Finalizing implementation for an Issue #290

lib/controller/checks.py

@@ -36,6 +36,7 @@ from lib.core.common import readInput
 from lib.core.common import showStaticWords
 from lib.core.common import singleTimeLogMessage
 from lib.core.common import singleTimeWarnMessage
+from lib.core.common import urlencode
 from lib.core.common import wasLastResponseDBMSError
 from lib.core.common import wasLastResponseHTTPError
 from lib.core.data import conf
@@ -43,6 +44,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.datatype import AttribDict
 from lib.core.datatype import InjectionDict
+from lib.core.decorators import cachedmethod
 from lib.core.dicts import FROM_DUMMY_TABLE
 from lib.core.enums import DBMS
 from lib.core.enums import HEURISTIC_TEST
@@ -1045,15 +1047,26 @@ def identifyWaf():
     infoMsg += "backend WAF/IPS/IDS protection"
     logger.info(infoMsg)
 
+    @cachedmethod
+    def _(*args, **kwargs):
+        try:
+            if kwargs.get("get"):
+                kwargs["get"] = urlencode(kwargs["get"])
+            kwargs["raise404"] = False
+            return Request.getPage(*args, **kwargs)
+        except Exception, ex:
+            return None, None, None
+
     retVal = False
-    page, headers, code = Request.getPage()
 
     for function, product, request in kb.wafFunctions:
         found = False
+
         if not request:
-            found = function(page or "", headers or {}, code)
+            found = function(_)
         else:
             pass
+
         if found:
             retVal = product
             break
@@ -1063,7 +1076,7 @@ def identifyWaf():
         warnMsg += "consider usage of tamper scripts (option '--tamper')"
         logger.critical(warnMsg)
     else:
-        warnMsg = "no WAF/IDS/IPS were identified"
+        warnMsg = "WAF/IDS/IPS product not identified"
         logger.warn(warnMsg)
 
     return retVal

lib/core/enums.py

@@ -150,13 +150,9 @@ class HTTPHEADER:
     PROXY_CONNECTION = "Proxy-Connection"
     RANGE = "Range"
     REFERER = "Referer"
+    SERVER = "Server"
     USER_AGENT = "User-Agent"
 
-class WAF_REQUEST:
-    GET = 1
-    POST = 2
-    HEADERS = 3
-
 class EXPECTED:
     BOOL = "bool"
     INT = "int"

lib/core/option.py

@@ -905,6 +905,9 @@ def _setWafFunctions():
             dirname, filename = os.path.split(found)
             dirname = os.path.abspath(dirname)
 
+            if filename == "__init__.py":
+                continue
+
             debugMsg = "loading WAF script '%s'" % filename[:-3]
             logger.debug(debugMsg)
 

lib/core/settings.py

@@ -380,7 +380,15 @@ BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
 BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"
 
 # Payload used for checking of existence of IDS/WAF (dummier the better)
-IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables"
+IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"
+
+# Vectors used for provoking specific WAF/IDS/IPS behavior(s)
+WAF_ATTACK_VECTORS = (
+                        "search=<script>alert(1)</script>",
+                        "file=../../../../etc/passwd",
+                        "q=<invalid>foobar",
+                        "id=1 %s" % IDS_WAF_CHECK_PAYLOAD
+                     )
 
 # Used for status representation in dictionary attack phase
 ROTATING_CHARS = ('\\', '|', '|', '/', '-')