Penetration Testing mailing list archives

RE: WAF Testing..suggestions??


From: "DucNguyen" <ducnp () misoft-hcm com>
Date: Sat, 28 Aug 2010 02:48:23 +0700

Hi False,

1) Does anyone have any suggestions on what I can use to simulate/generate
attacks/suspicious traffic towards the webserver from my client?

==> You can generate attack traffic with web assessment tools. I recommend
W3af and Websecurify; I do not recommend Acunetix because it uses a fixed HTTP
header, so the WAF detects and blocks it easily.

2) Is there a honeypot image out there that I can download that would be
good to be the role of my test
webserver?

You can try some images: OWASP WebGoat, WebDojo...

Search for the NSA article: WAF testing procedure.

-------------------------------------------
Regards,
DucNguyen
Tactical Security Researcher 
Contact : ducnguyenrs\x40\gmail\2e\com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Tasos Laskos
Sent: Friday, August 27, 2010 9:46 PM
To: false
Cc: pen-test () securityfocus com
Subject: Re: WAF Testing..suggestions??


Hi,

On 23/08/10 18:16, false wrote:
I need to test my WAF. I want to set up a simple network in the lab like
this:
XP or Linux client<-->  WAF<-->  Honeypot/test webserver

1) Does anyone have any suggestions on what I can use to simulate/generate
attacks/suspicious traffic towards the webserver from my client?

How about a web app security scanner?
Skipfish, WebSecurify, W3af?

2) Is there a honeypot image out there that I can download that would be
good to be the role of my test
webserver?

You don't need to do that, just set up Linux in a VM and use tcpdump to
dump the traffic into a file for later analysis.
If you want to analyze the traffic that is...otherwise a simple Linux VM
will suffice.

Cheers,
Tasos.


Any suggestions or ideas are very much appreciated.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------







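An added example, not from this thread or any of its posters, of the "later analysis" step Tasos mentions: once the test webserver behind the WAF has logged what actually reached it, you can compare that against the list of requests the client sent and see which suspicious requests the WAF stopped, which it let through, and which benign ones it wrongly blocked. The script assumes the backend writes a standard Common Log Format access log; the request list, the log lines and the three signature rules are constructed for the example and are not the output of any of the scanners named above.

```python
import re
from urllib.parse import unquote

# Constructed sample: request paths the lab client sent through the WAF.
SENT_REQUESTS = [
    "/index.html",
    "/search?q=shoes",
    "/search?q=%27%20OR%201%3D1--",
    "/download?file=../../etc/passwd",
    "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E",
    "/about",
]

# Constructed sample: Common Log Format lines from the backend test webserver,
# i.e. only the requests that got past the WAF.
BACKEND_ACCESS_LOG = """\
10.0.0.5 - - [27/Aug/2010:21:46:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [27/Aug/2010:21:46:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 1024
10.0.0.5 - - [27/Aug/2010:21:46:04 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 210
10.0.0.5 - - [27/Aug/2010:21:46:06 +0000] "GET /about HTTP/1.1" 200 300
"""

# Minimal signature rules (constructed, not a real WAF ruleset), applied to the
# URL-decoded path so percent-encoding does not hide the pattern.
RULES = [
    ("sqli", re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|--\s*$|\bunion\b\s+\bselect\b)")),
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("xss", re.compile(r"(?i)<\s*script\b")),
]

# Common Log Format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)


def classify(path):
    """Return the names of the rules that match the decoded path ([] if benign)."""
    decoded = unquote(path)
    return [name for name, rx in RULES if rx.search(decoded)]


def parse_access_log(text):
    """Extract (method, path, status) tuples from CLF lines; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((m.group("method"), m.group("path"), int(m.group("status"))))
    return out


def waf_report(sent, log_text):
    """Compare what the client sent with what the backend logged.

    blocked        - suspicious request that never reached the backend (WAF hit)
    missed         - suspicious request that reached the backend (WAF gap)
    false_positive - benign request that never reached the backend
    allowed_benign - benign request that reached the backend as expected
    """
    reached = {path for _, path, _ in parse_access_log(log_text)}
    report = {"blocked": [], "missed": [], "false_positive": [], "allowed_benign": []}
    for path in sent:
        hits = classify(path)
        arrived = path in reached
        if hits and arrived:
            report["missed"].append((path, hits))
        elif hits:
            report["blocked"].append((path, hits))
        elif arrived:
            report["allowed_benign"].append(path)
        else:
            report["false_positive"].append(path)
    return report


if __name__ == "__main__":
    for category, items in waf_report(SENT_REQUESTS, BACKEND_ACCESS_LOG).items():
        print(f"{category}: {items}")
```

The "missed" bucket is the one to act on: in the constructed sample the traversal request reached the backend, so the WAF rule set would need attention there. Matching on the decoded path matters because a WAF that inspects only the raw URL can be bypassed by encoding, and this comparison will show that as a miss rather than hiding it.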
