PaulDotCom mailing list archives

Re: [Security Weekly] Audit a WAF


From: Chris Campbell <chris () ctcampbell com>
Date: Tue, 8 Apr 2014 15:56:21 +0100

Are you auditing the WAF and all the associated issues (logging, alerting, signature updates, policy updates etc.) or 
are you auditing the WAF policy and the application coverage that it provides?

If it's the latter, and the WAF policy is a black box, then I like to see a vuln. assessment done with and without WAF
coverage to see what the difference is. If the policy is available to you then you should be looking for
whitelist/blacklist holes; examples are where wildcards are used or where there is no input validation or the wrong
type/length checks in the case of a whitelist, or where signature sets aren't enabled in the case of a blacklist.

If it's the former then standard IPS-like procedures should be in place for updates, logging, etc., so I would focus on
areas where the operational teams may not have skills or defined procedures.

Chris.
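The two checks Chris describes, as an added example that is not part of the original post or of any WAF product: a small Python linter that flags whitelist holes (wildcards, missing input validation, missing or wrong type/length checks) in a constructed, hypothetical JSON-style policy, plus a helper that lists scan findings still present with WAF coverage. The policy structure, field names and finding strings are assumptions.

```python
# Constructed sample of a positive-security (whitelist) WAF policy in a
# hypothetical structure: path -> parameter -> rule. Real policy exports differ.
SAMPLE_POLICY = {
    "/login": {
        "username": {"type": "alpha", "max_length": 64},
        "password": {"type": "any", "max_length": 128},   # no type validation
        "*":        {"type": "any"},                      # wildcard parameter
    },
    "/search": {
        "q":    {"type": "any"},                          # no length bound
        "page": {"type": "alpha", "max_length": 4},       # should be numeric
    },
}

# Parameter names that, by convention, should carry a numeric type check
# (assumed heuristic; extend per application).
NUMERIC_HINTS = ("page", "id", "offset", "limit")


def audit_whitelist_policy(policy, numeric_hints=NUMERIC_HINTS):
    """Return (path, parameter, finding) tuples for rules that leave the
    whitelist effectively open, in the order the policy lists them."""
    findings = []
    for path, params in policy.items():
        for name, rule in params.items():
            if "*" in name:
                findings.append((path, name, "wildcard parameter accepts unlisted input"))
            if rule.get("type", "any") == "any":
                findings.append((path, name, "no input validation (type any)"))
            if "max_length" not in rule:
                findings.append((path, name, "no length check"))
            if name in numeric_hints and rule.get("type") not in ("integer", "numeric"):
                findings.append((path, name, "wrong type check: numeric expected"))
    return findings


def unmitigated_findings(without_waf, with_waf):
    """Given the finding identifiers from a scan without WAF coverage and one
    with it, return (sorted) those the WAF did not stop."""
    return sorted(set(without_waf) & set(with_waf))


if __name__ == "__main__":
    for path, name, finding in audit_whitelist_policy(SAMPLE_POLICY):
        print(f"{path} {name}: {finding}")
    # Constructed scan results: the WAF blocked the XSS but not the IDOR.
    print(unmitigated_findings({"xss-q", "idor-id"}, {"idor-id"}))
```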

On 7 Apr 2014, at 19:27, RAMELLA Sébastien <sebastien.ramella () white-hats fr> wrote:

Hello,
I have read several articles about WAFs, mainly on bypass methods.
Several papers caught my attention; they referred to a fuzzer-like tool called "Waffun".

I would like to assess the WAF as part of an internal company project.

Can anyone share this tool, or just give me tips, similar tools ... or best practices for evaluating a WAF?
Thanks in advance.

RAMELLA Sébastien
Systems and network integrator / IS security consultant
Microsoft Certified System Administrator
__________________________________________


_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com
