Merge pull request #1089 from blacklanternsecurity/wafw00f-noredirect

Don't follow redirects in wafw00f

bbot/modules/wafw00f.py

@@ -26,9 +26,15 @@ class wafw00f(BaseModule):
     in_scope_only = True
     per_hostport_only = True
 
+    async def filter_event(self, event):
+        http_status = getattr(event, "http_status", 0)
+        if not http_status or str(http_status).startswith("3"):
+            return False, f"Invalid HTTP status code: {http_status}"
+        return True, ""
+
     async def handle_event(self, event):
         url = f"{event.parsed.scheme}://{event.parsed.netloc}/"
-        WW = await self.scan.run_in_executor(wafw00f_main.WAFW00F, url)
+        WW = await self.scan.run_in_executor(wafw00f_main.WAFW00F, url, followredirect=False)
         waf_detections = await self.scan.run_in_executor(WW.identwaf)
         if waf_detections:
             for waf in waf_detections:

bbot/test/test_step_2/module_tests/test_module_wafw00f.py

@@ -12,3 +12,19 @@ async def setup_after_prep(self, module_test):
 
     def check(self, module_test, events):
         assert any(e.type == "WAF" and "LiteSpeed" in e.data["WAF"] for e in events)
+
+
+class TestWafw00f_noredirect(ModuleTestBase):
+    targets = ["http://127.0.0.1:8888"]
+    modules_overrides = ["httpx", "wafw00f"]
+
+    async def setup_after_prep(self, module_test):
+        expect_args = {"method": "GET", "uri": "/"}
+        respond_args = {"status": 301, "headers": {"Location": "/redirect"}}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+        expect_args = {"method": "GET", "uri": "/redirect"}
+        respond_args = {"response_data": "Proudly powered by litespeed web server"}
+        module_test.set_expect_requests(expect_args=expect_args, respond_args=respond_args)
+
+    def check(self, module_test, events):
+        assert not any(e.type == "WAF" for e in events)