Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: WAF Testing..suggestions??
From: Dotzero <dotzero () gmail com>
Date: Wed, 8 Sep 2010 10:35:44 -0400

Joe McCray gave a presentation at DC18 that had a section on WAFs -
slides are available online
http://defcon.org/images/defcon-18/dc-18-presentations/McCray/DEFCON-18-McCray-Still-Got-Owned.pdf

WAF section starts at slide 22.

http://defcon.org/images/defcon-18/dc-18-presentations/McCray/DEFCON-18-McCray-Still-Got-Owned.pdf

On Mon, Sep 6, 2010 at 2:48 PM, K K Mookhey <kkmookhey () niiconsulting com> wrote:
This is indeed an excellent point by bin4ry, and I'd just like to add my
2cents to it in terms of the manual testing:
1. Trying to violate the access control mechanisms - business and
application specific stuff
2. Trying to violate password reset and other authentication-related
mechanisms to see if the WAF picks it up beyond running scanner-based
attacks
3. Other out of the box stuff depending on the application
4. Also, many obfuscation techniques are available to bypass WAF's. Some of
these specialized ones can also be tried out. Some examples are given here:
http://www.xiom.com/2009/11/03/new-waf-bypass-method-take-advantage-comment-
anti-evasion
http://linuxpoison.blogspot.com/2010/07/idsipswaf-evasion-flooding-tool.html
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-henrique
.pdf

Also, another interesting link is the WAF Testing Procedure from NS Labs
http://nsslabs.com/certification/waf/nss-waf-v10-testproc.pdf

Cheers,

K. K. Mookhey
Principal Consultant
Network Intelligence
Web: www.niiconsulting.com/services.html


-----Original Message-----

Hey False,

one thing you should keep in mind: While i was pentesting mod_security
and a bunch of commercial WAFs, i recognized that most of the products
work pretty well with popular assessment tools (w3af, etc.). They
detectedmost of the attacks. Afterwards i setup a vulnerable website
and tried to manually attack it. There was a huge difference: A lot of
manuall attacks were not recognized. I guess this is because most of
those WAF vendors try to show how good their product is by running
automated pentests which such tools. Therefore their products seem to
be optimized for such scenarios.
So to really get a picture about a WAF's performance, handcrafted
attacks are a must!

Cheers

Am 27.08.2010 21:59, schrieb Dotzero:
Try waffit - http://code.google.com/p/waffit/source/checkout

On Mon, Aug 23, 2010 at 11:16 AM, false <jctx09 () yahoo com> wrote:
I need to test my WAF. I want to set up a simple network in the lab
like this:
XP or Linux client <--> WAF <--> Honeypot/test webserver

1) Does anyone have any suggestions on what I can use to
simulate/generate attacks/suspicous traffic towards the weberver from my
client?

2) Is there a honeypot image out there that I can download that would
be good to be the role of my test
webserver?

Any suggestions or ideas are very much appreciated.



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault