Hi all!
How can we determining if a site (HTTPS) has WAF?
I’m trying to use nmap but no use.
I’m aware of WAFWOOF and softwares like that but I’m not sure if that’s helpful and don’t wannt indulge in setting up the system.
thanks in advance!
5 Likes
What command are you using?
nmap –script=http-waf-fingerprint targetsite.com
There are other tools that you can use also if you wish. I’m not sure about WAFWOOF but in WHATWAF it’s:
./whatwaf -u targetsite.com
1 Like
If you have a page like “/search?q=hi”, and you try loading “/search?id=select%20*%20from%20table” you should be able to trigger it. If there’s a WAF, you’d get a 403 or a dropped request. If there’s no WAF, you’d get your standard results page.
(A friend of mine runs a WAF company, happy to connect you if you’d like to talk to someone with a lot more know-how)
This topic was automatically closed after 465 days. New replies are no longer allowed.