Penetration Testing mailing list archives
RE: WAF Testing..suggestions??
From: "DucNguyen" <ducnp () misoft-hcm com>
Date: Sat, 28 Aug 2010 02:48:23 +0700
Hi False,

1) Does anyone have any suggestions on what I can use to simulate/generate
attacks/suspicious traffic towards the webserver from my client?

==> You can generate attack traffic with web assessment tools; I recommend W3af and Websecurify. I do not recommend Acunetix, because it uses fixed HTTP headers, so a WAF can detect and block it very easily.
2) Is there a honeypot image out there that I can download that would be
good to be the role of my test webserver?

You can try some images: OWASP WebGoat, WebDojo ... Also search for the NSA article "WAF testing procedure".

-------------------------------------------
Regards,
DucNguyen
Tactical Security Researcher
Contact : ducnguyenrs\x40\gmail\2e\com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tasos Laskos
Sent: Friday, August 27, 2010 9:46 PM
To: false
Cc: pen-test () securityfocus com
Subject: Re: WAF Testing..suggestions??

Hi,

On 23/08/10 18:16, false wrote:
I need to test my WAF. I want to set up a simple network in the lab like
this:

XP or Linux client <--> WAF <--> Honeypot/test webserver

1) Does anyone have any suggestions on what I can use to simulate/generate
attacks/suspicious traffic towards the webserver from my client?
How about a web app security scanner? Skipfish, WebSecurify, W3af?
2) Is there a honeypot image out there that I can download that would be
good to be the role of my test webserver?

You don't need to do that, just set up Linux in a VM and use tcpdump to dump the traffic into a file for later analysis. If you want to analyze the traffic, that is... otherwise a simple Linux VM will suffice.

Cheers,
Tasos.
Any suggestions or ideas are very much appreciated.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
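Both replies in this thread boil down to the same lab procedure: send a known mix of benign and suspicious requests from the client through the WAF to a throwaway webserver, then check what the WAF let through. The script below is an added example (not code from the thread or from any of the tools named in it) of the "expected result" side of that procedure: each test case carries an expectation of blocked or allowed, the harness sends it and compares the WAF's verdict with the expectation, and the summary tells you which rules are missing. It assumes a lab WAF that answers 403 or 406 when it blocks (adjust `BLOCK_STATUSES` for your product), and the hostname `waf-lab.local` is a placeholder. The transport is a plain callable so the harness can be exercised offline with a fake sender before pointing it at the real lab.

```python
"""Lab harness for checking which requests a WAF blocks (added example)."""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlencode


@dataclass
class TestCase:
    name: str
    params: Dict[str, str]
    expect_blocked: bool


# Constructed cases: one benign request plus two textbook probe strings that
# a default WAF ruleset is expected to reject. Replace with your own list.
CASES: List[TestCase] = [
    TestCase("benign search", {"q": "penetration testing"}, expect_blocked=False),
    TestCase("xss marker", {"q": "<script>alert(1)</script>"}, expect_blocked=True),
    TestCase("sqli marker", {"id": "1' OR '1'='1"}, expect_blocked=True),
]

# Status codes the lab WAF returns on a block (assumption; adjust per product).
BLOCK_STATUSES = {403, 406}

# A sender maps a URL to the HTTP status code the client received.
Sender = Callable[[str], int]


def http_send(url: str, timeout: float = 5.0) -> int:
    """Real transport: GET the URL and return the status code.

    urllib raises HTTPError for 4xx/5xx, which is exactly the WAF block we
    want to record, so the error code is returned rather than re-raised.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_cases(base_url: str, cases: List[TestCase], send: Sender,
              block_statuses=BLOCK_STATUSES) -> List[dict]:
    """Send every case through the WAF and record whether it behaved as expected."""
    results = []
    for case in cases:
        url = f"{base_url}?{urlencode(case.params)}"
        status = send(url)
        blocked = status in block_statuses
        results.append({
            "name": case.name,
            "status": status,
            "blocked": blocked,
            "ok": blocked == case.expect_blocked,  # verdict matches expectation
        })
    return results


def summarize(results: List[dict]) -> dict:
    """Count cases that matched their expectation and cases that did not."""
    passed = sum(1 for r in results if r["ok"])
    return {"passed": passed, "failed": len(results) - passed}


if __name__ == "__main__":
    # Placeholder lab URL; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://waf-lab.local/search"
    outcome = run_cases(target, CASES, http_send)
    for r in outcome:
        verdict = "OK  " if r["ok"] else "FAIL"
        print(f"{verdict} {r['name']:<15} status={r['status']} blocked={r['blocked']}")
    print(summarize(outcome))
```

A "FAIL" on a case with `expect_blocked=True` is a gap in the ruleset; a "FAIL" on the benign case is a false positive, which matters just as much when the WAF sits in front of a real application. Running the same case list through tcpdump on the test webserver, as suggested above, gives a second, independent record of what actually reached the backend.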