Use YARA for WAF string detection instead of Python string-in loops

liquidsec · liquidsec · commit 9fc38378415f · 2026-04-03T15:45:33.000-04:00
diff --git a/bbot/modules/bypass403.py b/bbot/modules/bypass403.py
@@ -1,5 +1,6 @@
 from bbot.errors import HttpCompareError
 from bbot.modules.base import BaseModule
+from bbot.core.helpers.misc import get_waf_strings
 
 """
 Port of https://github.com/iamj0ker/bypass-403/ and https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122
@@ -80,6 +81,10 @@ class bypass403(BaseModule):
     meta = {"description": "Check 403 pages for common bypasses", "created_date": "2022-07-05", "author": "@liquidsec"}
     in_scope_only = True
 
+    async def setup(self):
+        self.waf_yara_rules = self.helpers.yara.compile_strings(get_waf_strings(), nocase=True)
+        return True
+
     async def do_checks(self, compare_helper, event, collapse_threshold):
         results = set()
         error_count = 0
@@ -105,10 +110,10 @@ async def do_checks(self, compare_helper, event, collapse_threshold):
 
             # In some cases WAFs will respond with a 200 code which causes a false positive
             if subject_response is not None:
-                for waf_string in self.helpers.get_waf_strings():
-                    if waf_string in subject_response.text:
-                        self.debug("Rejecting result based on presence of WAF string")
-                        return
+                waf_matches = await self.helpers.yara.match(self.waf_yara_rules, subject_response.text)
+                if waf_matches:
+                    self.debug("Rejecting result based on presence of WAF string")
+                    return
 
             if match is False:
                 if str(subject_response.status_code)[0] != "4":
diff --git a/bbot/modules/lightfuzz/lightfuzz.py b/bbot/modules/lightfuzz/lightfuzz.py
@@ -2,6 +2,7 @@
 from bbot.modules.base import BaseModule
 
 from bbot.errors import InteractshError
+from bbot.core.helpers.misc import get_waf_strings
 
 
 class lightfuzz(BaseModule):
@@ -60,6 +61,8 @@ async def setup(self):
                 return False, f"Invalid Lightfuzz submodule ({submodule_name}) specified in enabled_modules"
             self.submodules[submodule_name] = submodule_class
 
+        self.waf_yara_rules = self.helpers.yara.compile_strings(get_waf_strings(), nocase=True)
+
         interactsh_needed = any(submodule.uses_interactsh for submodule in self.submodules.values())
         if interactsh_needed and not self.interactsh_disable:
             try:
diff --git a/bbot/modules/lightfuzz/submodules/path.py b/bbot/modules/lightfuzz/submodules/path.py
@@ -113,9 +113,8 @@ async def fuzz(self):
                         and doubledot_probe[0] is False
                         and doubledot_probe[3] is not None
                         and doubledot_probe[1] != ["header"]
-                        and not any(
-                            waf_string in doubledot_probe[3].text
-                            for waf_string in self.lightfuzz.helpers.get_waf_strings()
+                        and not await self.lightfuzz.helpers.yara.match(
+                            self.lightfuzz.waf_yara_rules, doubledot_probe[3].text
                         )
                     ):
                         confirmations += 1
diff --git a/bbot/modules/lightfuzz/submodules/serial.py b/bbot/modules/lightfuzz/submodules/serial.py
@@ -1,6 +1,5 @@
 from .base import BaseLightfuzz
 from bbot.errors import HttpCompareError
-from bbot.core.helpers.misc import get_waf_strings
 
 
 class serial(BaseLightfuzz):
@@ -48,10 +47,20 @@ class serial(BaseLightfuzz):
         "java.io.optionaldataexception",
     ]
 
-    GENERAL_ERRORS = [
+    GENERAL_ERROR_STRINGS = [
         "Internal Error",
         "Internal Server Error",
-    ] + get_waf_strings()
+    ]
+
+    @property
+    def general_error_yara_rules(self):
+        if not hasattr(self.lightfuzz, "_serial_general_error_rules"):
+            from bbot.core.helpers.misc import get_waf_strings
+
+            self.lightfuzz._serial_general_error_rules = self.lightfuzz.helpers.yara.compile_strings(
+                self.GENERAL_ERROR_STRINGS + get_waf_strings(), nocase=True
+            )
+        return self.lightfuzz._serial_general_error_rules
 
     def is_possibly_serialized(self, value):
         # Use the is_base64 method from BaseLightfuzz via self
@@ -101,7 +110,6 @@ async def fuzz(self):
         php_raw_serialization_payloads = self.PHP_RAW_SERIALIZATION_PAYLOADS
 
         serialization_errors = self.SERIALIZATION_ERRORS
-        general_errors = self.GENERAL_ERRORS
 
         probe_value = self.incoming_probe_value(populate_empty=False)
         if probe_value:
@@ -172,12 +180,13 @@ async def fuzz(self):
                     )
                     continue
 
+                general_error_matches = await self.lightfuzz.helpers.yara.match(
+                    self.general_error_yara_rules, response.text
+                )
                 if (
                     status_code == 200
                     and "code" in diff_reasons
-                    and not any(
-                        error in response.text for error in general_errors
-                    )  # ensure the 200 is not actually an error
+                    and not general_error_matches  # ensure the 200 is not actually an error
                 ):
                     # Confirm the baseline error state is stable by re-sending the control payload.
                     # If the control also returns 200 now, the original error was transient.
diff --git a/bbot/modules/lightfuzz/submodules/sqli.py b/bbot/modules/lightfuzz/submodules/sqli.py
@@ -1,6 +1,5 @@
 from .base import BaseLightfuzz
 from bbot.errors import HttpCompareError
-from bbot.core.helpers.misc import get_waf_strings
 
 import statistics
 
@@ -122,7 +121,10 @@ async def fuzz(self):
                     ):
                         # Check if the status code change is due to a WAF, not SQL injection
                         if single_quote[3].status_code == 403:
-                            waf_detected = any(ws in single_quote[3].text for ws in get_waf_strings())
+                            waf_matches = await self.lightfuzz.helpers.yara.match(
+                                self.lightfuzz.waf_yara_rules, single_quote[3].text
+                            )
+                            waf_detected = len(waf_matches) > 0
                             if waf_detected:
                                 self.debug(
                                     "Single quote probe returned 403 with WAF signature, "
