Penetration Testing mailing list archives

Re: WAF Testing..suggestions??


From: Tasos Laskos <tasos.laskos () gmail com>
Date: Fri, 27 Aug 2010 17:45:58 +0300


Hi,

On 23/08/10 18:16, false wrote:
> I need to test my WAF. I want to set up a simple network in the lab like this:
> XP or Linux client <--> WAF <--> Honeypot/test webserver
>
> 1) Does anyone have any suggestions on what I can use to simulate/generate attacks/suspicious traffic towards the webserver from my client?

How about a web app security scanner?
Skipfish, WebSecurify, W3af?

> 2) Is there a honeypot image out there that I can download that would be good to be the role of my test webserver?

You don't need to do that, just set up Linux in a VM and use tcpdump to dump the traffic into a file for later analysis. If you want to analyze the traffic, that is... otherwise a simple Linux VM will suffice.

Cheers,
Tasos.


> Any suggestions or ideas are very much appreciated.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



