You will find below a patch for WAFW00F (a tool used to fingerprint Web Application Firewalls) that adds identification of the Imperva SecureSphere WAF.
One characteristic of Imperva is that it responds with an HTTP/1.0 message even when the request is made in HTTP/1.1. The other WAFs I've worked with do not have the same behaviour (but there may be a few false positives).

This was tested with Imperva 6.2 and 7.0 in transparent bridge mode.

The whole modified wafw00f.py can be found here (or on the project issue list), and the diff is below.

421,431d420
<
<     def isimperva(self):
<         # Imperva SecureSphere
<               for attack in self.attacks:
<                       r = attack(self)
<                       if r is None:
<                               return
<                       response, responsebody = r
<                       if response.version == 10:
<                               return True
<               return False
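Review bot: the loop returns True on the first attack response whose version is 1.0 with nothing to compare it against, so any origin server or proxy that always answers HTTP/1.0 will be reported as Imperva; since the post already expects false positives, consider first recording the version of the response to a benign request and only flagging when that was HTTP/1.1 while the attack responses come back as HTTP/1.0. Two smaller points: the bare `return` taken when an attack yields no response returns None rather than the False returned at the end, so the function has three outcomes where the other detections presumably have two; and the indentation of the loop body does not match the four-space step used on the `def isimperva(self):` and comment lines, which suggests mixed tabs and spaces, so re-indent with spaces throughout.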
475d463
<     wafdetections['Imperva'] = isimperva
483c471
<                          'SecureIIS','BeeWare','Imperva']
---
>                          'SecureIIS','BeeWare']
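Review bot: the diff runs in the reverse direction: the `<` side carries the new 'Imperva' entry and the `>` side the original list, and the first hunk is a `d` that deletes the new function, so it was generated with the modified file as the first argument; feeding it to `patch` against a clean wafw00f.py will fail or apply backwards. Regenerate it as `diff -u wafw00f.py.orig wafw00f.py` so the hunks add the lines and carry context.
</grm_insert_placeholder_never_emitted>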

Update: Imperva posted a blog entry about this patch, criticizing it. The author did not even understand that this was only a small patch, and that I was not the author of WAFW00F. He also argues that hacking is no longer manual, but failed to realize that identifying devices is generally the first step of automatic tools.
Update 2: SecureSphere in reverse proxy mode (the kernel one) has the same behaviour.
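The fingerprint described above, as an added example that is not part of the original patch or of WAFW00F: it parses raw HTTP responses offline and flags a SecureSphere-style version downgrade only when a benign baseline request was answered in HTTP/1.1 but the probe came back as HTTP/1.0, which avoids the false positive from a server that always speaks 1.0. The function names and the sample responses are constructed for the example.

```python
# Added example, not WAFW00F code. Compares the HTTP version of a baseline
# (benign) response with that of a probe response the WAF may answer in the
# server's place, mirroring the response.version == 10 test from the patch.
import re

STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})")


def response_version(raw):
    """Return the HTTP version of a raw response as http.client encodes it
    (10 for HTTP/1.0, 11 for HTTP/1.1), or None if the status line is invalid."""
    m = STATUS_LINE.match(raw)
    if not m:
        return None
    return int(m.group(1)) * 10 + int(m.group(2))


def downgrade_suspected(baseline_raw, probe_raw):
    """True when the benign request got HTTP/1.1 but the probe got HTTP/1.0.
    A server answering 1.0 in both cases is not flagged; malformed input
    yields None because nothing can be concluded from it."""
    base = response_version(baseline_raw)
    probe = response_version(probe_raw)
    if base is None or probe is None:
        return None
    return base == 11 and probe == 10


# Constructed sample responses (not real captures).
BASELINE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
PROBE_WAF = b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
PROBE_SAME = b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
OLD_SERVER = b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(downgrade_suspected(BASELINE, PROBE_WAF))     # True
    print(downgrade_suspected(BASELINE, PROBE_SAME))    # False
    print(downgrade_suspected(OLD_SERVER, OLD_SERVER))  # False
```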

October 29, 2009, 10:14 am


Currently 5 comments

  1. Comment by Mathieu Dessus

    I’ve also added detection for IBM Data Power: http://code.google.com/p/waffit/source/list

  2. Comment by Mathieu Dessus

    Yes it can be detected. As long as the WAF is responding in place of the real web server, the trick should work.

  3. Comment by Anant

    Hi,
    I am a little confused. If Imperva SecureSphere is deployed in INLINE BRIDGE mode, can it still be detected?

    As I understand it, it can be detected only if the WAF is deployed in reverse proxy mode.

    As we don't give an IP address to the WAF in bridge mode, can it still be detected?

  4. Comment by Mathieu Dessus

    Yes, you got it: when doing an HTTP/1.1 request, you should get an HTTP/1.1 response. With SecureSphere, this is not the case, while a regular web server, and a few other WAFs I tested, respond with the same version.

  5. Comment by Ofer Shezaf

    As far as I understand, the patch simply checks that the HTTP response version is 1.0. I am not sure and would appreciate any comment on why this would identify a SecureSphere.
