Penetration Testing mailing list archives

Re: WAF Testing..suggestions??


From: bin4ry <bin4ry () theknetgroup org>
Date: Wed, 01 Sep 2010 10:58:44 +0200



Hey False,

one thing you should keep in mind: While I was pentesting mod_security
and a bunch of commercial WAFs, I recognized that most of the products
work pretty well with popular assessment tools (w3af, etc.). They
detected most of the attacks. Afterwards I set up a vulnerable website
and tried to manually attack it. There was a huge difference: a lot of
manual attacks were not recognized. I guess this is because most of
those WAF vendors try to show how good their product is by running
automated pentests with such tools. Therefore their products seem to
be optimized for such scenarios.
So to really get a picture about a WAF's performance, handcrafted
attacks are a must!

Cheers

On 27.08.2010 21:59, Dotzero wrote:
Try waffit - http://code.google.com/p/waffit/source/checkout

On Mon, Aug 23, 2010 at 11:16 AM, false <jctx09 () yahoo com> wrote:
I need to test my WAF. I want to set up a simple network in the lab
like this:
XP or Linux client <--> WAF <--> Honeypot/test webserver

1) Does anyone have any suggestions on what I can use to
simulate/generate attacks/suspicious traffic towards the webserver from my
client?

2) Is there a honeypot image out there that I can download that would
be good to play the role of my test webserver?

Any suggestions or ideas are very much appreciated.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------






