EnableSecurity / wafw00f

WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Home Page: https://www.enablesecurity.com/

StackPath WAF not showing up in tests.

ShelbyJenkins opened this issue · comments

Describe the bug
When running wafw00f on sites I own that are protected by StackPath's WAF, wafw00f does not detect the StackPath WAF.

To Reproduce
wafw00f jshel.be -> shows up as generic
wafw00f milliseconds-matter.me -> shows up as Fastly
wafw00f stackpath.com -> shows up as generic

Desktop (please complete the following information):

  • OS: Windows 10
    ~ WAFW00F : v2.2.0 ~
  • Python version: Python 3.10.7

Debug output
Paste the output that you get when passing -vv to wafw00f. Example:

[*] Checking https://stackpath.com
INFO:wafw00f:starting wafw00f on https://stackpath.com
INFO:wafw00f:Request Succeeded
INFO:wafw00f:Request Succeeded
INFO:wafw00f:Checking for ACE XML Gateway (Cisco)
INFO:wafw00f:Checking for aeSecure (aeSecure)
INFO:wafw00f:Checking for AireeCDN (Airee)
INFO:wafw00f:Checking for Airlock (Phion/Ergon)
INFO:wafw00f:Checking for Alert Logic (Alert Logic)
INFO:wafw00f:Checking for AliYunDun (Alibaba Cloud Computing)
INFO:wafw00f:Checking for Anquanbao (Anquanbao)
INFO:wafw00f:Checking for AnYu (AnYu Technologies)
INFO:wafw00f:Checking for Approach (Approach)
INFO:wafw00f:Checking for AppWall (Radware)
INFO:wafw00f:Checking for Armor Defense (Armor)
INFO:wafw00f:Checking for ArvanCloud (ArvanCloud)
INFO:wafw00f:Checking for ASP.NET Generic (Microsoft)
INFO:wafw00f:Checking for ASPA Firewall (ASPA Engineering Co.)
INFO:wafw00f:Checking for Astra (Czar Securities)
INFO:wafw00f:Checking for AWS Elastic Load Balancer (Amazon)
INFO:wafw00f:Checking for AzionCDN (AzionCDN)
INFO:wafw00f:Checking for Azure Front Door (Microsoft)
INFO:wafw00f:Checking for Barikode (Ethic Ninja)
INFO:wafw00f:Checking for Barracuda (Barracuda Networks)
INFO:wafw00f:Checking for Bekchy (Faydata Technologies Inc.)
INFO:wafw00f:Checking for Beluga CDN (Beluga)
INFO:wafw00f:Checking for BIG-IP Local Traffic Manager (F5 Networks)
INFO:wafw00f:Checking for BinarySec (BinarySec)
INFO:wafw00f:Checking for BitNinja (BitNinja)
INFO:wafw00f:Checking for BlockDoS (BlockDoS)
INFO:wafw00f:Checking for Bluedon (Bluedon IST)
INFO:wafw00f:Checking for BulletProof Security Pro (AITpro Security)
INFO:wafw00f:Checking for CacheWall (Varnish)
INFO:wafw00f:Checking for CacheFly CDN (CacheFly)
INFO:wafw00f:Checking for Comodo cWatch (Comodo CyberSecurity)
INFO:wafw00f:Checking for CdnNS Application Gateway (CdnNs/WdidcNet)
INFO:wafw00f:Checking for ChinaCache Load Balancer (ChinaCache)
INFO:wafw00f:Checking for Chuang Yu Shield (Yunaq)
INFO:wafw00f:Checking for Cloudbric (Penta Security)
INFO:wafw00f:Checking for Cloudflare (Cloudflare Inc.)
INFO:wafw00f:Checking for Cloudfloor (Cloudfloor DNS)
INFO:wafw00f:Checking for Cloudfront (Amazon)
INFO:wafw00f:Checking for CrawlProtect (Jean-Denis Brun)
INFO:wafw00f:Checking for DataPower (IBM)
INFO:wafw00f:Checking for Cloud Protector (Rohde & Schwarz CyberSecurity)
INFO:wafw00f:Checking for DenyALL (Rohde & Schwarz CyberSecurity)
INFO:wafw00f:Checking for Distil (Distil Networks)
INFO:wafw00f:Checking for DOSarrest (DOSarrest Internet Security)
INFO:wafw00f:Checking for DDoS-GUARD (DDOS-GUARD CORP.)
INFO:wafw00f:Checking for DotDefender (Applicure Technologies)
INFO:wafw00f:Checking for DynamicWeb Injection Check (DynamicWeb)
INFO:wafw00f:Checking for Edgecast (Verizon Digital Media)
INFO:wafw00f:Checking for Eisoo Cloud Firewall (Eisoo)
INFO:wafw00f:Checking for Expression Engine (EllisLab)
INFO:wafw00f:Checking for BIG-IP AppSec Manager (F5 Networks)
INFO:wafw00f:Checking for BIG-IP AP Manager (F5 Networks)
INFO:wafw00f:Checking for Fastly (Fastly CDN)
INFO:wafw00f:Checking for FirePass (F5 Networks)
INFO:wafw00f:Checking for FortiWeb (Fortinet)
INFO:wafw00f:Checking for GoDaddy Website Protection (GoDaddy)
INFO:wafw00f:Checking for Greywizard (Grey Wizard)
INFO:wafw00f:Checking for Huawei Cloud Firewall (Huawei)
INFO:wafw00f:Checking for HyperGuard (Art of Defense)
INFO:wafw00f:Checking for Imunify360 (CloudLinux)
INFO:wafw00f:Checking for Incapsula (Imperva Inc.)
INFO:wafw00f:Checking for IndusGuard (Indusface)
INFO:wafw00f:Checking for Instart DX (Instart Logic)
INFO:wafw00f:Checking for ISA Server (Microsoft)
INFO:wafw00f:Checking for Janusec Application Gateway (Janusec)
INFO:wafw00f:Checking for Jiasule (Jiasule)
INFO:wafw00f:Checking for Kona SiteDefender (Akamai)
INFO:wafw00f:Checking for KS-WAF (KnownSec)
INFO:wafw00f:Checking for KeyCDN (KeyCDN)
INFO:wafw00f:Checking for LimeLight CDN (LimeLight)
INFO:wafw00f:Checking for LiteSpeed (LiteSpeed Technologies)
INFO:wafw00f:Checking for Open-Resty Lua Nginx (FLOSS)
INFO:wafw00f:Checking for Oracle Cloud (Oracle)
INFO:wafw00f:Checking for Malcare (Inactiv)
INFO:wafw00f:Checking for MaxCDN (MaxCDN)
INFO:wafw00f:Checking for Mission Control Shield (Mission Control)
INFO:wafw00f:Checking for ModSecurity (SpiderLabs)
INFO:wafw00f:Checking for NAXSI (NBS Systems)
INFO:wafw00f:Checking for Nemesida (PentestIt)
INFO:wafw00f:Checking for NevisProxy (AdNovum)
INFO:wafw00f:Checking for NetContinuum (Barracuda Networks)
INFO:wafw00f:Checking for NetScaler AppFirewall (Citrix Systems)
INFO:wafw00f:Checking for Newdefend (NewDefend)
INFO:wafw00f:Checking for NexusGuard Firewall (NexusGuard)
INFO:wafw00f:Checking for NinjaFirewall (NinTechNet)
INFO:wafw00f:Checking for NullDDoS Protection (NullDDoS)
INFO:wafw00f:Checking for NSFocus (NSFocus Global Inc.)
INFO:wafw00f:Checking for OnMessage Shield (BlackBaud)
INFO:wafw00f:Checking for Palo Alto Next Gen Firewall (Palo Alto Networks)
INFO:wafw00f:Checking for PerimeterX (PerimeterX)
INFO:wafw00f:Checking for PentaWAF (Global Network Services)
INFO:wafw00f:Checking for pkSecurity IDS (pkSec)
INFO:wafw00f:Checking for PT Application Firewall (Positive Technologies)
INFO:wafw00f:Checking for PowerCDN (PowerCDN)
INFO:wafw00f:Checking for Profense (ArmorLogic)
INFO:wafw00f:Checking for Puhui (Puhui)
INFO:wafw00f:Checking for Qcloud (Tencent Cloud)
INFO:wafw00f:Checking for Qiniu (Qiniu CDN)
INFO:wafw00f:Checking for Qrator (Qrator)
INFO:wafw00f:Checking for Reblaze (Reblaze)
INFO:wafw00f:Checking for RSFirewall (RSJoomla!)
INFO:wafw00f:Checking for RequestValidationMode (Microsoft)
INFO:wafw00f:Checking for Sabre Firewall (Sabre)
INFO:wafw00f:Checking for Safe3 Web Firewall (Safe3)
INFO:wafw00f:Checking for Safedog (SafeDog)
INFO:wafw00f:Checking for Safeline (Chaitin Tech.)
INFO:wafw00f:Checking for SecKing (SecKing)
INFO:wafw00f:Checking for eEye SecureIIS (BeyondTrust)
INFO:wafw00f:Checking for SecuPress WP Security (SecuPress)
INFO:wafw00f:Checking for SecureSphere (Imperva Inc.)
INFO:wafw00f:Checking for Secure Entry (United Security Providers)
INFO:wafw00f:Checking for SEnginx (Neusoft)
INFO:wafw00f:Checking for ServerDefender VP (Port80 Software)
INFO:wafw00f:Checking for Shield Security (One Dollar Plugin)
INFO:wafw00f:Checking for Shadow Daemon (Zecure)
INFO:wafw00f:Checking for SiteGround (SiteGround)
INFO:wafw00f:Checking for SiteGuard (Sakura Inc.)
INFO:wafw00f:Checking for Sitelock (TrueShield)
INFO:wafw00f:Checking for SonicWall (Dell)
INFO:wafw00f:Checking for UTM Web Protection (Sophos)
INFO:wafw00f:Checking for Squarespace (Squarespace)
INFO:wafw00f:Checking for SquidProxy IDS (SquidProxy)
INFO:wafw00f:Checking for StackPath (StackPath)
INFO:wafw00f:Checking for Sucuri CloudProxy (Sucuri Inc.)
INFO:wafw00f:Checking for Tencent Cloud Firewall (Tencent Technologies)
INFO:wafw00f:Checking for Teros (Citrix Systems)
INFO:wafw00f:Checking for Trafficshield (F5 Networks)
INFO:wafw00f:Checking for TransIP Web Firewall (TransIP)
INFO:wafw00f:Checking for URLMaster SecurityCheck (iFinity/DotNetNuke)
INFO:wafw00f:Checking for URLScan (Microsoft)
INFO:wafw00f:Checking for UEWaf (UCloud)
INFO:wafw00f:Checking for Varnish (OWASP)
INFO:wafw00f:Checking for Viettel (Cloudrity)
INFO:wafw00f:Checking for VirusDie (VirusDie LLC)
INFO:wafw00f:Checking for Wallarm (Wallarm Inc.)
INFO:wafw00f:Checking for WatchGuard (WatchGuard Technologies)
INFO:wafw00f:Checking for WebARX (WebARX Security Solutions)
INFO:wafw00f:Checking for WebKnight (AQTRONIX)
INFO:wafw00f:Checking for WebLand (WebLand)
INFO:wafw00f:Checking for wpmudev WAF (Incsub)
INFO:wafw00f:Checking for RayWAF (WebRay Solutions)
INFO:wafw00f:Checking for WebSEAL (IBM)
INFO:wafw00f:Checking for WebTotem (WebTotem)
INFO:wafw00f:Checking for West263 CDN (West263CDN)
INFO:wafw00f:Checking for Wordfence (Defiant)
INFO:wafw00f:Checking for WP Cerber Security (Cerber Tech)
INFO:wafw00f:Checking for WTS-WAF (WTS)
INFO:wafw00f:Checking for 360WangZhanBao (360 Technologies)
INFO:wafw00f:Checking for XLabs Security WAF (XLabs)
INFO:wafw00f:Checking for Xuanwudun (Xuanwudun)
INFO:wafw00f:Checking for Yundun (Yundun)
INFO:wafw00f:Checking for Yunsuo (Yunsuo)
INFO:wafw00f:Checking for Yunjiasu (Baidu Cloud Computing)
INFO:wafw00f:Checking for YXLink (YxLink Technologies)
INFO:wafw00f:Checking for Zenedge (Zenedge)
INFO:wafw00f:Checking for ZScaler (Accenture)
INFO:wafw00f:Checking for Shieldon Firewall (Shieldon.io)
INFO:wafw00f:Identified WAF: []
[+] Generic Detection results:
INFO:wafw00f:Request Succeeded
INFO:wafw00f:Request Succeeded
INFO:wafw00f:Request Succeeded
INFO:wafw00f:Request Succeeded
INFO:wafw00f:Request Succeeded
[-] No WAF detected by the generic detection
[~] Number of requests: 7
INFO:wafw00f:Found: 1 matches.

Additional context
The milliseconds-matter site has StackPath WAF in monitor mode.
The jshel.be site has it in protect mode.
This is a really cool app! I work at StackPath, and am happy to help in any way I can!

Also, I'm not sure if it matters, but there are WAFs/Manufacturers on your list reselling the StackPath WAF.

Looking into this right now, and it seems like StackPath WAF has changed their block page. Detecting this would require changes to the regexes in the stackpath plugin. On a MR in 30.
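A triage helper for the `-vv` output quoted in the issue, added here as an example (not code from the wafw00f project): it separates "the plugin ran but its patterns did not match", which is the case in this report, from "the plugin never ran". The function name `triage`, the verdict labels, and the reading of a non-empty `Identified WAF:` line as a Python list repr are assumptions; the sample log is a constructed excerpt in the quoted format.

```python
import re

# Constructed excerpt in the format of the `wafw00f -vv` output quoted in the issue.
SAMPLE_LOG = """\
[*] Checking https://stackpath.com
INFO:wafw00f:starting wafw00f on https://stackpath.com
INFO:wafw00f:Request Succeeded
INFO:wafw00f:Checking for Fastly (Fastly CDN)
INFO:wafw00f:Checking for StackPath (StackPath)
INFO:wafw00f:Checking for Sucuri CloudProxy (Sucuri Inc.)
INFO:wafw00f:Identified WAF: []
[+] Generic Detection results:
[-] No WAF detected by the generic detection
[~] Number of requests: 7
"""

CHECK_RE = re.compile(r"^INFO:wafw00f:Checking for (?P<name>.+)$")
IDENT_RE = re.compile(r"^INFO:wafw00f:Identified WAF: \[(?P<items>.*)\]$")
REQS_RE = re.compile(r"^\[~\] Number of requests: (?P<n>\d+)$")


def triage(log_text, expected):
    """Classify why `expected` (a plugin name) was or was not reported."""
    checked, identified, requests = [], [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := CHECK_RE.match(line):
            checked.append(m["name"])
        elif m := IDENT_RE.match(line):
            # Assumption: a non-empty list is logged as a Python list repr.
            identified = re.findall(r"'([^']*)'", m["items"])
        elif m := REQS_RE.match(line):
            requests = int(m["n"])
    if expected in identified:
        verdict = "detected"
    elif expected in checked:
        verdict = "signature-miss"   # plugin ran, its patterns did not match
    else:
        verdict = "plugin-not-run"   # no "Checking for" line for this plugin
    return {"verdict": verdict, "checked": len(checked),
            "identified": identified, "requests": requests}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "StackPath (StackPath)"))
```

A `signature-miss` verdict on a site known to sit behind the product points at stale plugin patterns rather than at the scan itself.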

I pushed some fixes in #166:

$ wafw00f http://jshel.be -a

                ______
               /      \
              (  W00f! )
               \  ____/
               ,,    __            404 Hack Not Found
           |`-.__   / /                      __     __
           /"  _/  /_/                       \ \   / /
          *===*    /                          \ \_/ /  405 Not Allowed
         /     )__//                           \   /
    /|  /     /---`                        403 Forbidden
    \\/`   \ |                                 / _ \
    `\    /_\\_              502 Bad Gateway  / / \ \  500 Internal Error
      `_____``-`                             /_/   \_\

                        ~ WAFW00F : v2.2.0 ~
        The Web Application Firewall Fingerprinting Toolkit
    
[*] Checking http://jshel.be
[+] The site http://jshel.be is behind Fastly (Fastly CDN) and/or StackPath (StackPath) WAF.
[+] Generic Detection results:
[*] The site http://jshel.be seems to be behind a WAF or some sort of security solution
[~] Reason: The response was different when the request wasn't made from a browser.
Normal response code is "200", while the response code to a modified request is "403"
[~] Number of requests: 4

Fixed in #166.