PortSwigger/firewall-ferret

Firewall Ferret

This Java project was built with PortSwigger's Montoya API as a Burp Suite extension. It is well known that WAFs only inspect up to a certain amount of data per request. This extension lets a tester manually insert junk data into a request, and adds junk data to Active Scans by duplicating each scan check.


Table of Contents

  1. Functionalities
  2. How to Use the Different Functionalities
  3. How to Configure the Extension
  4. Common WAF Limits
  5. How to Manually Add the Extension to Burp Suite
  6. How to Install the Extension from the Burp Suite BApp Store

Functionalities

Extension Menu Screenshot

This extension provides the following functionality.

  1. The option to manually insert a bullet of X kilobytes.
  2. The option to let the extension add a parameter containing a bullet of X kilobytes.
    1. The following request body types are supported: URL-encoded, JSON, XML, multipart.
    2. The following is a work in progress: AMF.
    3. If the request's content type is unknown to Burp, the extension adds the bullet to the entire body.
  3. An additional check for every Burp active scan check. The added check takes the standard payload and prepends a bullet of each of the following sizes: 8, 16, 32, 64, 128, 1024. This should lead to better scan results, since most applications sit behind a WAF.

How to Use the Different Functionalities

Automatic Insert

The automatic insert works for URL-encoded, JSON, XML and multipart request bodies. The bullet is added as the first argument in the request.

Auto Add Examples (video: UsingAutoInsertFunction.mp4)

Manual Insert

The manual insert adds a bullet (a * X * 1024, i.e. the character a repeated X kilobytes' worth) at the position of your caret.

Manual Insert Example (video: UsingManulInsertFunction.mp4)

Active Scan

The extension runs additional checks whenever the default active scan is used. If you need this feature disabled, uncheck all the boxes on the extension's settings tab.

How to Configure the Extension

  1. Click the Firewall Ferret tab.
  2. Select the bullets you want the scanner to try with its payloads.

Settings Tab

The extension automatically updates what the scanner uses as soon as you click a checkbox.

Common WAF Limits

WAF Provider         | Maximum Request Body Inspection Size Limit                            | Sources
Cloudflare           | 128 KB for ruleset engine, up to 100 - 500 MB depending on the plan  | Ruleset Engine; Cloudflare Plan Limits
AWS WAF              | 8 KB - 64 KB (configurable depending on service)                      | Handling Oversize Requests
Azure WAF            | 128 KB - 4 GB (configurable depending on service & rule set version)  | Application Gateway Limits
Akamai               | 8 KB, 1 KB, 32 KB                                                     | Body Inspection Limit
FortiWeb by Fortinet | 0 MB - 200 MB (configurable)                                          | Limiting File Uploads
F5 BIG-IP WAAP       | 1 KB (configurable)                                                   | Policy Management
Palo Alto            | Unknown                                                               |
Barracuda WAF        | Unknown                                                               |
Radware AppWall      | 30 KB - 20 KB                                                         | AppWall Documentation
Sucuri               | Unknown                                                               |

How to Manually Add the Extension to Burp Suite

Video: HowToInstallBurpExt.mp4

  1. Download the latest release here.
  2. Open the Extensions tab in Burp Suite.
  3. Click Add, then add the extension as a Java extension.
  4. Close the pop-up.

How to Install the Extension from the Burp Suite BApp Store

Not yet available.

  1. Open the Extensions tab in Burp Suite.
  2. Click BApp Store.
  3. Search for Firewall Ferret.
  4. Click Install.
