wafrift-detect 0.2.13

WAF detection from response headers and body, response fingerprint drift analysis.
# WAF block-page body indicators.
#
# Phrases that, when found in a response body (case-insensitive),
# strongly suggest a WAF interception page.
#
# Each `[[indicator]]` stanza carries two string keys:
#   phrase      - the text searched for in the response body
#   description - free-text note on where the phrase comes from, or a
#                 caveat about using it
#
# NOTE(review): every phrase below is written in lowercase. Presumably
# the scanner normalises case on its side; confirm before adding a
# phrase that contains uppercase letters.
#
# NOTE(review): several entries are short, everyday words ("waf",
# "blocked", "challenge", "forbidden", "firewall"). If the scanner
# matches plain substrings (confirm in the scanner code), these also
# occur in ordinary page content, so a body match is best read together
# with the status code and response headers rather than on its own.
#
# Community contributions welcome — append a new `[[indicator]]`
# stanza. The Aho-Corasick scanner handles any number of patterns
# in a single O(n) pass, so adding to the list costs nothing at
# scan time.

[[indicator]]
phrase = "access denied"
description = "Generic block phrase used by ModSecurity, Imperva, and many cloud WAFs"

# The ordering requirement below is stated only in the description text;
# nothing in this file enforces it, so the consumer has to apply the
# status-code check before trusting this phrase.
[[indicator]]
phrase = "blocked"
description = "Catch-all (must run after status-code check to avoid 404 page false positives)"

# Per its own description this phrase also appears on plain nginx error
# pages, so it points to a 403 page in general, not specifically to a WAF.
[[indicator]]
phrase = "forbidden"
description = "HTTP-403-aligned phrase common to nginx error pages and WAF templates"

# NOTE(review): CAPTCHA widgets are also embedded in ordinary login and
# sign-up forms, so this phrase alone does not separate a challenge
# interstitial from a normal page.
[[indicator]]
phrase = "captcha"
description = "Indicates a managed challenge — Cloudflare, hCaptcha, reCAPTCHA"

# NOTE(review): common English word; likely to appear in unrelated body
# text if matching is substring-based.
[[indicator]]
phrase = "challenge"
description = "Cloudflare/Akamai managed-challenge JS interstitials"

[[indicator]]
phrase = "request denied"
description = "Imperva default block-page text"

[[indicator]]
phrase = "security policy"
description = "ModSecurity / OWASP CRS default phrasing"

[[indicator]]
phrase = "not acceptable"
description = "HTTP-406 phrasing — used by mod_security to obscure 403"

# NOTE(review): this and "too many requests" describe throttling; the
# response may come from an application-level rate limiter rather than
# a WAF. Confirm how the consumer distinguishes the two.
[[indicator]]
phrase = "rate limit"
description = "Generic 429 / WAF rate-limit page text"

[[indicator]]
phrase = "too many requests"
description = "RFC 6585 status text leaked into body"

# NOTE(review): three-letter phrase. As a plain substring it would also
# match inside unrelated words (for example "waffle"); confirm the
# scanner's matching mode before relying on it.
[[indicator]]
phrase = "waf"
description = "Self-identifying block page"

[[indicator]]
phrase = "firewall"
description = "Self-identifying block page (often verbose error templates)"

# This phrase contains "blocked", so any body that matches here also
# matches the catch-all "blocked" entry above.
[[indicator]]
phrase = "request blocked"
description = "Cloudflare and Imperva block-page templates"