class XspearScan::CallbackCheckWAF

Public Instance Methods

# File lib/XSpear.rb, line 99
def run
  # Reports every web application firewall whose marker string is present in
  # @response, then returns the "not reflected" result to the scan loop.
  #
  # Each key below is looked up directly with @response[key]; the paired value
  # is the product name that gets printed and recorded on @report.
  # NOTE(review): several keys are written like regular expressions
  # ('Mod_Security|NOYB', 'st8(id)', 'X-Backside-Transport.*?(OK|FAIL)') but
  # are used here as literal lookup keys, so they presumably can never match —
  # confirm against how @response indexes its headers/body before relying on
  # those entries.
  #
  # @return [Array(false, String)] always [false, "not reflected #{@query}"];
  #   a detected WAF only produces log output and report issues.
  signatures = {
    'AWS' => 'AWS Web Application FW',
    'ACE XML Gateway' => 'Cisco ACE XML Gateway',
    'cloudflare' => 'CloudFlare',
    'cf-ray' => 'CloudFlare',
    'Error from cloudfront' => 'Amazone CloudFront',
    'Protected by COMODO WAF' => 'Comodo Web Application FW',
    'X-Backside-Transport.*?(OK|FAIL)' => 'IBM WebSphere DataPower',
    'FORTIWAFSID' => 'FortiWeb Web Application FW',
    'ODSESSION' => 'Hyperguard Web Application FW',
    'AkamaiGHost' => 'KONA(AKAMAIGHOST)',
    'Mod_Security|NOYB' => 'ModSecurity',
    'naxsi/waf' => 'NAXSI',
    'NCI__SessionId=' => 'NetContinuum Web Application FW',
    'citrix_ns_id' => 'Citrix NetScaler',
    'NSC_' => 'Citrix NetScaler',
    'NS-CACHE' => 'Citrix NetScaler',
    'newdefend' => 'Newdefend Web Application FW',
    'NSFocus' => 'NSFOCUS Web Application FW',
    'PLBSID' => 'Profense Web Application Firewall',
    'X-SL-CompState' => 'AppWall (Radware)',
    'safedog' => 'Safedog Web Application FW',
    'Sucuri/Cloudproxy|X-Sucuri' => 'CloudProxy WebSite FW',
    'X-Sucuri' => 'CloudProxy WebSite FW',
    'st8(id)' => 'Teros/Citrix Application FW',
    'st8(_wat)' => 'Teros/Citrix Application FW',
    'st8(_wlf)' => 'Teros/Citrix Application FW',
    'F5-TrafficShield' => 'TrafficShield',
    'Rejected-By-UrlScan' => 'MS UrlScan',
    'Secure Entry Server' => 'USP Secure Entry Server',
    'nginx-wallarm' => 'Wallarm Web Application FW',
    # trailing space in the product name is kept as-is to preserve output
    'WatchGuard' => 'WatchGuard ',
    'X-Powered-By-360wzb' => '360 Web Application',
    'WebKnight' => 'WebKnight Application FW'
  }

  signatures.each do |marker, product|
    # Only a nil lookup means "absent"; any other value counts as a hit.
    next if @response[marker].nil?

    stamp = Time.now.strftime('%H:%M:%S')
    puts "#{'[I]'.blue} [#{stamp}] Found WAF: #{product}"
    @report.add_issue('i', 'd', '-', '-', '<original query>', "Found WAF: #{product}")
  end

  [false, "not reflected #{@query}"]
end