Firewall Ferret

This java project was created with Portswigger's Montoya API to be a Burp Extension. It's well known that WAFs only scan up to a certain amount of data per request. This extension allows a tester to manually insert junk data and adds junk data to Active Scans by duplicating each scan check.

---

Table of Contents

1. Functionalities
2. How to Use the Different Functionalities
3. How to Configure the Extension
4. Common WAF Limits
5. How to Add Manually Extension to Burp Suite
6. How to Install Extension from Burp Suite BAPP Store

---

Functionalities

This extension provides a few functionalities.

1. The option to manually insert a bullet of X Kilobyte
2. The option to allow the extension to add a parameter of bullet of X Kilobyte
   1. The following requests are supported: URL-Encoded Body, JSON, XML, Multipart
   2. The following requests are a work in progress: AMF
   3. If the request's content type of unknown to Burp, then the extension will append the entire body with a bullet.
3. Adds a check for every burp active scan check. The check will take the standard payload and prepend a bullet of the following sizes: 8, 16, 32, 64, 128, 1024. This should lead to better scan results since most applications have WAFs in front.

How to Use the Different Functionalities

Automatic Insert

The automatic insert works for requests URL-Encoded, JSON, XML, Multipart bodies. The bullet will be added as the first argument in the request.

Auto Add Examples

UsingAutoInsertFunction.mp4

Manual Insert

The manual insert works by adding a bullet (a * X * 1024) where you're caret is.

Manual Insert Example

UsingManulInsertFunction.mp4

Active Scan

The extension runs additional checks when the default active scan is used. If you require this feature to be disabled, uncheck all the boxes on the extension's settings tab.

How to Configure Extension

1. Click on Firewall Ferret tab
2. Select the bullets you want the scanner to try with its payloads

The extension will automatically update what the scanner uses when you click a checkbox

Common WAF Limits

WAF Provider	Maximum Request Body Inspection Size Limit	Sources
Cloudflare	128 KB for ruleset engine, up to 100 - 500 MB depending on the plan	Ruleset Engine Cloudflare Plan Limits
AWS WAF	8 KB - 64 KB (configurable depending on service)	Handling Oversize Requests
Azure WAF	128 KB - 4 GB (configurable depending on service & rule set version)	Application Gateway Limits
Akamai	8 KB, 1 KB, 32 KB	Body Inspection Limit
Fortiweb by Fortinet	0 MB - 200 MB (configurable)	Limiting File Uploads
F5 BIG-IP WAAP	1 KB (configurable)	Policy Management
Palo Alto	Unknown
Barracuda WAF	Unknown
Radware AppWall	30 KB - 20 KB	AppWall Documentation
Sucuri	Unknown

How to add manually extension to Burp Suite

HowToInstallBurpExt.mp4

1. Download the latest release here
2. Open the Extensions tab in Burp Suite
3. Click Add and then add the extension as a Java extension
4. Close pop-up

How to install extension from Burp Suite BAPP store

Not yet available

1. Open the Extensions tab in Burp Suite
2. Click BAPP store
3. Search for Firewall Ferret
4. Click Install