Penetration Testing mailing list archives
Re: WAF Testing..suggestions??
From: Dotzero <dotzero () gmail com>
Date: Wed, 8 Sep 2010 10:35:44 -0400
Joe McCray gave a presentation at DC18 that had a section on WAFs - slides are available online: http://defcon.org/images/defcon-18/dc-18-presentations/McCray/DEFCON-18-McCray-Still-Got-Owned.pdf (the WAF section starts at slide 22).

On Mon, Sep 6, 2010 at 2:48 PM, K K Mookhey <kkmookhey () niiconsulting com> wrote:

This is indeed an excellent point by bin4ry, and I'd just like to add my 2 cents to it in terms of the manual testing:

1. Trying to violate the access control mechanisms - business and application specific stuff
2. Trying to violate password reset and other authentication-related mechanisms to see if the WAF picks it up beyond running scanner-based attacks
3. Other out of the box stuff depending on the application
4. Also, many obfuscation techniques are available to bypass WAFs. Some of these specialized ones can also be tried out. Some examples are given here:
   http://www.xiom.com/2009/11/03/new-waf-bypass-method-take-advantage-comment-anti-evasion
   http://linuxpoison.blogspot.com/2010/07/idsipswaf-evasion-flooding-tool.html
   http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-henrique.pdf

Also, another interesting link is the WAF Testing Procedure from NSS Labs: http://nsslabs.com/certification/waf/nss-waf-v10-testproc.pdf

Cheers,
K. K. Mookhey
Principal Consultant
Network Intelligence
Web: www.niiconsulting.com/services.html

-----Original Message-----

Hey False, one thing you should keep in mind: While I was pentesting mod_security and a bunch of commercial WAFs, I recognized that most of the products work pretty well with popular assessment tools (w3af, etc.). They detected most of the attacks. Afterwards I set up a vulnerable website and tried to manually attack it. There was a huge difference: a lot of manual attacks were not recognized. I guess this is because most of those WAF vendors try to show how good their product is by running automated pentests with such tools. Therefore their products seem to be optimized for such scenarios. So to really get a picture about a WAF's performance, handcrafted attacks are a must!

Cheers

On 27.08.2010 21:59, Dotzero wrote:

Try waffit - http://code.google.com/p/waffit/source/checkout

On Mon, Aug 23, 2010 at 11:16 AM, false <jctx09 () yahoo com> wrote:

I need to test my WAF. I want to set up a simple network in the lab like this:

XP or Linux client <--> WAF <--> Honeypot/test webserver

1) Does anyone have any suggestions on what I can use to simulate/generate attacks/suspicious traffic towards the webserver from my client?
2) Is there a honeypot image out there that I can download that would be good to be the role of my test webserver?

Any suggestions or ideas are very much appreciated.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
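The lab setup from the original question (client <--> WAF <--> test webserver) and bin4ry's point that scanner-style probes and hand-written, application-specific requests fare very differently, as an added example that is not code from any poster in this thread: a small Python harness that replays a labelled request corpus through the WAF and scores what it blocked per category. It assumes GET parameters, that the WAF answers a blocked request with HTTP 403 (BLOCK_STATUSES), and the corpus rows are constructed placeholders for your own application's test cases.

```python
"""Replay a labelled request corpus through the lab WAF and score what it blocks per category.
Added example, not any poster's code. Assumes GET parameters and HTTP 403 on a block."""
import sys
import urllib.error
import urllib.parse
import urllib.request

BLOCK_STATUSES = {403}  # assumption: adjust to the status or block page your WAF returns

# Constructed corpus: (category, expected verdict, query string). Benign rows measure false
# positives; "handcrafted" rows are the application-specific checks the thread lists.
CORPUS = [
    ("benign", "allow", "search=red shoes size 10"),
    ("benign", "allow", "name=O'Brien"),            # legitimate apostrophe
    ("scanner", "block", "id=1' OR '1'='1"),        # textbook scanner probe
    ("handcrafted", "block", "account=1002"),       # another user's record (access control)
    ("handcrafted", "block", "token=&newpass=x"),   # password reset with an empty token
]

def send(base_url, query, timeout=5):
    """GET one request through the WAF; return the HTTP status, including 4xx/5xx."""
    url = base_url.rstrip("/") + "/?" + urllib.parse.quote(query, safe="=&")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def verdict(status):
    return "block" if status in BLOCK_STATUSES else "allow"

def run(base_url, corpus=CORPUS):
    """Replay the corpus; returns rows of (category, expected, observed, query)."""
    return [(cat, exp, verdict(send(base_url, q)), q) for cat, exp, q in corpus]

def summarize(rows):
    """Per category -> (blocked, total): detections for attack rows, false positives for benign."""
    summary = {}
    for category, _expected, observed, _query in rows:
        blocked, total = summary.get(category, (0, 0))
        summary[category] = (blocked + (observed == "block"), total + 1)
    return summary

def mismatches(rows):
    """Rows where the WAF disagreed with the label: missed attacks, blocked benign traffic."""
    return [row for row in rows if row[1] != row[2]]

if __name__ == "__main__":  # usage: python waf_harness.py http://<waf-address>/
    results = run(sys.argv[1])
    print(summarize(results), mismatches(results))
```

Run it once through the WAF and once with the client pointed straight at the test webserver, so you can tell a WAF block from an error the application itself returns.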
Current thread:
- Re: WAF Testing..suggestions?? Yiannis Koukouras (Sep 01)
- <Possible follow-ups>
- Re: WAF Testing..suggestions?? bin4ry (Sep 01)
- RE: WAF Testing..suggestions?? K K Mookhey (Sep 07)
- Re: WAF Testing..suggestions?? Dotzero (Sep 08)
- RE: WAF Testing..suggestions?? K K Mookhey (Sep 07)