Testing and comparing WAFs is a time-consuming task.
And you didn't even mention the:
Kind Regards,
Shlomi Narkolayev
Visit my blog: http://Narkolayev-Shlomi.blogspot.com
On Sun, Oct 9, 2011 at 3:53 AM, Hao Wang (haowa2) haowa2@cisco.com wrote:
Thank you all for your kind help. I made a summary from your
suggestions; the following is what I plan to do:
1. Build a vulnerable web application.
2. Configure the WAF environment (such as Apache httpd for the ModSecurity WAF),
deploy the application and put the WAF in front of the web application.
3. Attack the application (with some modified vectors) and check the logs to
observe the effectiveness; evaluate the WAF according to the Evaluation Criteria.
4. Test other WAFs the same way and compare their differences (cost,
effectiveness, speed, etc.).
If any key step is missing or there is a mistake, please point it out.
PS: Each step seems to take much time =_=
Thanks again.
-Hao
-----Original Message-----
From: super evr [mailto:superevr@gmail.com]
Sent: Sunday, October 09, 2011 8:58 AM
To: Hao Wang (haowa2)
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] WAF testing
I would say that a real world way to test a WAF is to test a web
application first. Then, put the Web Application Firewall in front of
it, then test again. This time, if you can't find any of the
vulnerabilities that you found before then the WAF is probably doing
an ok job.
Take into consideration that most WAFs will block out of the box
scanning, but will fail on simple variations of injections.
Here is a good inject for XSS against WAFs:
<input oninput%3d"">
I personally don't trust most WAFs to block more than just automated
scanning, and they aren't a cure for vulnerabilities in your site's code.
@superevr
On Oct 8, 2011, at 10:47 AM, "Hao Wang (haowa2)" haowa2@cisco.com
wrote:
Hi All,
Do you know some material about how to test a WAF and write a testing
report? I wish there are some examples, could you help?
Regards,
-Hao
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
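The thread's methodology (test the application, put the WAF in front, test again, and read the logs to see which probes still get through) comes down to scoring a corpus of probes against ground truth. The harness below is an added illustration for this thread, not code from any of its participants or from ModSecurity. Its probe corpus is constructed for the example (it reuses the encoded `oninput` probe posted above plus textbook payloads and benign strings), `toy_waf` is a deliberately naive literal-pattern filter standing in for "out of the box" rules, and `http_sender` with its `base_url`/`param` names is a hypothetical sender for a lab deployment that the offline run does not call.

```python
"""Score a WAF against a labelled probe corpus: detection rate, false-positive
rate, and the named probes that bypassed it or were wrongly blocked."""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Probe:
    name: str
    payload: str
    malicious: bool  # ground truth: a correct WAF should block this


# Constructed corpus: the thread's encoded oninput probe, two textbook
# payloads, and two benign inputs a sloppy rule is likely to trip on.
PROBES: List[Probe] = [
    Probe("script-tag", "<script>alert(1)</script>", True),
    Probe("encoded-oninput", '<input oninput%3d"">', True),  # posted in the thread
    Probe("sqli-tautology", "' OR 1=1--", True),
    Probe("benign-text", "Hello world", False),
    Probe("benign-apostrophe", "O'Brien's report", False),
]

# Toy "WAF": literal patterns with no percent-decoding step, modelling the
# behaviour the thread describes (blocks obvious scanner payloads, misses a
# trivially encoded variant, and over-blocks on a bare apostrophe).
_TOY_RULES = [re.compile(p, re.IGNORECASE) for p in (r"<script", r"on\w+=", r"'")]


def toy_waf(payload: str) -> bool:
    """Return True when the toy rules would block the payload."""
    return any(rule.search(payload) for rule in _TOY_RULES)


def http_sender(base_url: str, param: str = "q") -> Callable[[str], bool]:
    """Hypothetical sender for a lab target: GET the payload as a query
    parameter and treat HTTP 403 as 'blocked'. safe='%' keeps sequences that
    are already percent-encoded (like %3d) from being encoded a second time."""
    def send(payload: str) -> bool:
        url = f"{base_url}?{param}={urllib.parse.quote(payload, safe='%')}"
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                return resp.getcode() == 403
        except urllib.error.HTTPError as err:
            return err.code == 403
    return send


def score(sender: Callable[[str], bool], probes: List[Probe] = PROBES) -> Dict[str, object]:
    """Send every probe through `sender` and tabulate against ground truth."""
    tp = fp = tn = fn = 0
    bypasses: List[str] = []        # malicious probes that were NOT blocked
    false_positives: List[str] = []  # benign probes that WERE blocked
    for probe in probes:
        blocked = sender(probe.payload)
        if probe.malicious and blocked:
            tp += 1
        elif probe.malicious:
            fn += 1
            bypasses.append(probe.name)
        elif blocked:
            fp += 1
            false_positives.append(probe.name)
        else:
            tn += 1
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "bypasses": bypasses,
        "false_positives": false_positives,
    }


if __name__ == "__main__":
    # Offline run against the toy filter; swap in http_sender("http://lab/app")
    # to score a real WAF placed in front of a test application.
    result = score(toy_waf)
    print(f"detection rate:      {result['detection_rate']:.0%}")
    print(f"false-positive rate: {result['false_positive_rate']:.0%}")
    print(f"bypasses:            {result['bypasses']}")
    print(f"false positives:     {result['false_positives']}")
```

The two lists are the part worth reading in a report: each bypass names a probe to check in the WAF's audit log (was it seen and allowed, or not parsed at all?), and each false positive is a usability cost that the "effectiveness" column of a comparison should carry alongside cost and speed. Running the same corpus against each candidate WAF gives the like-for-like comparison step 4 of the plan asks for.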