For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Lokesh's avatar
Lokesh
Icon for Nimbostratus rankNimbostratus
Oct 14, 2019

Linux (Kali) found our application hosted behind F5

We want to stop display of banner name of F5 to any WAF detection tools , as during VAPT it was seen that wafw00f (A WAF detection Tool) is able to find out our WAF name through our application.  ...
ASM Advanced WAF
BIG-IP Access Policy Manager (APM)
security
JG's avatar
JG
Icon for Cumulonimbus rankCumulonimbus
Nov 23, 2019

From the source code of the "wafw00f" package below, we can see how APM is defined and detected:

 

def is_waf(self):
    detected = False
    # the following based on nmap's http-waf-fingerprint.nse
    if self.matchcookie('^LastMRH_Session') and self.matchcookie('^MRHSession'):
        return True
    elif self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')) and self.matchcookie('^MRHSession'):
        return True
    if self.matchheader(('Location', '\/my.policy')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchheader(('Location', '\/my\.logout\.php3')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchheader(('Location', '.+\/f5\-w\-68747470.+')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
        return True
    elif self.matchcookie('^F5_fullWT') or self.matchcookie('^F5_ST') or self.matchcookie('^F5_HT_shrinked'):
        return True
    elif self.matchcookie('^MRHSequence') or self.matchcookie('^MRHSHint') or self.matchcookie('^LastMRH_Session'):
        return True
    else:
        return False

.

 

The names of the session cookies just can't be masked, I am afraid.

 

There are other definition files separately for ASM, LTM, etc.