Penetration Testing mailing list archives

RE: WAF Testing..suggestions??


From: Roland Lindsey <R.Lindsey () F5 com>
Date: Fri, 27 Aug 2010 16:45:04 +0000

The Testing Guide at OWASP will give you examples of most every major attack vector, as well as some instructions on 
how to test it. You can check it out here: http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Additionally, you could also put a WAF in front of Google Gruyere (http://google-gruyere.appspot.com/). Gruyere is an 
intentionally hackable web application and there are instructions provided on exactly how to hack it along every vector.

Hope this helps!

Roland Lindsey │Product Management Engineer
www.f5.com             
IT Agility. Your Way.
________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf of false [jctx09 () yahoo com]
Sent: Monday, August 23, 2010 8:16 AM
To: pen-test () securityfocus com
Subject: WAF Testing..suggestions??

I need to test my WAF. I want to set up a simple network in the lab like this:
XP or Linux client <--> WAF <--> Honeypot/test webserver

1) Does anyone have any suggestions on what I can use to simulate/generate attacks/suspicious traffic towards the 
webserver from my client?

2) Is there a honeypot image out there that I can download that would be good to be the role of my test
webserver?

Any suggestions or ideas are very much appreciated.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

