
Penetration Testing mailing list archives

RE: WAF Testing..suggestions??
From: "K K Mookhey" <kkmookhey () niiconsulting com>
Date: Tue, 7 Sep 2010 00:18:25 +0530

This is indeed an excellent point by bin4ry, and I'd just like to add my
2 cents to it in terms of the manual testing:
1. Trying to violate the access control mechanisms - business and
application specific stuff
2. Trying to violate password reset and other authentication-related
mechanisms to see if the WAF picks it up beyond running scanner-based
3. Other out of the box stuff depending on the application
4. Also, many obfuscation techniques are available to bypass WAFs. Some of
these specialized ones can also be tried out. Some examples are given here:

Also, another interesting link is the WAF Testing Procedure from NS Labs


K. K. Mookhey
Principal Consultant
Network Intelligence
Web: www.niiconsulting.com/services.html 

-----Original Message-----

Hey False,

one thing you should keep in mind: While I was pentesting mod_security
and a bunch of commercial WAFs, I recognized that most of the products
work pretty well with popular assessment tools (w3af, etc.). They
detected most of the attacks. Afterwards I set up a vulnerable website
and tried to manually attack it. There was a huge difference: A lot of
manual attacks were not recognized. I guess this is because most of
those WAF vendors try to show how good their product is by running
automated pentests with such tools. Therefore their products seem to
be optimized for such scenarios.
So to really get a picture about a WAF's performance, handcrafted
attacks are a must!


On 27.08.2010 21:59, Dotzero wrote:
Try waffit - http://code.google.com/p/waffit/source/checkout

On Mon, Aug 23, 2010 at 11:16 AM, false <jctx09 () yahoo com> wrote:
I need to test my WAF. I want to set up a simple network in the lab
like this:
XP or Linux client <--> WAF <--> Honeypot/test webserver

1) Does anyone have any suggestions on what I can use to
simulate/generate attacks/suspicious traffic towards the webserver from my

2) Is there a honeypot image out there that I can download that would
be good to be the role of my test

Any suggestions or ideas are very much appreciated.
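The thread's two practical points (false's lab setup and bin4ry's observation that WAFs catch scanner-style requests but miss handcrafted ones, plus K K Mookhey's manual checks) come down to one measurement: replay labelled requests through the WAF and compare detection per category against false positives on benign traffic. The harness below is an added example, not code from any poster or from waffit/w3af; the sample cases, the category labels, the `http://<waf-lab-host>` placeholder and the assumption that the WAF answers blocked requests with 403 or 406 are all constructed for illustration.

```python
"""Replay labelled test requests through a lab WAF and report, per category,
how many expected blocks were detected and how many benign requests were wrongly blocked."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class Case:
    name: str
    category: str          # "benign", "scanner" or "handcrafted"
    path: str
    params: dict
    should_block: bool     # the tester's expectation for this request


# Constructed sample cases (assumption); replace with the lab's own manual tests.
SAMPLE_CASES = [
    Case("plain search", "benign", "/search", {"q": "red shoes"}, False),
    Case("benign word 'select'", "benign", "/search", {"q": "select size"}, False),
    Case("textbook sqli", "scanner", "/search", {"q": "' OR 1=1--"}, True),
    Case("textbook xss", "scanner", "/search", {"q": "<script>alert(1)</script>"}, True),
    Case("reset without token", "handcrafted", "/reset", {"user": "admin", "token": ""}, True),
]


def http_status(base_url, case, timeout=5.0):
    """GET one case through the WAF and return the HTTP status code it produced."""
    req = urllib.request.Request(f"{base_url}{case.path}?{urlencode(case.params)}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # a WAF block page usually arrives as 403/406
        return err.code


def evaluate(cases, status_of, block_codes=(403, 406)):
    """Per category: cases, expected blocks, detected blocks, false positives, detection rate."""
    report = {}
    for case in cases:
        blocked = status_of(case) in block_codes
        entry = report.setdefault(case.category, dict(cases=0, expected=0, detected=0, false_positives=0))
        entry["cases"] += 1
        if case.should_block:
            entry["expected"] += 1
            entry["detected"] += int(blocked)      # a miss here is the gap bin4ry describes
        else:
            entry["false_positives"] += int(blocked)  # benign traffic the WAF blocked
    for entry in report.values():
        entry["detection_rate"] = entry["detected"] / entry["expected"] if entry["expected"] else None
    return report
```

Run it as `evaluate(SAMPLE_CASES, lambda c: http_status("http://<waf-lab-host>", c))` with the client pointed at the WAF in front of the test webserver; a high scanner rate next to a low handcrafted rate reproduces the gap described above.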


