During a large application assessment, I noticed in a cookie that it was load balanced. I gathered as many unique cookies I could and noticed the application was spread across many web servers. This allows room for errors concerning a WAF. Why not attack a server that the WAF is not protecting?

On this note I wrote a quick little NASL script to find a server that is not protected by the WAF. The only trick to this script is understanding what response you get once the WAF is triggered. Every WAF I have worked with all block the User Agent “nikto” by default. To find the response it gives I just set my User Agent to “nikto” and make a standard GET request. If this doesn’t work you can call your basic XSS stuff and it will usually trigger the WAF.

Once you can get the WAF triggered you just have to find something different in the response for the script to look for. In my case it was just “error”. Now just run the script and see if any WAF’s are down.

#Create tcp socket to webserver port
socket_timeout = 5;
soc = open_sock_tcp(80);
#grab host ip of current box with socket open
#if socket was created
if (soc) {
#create string and send
str = string("GET /index.html HTTP/1.0\r\nUser-Agent:Nikto\r\n\r\n");
send(socket:soc, data:str);
#grab data from the socket
page = recv(socket:soc, length:4096);
#grep for the line with error or whatever waf refturns
error = egrep(pattern:"error*", string : page);
#if grep returns value
display("WAF ON ",hostip,"\n");
display("WAF OFF ",hostip,"\n");
#close socket

I found this script pretty handy for pen-testing and monitoring.

On the monitoring side you can just throw it in a cron job and have it email you if any WAF’s were found to be off.

On the pen-testing side its a lot easier attacking an app with out those pesky WAF’s