Re: WAF Testing..suggestions??

[Dotzero <dotzero () gmail com>]

Joe McCray gave a presentation at DC18 that had a section on WAFs -
slides are available online
http://defcon.org/images/defcon-18/dc-18-presentations/McCray/DEFCON-18-McCray-Still-Got-Owned.pdf

WAF section starts at slide 22.

http://defcon.org/images/defcon-18/dc-18-presentations/McCray/DEFCON-18-McCray-Still-Got-Owned.pdf

On Mon, Sep 6, 2010 at 2:48 PM, K K Mookhey <kkmookhey () niiconsulting com> wrote:
> This is indeed an excellent point by bin4ry, and I'd just like to add my
> 2cents to it in terms of the manual testing:
> 1. Trying to violate the access control mechanisms - business and
> application specific stuff
> 2. Trying to violate password reset and other authentication-related
> mechanisms to see if the WAF picks it up beyond running scanner-based
> attacks
> 3. Other out of the box stuff depending on the application
> 4. Also, many obfuscation techniques are available to bypass WAF's. Some of
> these specialized ones can also be tried out. Some examples are given here:
> http://www.xiom.com/2009/11/03/new-waf-bypass-method-take-advantage-comment-
> anti-evasion
> http://linuxpoison.blogspot.com/2010/07/idsipswaf-evasion-flooding-tool.html
> http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-henrique
> .pdf
>
> Also, another interesting link is the WAF Testing Procedure from NS Labs
> http://nsslabs.com/certification/waf/nss-waf-v10-testproc.pdf
>
> Cheers,
>
> K. K. Mookhey
> Principal Consultant
> Network Intelligence
> Web: www.niiconsulting.com/services.html
>
>
> -----Original Message-----
>
> Hey False,
>
> one thing you should keep in mind: While i was pentesting mod_security
> and a bunch of commercial WAFs, i recognized that most of the products
> work pretty well with popular assessment tools (w3af, etc.). They
> detectedmost of the attacks. Afterwards i setup a vulnerable website
> and tried to manually attack it. There was a huge difference: A lot of
> manuall attacks were not recognized. I guess this is because most of
> those WAF vendors try to show how good their product is by running
> automated pentests which such tools. Therefore their products seem to
> be optimized for such scenarios.
> So to really get a picture about a WAF's performance, handcrafted
> attacks are a must!
>
> Cheers
>
> Am 27.08.2010 21:59, schrieb Dotzero:
> > Try waffit - http://code.google.com/p/waffit/source/checkout
> >
> > On Mon, Aug 23, 2010 at 11:16 AM, false <jctx09 () yahoo com> wrote:
> > > I need to test my WAF. I want to set up a simple network in the lab
> like this:
> > > XP or Linux client <--> WAF <--> Honeypot/test webserver
> > >
> > > 1) Does anyone have any suggestions on what I can use to
> simulate/generate attacks/suspicous traffic towards the weberver from my
> client?
> > > 2) Is there a honeypot image out there that I can download that would
> be good to be the role of my test
> > > webserver?
> > >
> > > Any suggestions or ideas are very much appreciated.
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------