Update of WAF scripts

waf/cerber.py

@@ -0,0 +1,23 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
+See the file 'LICENSE' for copying permission
+"""
+
+import re
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "WP Cerber Security (Cerber Tech)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, _, _ = get_page(get=vector)
+        retval = any(_ in (page or "") for _ in ("We're sorry, you are not allowed to proceed", "Your request looks suspicious or similar to automated requests from spam posting software"))
+        if retval:
+            break
+
+    return retval

waf/incapsula.py

@@ -21,6 +21,8 @@ def detect(get_page):
         retval |= re.search(r"Incapsula", headers.get("X-CDN", ""), re.I) is not None
         retval |= any(_ in (page or "") for _ in ("Incapsula incident ID", "_Incapsula_Resource?", "?subject=WAF Block Page:"))
         retval |= all(_ in (page or "") for _ in ("Application Firewall Error", "If you feel you have been blocked in error, please contact Customer Support"))
+        retval |= all(_ in (page or "") for _ in ("Error code 15", "This request was blocked by the security rules"))
+        retval |= re.search(r"(?i)incident.{1,100}?\b\d{19}\-\d{17}\b", page or "") is not None
         retval |= headers.get("X-Iinfo") is not None
         if retval:
             break

waf/sitelock.py

@@ -9,6 +9,7 @@ from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "TrueShield Web Application Firewall (SiteLock)"
 
+# Note: https://www.whitefirdesign.com/blog/2016/11/08/more-evidence-that-sitelocks-trueshield-web-application-firewall-is-really-incapsulas-waf/
 def detect(get_page):
     retval = False