Penetration test information collection - WAF identification
2022-07-06 18:35:00 【Aspirin. two thousand and two】
WAF identification
A Web Application Firewall (WAF) is also known as a website application-level intrusion prevention system. A widely used definition: a web application firewall is a product that protects web applications by enforcing a set of security policies on HTTP/HTTPS traffic.
Difference between a WAF and a network firewall
A network firewall is an access-control device that works mainly at layers 3 and 4 of the OSI model, inspecting IP packets. It can only restrict ports and block TCP connections. Its design does not require any understanding of HTTP sessions, so it cannot interpret web application languages such as HTML or SQL, and therefore cannot perform input validation or attack-rule analysis on HTTP traffic. Most malicious attacks against websites are wrapped in HTTP requests and pass straight through the firewall on port 80 or 443.
Types of WAF
- Hardware appliances (NSFOCUS, Venustech, DBAPPSecurity, Knownsec, Topsec, etc.)
- Software products (SafeDog, Yunsuo, D Shield, etc.)
- Cloud-based WAF (Alibaba Cloud, DBAPPSecurity, Knownsec)
WAF identification methods
wafw00f: https://github.com/EnableSecurity/wafw00f
Check the HTTP response headers for `X-Powered-By: WAF`
Using the tool
Target site: https://www.safedog.cn/
From the tool's folder, run `python main.py https://www.safedog.cn/`
Once you know that a site uses a WAF, identify the vendor before attempting any bypass. Also, knowing that a WAF is present, be careful when running scanning tools, because the source IP is easily banned.
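The header check described above, as an added example that is not code from the original post or from wafw00f: it parses a raw HTTP response and matches its headers against a small signature table. The table is an assumption built from the post's own hint (`X-Powered-By: WAF` on a SafeDog-protected site) plus widely documented Cloudflare headers; the sample response is constructed. The same routine lets a defender confirm what their own site's response headers give away.

```python
from typing import Optional

# Each entry: (header name, substring expected in its value, WAF label).
# Assumed table: the first row comes from the post's hint, the others are
# commonly documented headers; real tools carry far larger tables.
SIGNATURES = [
    ("x-powered-by", "waf", "SafeDog (X-Powered-By: WAF)"),
    ("server", "cloudflare", "Cloudflare"),
    ("cf-ray", "", "Cloudflare"),  # presence of the header alone is enough
]


def parse_response_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.x response (status line + headers) into a dict.
    Header names are lower-cased; repeated headers are joined with ', '."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def identify_waf(headers: dict) -> Optional[str]:
    """Return the first matching WAF label, or None if nothing matches.
    Header names and values are compared case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, needle, label in SIGNATURES:
        if name in lowered and needle in lowered[name].lower():
            return label
    return None


# Constructed sample response, modelled on the header the post mentions.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: WAF\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(identify_waf(parse_response_headers(SAMPLE_RESPONSE)))
```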