Forum Discussion
Linux (Kali) found our application hosted behind F5
We want to stop the F5 banner name from being displayed to any WAF detection tools, as during VAPT it was seen that wafw00f (a WAF detection tool) is able to find out our WAF name through our application.
```
root@kali:/home/iicybersecurity/wafw00f# wafw00f example.com

WAFW00F - Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique

Checking https://example.com
The site https://example.com is behind a F5 BIG-IP APM
Number of requests: 11
```
APM isn't really a WAF, it is an authentication module.
And trying to stop APM from getting detected will be impossible in my opinion. The whole setup with the my.policy and such is hard-coded, and the login page contains lots of fingerprintable information.
You will need to do some extreme things to make this happen; I wouldn't pursue it. Just keep your BIG-IP updated and keep an eye out for security alerts.
- ayhatu
Nimbostratus
Hi Everyone,
I had the same problem. Can you help me? When I tested on Kali:
"is behind BIG-IP Access Policy Manager (F5 Networks) WAF"
As mentioned before, you are not going to "fix" this without a huge amount of work and a chance you will break Access Policy Manager.
And why do you want this? To remove this is typical security through obscurity. Just keep up with patches so you are fine.
- ayhatu
Nimbostratus
"Why do you want this?" Isn't it clear why this is wanted to be removed? Because anyone who uses this code (wafw00f) will know that I am using F5.
- JG
Cumulonimbus
From the source code of the "wafw00f" package below, we can see how APM is defined and detected:
```python
def is_waf(self):
    detected = False
    # the following based on nmap's http-waf-fingerprint.nse
    if self.matchcookie('^LastMRH_Session') and self.matchcookie('^MRHSession'):
        return True
    elif self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')) and self.matchcookie('^MRHSession'):
        return True
    if self.matchheader(('Location', '\/my.policy')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchheader(('Location', '\/my\.logout\.php3')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchheader(('Location', '.+\/f5\-w\-68747470.+')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchcookie('^F5_fullWT') or self.matchcookie('^F5_ST') or self.matchcookie('^F5_HT_shrinked'):
        return True
    elif self.matchcookie('^MRHSequence') or self.matchcookie('^MRHSHint') or self.matchcookie('^LastMRH_Session'):
        return True
    else:
        return False
```
The names of the session cookies just can't be masked, I am afraid.
There are other definition files separately for ASM, LTM, etc.
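An added example, not part of the original thread and not wafw00f's own code: a self-audit that lists which signals from the quoted rules a response exposes, and shows that stripping only the Server header still leaves the cookie rules matching. The function names and sample headers are constructed, and the matching used here (case-insensitive search on header values, prefix match on cookie names) is an assumption about how the quoted patterns are applied.

```python
import re

# Patterns taken from the is_waf() rules quoted above.
SERVER_RE = re.compile(r'BigIP|BIG-IP|BIGIP', re.I)
LOCATION_RES = [r'/my.policy', r'/my\.logout\.php3', r'.+/f5-w-68747470.+']
# Cookie names that satisfy a rule on their own (the last two elif branches).
SOLO_COOKIES = ('F5_fullWT', 'F5_ST', 'F5_HT_shrinked',
                'MRHSequence', 'MRHSHint', 'LastMRH_Session')


def apm_signals(headers):
    """List the fingerprintable signals in (name, value) response headers."""
    found = []
    for name, value in headers:
        lname = name.lower()
        if lname == 'server' and SERVER_RE.search(value):
            found.append('server:' + value)
        elif lname == 'location':
            found += ['location:' + p for p in LOCATION_RES if re.search(p, value)]
        elif lname == 'set-cookie':
            cookie = value.split('=', 1)[0].strip()
            if cookie.startswith(SOLO_COOKIES + ('MRHSession',)):
                found.append('cookie:' + cookie)
    return found


def detected(headers):
    """Reduce the quoted rule chain: Server header alone, or any solo cookie.

    The Location and MRHSession rules only fire together with the Server
    header, so they are subsumed by the Server-only branch.
    """
    sigs = apm_signals(headers)
    server = any(s.startswith('server:') for s in sigs)
    solo = any(s[len('cookie:'):].startswith(SOLO_COOKIES)
               for s in sigs if s.startswith('cookie:'))
    return server or solo


# Constructed sample response headers (not captured from a real system).
SAMPLE = [
    ('Server', 'BigIP'),
    ('Location', '/my.policy'),
    ('Set-Cookie', 'LastMRH_Session=0a1b2c3d; path=/; secure'),
    ('Set-Cookie', 'MRHSession=0123456789abcdef; path=/; secure'),
]
MASKED = [(n, v) for n, v in SAMPLE if n.lower() != 'server']

if __name__ == '__main__':
    print(apm_signals(SAMPLE))
    print('detected with Server header removed:', detected(MASKED))
```

With the Server header removed, `LastMRH_Session` alone still satisfies the last rule, which is the point made above about the session cookie names.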