websecurity@lists.webappsec.org

The Web Security Mailing List


program to crawl website looking for string patterns

Simone Onofri
Sun, Oct 9, 2011 12:16 AM

On Sat, Oct 8, 2011 at 10:05 PM, Simone Onofri <simone.onofri@gmail.com> wrote:

Hi Hao,

IMHO, as for methodology you can use the OSSTMM [1], which has modules
such as Active Detection Verification, tasks for it and a tool [2] (this
is used prior to testing because a filtering device can corrupt the test
results, but I think it's a good start). Please correct me if I'm wrong
with this mapping.

Consider the WAF as an Authentication control (via whitelist) and
also Alarm (if it has these functions) and Non-Repudiation (if it
maintains logs and/or sends data to a SIM/SIEM or other log management
system). It may be a good idea to check these as well, for a complete
test, not only checking for bypassing.

So how to run the tasks depends on the vector, the test type and your
reason to test, even if the OSSTMM says "It may be necessary to coordinate
these tests with the appropriate persons within the scope."

If you have access to the Web Application Firewall/web server logs you can
check which requests passed or not; otherwise, if you have no access to
the logs, you may "tune" the script in order to recognize whether a request
is blocked or not (for example, dropped packets, specific or generic HTTP
errors, WSOD... it depends on the WAF used). Testing in a "lab" (attacker ->
WAF -> test web server) is best.

Depending on the WAF type and the techniques used (regular expressions and
so on...) it's also possible to use a custom script in order to:
 - crawl the application, looking for pages and parameters
 - tune the script
 - send sample attacks, looking for reactions
 - you may also elaborate attacks with evasion techniques (there are a
lot of papers... from packet fragmentation to encoding)

Another interesting test, inspired by this thread [3], is HTTP
Parameter Pollution [4].

Now you have "raw" output with the requests that passed and those that did
not. This output can be analyzed (by parameter, attack type and/or evasion
technique) in order to draw some conclusions about how and when the WAF works.

Note that depending on the WAF type you may find filtering at layer 7,
possibly with custom rules for each parameter, or at a lower layer, with
different characteristics. Also note that a WAF can be configured to
proactively block the attacker, compromising your test (reactions
must be deactivated for the test).

Cheers,

Simone

[1] http://www.isecom.org/osstmm/
[2] http://www.purehacking.com/news/afd-technical-details
[3] http://seclists.org/pen-test/2010/Sep/3
[4] https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

On Sat, Oct 8, 2011 at 10:43 AM, Hao Wang (haowa2) <haowa2@cisco.com> wrote:

Hi All,

Do you know some material about how to test a WAF and write a testing report? I wish there were some examples, could you help?

Regards,
-Hao


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
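The crawl -> tune -> probe -> analyze loop described in the reply above, as an added example that is not part of the original post. It is written to run offline: the site (SITE), the regex-based WAF in front of it (waf_forward), the payload catalogue and the evasion transforms are all constructed for the example and are not taken from any real product. The "tune the script" step is the is_blocked() classifier, which turns status codes, a body signature and dropped connections into a pass/block verdict; in a real attacker -> WAF -> test web server lab you would swap waf_forward() for an HTTP client and adjust those signals to the WAF under test.

```python
"""Lab harness for the crawl -> tune -> probe -> analyze loop (added example).
SITE and waf_forward() are constructed stand-ins for the test web server and
the WAF in front of it; in a real lab swap waf_forward() for an HTTP client."""
import html.parser
import re
import urllib.parse
from collections import defaultdict

# Constructed stand-in for the test web server: path -> HTML body.
SITE = {
    "/": '<a href="/search?q=test">search</a> <a href="/login">login</a>',
    "/search": "<p>results</p>",
    "/login": '<form action="/login" method="post">'
              '<input name="user"><input name="pass"></form>',
}

class _LinkFormParser(html.parser.HTMLParser):
    """Collects links and (form action, input name) pairs from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.form_action, self.params = [], None, set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.form_action = a.get("action", "/")
        elif tag == "input" and a.get("name") and self.form_action:
            self.params.add((self.form_action, a["name"]))

def crawl(site, start="/"):
    """Step 1: walk the site and return sorted (path, parameter) pairs."""
    seen, queue, targets = set(), [start], set()
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        parser = _LinkFormParser()
        parser.feed(site.get(path, ""))
        targets |= parser.params
        for href in parser.links:
            url = urllib.parse.urlsplit(href)
            targets.update((url.path, name) for name in urllib.parse.parse_qs(url.query))
            queue.append(url.path)
    return sorted(targets)

# Constructed stand-in for a regex-based WAF: it matches the raw, still
# percent-encoded query string, case-sensitively (the weakness probed below).
WAF_RULES = [re.compile(p) for p in (r"<script", r"' or 1=1", r"union select")]

def waf_forward(path, param, raw_value):
    """Returns (status, body) as the attacker sees it; status None = dropped."""
    if any(rule.search(f"{param}={raw_value}") for rule in WAF_RULES):
        return 403, "<h1>Request blocked by WAF</h1>"
    return 200, f"backend {path} got {urllib.parse.unquote(raw_value)}"

PAYLOADS = {  # sample attacks, deliberately textbook
    "xss": "<script>alert(1)</script>",
    "sqli": "' or 1=1--",
    "sqli_union": "1 union select 1,2--",
}
EVASIONS = {  # variants of each payload sent to the same parameter
    "plain": lambda s: s,
    "urlencode": lambda s: urllib.parse.quote(s, safe=""),
    "case_swap": lambda s: s.upper(),
    "sql_comment": lambda s: s.replace(" ", "/**/"),
}
BLOCK_SIGNATURE = re.compile(r"request blocked by waf", re.I)

def is_blocked(status, body):
    """Step 2, the 'tuned' part: signals that mean the WAF stopped the request."""
    if status is None:  # dropped packet / timeout counts as a block
        return True
    return status in (403, 406, 501) or bool(BLOCK_SIGNATURE.search(body))

def run_matrix(site, forward=waf_forward, detect=is_blocked):
    """Steps 3 and 4: every payload x evasion to every parameter, raw verdicts."""
    results = {}
    for path, param in crawl(site):
        for attack, payload in PAYLOADS.items():
            for evasion, transform in EVASIONS.items():
                status, body = forward(path, param, transform(payload))
                verdict = "blocked" if detect(status, body) else "passed"
                results[(f"{path}?{param}", attack, evasion)] = verdict
    return results

def summarize(results):
    """Fold the raw output into 'blocked/total' per attack type and evasion."""
    by_attack, by_evasion = defaultdict(lambda: [0, 0]), defaultdict(lambda: [0, 0])
    for (_, attack, evasion), verdict in results.items():
        for bucket in (by_attack[attack], by_evasion[evasion]):
            bucket[0] += verdict == "blocked"
            bucket[1] += 1
    as_text = lambda d: {k: f"{b}/{n}" for k, (b, n) in d.items()}
    return {"by_attack": as_text(by_attack), "by_evasion": as_text(by_evasion)}
```

Run it with `summarize(run_matrix(SITE))`: against the constructed WAF every "plain" payload is blocked while every URL-encoded or case-swapped variant passes, which is the raw-output-by-evasion-technique view the reply suggests analyzing. Two caveats carry over from the reply: a real WAF that "reacts" (blocks the source address) will poison the whole matrix after the first hit, so disable reactions before running it, and the detector's status codes and signature are WAF-specific and have to be confirmed against the WAF or web server logs when you have them.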
super evr
Sun, Oct 9, 2011 12:57 AM

I would say that a real-world way to test a WAF is to test a web
application first. Then put the Web Application Firewall in front of
it and test again. This time, if you can't find any of the
vulnerabilities that you found before, then the WAF is probably doing
an OK job.

Take into consideration that most WAFs will block out-of-the-box
scanning, but will fail on simple variations of injections.

Here is a good inject for XSS against WAFs:
<input oninput%3d"">

I personally don't trust most WAFs to block more than just automated
scanning, and they aren't a cure for vulnerabilities in your site's code.

@superevr

On Oct 8, 2011, at 10:47 AM, "Hao Wang (haowa2)" haowa2@cisco.com wrote:

Hi All,

Do you know some material about how to test a WAF and write a testing report? I wish there were some examples, could you help?

Regards,
-Hao


Ivan Buetler
Mon, Oct 10, 2011 5:50 AM

Hi all,

I did a presentation at AppSec USA Washington 2010 about Open Source
WAFs. I was turning a standard Apache server into a reverse proxy
and then into a WAF. Everything was/is prepared for the participants on
a LiveCD. Everything is available as a video tutorial.

Videos showing all steps (From Apache to WAF with mod_security)
https://www.hacking-lab.com/news/newspage/open-source-entry-server.html

For your question how to proceed

a) download and install vulnerable web app

  • damn vulnerable web app
  • hackme bank
  • webgoat
  • or just use a real app in the wild

b) setup WAF

  • reverse proxy
  • pre-authentication
  • mod_security
  • mod_proxy
  • mod_replace
  • mod_unique_id

c) Configure your WAF for a)

Enjoy!

Some more Videos based on the same technique:
PART 1: Howto Create WAF in front of Facebook
http://media.hacking-lab.com/movies/rp2/

PART 2: Howto Create WAF in front of Facebook
http://media.hacking-lab.com/movies/rp2.2/

Regards
Ivan

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of super evr
Sent: Sunday, 9 October 2011 02:58
To: Hao Wang (haowa2)
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] WAF testing

I would say that a real-world way to test a WAF is to test a web
application first. Then put the Web Application Firewall in front of
it and test again. This time, if you can't find any of the
vulnerabilities that you found before, then the WAF is probably doing
an OK job.

Take into consideration that most WAFs will block out-of-the-box
scanning, but will fail on simple variations of injections.

Here is a good inject for XSS against WAFs:
<input oninput%3d"">

I personally don't trust most WAFs to block more than just automated
scanning, and they aren't a cure for vulnerabilities in your site's code.

@superevr

On Oct 8, 2011, at 10:47 AM, "Hao Wang (haowa2)" haowa2@cisco.com
wrote:

Hi All,

Do you know some material about how to test a WAF and write a testing
report? I wish there were some examples, could you help?

Regards,
-Hao


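Steps b) and c) of Ivan's recipe as an added configuration example; this is not the configuration from his LiveCD or videos, and it covers only the reverse-proxy and mod_security parts of his list, not pre-authentication or mod_replace. It assumes Apache 2.x with mod_proxy, mod_proxy_http, mod_unique_id and mod_security2 (ModSecurity 2.x) already loaded, a vulnerable app such as DVWA or WebGoat listening on 127.0.0.1:8080, and a hypothetical hostname and audit log path.

```apache
# Added example: Apache as reverse proxy + ModSecurity 2.x WAF in front of a
# deliberately vulnerable app. Assumptions: mod_proxy, mod_proxy_http,
# mod_unique_id and mod_security2 are loaded; the app listens on
# 127.0.0.1:8080; hostname and log path below are placeholders.
<VirtualHost *:80>
    # hypothetical hostname for the lab
    ServerName waf-lab.example

    # b) reverse proxy: every client request is forwarded to the backend,
    # and Location headers coming back are rewritten to the proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # b) WAF: inspect request line, headers and body before proxying.
    # Switch SecRuleEngine to DetectionOnly to log matches without blocking.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    # assumed log path; the audit log is your "did it pass or not" record
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecDefaultAction "phase:2,deny,status:403,log,auditlog"

    # c) rules written for the app. t:urlDecodeUni and t:lowercase make the
    # rule see decoded, case-folded data, so percent-encoded and case-changed
    # variants of a payload still match; drop them to see the bypasses reappear.
    SecRule ARGS "@rx <script" \
        "id:900001,phase:2,t:none,t:urlDecodeUni,t:lowercase,msg:'XSS probe'"
    SecRule ARGS "@rx (?:'\s*or\s+1=1|union\s+select)" \
        "id:900002,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removeComments,msg:'SQLi probe'"

    # Positive model for one parameter: on /login the user name must be a
    # short token; anything else is denied by the chain's first rule.
    SecRule REQUEST_URI "@streq /login" \
        "id:900003,phase:2,chain,msg:'login user outside whitelist'"
        SecRule ARGS:user "!@rx ^[a-z0-9_]{1,32}$" "t:none,t:lowercase"
</VirtualHost>
```

With SecRuleEngine set to DetectionOnly the WAF logs rule hits without blocking, which is a convenient way to calibrate a probing script's blocked/passed detector before turning enforcement on; the audit log then gives the per-request ground truth that Simone's reply says you otherwise have to infer from status codes and error pages.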