日韩无码专区无码一级三级片|91人人爱网站中日韩无码电影|厨房大战丰满熟妇|AV高清无码在线免费观看|另类AV日韩少妇熟女|中文日本大黄一级黄色片|色情在线视频免费|亚洲成人特黄a片|黄片wwwav色图欧美|欧亚乱色一区二区三区

RELATEED CONSULTING
相關(guān)咨詢
選擇下列產(chǎn)品馬上在線溝通
服務(wù)時間:8:30-17:00
你可能遇到了下面的問題
關(guān)閉右側(cè)工具欄

新聞中心

這里有您想知道的互聯(lián)網(wǎng)營銷解決方案
WAF指紋探測及識別技術(shù)

Web應(yīng)用防護(hù)系統(tǒng)(也稱:網(wǎng)站應(yīng)用級入侵防御系統(tǒng)。英文:Web Application Firewall,簡稱: WAF)。利用國際上公認(rèn)的一種說法:Web應(yīng)用防火墻是通過執(zhí)行一系列針對HTTP/HTTPS的安全策略來專門為Web應(yīng)用提供保護(hù)的一款產(chǎn)品。本文介紹了常見的WAF指紋識別的一些技術(shù),詳見如下:

10年積累的成都網(wǎng)站設(shè)計、成都做網(wǎng)站經(jīng)驗(yàn),可以快速應(yīng)對客戶對網(wǎng)站的新想法和需求。提供各種問題對應(yīng)的解決方案。讓選擇我們的客戶得到更好、更有力的網(wǎng)絡(luò)服務(wù)。我雖然不認(rèn)識你,你也不認(rèn)識我。但先網(wǎng)站設(shè)計制作后付款的網(wǎng)站建設(shè)流程,更有蕭山免費(fèi)網(wǎng)站建設(shè)讓你可以放心的選擇與我們合作。

一、WAF指紋

Cookie值

Citrix Netscaler

“Citrix Netscaler”會在HTTP返回頭部Cookie位置加入“ns_af”的值,可以以此判斷為Citrix Netscaler的WAF,國內(nèi)此類WAF很少(這貨居然是searchsecurity認(rèn)定的2013最好的防火墻)。

一個惡意的請求示例:

GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&
Connection: keep-alive
Cache-Control: max-age=0

F5 BIG IP ASM

F5 BiG IP ASM會在Cookie中加入“TS+隨機(jī)字符串”的Cookie信息,一個非惡意的請求如下:
GET / HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299
Connection: keep-alive
Cache-Control: max-age=0

HTTP響應(yīng)

Mod_Security

Mod_Security是為Apache設(shè)計的開源Web防護(hù)模塊,一個惡意的請求Mod_Security會在響應(yīng)頭返回“406 Not acceptable”的信息。

請求:

GET /HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

響應(yīng):

HTTP/1.1 406 Not Acceptable
Date: Thu, 05 Dec 2013 03:33:03 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Not Acceptable!
Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

WebKnight

WebKnight是用來設(shè)計在IIS下面使用的WAF設(shè)備,較為常見。WebKnight會對惡意的請求返回“999 No Hacking”的信息。

請求:

GET /?PageID=99HTTP/1.1
Host: www.aqtronix.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

響應(yīng):

HTTP/1.1 999 No Hacking
Server: WWW Server/1.1
Date: Thu, 05 Dec 2013 03:14:23 GMT
Content-Type: text/html; charset=windows-1252
Content-Length: 1160
Pragma: no-cache
Cache-control: no-cache
Expires: Thu, 05 Dec 2013 03:14:23 GMT

F5 BIG IP

F5 BIG IP會對惡意請求返回“419 Unknown”的信息,如下:

GET /'
dirtravstring = '../../../../etc/passwd'
cleanhtmlstring = 'hello'
isaservermatch = 'Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  )'

使用“python wafw00f.py -h”可以查看工具的使用方法,運(yùn)行示例:

python wafw00f.py http://www.victim.org/

基于Cookie的檢測

Wafw00f的探測大部分是基于Cookie的檢測。

F5asm的檢測規(guī)則如下:

def isf5asm(self):
# credit goes to W3AF
return self.matchcookie('^TS[a-zA-Z0-9]{3,6}=')

基于響應(yīng)頭的檢測

Profense在響應(yīng)頭會包含'server','profense'的信息。

def isprofense(self):
"""
Checks for server headers containing "profense"
"""
return self.matchheader(('server','profense'))

sqlmap

Sqlmap是一款檢測和利用SQLi漏洞工具,也是基于python編寫,業(yè)內(nèi)認(rèn)同率較高,sqlmap用來探測WAF類型想比較Wafw00f來說還多一些。

參考:

https://github.com/sqlmapproject/sqlmap/tree/master/waf

Sqlmap用來探測每種WAF設(shè)備都是一個python文件,同樣是從cookie信息或者返回頭信息進(jìn)行判斷。

以Mod_Security為例

#!/usr/bin/env python

"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import re

from lib.core.enums import HTTP_HEADER
from lib.core.settings import WAF_ATTACK_VECTORS

__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"

def detect(get_page):
retval = False

for vector in WAF_ATTACK_VECTORS:
page, headers, code = get_page(get=vector)
retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page, re.I) is None
retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
if retval:
break
return retval

Sqlmap用來探測WAF的命令如下:

python sqlmap.py -u “http://www.victim.org/ex.php?id=1” --identify-waf

貌似必須是或自己修改的類似動態(tài)參數(shù)才能使用。

xenoitx

檢測和利用XSS漏洞的神器,WAF檢測也是其中的功能之一。


本文標(biāo)題:WAF指紋探測及識別技術(shù)
轉(zhuǎn)載來于:http://www.5511xx.com/article/cccgsee.html