Lokesh
Oct 14, 2019

Linux (Kali) found our application hosted behind F5


We want to stop the display of the F5 banner name to any WAF detection tools, as during VAPT it was seen that wafw00f (a WAF detection tool) is able to find out our WAF name through our application.

root@kali:/home/iicybersecurity/wafw00f# wafw00f example.com

^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'

WAFW00F - Web Application Firewall Detection Tool

By Sandro Gauci && Wendel G. Henrique

Checking https://example.com
The site https://example.com is behind a F5 BIG-IP APM
Number of requests: 11

6 Replies

  • APM isn't really a WAF, it is an authentication module.

     

    And trying to stop APM from getting detected will be impossible in my opinion. The whole setup with the my.policy and such is hard-coded; the login page contains lots of fingerprintable information.

     

    You will need to do some extreme things to make this happen; I wouldn't pursue it. Just keep your BIG-IP updated and keep an eye out for security alerts.

  • ayhatu

    Hi Everyone,

    I had the same problem. Can you help me? When I tested on Kali:

    "is behind BIG-IP Access Policy Manager (F5 Networks) WAF"

     

    • As mentioned before, you are not going to "fix" this without a huge amount of work and a chance you will break Access Policy Manager.

       

      And why do you want this? To remove this is typical security through obscurity. Just keep up with patches so you are fine.

      • ayhatu

        "Why do you want this?" Isn't it clear why this is wanted to be removed? Because anyone who uses this code (wafw00f) will know that I am using F5.

  • JG

    From the source code of the "wafw00f" package below, we can see how APM is defined and detected:

     

    def is_waf(self):
        detected = False
        # the following based on nmap's http-waf-fingerprint.nse
        if self.matchcookie('^LastMRH_Session') and self.matchcookie('^MRHSession'):
            return True
        elif self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')) and self.matchcookie('^MRHSession'):
            return True
        if self.matchheader(('Location', '\/my.policy')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
            return True
        elif self.matchheader(('Location', '\/my\.logout\.php3')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
            return True
        elif self.matchheader(('Location', '.+\/f5\-w\-68747470.+')) and self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
            return True
        elif self.matchheader(('server', 'BigIP|BIG-IP|BIGIP')):
            return True
        elif self.matchcookie('^F5_fullWT') or self.matchcookie('^F5_ST') or self.matchcookie('^F5_HT_shrinked'):
            return True
        elif self.matchcookie('^MRHSequence') or self.matchcookie('^MRHSHint') or self.matchcookie('^LastMRH_Session'):
            return True
        else:
            return False


     

    The names of the session cookies just can't be masked, I am afraid.

     

    There are other definition files separately for ASM, LTM, etc.
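
Added example, not part of the original thread and not wafw00f's own code: an offline check that applies the header and cookie patterns from the is_waf() snippet above to a list of response headers, so you can see which indicators your own responses expose. The sample headers are constructed, and the helper names and matching semantics (search on header values, match on cookie names) are assumptions.

```python
import re

# Patterns follow the is_waf() snippet quoted in the thread.
SERVER_RE = re.compile(r'BigIP|BIG-IP|BIGIP', re.I)
LOCATION_RES = [r'/my\.policy', r'/my\.logout\.php3', r'/f5-w-68747470']
COOKIE_RES = [r'^LastMRH_Session', r'^MRHSession', r'^F5_fullWT', r'^F5_ST',
              r'^F5_HT_shrinked', r'^MRHSequence', r'^MRHSHint']

# Constructed sample response headers (not captured from a real system).
SAMPLE = [
    ('Server', 'BigIP'),
    ('Location', '/my.policy'),
    ('Set-Cookie', 'MRHSession=0123abcd; path=/; secure'),
    ('Set-Cookie', 'LastMRH_Session=0123abcd; path=/; secure'),
    ('Set-Cookie', 'JSESSIONID=xyz; path=/'),
]

def apm_indicators(headers):
    """Return sorted (kind, detail) pairs for every pattern the headers match."""
    found = set()
    for name, value in headers:
        lname = name.lower()
        if lname == 'server' and SERVER_RE.search(value):
            found.add(('server-header', value))
        elif lname == 'location':
            if any(re.search(p, value) for p in LOCATION_RES):
                found.add(('location-header', value))
        elif lname == 'set-cookie':
            # Only the cookie name matters; drop the value and attributes.
            cookie = value.split('=', 1)[0].strip()
            if any(re.match(p, cookie) for p in COOKIE_RES):
                found.add(('cookie', cookie))
    return sorted(found)

def without_header(headers, name):
    """Hypothetical helper: the same response with one header absent."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]

if __name__ == '__main__':
    for label, hdrs in (('as sent', SAMPLE),
                        ('Server header absent', without_header(SAMPLE, 'Server'))):
        print(label)
        for kind, detail in apm_indicators(hdrs):
            print(f'  {kind}: {detail}')
```

With the Server header absent, the Location and cookie indicators in the sample still match, which is the point made in the replies about the session cookie names.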