a2487e2
Origin: https://www.superdrug.com
Content-Length: 23
Connection: close
Cookie: ...
DNT: 1

q=&country=GB&services=

Response:

HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
...

{"pagination":{"pageSize":0,"sort":...}

In case when body payload is:

q=" and 1=1--&country=GB&services=

AkamaiGhost is visible in the response, so it requires permutation on the given URL. Didn't open a new issue since I don't know if this is normal occurence.

Response:

HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 298
Expires: Tue, 11 Aug 2020 19:47:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 11 Aug 2020 19:47:03 GMT
Connection: close
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=4

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
 
You don't have permission to access "http&#58;&#47;&#47;www&#46;*&#46;com&#47;*&#46;json" on this server.<P>
Reference&#32;&#35;18&#46;745b6068&#46;1597175223&#46;24f2341c
</BODY>
</HTML>

from wafw00f.

Hi @duraki,
So far in my research I have observed that Akamai will trigger on GET requests too, so any non existent URLs with any random payload should also trigger the WAF. If this seems a new variant, I'll look into it. Thanks for this. =)

from wafw00f.

@duraki could you provide us with the wafw00f command that you're running to reproduce the issue?

I'm using v2.1.0, running wafw00f https://yourtarget/getstorelocatoraddress.json and see the following:

[*] Checking https://yourtarget/getstorelocatoraddress.json
[+] The site https://yourtarget/getstorelocatoraddress.json is behind Kona SiteDefender (Akamai) WAF.
[~] Number of requests: 2

Of course it is not sending a POST request like you are.

from wafw00f.

Ah crap! Forget it. Just did history | grep wafw00f and saw I passed a wrong DNS. Sorry guys, must be lack of caffeine.

from wafw00f.