How to write new WAF checks
Steps to becoming a wafw00f groupie
- Create a new python script in the plugins directory with the short-name of the check (e.g.
- Use the template below to get started
- Make modifications within the
is_wafmethod so that it returns
Trueif the WAF is detected, otherwise return False
- Test and test some more
- Once happy with the results, you are welcome to submit a pull on github
Simple template for getting started
#!/usr/bin/env python NAME = 'WAF Name' def is_waf(self): return self.matchheader(('X-Powered-By-WAF', 'regex'))
The following tips should help you in getting quickly up to scratch with adding new checks:
- Check the code in the
pluginsdirectory, some checks are very simple, others a bit more complex
- Sometimes, WAFs will simply reveal themselves all the time through some HTTP header
- Other times, they will show themselves only when certain rules are triggered by the "attacks"
- Note that each HTTP request and response is cached so that the tool does not emit a huge amount of traffic
Exposed methods for your checks
When creating new checks, you will normally want to make use of one of the following methods:
self.matchheader(headermatch, attack=False, ignorecase=True), where
headermatchis a tuple consisting of the header name (case insensitive) and a regular expression to match the value of the header, e.g.
('someheader','^SuperWAF[a-fA-F0-9]$'). If attack is set to
True, the matchheader does not send the normal HTTP request, but instead sends the five attack requests. The value of
ignorecaseparameter determines if the regular expression match has a
re.IGNORECASEflag or not.
self.matchcookie(match)which is a shortcut for
If you need more flexibility, the
matchheader() function is making use of the following, which are also accessible from each check:
self.request(self, method='GET', path=None, usecache=True, cacheresponse=True, headers=None, comingfromredir=False)
self.request and methods based on it (e.g.
normalrequest() and functions in
attacks) makes use of
httplib and returns an