cdn_waf_fingerprinter_skill

This skill identifies CDNs and WAFs from HTTP, DNS, and TLS signals to reveal protection layers and potential exposure.
  • Python

42

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill transilienceai/communitytools --skill cdn_waf_fingerprinter

  • SKILL.md7.9 KB

Overview

This skill identifies Content Delivery Networks (CDNs), Web Application Firewalls (WAFs), DDoS protection, and bot management services by analyzing HTTP headers, cookies, DNS CNAMEs, IP ranges, and TLS/JARM fingerprints. It aggregates signals into weighted detections and produces a prioritized list of likely providers and protections. The output helps pentesters, bug bounty hunters, and security researchers understand edge services and attack surface obfuscation.

How this skill works

The fingerprinter ingests phase-2 raw signals: http_signals (headers and cookies), dns_signals (CNAME records), ip_signals (IP ranges), and tls_signals (JARM and cert issuers). It matches those signals against known CDN, WAF, DDoS, and bot-management patterns, scoring each match and combining evidence. Detection includes header patterns, cookie name matches, CNAME substring checks, IP-range looks, and exact JARM fingerprint comparisons.

When to use it

  • During reconnaissance to identify edge services protecting or caching a target
  • When confirming if a target hides its origin IP behind a CDN/WAF
  • To prioritize targets for exploits that rely on bypassing WAF or caching behavior
  • When triaging inconsistent signals that may indicate multi-CDN or migration
  • As part of automated scanning pipelines for bug bounty and pentest engagements

Best practices

  • Combine multiple signal types (headers + CNAME + JARM) before concluding provider identity
  • Treat low-weight single signals as tentative and highlight higher-weight aggregates
  • Report all plausible providers when signals conflict or indicate chaining
  • Respect rate limits and legal boundaries when collecting HTTP/DNS/TLS data
  • Use IP-range lists and JARM DB updates regularly to reduce false negatives

Example use cases

  • Detect Cloudflare in front of an application by CF-RAY, cf_clearance, and cloudflare server header
  • Find an Akamai presence by edgekey/akamaiedge CNAMEs and Akamai-specific headers
  • Flag Fastly by X-Served-By cache headers and fastly.net CNAME matches
  • Identify bot management like PerimeterX or DataDome via _px* or datadome cookies
  • Uncover CDN chaining when CNAME and header signals point to different providers

FAQ

Single signals can indicate a provider but are lower confidence; combine headers, cookies, CNAME and JARM evidence for higher accuracy.

What if signals conflict or show multiple providers?

Conflicting signals may indicate CDN chaining, migration, or intermediate services; report all matches and their weights to reflect uncertainty.

Can TLS/JARM fingerprints identify CDNs?

Yes—exact JARM matches can provide strong evidence, but missing or altered JARM values should fall back to header and DNS checks.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
cdn_waf_fingerprinter skill by transilienceai/communitytools | VeilStrat