PaulDotCom mailing list archives
Re: [Security Weekly] Audit a WAF
From: RAMELLA Sébastien <sebastien.ramella () white-hats fr>
Date: Tue, 8 Apr 2014 20:16:50 +0000
Thanks all. In my case the WAF is a black box, so before starting I try to evaluate the possibilities... My customer has a web application protected by a WAF, and I need to audit the website. My first approach was to evaluate the WAF in order to have a starting line. I started with a frame analyzer and good old basic concepts, and finally I scripted to obtain a basic whitelist. I am now seeking the way to operate with what I found, but it is really limited.

RAMELLA Sébastien
Systems and Network Integrator / IS Security Consultant
Microsoft Certified System Administrator

-----Original Message-----
From: securityweekly-bounces () mail securityweekly com [mailto:securityweekly-bounces () mail securityweekly com] On Behalf Of Chris Campbell
Sent: Tuesday 8 April 2014 18:56
To: Security Weekly Mailing List
Subject: Re: [Security Weekly] Audit a WAF

Are you auditing the WAF and all the associated issues (logging, alerting, signature updates, policy updates etc.), or are you auditing the WAF policy and the application coverage that it provides?

If it's the latter, and the WAF policy is black box, then I like to see a vuln. assessment done with and without WAF coverage to see what the difference is. If the policy is available to you then you should be looking for whitelist/blacklist holes; examples are where wildcards are used, or where there is no input validation or the wrong type/length checks in the case of a whitelist, or where signature sets aren't enabled in the case of a blacklist.

If it's the former then standard IPS-like procedures should be in place for updates, logging etc., so I would focus on areas where the operational teams may not have skills or defined procedures.

Chris.
On 7 Apr 2014, at 19:27, RAMELLA Sébastien <sebastien.ramella () white-hats fr> wrote:

Hello,

I read several articles about WAFs, mainly bypass methods. Several papers retained my attention; they referred to a fuzzer-like tool called "Waffun". I would like to assess the WAF through a company internal project. Can anyone share this tool, or just inform me of tips, similar tools... or best practices for evaluating a WAF? Thanks in advance.

RAMELLA Sébastien
Systems and Network Integrator / IS Security Consultant
Microsoft Certified System Administrator

_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com
Attachment:
PGP.sig
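Chris's suggestion of running the same vulnerability assessment with and without WAF coverage only pays off if the two result sets are compared systematically. The script below is an added example (not code from anyone in this thread, and not the "Waffun" tool asked about) that does that comparison: it assumes two finding lists exported from the same scanner, one from a scan that reaches the application directly (WAF out of the path, for instance in a test environment) and one run through the WAF. Findings present only in the direct scan are the ones the WAF mitigated; findings present in both are coverage gaps, the whitelist/blacklist holes Chris describes; findings that appear only through the WAF are flagged separately because they usually mean scan noise or a WAF-introduced behaviour worth a look. The finding records are constructed for illustration.

```python
"""Compare web vulnerability assessment results obtained with and without WAF coverage.

Added example for the list thread above, not part of the original messages.
Assumes two finding lists from the same scanner: DIRECT_SCAN (WAF out of the
path) and THROUGH_WAF_SCAN (scanned through the WAF). Sample data is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    vuln_class: str   # e.g. "sqli", "xss", "path_traversal" (scanner's own class label)
    path: str         # request path where the issue was found
    parameter: str    # affected parameter, "-" when not parameter-bound


# Constructed sample: scan with the WAF out of the path
DIRECT_SCAN: List[Finding] = [
    Finding("sqli", "/search", "q"),
    Finding("sqli", "/login", "user"),
    Finding("xss", "/comment", "body"),
    Finding("xss", "/profile", "name"),
    Finding("path_traversal", "/download", "file"),
    Finding("info_leak", "/debug", "-"),
]

# Constructed sample: the same scanner run through the WAF
THROUGH_WAF_SCAN: List[Finding] = [
    Finding("sqli", "/login", "user"),    # still reachable: policy hole on this parameter
    Finding("xss", "/profile", "name"),   # still reachable
    Finding("info_leak", "/debug", "-"),  # WAF has nothing covering this class
]


def split_findings(direct: Iterable[Finding],
                   through_waf: Iterable[Finding]) -> Tuple[Set[Finding], Set[Finding], Set[Finding]]:
    """Return (mitigated, gaps, waf_only) as sets of Finding.

    mitigated: found directly but not through the WAF (the WAF blocked it)
    gaps:      found in both scans (the WAF policy does not cover it)
    waf_only:  found only through the WAF (scan noise or WAF-introduced behaviour)
    """
    d, w = set(direct), set(through_waf)
    return d - w, d & w, w - d


def coverage_by_class(direct: Iterable[Finding],
                      through_waf: Iterable[Finding]) -> Dict[str, Tuple[int, int]]:
    """Map vuln_class -> (mitigated_count, total_count) over the direct-scan findings."""
    mitigated, gaps, _ = split_findings(direct, through_waf)
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for f in mitigated:
        counts[f.vuln_class][0] += 1
        counts[f.vuln_class][1] += 1
    for f in gaps:
        counts[f.vuln_class][1] += 1
    return {cls: (c[0], c[1]) for cls, c in counts.items()}


def report(direct: Iterable[Finding], through_waf: Iterable[Finding]) -> List[str]:
    """Build the audit summary: per-class coverage, then each gap and each WAF-only finding."""
    _, gaps, waf_only = split_findings(direct, through_waf)
    lines: List[str] = []
    for cls, (hit, total) in sorted(coverage_by_class(direct, through_waf).items()):
        lines.append(f"{cls}: {hit}/{total} findings mitigated by WAF")
    for f in sorted(gaps):
        lines.append(f"GAP  {f.vuln_class} {f.path} param={f.parameter}")
    for f in sorted(waf_only):
        lines.append(f"NEW  {f.vuln_class} {f.path} param={f.parameter} (only seen through the WAF)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DIRECT_SCAN, THROUGH_WAF_SCAN)))
```

The key is the identity of a finding: (class, path, parameter) is what lets the two scans be matched, so the scanner configuration, crawl scope and credentials must be identical in both runs, otherwise a missing finding reflects a different crawl rather than WAF coverage. The per-class counts are what turn the comparison into the "starting line" Sébastien is after: a class with 0/n mitigated points at a signature set that is not enabled, while a partially covered class points at specific whitelist entries to review.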
Current thread:
- [Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 07)
- Re: [Security Weekly] Audit a WAF David Maynor (Apr 08)
- Re: [Security Weekly] Audit a WAF TAS (Apr 08)
- Re: [Security Weekly] Audit a WAF Chris Campbell (Apr 08)
- Re: [Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 08)