Plugins tainted by others #41

Closed
ghost opened this issue Sep 13, 2017 · 1 comment
Labels
question User needs help about something.

Comments

@ghost

ghost commented Sep 13, 2017

Hi, this is generally more of a question/guidance while I try to develop a plugin.

I'm trying to write a plugin for AWS WAF detection. You can see my current state at https://github.com/d-j-c/wafw00f/blob/master/wafw00f/plugins/aws.py

AWS WAF is interesting as it is an API called by CloudFront - so the identifiers are of CloudFront, not of the WAF - the way to detect the WAF is to run tests and see if a 403 is returned from CloudFront. However, even without the WAF enabled, CloudFront returns 403 if such conditions as a mangled header are submitted.

What I am finding is that if I turn off the WAF I am still falsely detecting AWS WAF because of 403s being returned from CloudFront by checks of the other plugins. For example isaserver.py submits an invalid Host, CloudFront returns 403 and my plugin goes 'oh yup, that must be AWS WAF'.

My question is - is there a way to 'strict' match a plugin - I want to return positive if only the checks within the aws.py plugin return true (I've tested the default attack checks and CloudFront does not return 403 to any of these).

@sandrogauci
Member

Hi @d-j-c .. apologies for the late response. I'm not 100% sure that I understand what you are seeing. Some logs would be helpful. Feel free to email me privately - sandro@enablesecurity.com.

I have a feeling, however, that what you need is to prioritize your aws plugin ahead of those that are currently matching. This is done by editing wafdetectionsprio.py. The first ones should always be the ones that match with a non-attack request (kind of passively).

For testing purposes, you should make use of the --find-all option, unless you are already doing so:

    parser.add_option('-a', '--findall', action='store_true', dest='findall', default=False,
                      help='Find all WAFs, do not stop testing on the first one')

The default behavior is to stop testing after the first one matches so as to avoid sending unnecessary requests.

Does this answer your question? Looking forward to your new plugin.

@0xInfection 0xInfection added the question User needs help about something. label Jun 6, 2019
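
The interaction discussed in this thread, as an added example that is neither wafw00f code nor code from either participant: a constructed CloudFront-like edge, one detector that reads every response seen during the scan, and one that reads only its own probes. All names (`Session`, `scan`, `aws_tainted`, `aws_strict`, `invalid_host_plugin`) are hypothetical, and the shared response log is an assumption modelling the taint the issue describes.

```python
# Added illustration; every name here is hypothetical, none is wafw00f's API.
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    via: str = "1.1 edge.example (CloudFront)"  # constructed header value

class Session:
    """Constructed CloudFront-like edge plus a response log shared by all plugins."""
    def __init__(self, waf_enabled):
        self.waf_enabled = waf_enabled
        self.log = []  # (owner, Response) for every probe sent in this scan

    def send(self, owner, valid_host=True, attack=False):
        # Per the issue: a mangled header gets a 403 even with the WAF off;
        # attack payloads get a 403 only when the WAF is on.
        blocked = (not valid_host) or (attack and self.waf_enabled)
        resp = Response(403 if blocked else 200)
        self.log.append((owner, resp))
        return resp

def is_cf_403(resp):
    return resp.status == 403 and "CloudFront" in resp.via

def invalid_host_plugin(session):
    # Stands in for another plugin whose probe sends an invalid Host header.
    session.send("other", valid_host=False)
    return False

def aws_tainted(session):
    session.send("aws", attack=True)
    # Matches on any 403 in the scan, including other plugins' probes.
    return any(is_cf_403(r) for _, r in session.log)

def aws_strict(session):
    session.send("aws", attack=True)
    # Matches only on responses to probes this plugin sent itself.
    return any(owner == "aws" and is_cf_403(r) for owner, r in session.log)

def scan(plugins, waf_enabled, findall=False):
    session, found = Session(waf_enabled), []
    for name, detect in plugins:
        if detect(session):
            found.append(name)
            if not findall:
                break  # default: stop at the first match
    return found

if __name__ == "__main__":
    other = ("Other", invalid_host_plugin)
    print(scan([other, ("AWS WAF", aws_tainted)], waf_enabled=False))
    print(scan([other, ("AWS WAF", aws_strict)], waf_enabled=False))
```

Running the tainted detector first in the list also avoids the false match in this model, which is the effect of the priority ordering suggested above.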