You will find below a patch for WAFW00F (a tool used to fingerprint Web Application Firewall) that allows to identify Imperva SecureSphere WAF.
On characteristic of Imperva is to respond with an HTTP/1.0 message, even if the request is made in HTTP/1.1. The other WAF I’ve worked with do not have the same behaviour (but there may be a few false positive).
This was tested with Imperva 6.2 and 7.0 in transparent bridge mode.
421,431d420 < < def isimperva(self): < # Imperva SecureSphere < for attack in self.attacks: < r = attack(self) < if r is None: < return < response, responsebody = r < if response.version == 10: < return True < return False 475d463 < wafdetections['Imperva'] = isimperva 483c471 < 'SecureIIS','BeeWare','Imperva'] --- > 'SecureIIS','BeeWare']
Update: Imperva posted a blog entry about this patch, criticizing it. The author did not even understand that this was only a small patch, and that I was not the author of Wafwoof . He also argues that hacking is not more manual, but failed to realize that identifying devices is generally the first step of automatic tools.
Update 2: SecureSphere in reverse proxy mode (the kernel one) has the same behaviour.