websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] WAF testing

Hao Wang (haowa2)
Sun, Oct 9, 2011 1:53 AM

Thank you all for your kind help. I made a summary from your
suggestions; the following is what I plan to do:

1. Build a vulnerable web application.
2. Configure the WAF environment (such as apache+httpd for the ModSecurity WAF),
deploy the application and put the WAF in front of the web application.
3. Attack the application (with some modified vectors) and check the logs to
observe the effectiveness; evaluate the WAF with reference to the Evaluation Criteria.
4. Test other WAFs in the same way and compare their differences (cost,
effectiveness, speed, etc.).

If I am missing some key steps or have made a mistake, please point it out.

PS: Each step seems to take much time =_=

Thanks again.

-Hao

-----Original Message-----
From: super evr [mailto:superevr@gmail.com]
Sent: Sunday, October 09, 2011 8:58 AM
To: Hao Wang (haowa2)
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] WAF testing

I would say that a real-world way to test a WAF is to test a web
application first. Then put the Web Application Firewall in front of
it and test again. This time, if you can't find any of the
vulnerabilities that you found before, then the WAF is probably doing
an OK job.

Take into consideration that most WAFs will block out-of-the-box
scanning, but will fail on simple variations of injections.

Here is a good injection for XSS against WAFs:
<input oninput%3d"">

I personally don't trust most WAFs to block more than just automated
scanning, and they aren't a cure for vulnerabilities in your site's code.

@superevr

On Oct 8, 2011, at 10:47 AM, "Hao Wang (haowa2)" <haowa2@cisco.com>
wrote:

Hi All,

Do you know some material about how to test a WAF and write a testing
report? I wish there were some examples; could you help?

Regards,
-Hao


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
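Steps 3 and 4 of the plan above, together with super evr's point that WAFs block out-of-the-box scanning but miss simple variations, as an added example that is not from the thread or from any WAF product: a small offline Python harness. It stands in two toy inspection rules for the WAF (one matching the raw request as received, one URL-decoding it first), runs both over the same constructed vectors, including the `<input oninput%3d"">` payload quoted above, and reports detection rate, false-positive rate on benign requests and the time taken. The rules, vectors and metric names are all constructed for this example; against a real WAF, the `rule` callable would be replaced by sending the request through the WAF and checking whether the response was blocked.

```python
import re
import time
from urllib.parse import unquote

# Toy WAF signature (constructed): an HTML tag carrying an on* event-handler
# attribute. A real WAF rule set is far larger; the harness, not the rule,
# is the point of this example.
EVENT_HANDLER = re.compile(r'<\w+[^>]*\son\w+\s*=', re.IGNORECASE)

def naive_rule(raw):
    """Inspects the request exactly as received, with no decoding."""
    return bool(EVENT_HANDLER.search(raw))

def normalizing_rule(raw):
    """URL-decodes (twice, to also cover double encoding) before inspecting,
    so an encoded '%3d' and a literal '=' are treated the same way."""
    return bool(EVENT_HANDLER.search(unquote(unquote(raw))))

# Constructed test vectors: (description, raw query string, is_attack).
# Benign requests are included on purpose: a WAF that blocks everything
# scores 100% detection, so false positives must be measured too.
VECTORS = [
    ("plain event-handler XSS", 'name=<input onfocus="">', True),
    ("thread payload, '=' URL-encoded", 'name=<input oninput%3d"">', True),
    ("double-encoded '='", 'name=<input oninput%253d"">', True),
    ("benign text", "name=Hao+Wang", False),
    ("benign text with the word 'on'", "comment=turn+it+on+please", False),
    ("benign encoded HTML", "comment=%3Cb%3Ebold%3C/b%3E", False),
]

def evaluate(rule, vectors=VECTORS):
    """Runs one rule over the vectors and returns the effectiveness metrics."""
    blocked_attacks = false_positives = 0
    missed = []
    start = time.perf_counter()
    for desc, raw, is_attack in vectors:
        blocked = rule(raw)
        if is_attack and blocked:
            blocked_attacks += 1
        elif is_attack:
            missed.append(desc)
        elif blocked:
            false_positives += 1
    elapsed = time.perf_counter() - start  # stands in for the "speed" criterion
    attacks = sum(1 for _, _, is_attack in vectors if is_attack)
    benign = len(vectors) - attacks
    return {
        "detection_rate": blocked_attacks / attacks,
        "false_positive_rate": false_positives / benign,
        "missed": missed,
        "seconds": elapsed,
    }

def compare(rules):
    """Scores several rules (several WAFs, in the plan) on the same vectors."""
    return {name: evaluate(rule) for name, rule in rules.items()}

if __name__ == "__main__":
    results = compare({"naive": naive_rule, "normalizing": normalizing_rule})
    for name, r in results.items():
        print(f"{name}: detected {r['detection_rate']:.0%}, "
              f"false positives {r['false_positive_rate']:.0%}, missed {r['missed']}")
```

The naive rule catches the plain vector and misses both encoded variants, which is the "simple variations" failure the thread describes; the normalizing rule catches all three with no false positives on this set. When doing step 3 against a real WAF, keep the benign half of the vector set: it is what turns "how much did it block" into "how much did it block correctly", which the Evaluation Criteria comparison in step 4 needs.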

Shlomi Narkolayev
Wed, Oct 12, 2011 9:52 AM

Testing and comparing WAFs is a time-consuming task.
And you didn't even mention:

  1. Bypass technique tests: parameter splitting, filter bypass, HPP, etc.
  2. WAF exploitation
  3. WAF manufacturer detection
  4. Application logic attacks
  5. Advanced attack protection, e.g. CSRF, clickjacking, web scraping, Ajax
     support, MITB detection, etc.

Kind Regards,
Shlomi Narkolayev

Visit my blog: http://Narkolayev-Shlomi.blogspot.com

On Sun, Oct 9, 2011 at 3:53 AM, Hao Wang (haowa2) <haowa2@cisco.com> wrote:


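Item 1 of Shlomi's list names HTTP Parameter Pollution (HPP) as a bypass class the test plan should cover. As an added example, not part of the thread or of any WAF, here is what such a test case checks in Python: when a parameter is repeated, a WAF that inspects only the first occurrence (or only the last) can disagree with the backend about which value counts, so the inspection should cover every occurrence. The three inspector functions, the signature and the HPP_CASES test set are constructed for this example; the payload reused in the cases is the one quoted earlier in the thread.

```python
import re
from urllib.parse import parse_qsl

# Toy inspection signature (constructed), the same kind a real WAF rule would
# apply; what this example varies is WHICH parameter values it is applied to.
EVENT_HANDLER = re.compile(r'<\w+[^>]*\son\w+\s*=', re.IGNORECASE)

def parse_all(qs):
    """Every occurrence of every parameter, in arrival order, e.g. {'q': ['a', 'b']}.
    parse_qsl also URL-decodes, so '%3d' is already '=' by the time a rule sees it."""
    params = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        params.setdefault(key, []).append(value)
    return params

def inspect_first_only(qs):
    """Models a WAF that looks only at the first occurrence of a repeated parameter."""
    return any(EVENT_HANDLER.search(vals[0]) for vals in parse_all(qs).values())

def inspect_last_only(qs):
    """Models a WAF that looks only at the last occurrence."""
    return any(EVENT_HANDLER.search(vals[-1]) for vals in parse_all(qs).values())

def inspect_every_occurrence(qs):
    """Defensive variant: every occurrence is inspected, so the verdict does not
    depend on which occurrence the backend framework happens to use."""
    return any(EVENT_HANDLER.search(v) for vals in parse_all(qs).values() for v in vals)

# Constructed HPP test cases for a WAF test suite: (description, query string,
# should_block). Benign repeated parameters are included so that "inspect
# everything" is checked for false positives as well.
HPP_CASES = [
    ("payload only in 2nd occurrence", 'q=hello&q=<input oninput%3d"">', True),
    ("payload only in 1st occurrence", 'q=<input oninput%3d"">&q=hello', True),
    ("benign repeated parameter", "q=hello&q=world", False),
    ("benign single parameter", "q=hello", False),
]

def run_suite(inspector, cases=HPP_CASES):
    """Returns the descriptions of the cases the inspector got wrong."""
    return [desc for desc, qs, should_block in cases if inspector(qs) != should_block]

if __name__ == "__main__":
    for name, fn in (("first-only", inspect_first_only),
                     ("last-only", inspect_last_only),
                     ("every-occurrence", inspect_every_occurrence)):
        print(f"{name}: wrong on {run_suite(fn)}")
```

Each single-occurrence inspector fails exactly one of the two positive cases, and which one it fails is invisible unless the suite repeats the parameter in both positions; the every-occurrence inspector passes all four. The same case layout extends to the other item-1 techniques: the test suite has to vary where in the request the payload sits, not just what the payload is.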